293 files changed, 30987 insertions, 6944 deletions
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..0524659f
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,46 @@
+# Using default template from https://help.github.com/articles/dealing-with-line-endings with modifications.
+# Set default behaviour, in case users don't have core.autocrlf set.
+* text=auto
+
+# Explicitly declare text files we want to always be normalized and converted
+# to native line endings on checkout.
+*.c text
+*.h text
+*.php text
+*.inc text
+*.sh text
+*.h text
+*.md5 text
+*.sha256 text
+*.conf text
+*.xml text
+*.ovf text
+*.css text
+*.htm* text
+*.js text
+*.diff text
+*.patch text
+*.pl text
+*.rules text
+*.txt text
+rc.* text
+*.sql text
+*.mk text
+
+# Files that will always have CRLF line endings on checkout. (Not sure we have any of these)
+*.nsh text eol=crlf
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
+*.gif binary
+*.so* binary
+*.gz binary
+*.tgz binary
+*.exe binary
+*.ico binary
+*.img binary
+*.zip binary
+*.uzip binary
+*.tar binary
+*.ttf binary
\ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..a01ee289 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.*.swp diff --git a/config/apache_mod_security-dev/apache_balancer.template b/config/apache_mod_security-dev/apache_balancer.template index 361a5ed4..06422125 100644 --- a/config/apache_mod_security-dev/apache_balancer.template +++ b/config/apache_mod_security-dev/apache_balancer.template @@ -6,7 +6,7 @@ $balancer_config= <<<EOF # then edit /usr/local/pkg/apache_* files. # # # # And don't forget to submit your changes to: # -# https://github.com/bsdperimeter/pfsense-packages # +# https://github.com/pfsense/pfsense-packages # ################################################################################## SetOutputFilter DEFLATE SetInputFilter DEFLATE @@ -37,4 +37,4 @@ Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ EOF; -?>
\ No newline at end of file +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index cdee4f6b..fb83f9a6 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -165,7 +165,7 @@ function generate_apache_configuration() { if (is_array($config['installedpackages']['apachesettings'])) $settings=$config['installedpackages']['apachesettings']['config'][0]; else - $setting=sarray(); + $settings=array(); // Set global site e-mail if ($settings['globalsiteadminemail']){ @@ -321,7 +321,7 @@ function generate_apache_configuration() { # then edit /usr/local/pkg/apache_* files. # # # # And don't forget to submit your changes to: # -# https://github.com/bsdperimeter/pfsense-packages # +# https://github.com/pfsense/pfsense-packages # ################################################################################## diff --git a/config/phpmrss.xml b/config/archive/phpmrss.xml index 3d144642..3d144642 100644 --- a/config/phpmrss.xml +++ b/config/archive/phpmrss.xml diff --git a/config/arpwatch_reports.php b/config/arpwatch_reports.php index d66b1a46..c2b4401e 100755 --- a/config/arpwatch_reports.php +++ b/config/arpwatch_reports.php @@ -29,7 +29,8 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); +require_once("guiconfig.inc"); +require_once("service-utils.inc"); $logfile = "/var/log/arp.dat"; diff --git a/config/autoconfigbackup/parse_config_upload.php b/config/autoconfigbackup/parse_config_upload.php new file mode 100644 index 00000000..ce592966 --- /dev/null +++ b/config/autoconfigbackup/parse_config_upload.php @@ -0,0 +1,8 @@ +<?php + +if(file_exists("/usr/local/pkg/autoconfigbackup.inc")) { + require_once("/usr/local/pkg/autoconfigbackup.inc"); + upload_config(); +} + +?> diff --git a/config/avahi/avahi.xml b/config/avahi/avahi.xml index ef229af1..46f1293b 100644 --- a/config/avahi/avahi.xml 
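Review bot: The new config/autoconfigbackup/parse_config_upload.php calls upload_config() on every invocation with no authentication gate — it requires only autoconfigbackup.inc, not guiconfig.inc, and performs no session or privilege check of its own — so if this file is installed under the web root any unauthenticated request reaches upload_config(). Whether upload_config() enforces its own checks cannot be seen here, since autoconfigbackup.inc is outside this diff. If the script is meant to be a web endpoint, add `require_once("guiconfig.inc");` before the call so the standard pfSense session handling applies; if it is only ever run from the CLI or cron, a one-line header comment saying so (and keeping it out of the www path) would make that intent explicit.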
+++ b/config/avahi/avahi.xml @@ -84,12 +84,12 @@ <additional_files_needed> <prefix>/root/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/avahi/binaries/avahi.tar.gz</item> + <item>http://files.pfsense.org/packages/avahi/avahi.tar.gz</item> </additional_files_needed> <additional_files_needed> <prefix>/root/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/avahi/binaries/avahi8.tar.gz</item> + <item>http://files.pfsense.org/packages/avahi/avahi8.tar.gz</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> diff --git a/config/bacula-client/bacula-client.inc b/config/bacula-client/bacula-client.inc index 156b3763..94411809 100644 --- a/config/bacula-client/bacula-client.inc +++ b/config/bacula-client/bacula-client.inc @@ -1,113 +1,120 @@ -<?php
-
-/* ========================================================================== */
-/*
- bacula-client.inc
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2012 Marcio Carlos Braga Antao
- Copyright (C) 2012 Marcello Coutinho
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- require_once("config.inc");
- require_once("util.inc");
-
-function baculaclient_custom_php_install_command(){
- global $g, $config;
- baculaclient_custom_php_write_config();
-}
-
-function baculaclient_custom_php_deinstall_command(){
- global $g, $config;
-
- conf_mount_rw();
-
- // 1. Delete our config file
- unlink_if_exists("/usr/local/etc/bacula-fd.conf");
-
- // 2. Re-run sshd config generation script
- exec("/usr/local/etc/rc.d/bacula-fd.sh stop");
- conf_mount_ro();
-}
-
-function baculaclient_custom_php_write_config(){
- global $g, $config;
- conf_mount_rw();
- //check config_file
- $startup_file="/usr/local/etc/rc.d/bacula-fd";
- if (file_exists($startup_file)){
- $startup_script=file_get_contents($startup_file);
- $startup_script=preg_replace("/NO/","YES",$startup_script);
- file_put_contents("{$startup_file}.sh",$startup_script,LOCK_EX);
- // Ensure bacula-fd has a+rx
- exec("chmod a+rx {$startup_file}.sh");
- }
-
- //check config
- if (is_array($config['installedpackages']['baculaclient']['config'])){
- $baculaclient_conf="";
- foreach ($config['installedpackages']['baculaclient']['config'] as $bc) {
- // create Director
- switch ($bc['type']){
- case "Director":
- $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-dir #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t}\n";
- Break;
- case "Monitor":
- $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-mon #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t Monitor = yes\n\t}\n";
- break;
- case "Local":
- $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-dir #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t}\n";
- $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-mon #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t Monitor = yes\n\t}\n";
- $LocalDirector = $bc['director'];
- }
-
- }
-
- // create Messages
- $baculaclient_conf .= "Messages { \n\t Name = Standard \n\t director = {$LocalDirector}-dir = all, !skipped, !restored\n\t}\n";
- // create FielDaemon
-
- if (is_array($config['installedpackages']['baculaclientfd']['config'])){
- $port = $config['installedpackages']['baculaclientfd']['config'][0]['port'];
- $jobs = $config['installedpackages']['baculaclientfd']['config'][0]['jobs'];
- }
- else{
- $port="9102";
- $jobs="20";
- }
- $baculaclient_conf .= "FileDaemon { \n\t Name = {$LocalDirector}-fd #\n\t FDport = {$port}\n\t WorkingDirectory = /var/db/bacula\n\t Pid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n\t}\n";
- file_put_contents("/usr/local/etc/bacula-fd.conf",$baculaclient_conf,LOCK_EX);
- exec("/usr/local/etc/rc.d/bacula-fd.sh restart");
- // Mount Read-only
- conf_mount_ro();
- }
- }
-
+<?php + +/* ========================================================================== */ +/* + bacula-client.inc + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcio Carlos Braga Antao + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + require_once("config.inc"); + require_once("util.inc"); + + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('BACULA_LOCALBASE', '/usr/pbi/bacula-' . 
php_uname("m")); +else + define('BACULA_LOCALBASE','/usr/local'); + +function baculaclient_custom_php_install_command(){ + global $g, $config; + baculaclient_custom_php_write_config(); +} + +function baculaclient_custom_php_deinstall_command(){ + global $g, $config; + + conf_mount_rw(); + + // 1. Delete our config file + unlink_if_exists(BACULA_LOCALBASE."/etc/bacula-fd.conf"); + + // 2. Re-run sshd config generation script + exec("/usr/local/etc/rc.d/bacula-fd.sh stop"); + conf_mount_ro(); +} + +function baculaclient_custom_php_write_config(){ + global $g, $config; + conf_mount_rw(); + //check config_file + $startup_file="/usr/local/etc/rc.d/bacula-fd"; + if (file_exists($startup_file)){ + $startup_script=file_get_contents($startup_file); + $startup_script=preg_replace("/NO/","YES",$startup_script); + $startup_script=preg_replace("@/usr/local/etc/bacula-fd.conf@",BACULA_LOCALBASE."/etc/bacula-fd.conf",$startup_script); + file_put_contents("{$startup_file}.sh",$startup_script,LOCK_EX); + // Ensure bacula-fd has a+rx + exec("chmod a+rx {$startup_file}.sh"); + } + + //check config + if (is_array($config['installedpackages']['baculaclient']['config'])){ + $baculaclient_conf=""; + foreach ($config['installedpackages']['baculaclient']['config'] as $bc) { + // create Director + switch ($bc['type']){ + case "Director": + $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-dir #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t}\n"; + Break; + case "Monitor": + $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-mon #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t Monitor = yes\n\t}\n"; + break; + case "Local": + $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-dir #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t}\n"; + $baculaclient_conf .= "Director { \n\t Name = {$bc['director']}-mon #{$bc['description']}\n\t Password = \"{$bc['password']}\"\n\t Monitor = yes\n\t}\n"; + $LocalDirector = 
$bc['director']; + } + + } + + // create Messages + $baculaclient_conf .= "Messages { \n\t Name = Standard \n\t director = {$LocalDirector}-dir = all, !skipped, !restored\n\t}\n"; + // create FielDaemon + + if (is_array($config['installedpackages']['baculaclientfd']['config'])){ + $port = $config['installedpackages']['baculaclientfd']['config'][0]['port']; + $jobs = $config['installedpackages']['baculaclientfd']['config'][0]['jobs']; + } + else{ + $port="9102"; + $jobs="20"; + } + $baculaclient_conf .= "FileDaemon { \n\t Name = {$LocalDirector}-fd #\n\t FDport = {$port}\n\t WorkingDirectory = /var/db/bacula\n\t Pid Directory = /var/run\n\tMaximum Concurrent Jobs = {$jobs}\n\t}\n"; + file_put_contents(BACULA_LOCALBASE."/etc/bacula-fd.conf",$baculaclient_conf,LOCK_EX); + exec("/usr/local/etc/rc.d/bacula-fd.sh restart"); + // Mount Read-only + conf_mount_ro(); + } + } + ?>
\ No newline at end of file diff --git a/config/bacula-client/bacula-client_view_config.php b/config/bacula-client/bacula-client_view_config.php index 7fa64cf4..021e1c15 100644 --- a/config/bacula-client/bacula-client_view_config.php +++ b/config/bacula-client/bacula-client_view_config.php @@ -34,6 +34,12 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('BACULA_LOCALBASE', '/usr/pbi/bacula-' . php_uname("m")); +else + define('BACULA_LOCALBASE','/usr/local'); + $pgtitle = "Bacula-Client: View Configuration"; include("head.inc"); @@ -68,7 +74,7 @@ include("head.inc"); <td class="tabcont" > <textarea id="varnishlogs" rows="50" cols="87%"> <?php - $config_file = file_get_contents("/usr/local/etc/bacula-fd.conf"); + $config_file = file_get_contents(BACULA_LOCALBASE."/etc/bacula-fd.conf"); echo $config_file; ?> </textarea> diff --git a/config/bandwidthd/bandwidthd.inc b/config/bandwidthd/bandwidthd.inc index 34532c18..00e3cd28 100644 --- a/config/bandwidthd/bandwidthd.inc +++ b/config/bandwidthd/bandwidthd.inc @@ -46,6 +46,8 @@ function bandwidthd_install_deinstall() { exec("rm -f /usr/local/etc/rc.d/bandwidthd*"); exec("rm -rf " . PKG_BANDWIDTHD_BASE . "/htdocs"); exec("rm -f /usr/local/www/bandwidthd"); + // Remove the cron job, if it is there + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", false); conf_mount_ro(); config_unlock(); } 
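Review bot: bacula-client.inc still writes bacula-fd.conf, which now embeds every Director password in clear text, with `file_put_contents(BACULA_LOCALBASE."/etc/bacula-fd.conf",$baculaclient_conf,LOCK_EX)` and no mode adjustment, so the file's permissions are whatever the process umask yields; add `chmod(BACULA_LOCALBASE."/etc/bacula-fd.conf", 0600);` right after the write. In the same function `{$bc['password']}` and `{$bc['description']}` are interpolated straight into the quoted `Password = "..."` and `#...` fields, so a password or description containing a double quote or newline produces a config the daemon will not parse (or parses differently than intended) — escape or reject those characters before building the string. The comment `// 2. Re-run sshd config generation script` in the deinstall function describes an unrelated service and should read something like `// 2. Stop the file daemon`.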
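Review bot: The version probe and `define('BACULA_LOCALBASE', ...)` block added near the top of bacula-client_view_config.php duplicates the one this commit adds to bacula-client.inc, so if both files are loaded in the same request the second define() raises an "already defined" warning, and the two copies can silently drift apart. Either wrap it as `if (!defined('BACULA_LOCALBASE')) { ... }` or require_once the inc file and drop the copy. The unchanged `echo $config_file;` inside the textarea also emits the fd config (including Director passwords) without escaping; `echo htmlspecialchars($config_file);` keeps a stray `</textarea>` in a description from breaking the page.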
@@ -54,50 +56,76 @@ function bandwidthd_install_config() { global $config, $g; /* bandwidthd doesn't have a way to pass a custom config path, unfortunately */ + /* the conf file must be ./etc/bandwidthd.conf relative to the current dir */ + $bandwidthd_base_dir = PKG_BANDWIDTHD_BASE; $bandwidthd_config_dir = PKG_BANDWIDTHD_BASE . "/etc"; conf_mount_rw(); config_lock(); /* user defined values */ - $meta_refresh = $config['installedpackages']['bandwidthd']['config'][0]['meta_refresh']; + $bandwidthd_config = $config['installedpackages']['bandwidthd']['config'][0]; + $meta_refresh = $bandwidthd_config['meta_refresh']; if($meta_refresh) $meta_refresh = "meta_refresh $meta_refresh\n"; - $graph = $config['installedpackages']['bandwidthd']['config'][0]['drawgraphs']; + $graph = $bandwidthd_config['drawgraphs']; if($graph) $graph = "graph true\n"; else $graph = "graph false\n"; - $filter_text = $config['installedpackages']['bandwidthd']['config'][0]['filter']; + $filter_text = $bandwidthd_config['filter']; if($filter_text) $filter_text = "filter $filter_text\n"; - $recover_cdf = $config['installedpackages']['bandwidthd']['config'][0]['recovercdf']; + $recover_cdf = $bandwidthd_config['recovercdf']; if($recover_cdf) $recover_cdf = "recover_cdf true\n"; - $output_cdf = $config['installedpackages']['bandwidthd']['config'][0]['outputcdf']; + $output_cdf = $bandwidthd_config['outputcdf']; if($output_cdf) - $output_cdf = "output_cdf true\n"; - $promiscuous = $config['installedpackages']['bandwidthd']['config'][0]['promiscuous']; + $output_cdf_string = "output_cdf true\n"; + else + $output_cdf_string = ""; + + $output_postgresql = $bandwidthd_config['outputpostgresql']; + $postgresql_host = $bandwidthd_config['postgresqlhost']; + $postgresql_database = $bandwidthd_config['postgresqldatabase']; + $postgresql_username = $bandwidthd_config['postgresqlusername']; + $postgresql_password = $bandwidthd_config['postgresqlpassword']; + $postgresql_string = ""; + if($output_postgresql) { + 
if ($postgresql_host && $postgresql_username && $postgresql_database && $postgresql_password) + $postgresql_string = "pgsql_connect_string \"user = $postgresql_username dbname = $postgresql_database password = $postgresql_password host = $postgresql_host\"\n"; + else + log_error("You have to specify the postgreSQL Host, Database, Username and Password. Exiting."); + } + + $sensor_id = $bandwidthd_config['sensorid']; + + if($sensor_id) + $sensor_id_string = "sensor_id \"$sensor_id\""; + else + $sensor_id_string = ""; + + $promiscuous = $bandwidthd_config['promiscuous']; if($promiscuous) $promiscuous = "promiscuous true\n"; else $promiscuous = "promiscuous false\n"; - $graph_cutoff = $config['installedpackages']['bandwidthd']['config'][0]['graphcutoff']; + $graph_cutoff = $bandwidthd_config['graphcutoff']; if($graph_cutoff) $graph_cutoff = "graph_cutoff $graph_cutoff\n"; - $skip_intervals = $config['installedpackages']['bandwidthd']['config'][0]['skipintervals']; + $skip_intervals = $bandwidthd_config['skipintervals']; if($skip_intervals) $skip_intervals = "skip_intervals $skip_intervals\n"; - if($config['installedpackages']['bandwidthd']['config'][0]['active_interface']){ - $ifdescrs = array($config['installedpackages']['bandwidthd']['config'][0]['active_interface']); + if($bandwidthd_config['active_interface']){ + $ifdescrs = array($bandwidthd_config['active_interface']); } else { log_error("You should specify an interface for bandwidthd to listen on. Exiting."); } - $subnets_custom = explode(';',str_replace(' ','',$config['installedpackages']['bandwidthd']['config'][0]['subnets_custom'])); + $subnets_custom = explode(';',str_replace(' ','',$bandwidthd_config['subnets_custom'])); /* initialize to "" */ $subnets = ""; 
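Review bot: The PostgreSQL branch logs "You have to specify the postgreSQL Host, Database, Username and Password. Exiting." but does not exit — execution continues and a bandwidthd.conf without any pgsql_connect_string is written, so the misleading message should either be reworded (e.g. "...PostgreSQL output disabled.") or followed by a real early exit, which here must also undo the conf_mount_rw()/config_lock() taken earlier in this function (the function's start is outside the hunk). Separately, `$postgresql_password` and the other fields are interpolated unescaped into the double-quoted `pgsql_connect_string "..."` value, so a password containing a double quote breaks the generated config; escape it or reject such values at save time. Note that the DB password also lands in clear text in bandwidthd.conf, so the mode of that file (written further down, outside this hunk) matters.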
@@ -143,7 +171,7 @@ function bandwidthd_install_config() { # This file was automatically generated by the pfSense # package management system. Changing this file # will lead to it being overwritten again when -# the package manage resyncs. +# the package manager resyncs. # #################################################### # Bandwidthd.conf @@ -178,11 +206,19 @@ $graph_cutoff $promiscuous #Log data to cdf file htdocs/log.cdf -$output_cdf +$output_cdf_string #Read back the cdf file on startup $recover_cdf +# Standard postgres connect string, just like php, see postgres docs for +# details +$postgresql_string + +# Arbitrary sensor name, I recommend the sensors fully qualified domain +# name +$sensor_id_string + #Libpcap format filter string used to control what bandwidthd sees #Please always include "ip" in the string to avoid strange problems $filter_text 
@@ -206,25 +242,123 @@ EOF; fwrite($fd, $config_file); fclose($fd); - /* write out rc.d start/stop file */ - write_rcfile(array( - "file" => "bandwidthd.sh", - "start" => "/usr/local/bandwidthd/bandwidthd {$bandwidthd_config_dir}/bandwidthd.conf", - "stop" => "/usr/bin/killall bandwidthd" - ) - ); + if ($g['platform'] == 'nanobsd') { + $bandwidthd_nano_dir = "/var/bandwidthd"; + $bandwidthd_htdocs_dir = $bandwidthd_nano_dir . "/htdocs"; + if (!is_dir($bandwidthd_nano_dir)) { + if (file_exists($bandwidthd_nano_dir)) { + unlink($bandwidthd_nano_dir); + } + mkdir($bandwidthd_nano_dir); + } + } else { + $bandwidthd_htdocs_dir = $bandwidthd_base_dir . "/htdocs"; + } - exec("rm /usr/local/www/bandwidthd"); - exec("/bin/ln -s " . PKG_BANDWIDTHD_BASE . "/htdocs /usr/local/www/bandwidthd"); + $rc = array(); + $rc['file'] = 'bandwidthd.sh'; + $rc['stop'] = <<<EOD +/usr/bin/killall bandwidthd +EOD; + + // If this is an old config before the enable checkbox was added, then enable by default + $bandwidthd_enable = (!isset($bandwidthd_config['enable']) || ($bandwidthd_config['enable'])); + if ($bandwidthd_enable) { + if ($g['platform'] == 'nanobsd') { + // On nanobsd, /var/bandwidthd is created. + // In that is a real /var/bandwidth/htdocs, where the graph data is written + // A soft link to the real bandwidth program is made - /var/bandwidthd/bandwidthd + // A soft link to the etc folder with the conf file is made - /var/bandwidthd/etc + // bandwidthd is started from /var/bandwidthd with the current dir /var/bandwidth + // This way, it: + // looks in ./etc for the conf file + // writes graph files in ./htdocs + // writes cdf log files (if selected in the config) to ./ + // All of this is on the /var filesystem, which is a read-write memory disk on nanobsd + $rc['start'] = <<<EOD +if [ ! -d "{$bandwidthd_nano_dir}" ] ; then + if [ -e "{$bandwidthd_nano_dir}" ] ; then + /bin/rm -f {$bandwidthd_nano_dir} + fi + /bin/mkdir -p {$bandwidthd_nano_dir} +fi +if [ ! 
-d "{$bandwidthd_htdocs_dir}" ] ; then + if [ -e "{$bandwidthd_htdocs_dir}" ] ; then + /bin/rm -f {$bandwidthd_htdocs_dir} + fi + /bin/mkdir -p {$bandwidthd_htdocs_dir} +fi +if [ ! -L "{$bandwidthd_nano_dir}/bandwidthd" ] ; then + if [ -e "{$bandwidthd_nano_dir}/bandwidthd" ] ; then + /bin/rm -Rf {$bandwidthd_nano_dir}/bandwidthd + fi + /bin/ln -s {$bandwidthd_base_dir}/bandwidthd {$bandwidthd_nano_dir}/bandwidthd +fi +if [ ! -L "{$bandwidthd_nano_dir}/etc" ] ; then + if [ -e "{$bandwidthd_nano_dir}/etc" ] ; then + /bin/rm -Rf {$bandwidthd_nano_dir}/etc + fi + /bin/ln -s {$bandwidthd_config_dir} {$bandwidthd_nano_dir}/etc +fi +if [ ! -f "{$bandwidthd_htdocs_dir}/legend.gif" ] ; then + /bin/cp {$bandwidthd_base_dir}/htdocs/legend.gif {$bandwidthd_htdocs_dir} +fi +if [ ! -f "{$bandwidthd_htdocs_dir}/logo.gif" ] ; then + /bin/cp {$bandwidthd_base_dir}/htdocs/logo.gif {$bandwidthd_htdocs_dir} +fi +cd {$bandwidthd_nano_dir} +{$bandwidthd_nano_dir}/bandwidthd +cd - +EOD; + } else { + $rc['start'] = <<<EOD +/usr/local/bandwidthd/bandwidthd +EOD; + } + } else { + // bandwidthd is disabled, so do not put any real start commands in the script. + // This effectively disables it but keeps all the files in place (e.g. saved logs) ready to reload when it is enabled. + $rc['start'] = "return"; + } + + /* write out rc.d start/stop file */ + write_rcfile($rc); - exec("echo \"Please start bandwidthd to populate this directory.\" > " . PKG_BANDWIDTHD_BASE . "/htdocs/index.html"); + if (!is_dir($bandwidthd_htdocs_dir)) { + if (file_exists($bandwidthd_htdocs_dir)) { + unlink($bandwidthd_htdocs_dir); + } + mkdir($bandwidthd_htdocs_dir); + } + $bandwidthd_www_link = $g["www_path"] . "/bandwidthd"; + if (!is_link($bandwidthd_www_link)) { + if (file_exists($bandwidthd_www_link)) { + // It is a file and not a link - clean it up. + unlink($bandwidthd_www_link); + } + symlink($bandwidthd_htdocs_dir, $bandwidthd_www_link); + } + $bandwidthd_index_file = $bandwidthd_htdocs_dir . 
"/index.html"; + if (!file_exists($bandwidthd_index_file)) { + exec("echo \"Please start bandwidthd to populate this directory.\" > " . $bandwidthd_index_file); + } + + if (($bandwidthd_enable) && ($output_cdf)) { + // Use cron job to rotate logs every day at 00:01 + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", true, "1", "0"); + } + else + { + // Remove the cron job, if it is there + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", false); + } conf_mount_ro(); config_unlock(); - stop_service("bandwidthd"); - start_service("bandwidthd"); - + if ($bandwidthd_enable) { + start_service("bandwidthd"); + } } -?>
\ No newline at end of file +?> diff --git a/config/bandwidthd/bandwidthd.xml b/config/bandwidthd/bandwidthd.xml index 258772a7..1603e385 100644 --- a/config/bandwidthd/bandwidthd.xml +++ b/config/bandwidthd/bandwidthd.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - authng.xml + bandwidthd.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong All rights reserved. @@ -41,12 +41,12 @@ */ /* ========================================================================== */ ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>bandwidthd</name> - <version>1.0</version> + <version>2.0.1_5 pkg v.0.1</version> <title>Bandwidthd</title> <aftersaveredirect>/pkg_edit.php?xml=bandwidthd.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/bandwidthd.inc</include_file> @@ -60,7 +60,7 @@ <name>bandwidthd</name> <rcfile>bandwidthd.sh</rcfile> <executable>bandwidthd</executable> - </service> + </service> <tabs> <tab> <text>BandwidthD</text> @@ -69,7 +69,7 @@ </tab> <tab> <text>Access BandwidthD</text> - <url>/bandwidthd</url> + <url>/bandwidthd" target="_blank</url> </tab> </tabs> <configpath>installedpackages->package->bandwidthd</configpath> @@ -80,6 +80,12 @@ </additional_files_needed> <fields> <field> + <fielddescr>Enable bandwidthd</fielddescr> + <fieldname>enable</fieldname> + <type>checkbox</type> + <description></description> + </field> + <field> <fielddescr>Interface</fielddescr> <fieldname>active_interface</fieldname> <description>The interface that bandwidthd will bind to.</description> 
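Review bot: The old `stop_service("bandwidthd");` was removed and nothing replaces it, so when the package is disabled an already-running daemon keeps running until reboot, and on a resync while enabled `start_service("bandwidthd")` is issued against a possibly still-running instance — unless the package framework stops the service before calling this function, which is not visible here. Restore `stop_service("bandwidthd");` just before `if ($bandwidthd_enable) {` so both branches start from a stopped state. The `$rc['start'] = "return";` placeholder presumably relies on write_rcfile() wrapping the start body in a shell function (outside this diff); a one-line comment saying so would help, since a bare `return` at script top level behaves differently.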
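Review bot: `<url>/bandwidthd" target="_blank</url>` smuggles an HTML attribute through the tab URL field; it only works because the tab renderer (not in this diff) emits the value unescaped, and it will silently produce a broken link the moment that renderer escapes attribute values. If opening in a new window is required, that belongs in the tab-rendering code as a proper option rather than in the URL string; otherwise revert to `<url>/bandwidthd</url>`.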
@@ -96,7 +102,7 @@ <field> <fielddescr>Skip intervals</fielddescr> <fieldname>skipintervals</fieldname> - <description>Number of intervals (2.5 minute) to skip between graphing. Default 0.</description> + <description>Number of intervals to skip between graphing. Default 0. Each interval is 200 seconds = 3 min 20 sec.</description> <type>input</type> </field> <field> 
@@ -108,22 +114,60 @@ <field> <fielddescr>Promiscuous</fielddescr> <fieldname>promiscuous</fieldname> - <description>Put interface in promiscuous mode to score to traffic that may not be routing through the host machine.</description> + <description>Put interface in promiscuous mode to see traffic that may not be routing through the host machine.<br> + Note: If the interface is connected to a switch then the interface will only see the traffic on its port.</description> <type>checkbox</type> </field> <field> <fielddescr>output_cdf</fielddescr> <fieldname>outputcdf</fieldname> - <description>Log data to cdf file htdocs/log.cdf</description> + <description>Log data to cdf files log*.cdf</description> <type>checkbox</type> </field> <field> <fielddescr>recover_cdf</fielddescr> <fieldname>recovercdf</fieldname> - <description>Read back the cdf file on startup</description> + <description>Read back the cdf files on startup</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>output PostgreSQL</fielddescr> + <fieldname>outputpostgresql</fieldname> + <description>Log data to a PostgreSQL database.<br> + Get the postgreSQL schema and PHP files to display the results from: <a target="_new" href="https://github.com/individual-it/bandwidthd-pSQL-frontend">https://github.com/individual-it/bandwidthd-pSQL-frontend</a></description> <type>checkbox</type> </field> <field> + <fielddescr>Database host</fielddescr> + <fieldname>postgresqlhost</fieldname> + <description>Hostname of the postgreSQL database server.</description> + <type>input</type> + </field> + <field> + <fielddescr>Database name</fielddescr> + <fieldname>postgresqldatabase</fieldname> + <description>Database on the postgreSQL database server.</description> + <type>input</type> + </field> + <field> + <fielddescr>Database Username</fielddescr> + <fieldname>postgresqlusername</fieldname> + <description>Username of the postgreSQL database server.</description> + <type>input</type> + </field> + <field> 
+ <fielddescr>Database Password</fielddescr> + <fieldname>postgresqlpassword</fieldname> + <description>Password of the postgreSQL database server.</description> + <type>password</type> + </field> + <field> + <fielddescr>sensor_id</fielddescr> + <fieldname>sensorid</fieldname> + <description>Arbitrary sensor name, I recommend the sensors fully qualified domain name.</description> + <type>input</type> + </field> + <field> <fielddescr>Filter</fielddescr> <fieldname>filter</fieldname> <description>Libpcap format filter string used to control what bandwidthd sees. Please always include "ip" in the string to avoid strange problems.</description> 
@@ -139,9 +183,24 @@ <field> <fielddescr>Meta Refresh</fielddescr> <fieldname>meta_refresh</fieldname> - <description>Set META REFRESH seconds (default 150, use 0 to disable).</description> + <description>Sets the interval (seconds) at which the browser graph display refreshes (default 150, use 0 to disable).</description> <type>input</type> </field> + <field> + <fielddescr>Graph and Log Info</fielddescr> + <fieldname>graph_log_info</fieldname> + <description>If draw graphs is on, then the daily report and graph html data is regenerated every (skip intervals + 1) * 200 seconds. The data volumes in the report are for the same period as the span of the graph.<br> + If output_cdf is on, then a cron job is added to rotate the log files at 00:01 each day. 6 log files are kept for each log frequency (daily, weekly, monthly, yearly). At the respective rotation intervals, the oldest log is deleted, the others are shuffled back and a new log is created.<br> + <table cellpadding=1 cellspacing=0 style="text-align: left;"> <tbody> + <tr><th> </th><th> Data Interval </th><th> Graph Span </th><th> Log Rotation </th><th> Log File Name </th></tr> + <tr><th> Daily </th><td> 200 seconds </td><td> 2 days </td><td> 1 day </td><td> log.1.[0-5].cdf </td></tr> + <tr><th> Weekly </th><td> 10 minutes </td><td> 7 days </td><td> 7 days </td><td> log.2.[0-5].cdf </td></tr> + <tr><th> Monthly </th><td> 1 hour </td><td> 35 days </td><td> 35 days </td><td> log.3.[0-5].cdf </td></tr> + <tr><th> Yearly </th><td> 12 hours </td><td> 412.5 days </td><td> 412.5 days </td><td> log.4.[0-5].cdf </td></tr> + </tbody> </table> + </description> + <type>info</type> + </field> </fields> <custom_php_resync_config_command> bandwidthd_install_config(); diff --git a/config/checkmk-agent/checkmk.inc b/config/checkmk-agent/checkmk.inc new file mode 100644 index 00000000..056a39eb --- /dev/null +++ b/config/checkmk-agent/checkmk.inc 
@@ -0,0 +1,302 @@ +<?php +/* ========================================================================== */ +/* + checkmk.inc + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + +define('ETC_SERVICES','/etc/services'); +define('ETC_INETD','/etc/inetd.conf'); +define('ETC_HOSTS_ALLOW','/etc/hosts.allow'); +define('ETC_RC_CONF','/etc/rc.conf.local'); + +function checkmk_install() { + // Download latest check_mk version from head repo + $checkmk_bin="/usr/local/bin/check_mk_agent"; + mwexec("fetch -o {$checkmk_bin} 'http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD'"); + chmod($checkmk_bin,0755); + sync_package_checkmk(); +} + +function checkmk_deinstall() { + // reserved +} + +function checkmk_start() { + global $g, $config; + + // reserved +} + +function checkmk_text_area_decode($text){ + return preg_replace('/\r\n/', "\n",base64_decode($text)); +} +function sync_package_checkmk() { + global $config, $g; + $update_conf=0; + + if (!is_array($config['installedpackages']['checkmk']['config'])) + return; + + $mk_config=$config['installedpackages']['checkmk']['config'][0]; + + $checkmk_bin="/usr/local/bin/check_mk_agent"; + if (!file_exists($checkmk_bin) && $mk_config['checkmkenable']=="on"){ + $error = "Check_mk-agent Binary file not found"; + log_error($error." You can manually download it using this cmd: fetch -o {$checkmk_bin} 'http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD'"); + file_notice("Check_mk-agent", $error, "checkmk save config", ""); + return; + } + //mount filesystem writeable + conf_mount_rw(); + + + // check services file + $mk_services= file(ETC_SERVICES); + $port=($mk_config['checkmkport'] ? 
$mk_config['checkmkport'] : "6556"); + foreach($mk_services as $mk_service){ + if (!preg_match("/check_mk/",$mk_service)) + $mk_service_file.=chop($mk_service)."\n"; + } + if ($mk_config['checkmkenable']=="on") + $mk_service_file.="check_mk {$port}/tcp #check_mk agent\n"; + file_put_contents(ETC_SERVICES,$mk_service_file,LOCK_EX); + + // check inetd file + $mk_inetds= file(ETC_INETD); + foreach($mk_inetds as $mk_inetd){ + if (!preg_match("/check_mk/",$mk_inetd)) + $mk_inetd_file.=chop($mk_inetd)."\n"; + } + if ($mk_config['checkmkenable']=="on") + $mk_inetd_file.="check_mk stream tcp nowait root /usr/local/bin/check_mk_agent check_mk\n"; + file_put_contents(ETC_INETD,$mk_inetd_file,LOCK_EX); + + // check hosts.allow + $mk_hosts= file(ETC_HOSTS_ALLOW); + $inet_daemons_count=0; + foreach($mk_hosts as $mk_host){ + if (!preg_match("/check_mk/",$mk_host)) + $mk_hosts_file.=chop($mk_host)."\n"; + if (preg_match("/^\w+/")) + $inet_daemons_count++; + } + if ($mk_config['checkmkenable']=="on") + foreach (explode(',',$mk_config['checkmkhosts']) as $check_mk_host){ + $mk_hosts_file.="check_mk : {$check_mk_host} : allow\n"; + $inet_daemons_count++; + } + file_put_contents(ETC_HOSTS_ALLOW,$mk_hosts_file,LOCK_EX); + + //check inetd daemon rc_conf option + $mk_rc_confs= file(ETC_RC_CONF); + foreach($mk_rc_confs as $mk_rc_conf){ + if (!preg_match("/inetd_/",$mk_rc_conf)) + $mk_rc_conf_file.=chop($mk_rc_conf)."\n"; + } + if ($mk_config['checkmkenable']=="on"){ + $mk_rc_conf_file.='inetd_enable="YES"'."\n"; + $mk_rc_conf_file.='inetd_flags="-wW"'."\n"; + } + + file_put_contents(ETC_RC_CONF,$mk_rc_conf_file,LOCK_EX); + if ($inet_daemons_count > 0) + mwexec("/etc/rc.d/inetd restart"); + else + mwexec("/etc/rc.d/inetd stop"); + + //Write config if any file from filesystem was loaded + if ($update_conf > 0) + write_config(); + + // mount filesystem readonly + conf_mount_ro(); + + checkmk_sync_on_changes(); +} + +function checkmk_validate_input($post, &$input_errors) { + foreach ($post 
as $key => $value) { + if (empty($value)) + continue; + if (substr($key, 0, 3) == "port" && !preg_match("/^\d+$/", $value)) + $input_errors[] = "{$value} is no a valid port number"; + if (substr($key, 0, 11) == "description" && !preg_match("@^[a-zA-Z0-9 _/.-]+$@", $value)) + $input_errors[] = "Do not use special characters on description"; + if (substr($key, 0, 8) == "fullfile" && !preg_match("@^[a-zA-Z0-9_/.-]+$@", $value)) + $input_errors[] = "Do not use special characters on filename"; + + } +} +############################################## +/* Uses XMLRPC to synchronize the changes to a remote node */ +function checkmk_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['checkmksync']['config'])){ + $checkmk_sync=$config['installedpackages']['checkmksync']['config'][0]; + $synconchanges = $checkmk_sync['synconchanges']; + $synctimeout = $checkmk_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($checkmk_sync[row])){ + $rs=$checkmksync[row]; + } + else{ + log_error("[Check_mk-agent] xmlrpc sync is enabled but there is no hosts to push on squid config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + } + else{ + log_error("[Check_mk-agent] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[Check_mk-agent] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + 
checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[Check_mk-agent] xmlrpc sync is ending."); + } + } +} +############################################## +/* Do the actual XMLRPC sync */ +function checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['checkmk'] = $config['installedpackages']['checkmk']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("[Check_mk-agent] Beginning checkmk XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "[Check_mk-agent] A communications error occurred while attempting checkmk XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "checkmk Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "[Check_mk-agent] An 
error code was received while attempting checkmk XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "checkmk Settings Sync", ""); + } else { + log_error("[Check_mk-agent] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell checkmk to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/checkmk.inc');\n"; + $execcmd .= "sync_package_checkmk();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[Check_mk-agent] XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "[Check_mk-agent] A communications error occurred while attempting checkmk XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "checkmk Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "[Check_mk-agent] An error code was received while attempting checkmk XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "checkmk Settings Sync", ""); + } else { + log_error("[Check_mk-agent] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} + +?> diff --git a/config/checkmk-agent/checkmk.xml b/config/checkmk-agent/checkmk.xml new file mode 100644 index 00000000..6f458a1d --- /dev/null +++ b/config/checkmk-agent/checkmk.xml 
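Review bot: checkmk_install() fetches check_mk_agent over plain http from a moving `hb=HEAD` ref, marks it 0755 without any checksum or signature check, and sync_package_checkmk() then registers that path in inetd.conf as `nowait root`, so whatever was served on the wire runs as root on the firewall. Pin the download to a fixed commit or release and compare a recorded digest before the chmod, e.g. `if (hash_file('sha256', $checkmk_bin) !== '<expected-sha256 placeholder>') { unlink($checkmk_bin); log_error("check_mk_agent digest mismatch"); return; }`. In the hosts.allow loop `if (preg_match("/^\w+/"))` has no subject argument, so $inet_daemons_count never counts pre-existing inetd entries and the else branch stops inetd for every other service whenever check_mk is disabled; it should read `if (preg_match("/^\w+/", $mk_host))`. checkmk_validate_input() only inspects keys prefixed `port`, `description` and `fullfile`, but this form posts `checkmkport` and `checkmkhosts`, so neither the value written into /etc/services nor the list written into hosts.allow is validated at all. In checkmk_sync_on_changes() the manual branch assigns `$rs=$checkmksync[row];` (undefined variable, unquoted constant) instead of `$rs = $checkmk_sync['row'];`, so manual sync silently never runs.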
@@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + checkmk.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Marcello Coutinho + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>checkmk</name> + <version>0.5</version> + <title>Check_mk Agent</title> + <include_file>/usr/local/pkg/checkmk.inc</include_file> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/checkmk-agent/checkmk.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/checkmk-agent/checkmk_sync.xml</item> + </additional_files_needed> + <menu> + <name>Check_mk Agent</name> + <tooltiptext>checkmk</tooltiptext> + <section>Diagnostics</section> + <url>/pkg_edit.php?xml=checkmk.xml</url> + </menu> + <tabs> + <tab> + <text>Config</text> + <url>/pkg_edit.php?xml=checkmk.xml</url> + <active/> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=checkmk_sync.xml</url> + </tab> + </tabs> + + <fields> + <field> + <type>listtopic</type> + <fieldname>temp</fieldname> + <name>Check_mk agent configuration</name> + </field> + <field> + <fielddescr>Enable check_mk Agent</fielddescr> + <fieldname>checkmkenable</fieldname> + <type>checkbox</type> + <size>60</size> + <description><![CDATA[Enable check_mk Agent on this server. 
This will check all config options to run check_mk binary on your system.<br> + <strong>Reference:</strong><br>https://github.com/sileht/check_mk/tree/master/doc<br><br> + <strong>Latest check_mk version:</strong> fetch -o /usr/local/bin/check_mk_agent 'http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD']]></description> + <required/> + </field> + <field> + <fielddescr>Listen Port</fielddescr> + <fieldname>checkmkport</fieldname> + <type>input</type> + <size>10</size> + <description>Enter port to listen on. Leave empty to use Default prot 6556</description> + <required/> + </field> + <field> + <fielddescr>Hosts.allow</fielddescr> + <fieldname>checkmkhosts</fieldname> + <description>Enter hosts(comma separeted) that can communicate with this agent.</description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_install_command> + checkmk_install(); + </custom_php_install_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + checkmk_validate_input($_POST, &$input_errors); + </custom_php_validation_command> + <custom_delete_php_command> + sync_package_checkmk(); + </custom_delete_php_command> + <custom_php_resync_config_command> + sync_package_checkmk(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/checkmk-agent/checkmk_sync.xml b/config/checkmk-agent/checkmk_sync.xml new file mode 100644 index 00000000..6603991d --- /dev/null +++ b/config/checkmk-agent/checkmk_sync.xml 
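Review bot: `checkmk_validate_input($_POST, &$input_errors);` in custom_php_validation_command uses call-time pass-by-reference, which PHP 5.4 and later reject with a fatal error; the function already declares its second parameter by reference, so the call should be `checkmk_validate_input($_POST, $input_errors);`. The two Listen Port / Hosts.allow fields are the only inputs this form exposes, and the validator in checkmk.inc does not match their key names, so a note in the description that the host list is written verbatim into hosts.allow would at least set expectations until validation is added. The description and requirements elements still carry the template placeholders ("Describe your package here"), and the field text has "Default prot 6556" and "comma separeted".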
@@ -0,0 +1,129 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + checkmk_sync.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>checkmksync</name> + <version>1.1</version> + <title>Check_mk Agent: Sync</title> + <include_file>/usr/local/pkg/checkmk.inc</include_file> + <tabs> + <tab> + <text>Config</text> + <url>/pkg_edit.php?xml=checkmk.xml</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=checkmk_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <type>listtopic</type> + <fieldname>temp</fieldname> + <name>Enable checkmk configuration sync</name> + </field> + <field> + <fielddescr>Sync Option</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync check_mk configuration changes.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> + </field> + <field> + <fielddescr>Remote Servers</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + 
<rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + <required/> + </rowhelperfield> + <rowhelperfield> + <fielddescr>User Name</fielddescr> + <fieldname>username</fieldname> + <description>user name of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + <required/> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_resync_config_command> + checkmk_sync_on_changes(); + </custom_php_resync_config_command> + <custom_php_command_before_form> + unset($_POST['temp']); + </custom_php_command_before_form> +</packagegui>
\ No newline at end of file diff --git a/config/cron/cron.inc b/config/cron/cron.inc index e5df104a..88388b3c 100644 --- a/config/cron/cron.inc +++ b/config/cron/cron.inc @@ -82,7 +82,7 @@ function cron_install_command() write_rcfile(array( "file" => "cron.sh", "start" => "/usr/sbin/cron -s &", - "stop" => "kill -9 `cat /var/run/cron.pid`" + "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid;" ) ); diff --git a/config/cron/cron.tmp b/config/cron/cron.tmp index 1834ba62..b9666e01 100644 --- a/config/cron/cron.tmp +++ b/config/cron/cron.tmp @@ -44,29 +44,29 @@ if ($_GET['act'] == "del") { } } +$pgtitle = array(gettext("Cron"),gettext("Settings")); include("head.inc"); ?> - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<p class="pgtitle">Cron: Settings</p> <div id="mainlevel"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="tabs"> <tr><td class="tabnavtbl"> <?php $tab_array = array(); $tab_array[] = array(gettext("Settings"), true, "/packages/cron/cron.php"); + $tab_array[] = array(gettext("Edit"), false, "/packages/cron/cron_edit.php"); display_top_tabs($tab_array); ?> </td></tr> </table> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="content"> <tr> <td class="tabcont" > @@ -85,7 +85,7 @@ if ($config_change == 1) { //endif; ?> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="title"> <tr> <td><p><!--<span class="vexpl"><span class="red"><strong>Cron<br></strong></span>--> Cron controls the scheduling of commands. 
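Review bot: The new stop command still sends SIGKILL (`kill -9`) as its first and only signal, which denies cron any chance to exit cleanly and leaves the pid-file cleanup to the trailing `rm -f`; plain `kill` (SIGTERM) with -9 only as a fallback is the usual shape for an rc stop action. The pid file's contents are also passed to kill without checking that they are numeric, so a corrupted or empty file turns into a malformed kill invocation rather than a no-op; a guard such as `pid=$(cat /var/run/cron.pid); [ -n "$pid" ] && kill $pid` would be more robust. The cron.tmp hunks that share this line are markup-only and need no change.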
@@ -96,7 +96,7 @@ if ($config_change == 1) { </table> <br /> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="0" cellspacing="0" summary="heading"> <tr> <td width="5%" class="listhdrr">minute</td> <td width="5%" class="listhdrr">hour</td> @@ -107,10 +107,10 @@ if ($config_change == 1) { <td width="60%" class="listhdr">command</td> <td width="10%" class="list"> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="1" summary="icons"> <tr> <td width="17"></td> - <td valign="middle"><a href="cron_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="cron_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="edit" /></a></td> </tr> </table> 
@@ -149,11 +149,11 @@ if ($config_change == 1) { <td class="listr" ondblclick="document.location='cron_edit.php?id=<?=$i;?>';"> <?=$ent['command'];?> </td> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> + <td valign="middle" style="white-space:nowrap" class="list"> + <table border="0" cellspacing="0" cellpadding="1" summary="edit delete"> <tr> - <td valign="middle"><a href="cron_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> - <td><a href="cron_edit.php?type=php&act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="cron_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" alt="edit" /></a></td> + <td><a href="cron_edit.php?type=php&act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="delete" /></a></td> </tr> </table> </td> @@ -168,10 +168,10 @@ if ($config_change == 1) { <tr> <td class="list" colspan="7"></td> <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="1" summary="add"> <tr> <td width="17"></td> - <td valign="middle"><a href="cron_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="cron_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="add" /></a></td> </tr> </table> </td> 
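Review bot: The delete link `cron_edit.php?type=php&act=del&id=<?=$i;?>` keeps bare `&` separators while this commit is otherwise converting the page to well-formed XHTML; they should be `&amp;act=del&amp;id=`. More importantly the deletion is a state-changing GET whose only guard is the client-side confirm(), so it sits outside whatever POST-based CSRF protection the surrounding pages have; a small POST form carrying the id, or at minimum an `act=del` handler that requires POST, would be the safer shape. Whether the handler at the top of cron.tmp applies any such check is outside this hunk.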
@@ -187,14 +187,14 @@ if ($config_change == 1) { </form> -<br> -<br> -<br> -<br> -<br> -<br> -<br> -<br> +<br /> +<br /> +<br /> +<br /> +<br /> +<br /> +<br /> +<br /> </td> </tr> diff --git a/config/cron/cron.xml b/config/cron/cron.xml index 710af132..4110090f 100644 --- a/config/cron/cron.xml +++ b/config/cron/cron.xml @@ -41,7 +41,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Cron Settings</name> - <version>0.2</version> + <version>0.2.2</version> <title>Settings</title> <include_file>/usr/local/pkg/cron.inc</include_file> <menu> @@ -118,4 +118,4 @@ <custom_php_deinstall_command> cron_deinstall_command(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/cron/cron_edit.tmp b/config/cron/cron_edit.tmp index 71367d24..12fde39d 100644 --- a/config/cron/cron_edit.tmp +++ b/config/cron/cron_edit.tmp @@ -96,44 +96,48 @@ if ($_POST) { } } +$pgtitle = array(gettext("Cron"),gettext("Edit")); include("head.inc"); ?> -<script type="text/javascript" language="JavaScript"> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script type="text/javascript"> +//<![CDATA[ function show_advanced_config() { document.getElementById("showadvancedbox").innerHTML=''; aodiv = document.getElementById('showadvanced'); aodiv.style.display = "block"; +//]]> </script> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<p class="pgtitle">Cron: Edit</p> + <?php if ($input_errors) print_input_errors($input_errors); ?> <div id="mainlevel"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="mainlevel"> <tr><td class="tabnavtbl"> <?php $tab_array = array(); $tab_array[] = array(gettext("Settings"), false, "/packages/cron/cron.php"); + $tab_array[] = array(gettext("Edit"), true, "/packages/cron/cron_edit.php"); display_top_tabs($tab_array); ?> </td></tr> </table> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="mainarea"> <tr> <td class="tabcont" > <!-- - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="title"> <tr> - <td><p><span class="vexpl"><span class="red"><strong>Cron<br> + <td><p><span class="vexpl"><span class="red"><strong>Cron<br /> </strong></span> </p></td> </tr> 
@@ -142,7 +146,7 @@ function show_advanced_config() { <br /> <form action="cron_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="form"> 
@@ -150,49 +154,50 @@ function show_advanced_config() { <tr> <td width="25%" valign="top" class="vncellreq">minute</td> <td width="75%" class="vtable"> - <input name="minute" type="text" class="formfld" id="minute" size="40" value="<?=htmlspecialchars($pconfig['minute']);?>"> + <input name="minute" type="text" class="formfld" id="minute" size="40" value="<?=htmlspecialchars($pconfig['minute']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">hour</td> <td width="75%" class="vtable"> - <input name="hour" type="text" class="formfld" id="hour" size="40" value="<?=htmlspecialchars($pconfig['hour']);?>"> + <input name="hour" type="text" class="formfld" id="hour" size="40" value="<?=htmlspecialchars($pconfig['hour']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">mday</td> <td width="75%" class="vtable"> - <input name="mday" type="text" class="formfld" id="mday" size="40" value="<?=htmlspecialchars($pconfig['mday']);?>"> + <input name="mday" type="text" class="formfld" id="mday" size="40" value="<?=htmlspecialchars($pconfig['mday']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">month</td> <td width="75%" class="vtable"> - <input name="month" type="text" class="formfld" id="month" size="40" value="<?=htmlspecialchars($pconfig['month']);?>"> + <input name="month" type="text" class="formfld" id="month" size="40" value="<?=htmlspecialchars($pconfig['month']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">wday</td> <td width="75%" class="vtable"> - <input name="wday" type="text" class="formfld" id="wday" size="40" value="<?=htmlspecialchars($pconfig['wday']);?>"> + <input name="wday" type="text" class="formfld" id="wday" size="40" value="<?=htmlspecialchars($pconfig['wday']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">who</td> <td width="75%" class="vtable"> - <input name="who" type="text" class="formfld" id="who" size="40" 
value="<?=htmlspecialchars($pconfig['who']);?>"> + <input name="who" type="text" class="formfld" id="who" size="40" value="<?=htmlspecialchars($pconfig['who']);?>" /> </td> </tr> <tr> <td width="25%" valign="top" class="vncellreq">command</td> <td width="75%" class="vtable"> - <input name="command" type="text" class="formfld" id="command" size="40" value="<?=htmlspecialchars($pconfig['command']);?>"> + <!-- <input name="command" type="text" class="formfld" id="command" size="40" value="<?=htmlspecialchars($pconfig['command']);?>" /> --> + <textarea rows="3" cols="68" name="command" id="command"><?=htmlspecialchars($pconfig['command']);?></textarea> </td> </tr> <!-- @@ -224,16 +229,16 @@ function show_advanced_config() { echo " <option></option>\n"; switch (htmlspecialchars($pconfig['enabled'])) { case "true": - echo " <option value='true' selected='yes'>true</option>\n"; + echo " <option value='true' selected='selected'>true</option>\n"; echo " <option value='false'>false</option>\n"; break; case "false": echo " <option value='true'>true</option>\n"; - echo " <option value='false' selected='yes'>false</option>\n"; + echo " <option value='false' selected='selected'>false</option>\n"; break; default: - echo " <option value='true' selected='yes'>true</option>\n"; + echo " <option value='true' selected='selected'>true</option>\n"; echo " <option value='false'>false</option>\n"; } echo " </select>\n"; 
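Review bot: Switching the `command` field from a single-line input to a `<textarea>` lets the submitted value contain CR/LF, and a crontab line that receives an embedded newline becomes two entries, the second of which was never shown to the user as a scheduled job. The POST handler earlier in cron_edit.tmp is outside this hunk, so I cannot see whether it normalises the value; if it does not, reject or collapse line breaks before saving, e.g. `if (preg_match('/[\r\n]/', $_POST['command'])) $input_errors[] = gettext("The command must be a single line.");`. The commented-out `<input>` left next to the textarea should be deleted rather than kept as dead markup.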
@@ -245,8 +250,8 @@ function show_advanced_config() { <tr> <td width="25%" valign="top" class="vncellreq">Description</td> <td width="75%" class="vtable"> - <input name="description" type="text" class="formfld" id="description" size="40" value="<?=htmlspecialchars($pconfig['description']);?>"> - <br><span class="vexpl">Enter the description here.<br></span> + <input name="description" type="text" class="formfld" id="description" size="40" value="<?=htmlspecialchars($pconfig['description']);?>" /> + <br /><span class="vexpl">Enter the description here.<br /></span> </td> </tr> --> @@ -254,21 +259,21 @@ function show_advanced_config() { <tr> <td valign="top"> </td> <td> - <input name="Submit" type="submit" class="formbtn" value="Save"> <input class="formbtn" type="button" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save" /> <input class="formbtn" type="button" value="Cancel" onclick="history.back()" /> <?php if (isset($id) && $a_cron[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> + <input name="id" type="hidden" value="<?=$id;?>" /> <?php endif; ?> </td> </tr> </table> </form> - <br> - <br> - <br> - <br> - <br> - <br> + <br /> + <br /> + <br /> + <br /> + <br /> + <br /> </td> </tr> diff --git a/config/dansguardian/blockedflash.swf b/config/dansguardian/blockedflash.swf Binary files differdeleted file mode 100644 index ef53ee44..00000000 --- a/config/dansguardian/blockedflash.swf +++ /dev/null diff --git a/config/dansguardian/dansguardian.conf.template b/config/dansguardian/dansguardian.conf.template index ab30527a..ed514eca 100755 --- a/config/dansguardian/dansguardian.conf.template +++ b/config/dansguardian/dansguardian.conf.template @@ -30,7 +30,7 @@ #create dansguardian.conf $dg=<<<EOF -# DansGuardian config file for version 2.12.0.0 +# DansGuardian config file for version 2.12.0.2 # **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf 
@@ -52,7 +52,7 @@ reportinglevel = {$reportlevel} # and easier to customise the access denied page. # The language file is used no matter what setting however. # -languagedir = '/usr/local/share/dansguardian/languages' +languagedir = '{$dg_dir}/share/dansguardian/languages' # language to use from languagedir. language = '{$reportlanguage}' @@ -131,6 +131,8 @@ proxyip = {$proxyip} # the port DansGuardian connects to proxy on proxyport = {$proxyport} +proxytimeout = {$proxytimeout} + # Whether to retrieve the original destination IP in transparent proxy # setups and check it against the domain pulled from the HTTP headers. # @@ -178,7 +180,7 @@ nonstandarddelimiter = {$nonstandarddelimiter} # icons from banned domains. # on (default) | off usecustombannedimage = {$usecustombannedimage} -custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif' +custombannedimagefile = '{$dg_dir}/share/dansguardian/transparent1x1.gif' #Banned flash replacement 
@@ -194,18 +196,18 @@ usecustombannedflash = {$usecustombannedflash} # to a group. The more filter groups the more copies of the lists will be in RAM so # use as few as possible. filtergroups = {$filtergroups} -filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist' +filtergroupslist = '{$dansguardian_dir}/lists/filtergroupslist' # Authentication files location -bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist' -exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist' +bannediplist = '{$dansguardian_dir}/lists/bannediplist' +exceptioniplist = '{$dansguardian_dir}/lists/exceptioniplist' # Per-Room blocking definition directory # A directory containing text files containing the room's name followed by IPs or ranges # Think of it as bannediplist on crack -perroomblockingdirectory = '/usr/local/etc/dansguardian/lists/bannedrooms/' +perroomblockingdirectory = '{$dansguardian_dir}/lists/bannedrooms/' # Show weighted phrases found # If enabled then the phrases found that made up the total which excedes @@ -475,9 +477,9 @@ trickledelay = {$trickledelay} # one is forced to match as the default, regardless of user agent # and other matching mechanisms. # -downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf' -##!! Not compiled !! downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/trickle.conf' -downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf' +downloadmanager = '{$dansguardian_dir}/downloadmanagers/fancy.conf' +##!! Not compiled !! downloadmanager = '{$dansguardian_dir}/downloadmanagers/trickle.conf' +downloadmanager = '{$dansguardian_dir}/downloadmanagers/default.conf' 
@@ -523,11 +525,11 @@ contentscanexceptions = {$contentscanexceptions} # # If you do not use multiple filter groups, you need not specify this option. # -#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf' -#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf' -#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf' -#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf' -#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf' +#authplugin = '{$dansguardian_dir}/authplugins/proxy-basic.conf' +#authplugin = '{$dansguardian_dir}/authplugins/proxy-digest.conf' +#authplugin = '{$dansguardian_dir}/authplugins/proxy-ntlm.conf' +#authplugin = '{$dansguardian_dir}/authplugins/ident.conf' +#authplugin = '{$dansguardian_dir}/authplugins/ip.conf' {$authplugin} diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index c897f944..39282409 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -2,13 +2,13 @@ /* dansguardian.inc part of the Dansguardian package for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -90,7 +90,7 @@ function check_ca_hashes(){ } } -function sync_package_dansguardian($via_rpc=false) { +function sync_package_dansguardian($via_rpc="no",$install_process=false) { global $config,$g; # detect boot process 
@@ -101,8 +101,13 @@ function sync_package_dansguardian($via_rpc=false) { $boot_process="on"; } - if (is_process_running('dansguardian') && isset($boot_process) && $via_rpc==false) + if (is_process_running('dansguardian') && isset($boot_process) && $via_rpc=="no"){ + log_error("[Dansguardian] - Detected boot process pr:".is_process_running('dansguardian')." bp:".isset($boot_process)." rpc:".$via_rpc); return; + } + else{ + log_error("[Dansguardian] - Save settings package call pr:".is_process_running('dansguardian')." bp:".isset($boot_process)." rpc:".$via_rpc); + } #assign xml arrays if (!is_array($config['installedpackages']['dansguardian'])) @@ -136,7 +141,7 @@ function sync_package_dansguardian($via_rpc=false) { #daemon options $dansguardian_enabled=$dansguardian['enable_dg']; $filterport=($dansguardian['filterports']?$dansguardian['filterports']:"8080"); - $softrestart=(preg_match('/softrestart/',$dansguardian['daemon_options'])?"yes":"no"); + $softrestart=(preg_match('/softrestart/',$dansguardian['daemon_options'])?"on":"off"); $nodaemon=(preg_match('/nodaemon/',$dansguardian['daemon_options'])?"yes":"off"); if (preg_match("/(\d+)\/(\d+)/",$dansguardian['children'],$matches)){ $minchildren=$matches[1]; @@ -159,6 +164,7 @@ function sync_package_dansguardian($via_rpc=false) { $preforkchildren=($dansguardian['preforkchildren']?$dansguardian['preforkchildren']:"10"); $proxyip=($dansguardian['proxyip']?$dansguardian['proxyip']:"127.0.0.1"); $proxyport=($dansguardian['proxyport']?$dansguardian['proxyport']:"127.0.0.1"); + $proxytimeout=($dansguardian['proxytimeout']?$dansguardian['proxytimeout']:"30"); #general options $urlcachenumber=($dansguardian_config['urlcachenumber']?$dansguardian_config['urlcachenumber']:"1000"); 
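Review bot: The boot-process guard `$via_rpc=="no"` added here (and the matching `$via_rpc=="yes"` test later in the same function) relies on loose comparison against the string flag introduced by the signature change in the previous hunk; a caller that still passes a boolean, which is what a not-yet-updated peer's `sync_package_dansguardian(true)` exec_php payload would do, evaluates `true == "no"` as true and is therefore handled as a local, non-RPC call. Comparing with `$via_rpc !== "yes"` here and `=== "yes"` at the sync check makes the flag behave the same for either kind of caller. The two new `log_error` calls also concatenate the raw results of `is_process_running()` and `isset()`, so the log reads `pr:1 bp: rpc:no`; wrapping each as `(... ? "yes" : "no")` makes the diagnostic readable. `sync_package_dansguardian` continues outside the hunk.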
@@ -184,13 +190,14 @@ function sync_package_dansguardian($via_rpc=false) { $recheckreplacedurls=(preg_match('/icapscan/',$dansguardian_config['misc_options'])?"on":"off"); $usexforwardedfor=(preg_match('/usexforwardedfor/',$dansguardian_config['misc_options'])?"on":"off"); $authplugin=(preg_match('/usr/',$dansguardian_config['auth_plugin'])?"authplugin = '".$dansguardian_config['auth_plugin']."'":""); - /*if ($dansguardian_config['auth_plugin']!=""){ + if ($dansguardian_config['auth_plugin']!=""){ $auth_plugins=explode(",",$dansguardian_config['auth_plugin']); $authplugin=""; foreach ($auth_plugins as $auth_selected) - $authplugin.="authplugin = '".$auth_selected."'\n"; + if ($auth_selected != "none") + $authplugin.="authplugin = '".preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$auth_selected)."'\n"; } - */ + #limits $maxuploadsize=($dansguardian_limits['maxuploadsize']?$dansguardian_limits['maxuploadsize']:"-1"); $maxcontentfiltersize=($dansguardian_limits['maxcontentfiltersize']?$dansguardian_limits['maxcontentfiltersize']:"256"); 
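Review bot: The new `foreach` body is a brace-less `if` wrapping a brace-less assignment, so the block now nests three statements with no braces at all; writing it as `foreach ($auth_plugins as $auth_selected) { if ($auth_selected != "none") { $authplugin .= ...; } }` avoids the dangling-statement bug the next added line would cause. With this block active, the `$authplugin=(preg_match('/usr/' ...` assignment on the context line above is overwritten whenever `auth_plugin` is non-empty and appears to yield `""` in the remaining case, so it can be reduced to `$authplugin="";`. The function continues outside the hunk.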
@@ -214,8 +221,8 @@ function sync_package_dansguardian($via_rpc=false) { $reportlanguage=($dansguardian_log['report_language']?$dansguardian_log['report_language']:"ukenglish"); $showweightedfound=(preg_match('/showweightedfound/',$dansguardian_log['report_options'])?"on":"off"); $usecustombannedflash=(preg_match('/usecustombannedflash/',$dansguardian_log['report_options'])?"on":"off"); - if (file_exists('/usr/local/share/dansguardian/blockedflash.swf')) - $custombannedflashfile="custombannedflashfile = '/usr/local/share/dansguardian/blockedflash.swf'"; + if (file_exists(DANSGUARDIAN_DIR.'/share/dansguardian/blockedflash.swf')) + $custombannedflashfile="custombannedflashfile = '".DANSGUARDIAN_DIR."/share/dansguardian/blockedflash.swf'"; $usecustombannedimage=(preg_match('/usecustombannedimage/',$dansguardian_log['report_options'])?"on":"off"); $nonstandarddelimiter=(preg_match('/nonstandarddelimiter/',$dansguardian_log['report_options'])?"on":"off"); 
@@ -299,14 +306,14 @@ function sync_package_dansguardian($via_rpc=false) { exec("/usr/bin/openssl x509 -hash -noout -in /etc/ssl/demoCA/cacert.pem",$cert_hash); file_put_contents("/usr/local/share/certs/".$cert_hash[0].".0",base64_decode($ca_cert['crt'])); $ca_pem = "cacertificatepath = '/etc/ssl/demoCA/cacert.pem'"; - $generatedcertpath= "generatedcertpath = '/etc/ssl/demoCA/certs/'"; + $generatedcertpath= "generatedcertpath = '".$dansguardian_dir."/ssl/generatedcerts'"; #generatedcertpath = ".$dansguardian_dir . "/ssl/generatedcerts"; $generatedlinkpath= "generatedlinkpath = '".$dansguardian_dir . "/ssl/generatedlinks'"; } $svr_cert = lookup_cert($dansguardian_config["dcert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv'])); + file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']).base64_decode($svr_cert['crt'])); $cert_key = "certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem' "; } } @@ -317,7 +324,7 @@ function sync_package_dansguardian($via_rpc=false) { $match[1]="/(\/usr.local)/"; $match[2]="/,/"; $replace[0]="$1'"; - $replace[1]="contentscanner = '$1"; + $replace[1]="contentscanner = '".DANSGUARDIAN_DIR; $replace[2]="\n"; $contentscanners=preg_replace($match,$replace,$dansguardian_config['content_scanners']); @@ -327,7 +334,7 @@ function sync_package_dansguardian($via_rpc=false) { $match[1]="/\/usr.local/"; $match[2]="/,/"; $replace[0]="$1>\n"; - $replace[1]="\n.Include</usr/local"; + $replace[1]="\n.Include<".DANSGUARDIAN_DIR; $replace[2]=">"; #phrase ACL 
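Review bot: The rewritten `file_put_contents` for `/etc/ssl/demoCA/private/serverkey.pem` in the first hunk writes the server private key with whatever mode the process umask yields and nothing in the hunk restricts it afterwards; add `chmod("/etc/ssl/demoCA/private/serverkey.pem", 0600);` directly after the write. The new line also appends the decoded certificate to the decoded key with no separator, so if the stored PEM key does not end in a newline the `-----END`/`-----BEGIN` markers run together and the combined file will not parse; use `base64_decode($svr_cert['prv'])."\n".base64_decode($svr_cert['crt'])`. `sync_package_dansguardian` continues outside the hunk.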
@@ -716,10 +723,11 @@ function sync_package_dansguardian($via_rpc=false) { 'urlacl'=> "Default", 'group_options' => "scancleancache,infectionbypasserrorsonly", 'reportinglevel'=>'3', + 'group_name_source'=>'name', 'mode'=> "1", 'report_level'=>"global"); - $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcertcheck","sslmitm"); + $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcheckcert","sslmitm"); #loop on array $count=1; $user_xml=""; @@ -735,7 +743,7 @@ function sync_package_dansguardian($via_rpc=false) { $dansguardian_groups['embeddedurlweight']=($dansguardian_groups['embeddedurlweight']?$dansguardian_groups['embeddedurlweight']:"0"); $dansguardian_groups['bypass']=($dansguardian_groups['bypass']?$dansguardian_groups['bypass']:"0"); $dansguardian_groups['infectionbypass']=($dansguardian_groups['infectionbypass']?$dansguardian_groups['infectionbypass']:"0"); - $dansguardian_groups['mitmkey']=($dansguardian_groups['mitmkey']?$dansguardian_groups['mitmkey']:"dgs3dD3da"); + $dansguardian_groups['maxuploadsize']=(is_numeric($dansguardian_groups['maxuploadsize'])?$dansguardian_groups['maxuploadsize']:$maxuploadsize); switch ($dansguardian_groups['reportinglevel']){ case "1": case "2": @@ -759,8 +767,11 @@ function sync_package_dansguardian($via_rpc=false) { $groupaccessdeniedaddress=""; } - foreach ($groups as $group) + foreach ($groups as $group){ $dansguardian_groups[$group]=(preg_match("/$group/",$dansguardian_groups['group_options'])?"on":"off"); + } + + #create group list files $lists=array("phraseacl" => array("bannedphrase","weightedphrase","exceptionphrase"), "siteacl" => array("bannedsite","greysite","exceptionsite","exceptionfilesite","logsite"), 
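Review bot: Renaming the `sslcertcheck` entry of `$groups` to `sslcheckcert` changes the token that the later `preg_match("/$group/", ...['group_options'])` loop searches for, so any group whose saved `group_options` still carries the old token would silently evaluate to "off" after upgrade. If the rename tracks a change in the form values, a one-line migration before that loop such as `$dansguardian_groups['group_options']=str_replace("sslcertcheck","sslcheckcert",$dansguardian_groups['group_options']);`, or a comment stating that saved configs are regenerated on upgrade, would make the intent explicit. The removed `mitmkey` default should be confirmed against whatever template still reads `$dansguardian_groups['mitmkey']`, which is not visible here. These hunks lie inside `sync_package_dansguardian`, which starts and ends outside.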
@@ -771,11 +782,16 @@ function sync_package_dansguardian($via_rpc=false) { "searchacl" => array("searchengineregexp","bannedsearchterm","weightedsearchterm","exceptionsearchterm") ); foreach ($lists as $list_key => $list_array){ + // verify groups acls to avoid errors on empty acl group options + if (!preg_match("/\w+/",$dansguardian_groups[$list_key])){ + log_error("dansguardian - Config warning, Group {$dansguardian_group_name} {$list_key} cannot be empty! Trying to load sample values"); + } foreach ($list_array as $list_value){ #read all access lists applied tho this group option foreach (explode(",",$dansguardian_groups[$list_key]) as $dacl){ if (! is_array(${$list_value})) ${$list_value}=array(); + $dacl=(preg_match("/\w+/",$dacl)? $dacl : "sample"); $file_temp=file_get_contents(DANSGUARDIAN_DIR . "/etc/dansguardian/lists/{$list_value}list.{$dacl}")."\n"; ${$list_value}=array_merge(explode("\n",$file_temp),${$list_value}); } @@ -784,7 +800,7 @@ function sync_package_dansguardian($via_rpc=false) { #save group file and unset array file_put_contents(DANSGUARDIAN_DIR . "/etc/dansguardian/lists/{$list_value}list.g_{$dansguardian_groups['name']}",implode("\n",array_unique(${$list_value}))."\n",LOCK_EX); unset(${$list_value}); - } + } } /* bannedphraselist = '/usr/local/etc/dansguardian/lists/bannedphraselist.{$dansguardian_groups['phraseacl']}' 
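Review bot: The new empty-ACL warning is logged once per `$list_key` and promises sample values, but the actual fallback `$dacl=(preg_match("/\w+/",$dacl)? $dacl : "sample")` is applied per comma-separated entry, so an option like `foo,,bar` is silently patched with `sample` without any warning while the only case the message describes is the fully empty one; logging inside the `$dacl` loop when the substitution happens keeps the log honest. The `file_get_contents` on the next line still returns `false` when `{$list_value}list.sample` (or any named list) is missing, and `."\n"` turns that into a blank line rather than an error; an `if (!file_exists($path)) { log_error(...); continue; }` before it would surface the misconfiguration. Both `$list_key` and `$dacl` are config-provided names used to build the path, so restricting them to `^\w+$` (as `dansguardian_validate_input` already does for `name`) rather than merely testing that they contain a word character would be tighter. The enclosing function starts and ends outside the hunk.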
@@ -898,9 +914,9 @@ EOF; #Create/update filtergroupsiplist file_put_contents($dansguardian_dir."/lists/authplugins/ipgroups",$filtergroupsiplist,LOCK_EX); #Create/update userlist xml file - $ips_xml_header=file_get_contents("/usr/local/pkg/dansguardian_ips_header.xml"); - $user_xml_header=file_get_contents("/usr/local/pkg/dansguardian_users_header.xml"); - $user_xml_footer=file_get_contents("/usr/local/pkg/dansguardian_users_footer.xml"); + $ips_xml_header=file_get_contents("/usr/local/pkg/dansguardian_ips_header.template"); + $user_xml_header=file_get_contents("/usr/local/pkg/dansguardian_users_header.template"); + $user_xml_footer=file_get_contents("/usr/local/pkg/dansguardian_users_footer.template"); file_put_contents("/usr/local/pkg/dansguardian_users.xml",$user_xml_header.$user_xml.$user_xml_footer,LOCK_EX); file_put_contents("/usr/local/pkg/dansguardian_ips.xml",$ips_xml_header.$ips_xml.$user_xml_footer,LOCK_EX); 
@@ -909,29 +925,36 @@ EOF; file_put_contents("/usr/local/share/dansguardian/languages/".$reportlanguage."/template.html",dg_text_area_decode($dansguardian_log['report_file']),LOCK_EX); #check blacklist download files - if ($dansguardian_blacklist['cron']=="force_download"){ - log_error("Blacklist udpate process started"); - file_notice("Dansguardian - Blacklist udpate process started",""); - file_put_contents("/root/dansguardian_custom.script",base64_decode($dansguardian_blacklist['custom_script']),LOCK_EX); - if ($dansguardian_blacklist['enable_custom_script'] && $dansguardian_blacklist['custom_script'] != "") - mwexec_bg("/root/dansguardian_custom.script"); - else - mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php fetch_blacklist"); + if ($install_process == true){ + require_once("/usr/local/www/dansguardian.php"); + fetch_blacklist(false,true); + update_output_window("Blacklist check done, continuing package config sync."); + } + else{ + if ($dansguardian_blacklist['cron']=="force_download"){ + log_error("Blacklist udpate process started"); + file_notice("Dansguardian - Blacklist udpate process started",""); + file_put_contents("/root/dansguardian_custom.script",base64_decode($dansguardian_blacklist['custom_script']),LOCK_EX); + if ($dansguardian_blacklist['enable_custom_script'] && $dansguardian_blacklist['custom_script'] != "") + mwexec_bg("/root/dansguardian_custom.script"); + else + mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php fetch_blacklist"); + } + #update xml categories from downloaded file + if ($dansguardian_blacklist['cron']=="force_update"){ + $config['installedpackages']['dansguardianblacklist']['config'][0]['cron']="never"; + mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php update_lists"); } - #update xml categories from downloaded file - if ($dansguardian_blacklist['cron']=="force_update"){ - $config['installedpackages']['dansguardianblacklist']['config'][0]['cron']="never"; - 
mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php update_lists"); - } - #Import default blacklists - if (!is_array($config['installedpackages']['dansguardianblacklistsurls']['config'])) - mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php update_lists"); - + #Import default blacklists + if (!is_array($config['installedpackages']['dansguardianblacklistsurls']['config'])) + mwexec_bg("/usr/local/bin/php /usr/local/www/dansguardian.php update_lists"); + } #get clamav user - $cconf="/usr/local/etc/clamd.conf"; + $cconf= DANSGUARDIAN_DIR. "/etc/clamd.conf"; $cconf_file=file_get_contents($cconf); if (preg_match("/User (\w+)/",$cconf_file,$matches)){ + mwexec("/usr/sbin/pw user show {$matches[1]} || /usr/sbin/pw user add -n {$matches[1]} -s /usr/sbin/nologin"); $daemonuser = $matches[1]; $daemongroup = 'nobody'; } @@ -940,7 +963,6 @@ EOF; $daemongroup = 'nobody'; } $filtergroups=($count > 1?($count -1):1); - $filterip=""; $filterports=""; foreach (explode(",", $dansguardian['interface']) as $i => $iface) { @@ -958,12 +980,12 @@ EOF; $cron_found=0; if (is_array($config['cron']['item'])) foreach($config['cron']['item'] as $cron) - if (preg_match("/usr.local.(bin.freshclam|www.dansguardian)/",$cron["command"])) + if (preg_match("@(".DANSGUARDIAN_DIR."|/usr/local)/(bin.freshclam|www/dansguardian)@",$cron["command"])) $cron_found++; else $new_cron['item'][]=$cron; - $cron_cmd="/usr/local/bin/freshclam"; + $cron_cmd= DANSGUARDIAN_DIR."/bin/freshclam"; if($dansguardian_config['cron'] && preg_match("/clamd/",$dansguardian_config['content_scanners'])) switch ($dansguardian_config['cron']){ case "day": 
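Review bot: The install path added in the `@@ -909` hunk does `require_once("/usr/local/www/dansguardian.php")` from inside the package include just to reach `fetch_blacklist()`; that file is the script the cron path runs as `php /usr/local/www/dansguardian.php fetch_blacklist`, so if it carries top-level argument dispatch (not visible here) the include executes it, and it also `require_once`s this very `.inc`, making the include circular. Moving `fetch_blacklist()` into `dansguardian.inc` and having the script call it would avoid both. The re-added lines keep the typo `udpate` in `log_error("Blacklist udpate process started")` and in the `file_notice` text; `update`. The new `pw user add` line is shell-safe only because `$matches[1]` is captured by `\w+`; a comment such as `# $matches[1] is \w+ only, safe to interpolate` records that dependency for the next editor. The enclosing function starts and ends outside the hunk.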
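Review bot: In the `@@ -958` hunk `DANSGUARDIAN_DIR` is spliced into the `@...@` cron-matching pattern without `preg_quote`, so any regex metacharacter in the install prefix (a `.`, `+` or `@` in the path) silently changes or breaks the pattern; use `preg_quote(DANSGUARDIAN_DIR,"@")` in the concatenation. The alternation also keeps `bin.freshclam` from the old pattern, where the unescaped `.` matches any character; `bin/freshclam` is what the new `$cron_cmd` produces. This loop sits inside `sync_package_dansguardian`, which continues outside the hunk.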
@@ -1041,6 +1063,7 @@ EOF; $cron_cmd="/usr/local/bin/php /usr/local/www/dansguardian_ldap.php"; if (is_array($config['installedpackages']['dansguardiangroups']['config'])) foreach ($config['installedpackages']['dansguardiangroups']['config'] as $dansguardian_groups){ + $dans_group_source=($dansguardian_groups['groupnamesource'] !="" ? $dansguardian_groups['groupnamesource'] : "name"); if(preg_match('/(\d+)m/',$dansguardian_groups['freq'],$matches)){ $new_cron['item'][]=array( "minute" => "*/".$matches[1], "hour" => "*", @@ -1048,7 +1071,7 @@ EOF; "month" => "*", "wday" => "*", "who" => "root", - "command"=> $cron_cmd." ".$dansguardian_groups['name']); + "command"=> "{$cron_cmd} $dans_group_source '{$dansguardian_groups[$dans_group_source]}'"); $config['cron']=$new_cron; $cron_found++; } @@ -1059,7 +1082,7 @@ EOF; "month" => "*", "wday" => "*", "who" => "root", - "command"=> $cron_cmd." ".$dansguardian_groups['name']); + "command"=> "{$cron_cmd} $dans_group_source '{$dansguardian_groups[$dans_group_source]}'"); $config['cron']=$new_cron; $cron_found++; } @@ -1068,7 +1091,6 @@ EOF; conf_mount_rw(); write_config(); - #update cron if ($cron_found > 0){ $config['cron']=$new_cron; @@ -1076,7 +1098,7 @@ EOF; configure_cron(); } - $dirs=array('/usr/local/etc/dansguardian/lists/bannedrooms/', + $dirs=array(DANSGUARDIAN_DIR . '/etc/dansguardian/lists/bannedrooms/', '/var/log/dansguardian'); foreach ($dirs as $dir) 
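Review bot: In the `@@ -1048` and `@@ -1059` hunks the cron command is built as `"{$cron_cmd} $dans_group_source '{$dansguardian_groups[$dans_group_source]}'"`, placing a config-provided value inside hand-written single quotes; a value containing `'` breaks out of the quoting when cron hands the line to the shell. Use `escapeshellarg($dansguardian_groups[$dans_group_source])` (and `escapeshellarg($dans_group_source)`) instead, noting that the `\W` rejection in `dansguardian_validate_input` covers only the `name` key, not whichever field `groupnamesource` points at. `$dans_group_source` from the `@@ -1041` hunk is also used as an array key without checking that the field exists in `$dansguardian_groups`, so a typo in `groupnamesource` yields an empty argument plus a notice; a small whitelist (`in_array($dans_group_source, array("name", ...), true)`) would catch that. These hunks lie inside `sync_package_dansguardian`, which starts and ends outside.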
@@ -1084,27 +1106,23 @@ EOF; mkdir ($dir,0755,true); #update file owner - mwexec("chown -R $daemonuser:$daemongroup /usr/local/etc/dansguardian"); + mwexec("chown -R $daemonuser:$daemongroup ".DANSGUARDIAN_DIR."/etc/dansguardian"); mwexec("chown -R $daemonuser:$daemongroup /var/log/dansguardian"); #create config files file_put_contents($dansguardian_dir."/dansguardian.conf", $dg, LOCK_EX); #check virus_scanner options - $libexec_dir="/usr/local/libexec/dansguardian/"; - if (preg_match("/clamd/",$dansguardian_config['content_scanners'])){ + $libexec_dir= DANSGUARDIAN_DIR."/libexec/dansguardian/"; + if ($install_process==true) + update_output_window("Skipping clamav check during package install."); + if (preg_match("/clamd/",$dansguardian_config['content_scanners']) && $install_process==false){ if (!(file_exists('/var/db/clamav/main.cvd')||file_exists('/var/db/clamav/main.cld'))){ file_notice("Dansguardian - No antivirus database found for clamav, running freshclam in background.",""); - log_error('No antivirus database found for clamav, running freshclam in background.'); - mwexec_bg('/usr/local/bin/freshclam'); + log_error('No antivirus database found for clamav, running freshclam in background. Content-scanner may not work until freshclam finishes.'); + mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd'); } - - $match=array(); - $match[0]='/NO/'; - $replace=array(); - $replace[0]='YES'; - #clamdscan.conf dansguardian file $cconf=DANSGUARDIAN_DIR . "/etc/dansguardian/contentscanners/clamdscan.conf"; $cconf_file=file_get_contents($cconf); 
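Review bot: The new `mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd')` invokes the rc.d script with no action, whereas the other call sites in this file use `"$script start"` / `"$script stop"`; an rc.subr-style script run without an argument typically prints its usage and exits non-zero, so clamd would not actually come up once the database download finishes. Append the action: `mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd start');`. The `update_output_window` call added for the install path is fine, but the `&& $install_process==false` condition duplicates the `if ($install_process==true)` just above it; an `else` would read more clearly. `sync_package_dansguardian` continues outside the hunk.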
@@ -1112,27 +1130,35 @@ EOF; $cconf_file=preg_replace('/#clamdudsfile/','clamdudsfile',$cconf_file); file_put_contents($cconf, $cconf_file, LOCK_EX); } - #clamd conf file - $cconf="/usr/local/etc/clamd.conf"; + $cconf=DANSGUARDIAN_DIR."/etc/clamd.conf"; $cconf_file=file_get_contents($cconf); if (preg_match("/User (\w+)/",$cconf_file,$matches)){ #clamd script file $script='/usr/local/etc/rc.d/clamav-clamd'; $script_file=file($script); + $new_clamav_startup=""; + $cpreg_m[0]="@NO@"; + $cpreg_m[1]="@/usr/local@"; + $cpreg_r[0]="YES"; + $cpreg_r[1]=DANSGUARDIAN_DIR; foreach ($script_file as $script_line){ if(preg_match("/command=/",$script_line)){ $new_clamav_startup.= 'if [ ! -d /var/run/clamav ];then /bin/mkdir /var/run/clamav;fi'."\n"; + $new_clamav_startup.= 'if [ ! -d /var/db/clamav ];then /bin/mkdir /var/db/clamav;fi'."\n"; + $new_clamav_startup.= 'if [ ! -d /var/log/clamav ];then /bin/mkdir -p /var/log/clamav;fi'."\n"; $new_clamav_startup.= "chown -R ".$matches[1]." /var/run/clamav\n"; + $new_clamav_startup.= "chown -R ".$matches[1]." /var/db/clamav\n"; $new_clamav_startup.= "chown -R ".$matches[1]." /var/log/clamav\n"; $new_clamav_startup.=$script_line; } elseif(!preg_match("/(mkdir|chown|sleep|mailscanner)/",$script_line)) { - $new_clamav_startup.=preg_replace("/NO/","YES",$script_line); + $new_clamav_startup.=preg_replace($cpreg_m,$cpreg_r,$script_line); } } file_put_contents($script, $new_clamav_startup, LOCK_EX); chmod ($script,0755); + if (file_exists('/var/run/dansguardian.pid') && is_process_running('clamd')){ log_error('Stopping clamav-clamd'); mwexec("$script stop"); @@ -1144,8 +1170,7 @@ EOF; mwexec_bg("$script start"); } } - } - + } #check certificate hashed $script='/usr/local/etc/rc.d/dansguardian.sh'; 
@@ -1180,23 +1205,58 @@ EOF; #mount read only conf_mount_ro(); + #avoid sync during boot process - if (!isset($boot_process)){ - $synconchanges = $config['installedpackages']['dansguardiansync']['config'][0]['synconchanges']; - if(!$synconchanges && !$syncondbchanges) - return; - log_error("[dansguardian] dansguardian_xmlrpc_sync.php is starting."); - foreach ($config['installedpackages']['dansguardiansync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ + if (!isset($boot_process) || $via_rpc=="yes"){ + /* Uses XMLRPC to synchronize the changes to a remote node */ + if (is_array($config['installedpackages']['dansguardiansync']['config'])){ + $dans_sync=$config['installedpackages']['dansguardiansync']['config'][0]; + $synconchanges = $dans_sync['synconchanges']; + $synctimeout = $dans_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($dans_sync[row])){ + $rs=$dans_sync[row]; + } + else{ + log_error("[Dansguardian] xmlrpc sync is enabled but there is no hosts to push on dansguardian config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + if (! 
is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[Dansguardian] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + } + else{ + log_error("[Dansguardian] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[Dansguardian] xmlrpc sync is starting."); + foreach($rs as $sh){ $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - $sync_type = $sh['sync_type']; + $password = $sh['password']; + $username = ($sh['username']?$sh['username']:"admin"); if($password && $sync_to_ip) - dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type); + dansguardian_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout); } + log_error("[Dansguardian] xmlrpc sync is ending."); } - log_error("[dansguardian] dansguardian_xmlrpc_sync.php is ending."); - } + } + } + } function dansguardian_validate_input($post, &$input_errors) { @@ -1207,15 +1267,22 @@ function dansguardian_validate_input($post, &$input_errors) { $input_errors[] = "{$value} cannot be used as name."; else if ($key == "name" && preg_match("/\W/",$value)) $input_errors[] = "{$value} cannot be used as name. Use only a-z 0-9 characters"; + else if ($key== "group_options"){ + $acls=array("pics","phrase","site","url","extension","header","content","search"); + foreach ($acls as $gacl) + if (!array_key_exists($gacl."acl",$post)) + $input_errors[] = ucfirst($gacl)." must has at least one acl assigned."; + } else if (empty($value)) continue; else if($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0)) $input_errors[] = "A valid number with a time reference is required for the field 'Update Frequency'"; } + } function dansguardian_php_install_command() { - sync_package_dansguardian(); + sync_package_dansguardian("no",true); } function dansguardian_php_deinstall_command() { 
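Review bot: `$dans_sync[row]` in the `manual` branch uses the bare word `row` as the array key; that is an undefined constant (a notice and the string "row" on older PHP, a fatal `Error` on PHP 8) and should read `$dans_sync['row']`. The call `dansguardian_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout)` passes `$sync_type`, but the only assignment to it (`$sync_type = $sh['sync_type'];`) is removed in this hunk and nothing else sets it, so the argument is always null here; either restore that line or drop the parameter. Both `auto`-branch log messages say `push squid config` (copied from another package) and should name dansguardian. `sync_package_dansguardian` ends in this hunk; it starts outside.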
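Review bot: In the `@@ -1207` hunk the new error text `ucfirst($gacl)." must has at least one acl assigned."` has a grammar slip; `" must have at least one ACL assigned."`. The check only runs when `group_options` is among the posted keys, so a post that omits `group_options` entirely skips the ACL-presence validation; if that is reachable from the form, run the `$acls` loop once after the `foreach` over `$post` rather than inside the `$key` chain. `dansguardian_validate_input` starts outside the hunk.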
@@ -1233,15 +1300,21 @@ function dansguardian_php_deinstall_command() { } } -function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { +function dansguardian_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout) { global $config, $g; + if(!$username) + return; + if(!$password) return; if(!$sync_to_ip) return; + if(!$synctimeout) + $synctimeout=30; + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; 
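Review bot: `if(!$synctimeout) $synctimeout=30;` only guards against empty values; `$synctimeout` arrives from the config section and is later passed straight to `$cli->send($msg, $synctimeout)`, so a non-numeric or negative string passes this check unchanged. Replace it with `$synctimeout = (is_numeric($synctimeout) && (int)$synctimeout > 0) ? (int)$synctimeout : 30;`. The function continues outside the hunk.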
@@ -1259,28 +1332,26 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { /* xml will hold the sections to sync */ $xml = array(); - $sync_xml=$config['installedpackages']['dansguardiansync']['config'][0]['synconchanges']; - if ($sync_xml){ - log_error("Include dansguardian config"); - $xml['dansguardian'] = $config['installedpackages']['dansguardian']; - $xml['dansguardianantivirusacl'] = $config['installedpackages']['dansguardianantivirusacl']; - $xml['dansguardianconfig'] = $config['installedpackages']['dansguardianconfig']; - $xml['dansguardianblacklist'] = $config['installedpackages']['dansguardianblacklist']; - $xml['dansguardianldap'] = $config['installedpackages']['dansguardianldap']; - $xml['dansguardiancontentacl'] = $config['installedpackages']['dansguardiancontentacl']; - $xml['dansguardianfileacl'] = $config['installedpackages']['dansguardianfileacl']; - $xml['dansguardiangroups'] = $config['installedpackages']['dansguardiangroups']; - $xml['dansguardianheaderacl'] = $config['installedpackages']['dansguardianheaderacl']; - $xml['dansguardianlimits'] = $config['installedpackages']['dansguardianlimits']; - $xml['dansguardianlog'] = $config['installedpackages']['dansguardianlog']; - $xml['dansguardianphraseacl'] = $config['installedpackages']['dansguardianphraseacl']; - $xml['dansguardianpicsacl'] = $config['installedpackages']['dansguardianpicsacl']; - $xml['dansguardiansearchacl'] = $config['installedpackages']['dansguardiansearchacl']; - $xml['dansguardiansiteacl'] = $config['installedpackages']['dansguardiansiteacl']; - $xml['dansguardianurlacl'] = $config['installedpackages']['dansguardianurlacl']; - $xml['dansguardianusers'] = $config['installedpackages']['dansguardianusers']; + log_error("Include dansguardian config"); + $xml['dansguardian'] = $config['installedpackages']['dansguardian']; + $xml['dansguardianantivirusacl'] = $config['installedpackages']['dansguardianantivirusacl']; + $xml['dansguardianconfig'] = 
$config['installedpackages']['dansguardianconfig']; + $xml['dansguardianblacklist'] = $config['installedpackages']['dansguardianblacklist']; + $xml['dansguardianldap'] = $config['installedpackages']['dansguardianldap']; + $xml['dansguardiancontentacl'] = $config['installedpackages']['dansguardiancontentacl']; + $xml['dansguardianfileacl'] = $config['installedpackages']['dansguardianfileacl']; + $xml['dansguardiangroups'] = $config['installedpackages']['dansguardiangroups']; + $xml['dansguardianheaderacl'] = $config['installedpackages']['dansguardianheaderacl']; + $xml['dansguardianlimits'] = $config['installedpackages']['dansguardianlimits']; + $xml['dansguardianlog'] = $config['installedpackages']['dansguardianlog']; + $xml['dansguardianphraseacl'] = $config['installedpackages']['dansguardianphraseacl']; + $xml['dansguardianpicsacl'] = $config['installedpackages']['dansguardianpicsacl']; + $xml['dansguardiansearchacl'] = $config['installedpackages']['dansguardiansearchacl']; + $xml['dansguardiansiteacl'] = $config['installedpackages']['dansguardiansiteacl']; + $xml['dansguardianurlacl'] = $config['installedpackages']['dansguardianurlacl']; + $xml['dansguardianusers'] = $config['installedpackages']['dansguardianusers']; + $xml['dansguardianips'] = $config['installedpackages']['dansguardianips']; - } if (count($xml) > 0){ /* assemble xmlrpc payload */ $params = array( 
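Review bot: With the `if ($sync_xml)` guard removed, `$xml` is always populated by the time `if (count($xml) > 0)` runs, so that condition is now dead and suggests an empty payload is still possible; either drop it or annotate it with `/* every section is always included; the caller decides whether to sync at all */`. The `$sync_type` parameter is still accepted by the function but nothing in this hunk consults it when selecting sections, which is presumably what it used to control — confirm it is still needed. The function continues outside the hunk.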
@@ -1294,18 +1365,18 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 30 seconds */ - $resp = $cli->send($msg, "30"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting dansguardian XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "30"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting dansguardian XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); @@ -1316,7 +1387,7 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { /* tell dansguardian to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/dansguardian.inc');\n"; - $execcmd .= "sync_package_dansguardian(true);"; + $execcmd .= "sync_package_dansguardian('yes');"; /* assemble xmlrpc payload */ $params = array( 
@@ -1327,15 +1398,15 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { log_error("dansguardian XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "30"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting dansguardian XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "30"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting dansguardian XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); @@ -1345,4 +1416,4 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { } } -?> +?>
\ No newline at end of file diff --git a/config/dansguardian/dansguardian.php b/config/dansguardian/dansguardian.php index 8571e1b7..b9c972a1 100644 --- a/config/dansguardian/dansguardian.php +++ b/config/dansguardian/dansguardian.php @@ -4,7 +4,7 @@ /* dansguardian.php part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -13,7 +13,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -38,36 +38,68 @@ require_once("/etc/inc/functions.inc"); require_once("/etc/inc/pkg-utils.inc"); require_once("/etc/inc/globals.inc"); require_once("/usr/local/pkg/dansguardian.inc"); - -function fetch_blacklist(){ + +function fetch_blacklist($log_notice=true,$install_process=false) { global $config,$g; - $url=$config['installedpackages']['dansguardianblacklist']['config'][0]['url']; - if (is_url($url)){ - conf_mount_rw(); - print "file download start.."; - unlink_if_exists("/usr/local/etc/dansguardian/lists/blacklist.tgz"); - exec("/usr/bin/fetch -o /usr/local/etc/dansguardian/lists/blacklist.tgz ".escapeshellarg($url)); - chdir ("/usr/local/etc/dansguardian/lists"); - if (is_dir ("blacklists.old")) - exec ('rm -rf /usr/local/etc/dansguardian/lists/blacklists.old'); - rename("blacklists","blacklists.old"); - exec('/usr/bin/tar -xvzf /usr/local/etc/dansguardian/lists/blacklist.tgz 2>&1',$output,$return); - if (preg_match("/x\W+(\w+)/",$output[0],$matches)){ - if ($matches[1] != "blacklists") - rename("./".$matches[1],"blacklists"); - read_lists(); - } - else - file_notice("Dansguardian - Could not determine Blacklist extract dir. 
Categories not updated",""); - } + if (is_array($config['installedpackages']['dansguardianblacklist']) && is_array($config['installedpackages']['dansguardianblacklist']['config'])){ + $url=$config['installedpackages']['dansguardianblacklist']['config'][0]['url']; + $uw="Found a previouns install, checking Blacklist config..."; + } else{ - file_notice("Dansguardian - Blacklist url is invalid.",""); + $uw="Found a clean install, reading default access lists..."; + } + conf_mount_rw(); + if ($install_process == true) + update_output_window($uw); + if (isset($url) && is_url($url)) { + if ($log_notice==true){ + print "file download start.."; + unlink_if_exists("/usr/local/pkg/blacklist.tgz"); + exec("/usr/bin/fetch -o /usr/local/pkg/blacklist.tgz ".escapeshellarg($url),$output,$return); + } + else{ + #install process + if (file_exists("/usr/local/pkg/blacklist.tgz")){ + update_output_window("Found previous blacklist database, skipping download..."); + $return=0; + } + else{ + update_output_window("Fetching blacklist"); + download_file_with_progress_bar($url, "/usr/local/pkg/blacklist.tgz"); + if (file_exists("/usr/local/pkg/blacklist.tgz")) + $return=0; + } + } + if ($return == 0) { + chdir (DANSGUARDIAN_DIR . "/etc/dansguardian/lists"); + if (is_dir ("blacklists.old")) + exec ('rm -rf '.DANSGUARDIAN_DIR . '/etc/dansguardian/lists/blacklists.old'); + rename("blacklists","blacklists.old"); + exec('/usr/bin/tar -xvzf /usr/local/pkg/blacklist.tgz 2>&1',$output,$return); + if (preg_match("/x\W+(\w+)/",$output[1],$matches)) { + if ($matches[1] != "blacklists") + rename("./".$matches[1],"blacklists"); + read_lists($log_notice); + } + else { + file_notice("Dansguardian - Could not determine Blacklist extract dir. 
Categories not updated",""); + } + } + else { + file_notice("Dansguardian - Could not fetch blacklists from url",""); + } + } + else { + if ($install_process==true) + read_lists(false,$uw); + elseif (!empty($url)) + file_notice("Dansguardian - Blacklist url is invalid.",""); } } -function read_lists(){ +function read_lists($log_notice=true,$uw=""){ global $config,$g; $group_type=array(); - $dir="/usr/local/etc/dansguardian/lists"; + $dir=DANSGUARDIAN_DIR . "/etc/dansguardian/lists"; #read dansguardian lists dirs $groups= array("phraselists", "blacklists", "whitelists"); #assigns know list files @@ -130,11 +162,14 @@ function read_lists(){ $edit_file=preg_replace('/size.19/','size>5',$edit_file); file_put_contents("/usr/local/pkg/dansguardian_".$edit_xml."_acl.xml",$edit_file,LOCK_EX); } - file_notice("Dansguardian - Blacklist applied, check site and URL access lists for categories",""); - #foreach($config['installedpackages'] as $key => $values) - # if (preg_match("/dansguardian(phrase|black|white)lists/",$key)) - # print "$key\n"; write_config(); + if($log_notice==true && $uw==""){ + file_notice("Dansguardian - Blacklist applied, check site and URL access lists for categories",""); + } + else{ + $uw.="done\n"; + update_output_window($uw); + } } if ($argv[1]=="update_lists") diff --git a/config/dansguardian/dansguardian.xml b/config/dansguardian/dansguardian.xml index 334c99e7..34d4156c 100644 --- a/config/dansguardian/dansguardian.xml +++ b/config/dansguardian/dansguardian.xml @@ -9,7 +9,7 @@ /* dansguardian.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ 
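Review bot: In the install-process branch of `fetch_blacklist`, `$return` is only assigned when the downloaded file exists, so a failed `download_file_with_progress_bar()` leaves it unset and the following `if ($return == 0)` is true under PHP's loose comparison (`null == 0`); the code then moves the working `blacklists` directory to `blacklists.old` and tries to untar a file that is not there. Initialise it ahead of the branch, `$return = 1;` before `if ($log_notice==true)`, and compare strictly, `if ($return === 0) {`. The extract path has the same weakness when tar itself fails: `blacklists` has already been renamed away, so a truncated or malformed archive leaves DansGuardian without its category lists until a later successful run; restoring `blacklists.old` on a non-zero tar exit (or extracting to a temporary directory and renaming only on success) would keep the previous lists in place. The archive comes from whatever `url` is configured and nothing in the hunk verifies its contents beyond the `is_url()` check, which is worth stating in the Blacklist field's description so administrators know to point it at a trusted source.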
@@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -84,17 +84,17 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> - <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_ips_header.xml</item> + <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_ips_header.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> - <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_users_header.xml</item> + <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_users_header.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> - <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_users_footer.xml</item> + <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_users_footer.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> @@ -188,11 +188,6 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> - <additional_files_needed> - <item>http://www.pfsense.org/packages/config/dansguardian/blockedflash.swf</item> - <prefix>/usr/local/share/dansguardian/</prefix> - <chmod>0755</chmod> - </additional_files_needed> <tabs> <tab> <text>Daemon</text> 
@@ -212,8 +207,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -236,7 +231,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> @@ -258,7 +253,8 @@ <field> <fielddescr>Listen Interface(s)</fielddescr> <fieldname>interface</fieldname> - <description><![CDATA[Default: <strong>LAN/loopback</strong><br>Select interface(s) that you want to dansguardian listen on.]]></description> + <description><![CDATA[Default: <strong>LAN/loopback</strong><br>Select interface(s) that you want to dansguardian listen on.<br> + <strong>Note: Do NOT select more then one interface if you plan to use more then one authentication plugin.</strong>]]></description> <type>interfaces_selection</type> <required/> <multiple/> 
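Review bot: The note added to the Listen Interface(s) description in the `@@ -258` hunk reads `more then one` twice where `more than one` is meant, and the same wording is added to the auth_plugin description in dansguardian_config.xml (`@@ -106` hunk). Suggest `Note: do NOT select more than one interface if you plan to use more than one authentication plugin.` here and the mirrored sentence there.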
@@ -349,10 +345,28 @@ <description><![CDATA[Default: <strong>3128</strong><br> Sets port number for proxy server.]]></description> </field> - + <field> + <fielddescr>Proxy Time out</fielddescr> + <fieldname>proxytimeout</fieldname> + <description><![CDATA[This option handle max time to wait for proxy server.]]></description> + <type>select</type> + <options> + <option><name>30 seconds (default)</name><value>30</value></option> + <option><name>20 seconds</name><value>20</value></option> + <option><name>40 seconds</name><value>40</value></option> + <option><name>50 seconds</name><value>50</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>70 seconds</name><value>70</value></option> + <option><name>80 seconds</name><value>80</value></option> + <option><name>90 seconds</name><value>90</value></option> + <default_value>30</default_value> + </options> + </field> </fields> <custom_php_install_command> - dansguardian_php_install_command(); + update_status("Checking Dansguardian Blacklists... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + dansguardian_php_install_command(false,true); </custom_php_install_command> <custom_php_deinstall_command> dansguardian_php_deinstall_command(); diff --git a/config/dansguardian/dansguardian_about.php b/config/dansguardian/dansguardian_about.php index 07b5768e..b7834281 100755 --- a/config/dansguardian/dansguardian_about.php +++ b/config/dansguardian/dansguardian_about.php 
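Review bot: The new `proxytimeout` field places `<default_value>30</default_value>` inside `<options>` rather than directly under `<field>`, which is where the pfSense package form code reads it as far as I know, so the select will presumably show no preselected value until the page is first saved; move the element up beside `<type>`. The description `This option handle max time to wait for proxy server.` is ungrammatical and omits the unit; suggest `Maximum time, in seconds, to wait for the proxy server (default 30).`.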
@@ -53,16 +53,16 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[] = array(gettext("Daemon"), false, "/pkg_edit.php?xml=dansguardian.xml&id=0"); - $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=dansguardian_general.xml&id=0"); + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=dansguardian_config.xml&id=0"); $tab_array[] = array(gettext("Limits"), false, "/pkg_edit.php?xml=dansguardian_limits.xml&id=0"); $tab_array[] = array(gettext("Blacklist"), false, "/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0"); - $tab_array[] = array(gettext("Access Lists"), false, "/pkg_edit.php?xml=dansguardian_antivirus.xml&id=0"); + $tab_array[] = array(gettext("ACLs"), false, "/pkg.php?xml=dansguardian_site_acl.xml"); $tab_array[] = array(gettext("LDAP"), false, "/pkg.php?xml=dansguardian_ldap.xml&id=0"); $tab_array[] = array(gettext("Groups"), false, "/pkg.php?xml=dansguardian_groups.xml&id=0"); - $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=dansguardian_users.xml&id=0"); - $tab_array[] = array(gettext("IPs"), false, "/pkg.php?xml=dansguardian_ips.xml&id=0"); + $tab_array[] = array(gettext("Users"), false, "/pkg_edit.php?xml=dansguardian_users.xml&id=0"); + $tab_array[] = array(gettext("IPs"), false, "/pkg_edit.php?xml=dansguardian_ips.xml&id=0"); $tab_array[] = array(gettext("Report and Log"), false, "/pkg_edit.php?xml=dansguardian_log.xml&id=0"); - $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=dansguardian_sync.xml&id=0"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=dansguardian_sync.xml&id=0"); $tab_array[] = array(gettext("Help"), true, "/dansguardian_about.php"); display_top_tabs($tab_array); ?> diff --git a/config/dansguardian/dansguardian_antivirus_acl.xml b/config/dansguardian/dansguardian_antivirus_acl.xml index 21c5c17e..563d3f13 100755 --- a/config/dansguardian/dansguardian_antivirus_acl.xml +++ b/config/dansguardian/dansguardian_antivirus_acl.xml 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> <active/> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + 
<text>Extension Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <fields> diff --git a/config/dansguardian/dansguardian_blacklist.xml b/config/dansguardian/dansguardian_blacklist.xml index d95558e6..e9cba862 100644 --- a/config/dansguardian/dansguardian_blacklist.xml +++ b/config/dansguardian/dansguardian_blacklist.xml @@ -9,7 +9,7 @@ /* dansguardian_limits.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -65,8 +65,8 @@ <active/> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -89,7 +89,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> 
diff --git a/config/dansguardian/dansguardian_config.xml b/config/dansguardian/dansguardian_config.xml index 0c14a7bb..35b0bf5b 100644 --- a/config/dansguardian/dansguardian_config.xml +++ b/config/dansguardian/dansguardian_config.xml @@ -9,7 +9,7 @@ /* dansguardian_config.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -65,8 +65,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -89,7 +89,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> 
@@ -106,7 +106,9 @@ <fielddescr>Auth Plugins</fielddescr> <fieldname>auth_plugin</fieldname> <description><![CDATA[This option handle the extraction of client usernames from various sources, such as Proxy-Authorisation headers and ident servers, - enabling requests to be handled according to the settings of the user's filter group]]></description> + enabling requests to be handled according to the settings of the user's filter group.<br> + Use CTRL + click for multiple select.<br> + <strong>Note: Do NOT select more then one auth plugin if you plan to use more then one listening interface.</strong>]]></description> <type>select</type> <options> <option><name>Proxy-Basic</name><value>/usr/local/etc/dansguardian/authplugins/proxy-basic.conf</value></option> @@ -116,11 +118,14 @@ <option><name>Ip Address</name><value>/usr/local/etc/dansguardian/authplugins/ip.conf</value></option> <option><name>none</name><value>none</value></option> </options> + <multiple/> + <size>7</size> </field> <field> <fielddescr>Scan Options</fielddescr> <fieldname>scan_options</fieldname> - <description><![CDATA[Scan options. Default values are in ( )]]></description> + <description><![CDATA[Scan options. Default values are in ( )<br> + Use CTRL + click for multiple select.]]></description> <type>select</type> <options> <option><name>Scan clean cache (on)</name><value>scancleancache</value></option> diff --git a/config/dansguardian/dansguardian_content_acl.xml b/config/dansguardian/dansguardian_content_acl.xml index 1302d89c..8a1866af 100755 --- a/config/dansguardian/dansguardian_content_acl.xml +++ b/config/dansguardian/dansguardian_content_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_content_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ 
@@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + <text>Extension 
Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_file_acl.xml b/config/dansguardian/dansguardian_file_acl.xml index 808fb4e2..ed4866c6 100755 --- a/config/dansguardian/dansguardian_file_acl.xml +++ b/config/dansguardian/dansguardian_file_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_file_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + <text>Extension 
Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_groups.xml b/config/dansguardian/dansguardian_groups.xml index 9498ef4c..aaa9bcd6 100755 --- a/config/dansguardian/dansguardian_groups.xml +++ b/config/dansguardian/dansguardian_groups.xml @@ -8,7 +8,7 @@ /* dansguardian_groups.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -88,7 +88,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> @@ -112,7 +112,8 @@ <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -149,11 +150,11 @@ <option><name>Enable Deep URL Analysis (off)</name><value>deepurlanalysis</value></option> <option><name>Infection/Scan Error Bypass on Scan Errors Only (on)</name><value>infectionbypasserrorsonly</value></option> <option><name>Disable content scanning (off)</name><value>disablecontentscan</value></option> - <option><name>Check servers ssl certificates (off)</name><value>sslcertcheck</value></option> + <option><name>Check Server SSLCertificates (off)</name><value>sslcheckcert</value></option> <option><name>Filter ssl sites forging SSL Certificates (off)</name><value>sslmitm</value></option> </options> <multiple/> - <size>10</size> + <size>9</size> </field> <field> <fielddescr>Pics</fielddescr> @@ -297,7 +298,7 @@ </options> </field> <field> - <fielddescr>Naughtiness limite</fielddescr> + <fielddescr>Naughtiness limit</fielddescr> <fieldname>naughtynesslimit</fieldname> <description><![CDATA[This the limit over which the page will be blocked. Each weighted phrase is given a value either positive or negative and the values added up.<br> Phrases to do with good subjects will have negative values, and bad subjects will have positive values.<br> 
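Review bot: The `@@ -149` hunk renames the stored value of the "Check server SSL certificates" option from `sslcertcheck` to `sslcheckcert`; a group that already has the old value saved in config.xml will no longer match any option, so certificate checking silently disappears from that group's multi-select after the upgrade unless a migration elsewhere in the commit rewrites the stored value (none is visible in this file). Either keep accepting `sslcertcheck` where the value is consumed in dansguardian.inc, or add a one-time rewrite of the stored value in the install or sync code. The option label would also read more naturally as `Check server SSL certificates (off)` rather than `Check Server SSLCertificates (off)`.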
@@ -317,6 +318,17 @@ <size>10</size> </field> <field> + <fielddescr>Max upload size</fielddescr> + <fieldname>maxuploadsize</fieldname> + <type>input</type> + <size>10</size> + <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kilobytes after MIME encoding and header bump<br> + use 0 for a complete block<br> + use higher (e.g. 512 = 512Kbytes) for limiting<br> + use -1 for no blocking(default)<br> + Leave empty to use global Max upload size limit value.]]></description> + </field> + <field> <fielddescr>Category display threshold</fielddescr> <fieldname>categorydisplaythreshold</fieldname> <description><![CDATA[This option only applies to pages blocked by weighted phrase filtering.<br> @@ -374,10 +386,20 @@ <type>listtopic</type> </field> <field> + <fielddescr>LDAP group name source</fielddescr> + <fieldname>groupnamesource</fieldname> + <description><![CDATA[ This option determines where to look for LDAP group/OU name.]]></description> + <type>select</type> + <options> + <option><name>Dansguardian Group Name(default)</name><value>name</value></option> + <option><name>Dansguardian Group Description</name><value>description</value></option> + </options> + </field> + <field> <fielddescr>LDAP</fielddescr> <fieldname>ldap</fieldname> - <description><![CDATA[Select Active directory servers to extract users from<br> - The group must has the same name in dansguardian and on active directory<br> + <description><![CDATA[Select LDAP servers to extract users from<br> + The group must has the same name( or description) in dansguardian and on active directory<br> <strong>This is not aplicable for default group</strong>]]></description> <type>select_source</type> <size>05</size> 
@@ -387,6 +409,31 @@ <source_value>dc</source_value> </field> <field> + <fielddescr>LDAP user account status</fielddescr> + <fieldname>useraccountcontrol</fieldname> + <description><![CDATA[Import only users with these account status. Leave empty to do not check account status.]]></description> + <type>select</type> + <options> + <option><name>Normal (code 512)</name><value>512</value></option> + <option><name>Disabled Account (code 514)</name><value>514</value></option> + <option><name>Account is Disabled (code 2)</name><value>2</value></option> + <option><name>Account Locked Out (code 16)</name><value>16</value></option> + <option><name>Entered Bad Password (code 17)</name><value>17</value></option> + <option><name>No Password is Required(code 32)</name><value>32</value></option> + <option><name>Password CANNOT Change(code 64)</name><value>64</value></option> + <option><name>Password has Expired (code 8388608)</name><value>8388608</value></option> + <option><name>Account will Never Expire (code 65536)</name><value>65536</value></option> + <option><name>Enabled and Does NOT expire Paswword (code 66048)</name><value>66048</value></option> + <option><name>Server Trusted Account for Delegation (code 8192)</name><value>8192</value></option> + <option><name>Trusted Account for Delegation (code 524288)</name><value>524288</value></option> + <option><name>Enabled, User Cannot Change Password, Password Never Expires (code 590336)</name><value>590336</value></option> + <option><name>Normal Account, Password will not expire and Currently Disabled (code 66050)</name><value>66050</value></option> + <option><name>Account Enabled, Password does not expire, currently Locked out (code 66064)</name><value>66064</value></option> + </options> + <multiple/> + <size>16</size> + </field> + <field> <fielddescr>Update frequency</fielddescr> <fieldname>freq</fieldname> <description><![CDATA[How often extract users from active directory and verify changes<br> 
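Review bot: The new `useraccountcontrol` option list has a typo in `Enabled and Does NOT expire Paswword (code 66048)` (`Password`), and the description reads awkwardly; suggest `Import only users whose account status matches one of the selected codes. Leave empty to skip the account-status check.`. As far as the PHP counterpart in this commit shows, the selected codes are compared exactly against the attribute value, so an account whose flag combination is not in this list is excluded; saying so in the description would avoid surprises, since userAccountControl is a bit field and many combinations are possible. The enclosing `<fields>` element continues outside the hunk.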
diff --git a/config/dansguardian/dansguardian_header_acl.xml b/config/dansguardian/dansguardian_header_acl.xml index 4d120a7b..9ddb0c23 100755 --- a/config/dansguardian/dansguardian_header_acl.xml +++ b/config/dansguardian/dansguardian_header_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_header_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + <text>Extension 
Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_ips_header.xml b/config/dansguardian/dansguardian_ips_header.template index c15e31da..48eb3e68 100644 --- a/config/dansguardian/dansguardian_ips_header.xml +++ b/config/dansguardian/dansguardian_ips_header.template @@ -9,7 +9,7 @@ /* dansguardian_ips.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
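Review bot: The first replacement tab, `+<tab>` for `Daemon`, sits at column 0 while every other `<tab>` in the rewritten block keeps the original indentation; it should be indented like its siblings. The same column-0 `<tab>` appears in the identical tab-block hunks of dansguardian_phrase_acl.xml, dansguardian_pics_acl.xml, dansguardian_search_acl.xml and dansguardian_site_acl.xml further down. Since this block is now duplicated verbatim across the ACL pages, the carried-over label `Searche Engine` is also worth correcting to `Search Engine` in the same pass.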
@@ -64,7 +64,7 @@ </tab> <tab> <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <url>/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0</url> </tab> <tab> <text>LDAP</text> @@ -88,7 +88,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> diff --git a/config/dansguardian/dansguardian_ldap.php b/config/dansguardian/dansguardian_ldap.php index c02289ac..01d4764e 100644 --- a/config/dansguardian/dansguardian_ldap.php +++ b/config/dansguardian/dansguardian_ldap.php @@ -8,7 +8,7 @@ /* dansguardian_ldap.php part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -56,6 +56,7 @@ function get_ldap_members($group,$user,$password) { global $ldap_host; global $ldap_dn; $LDAPFieldsToFind = array("member"); + print "{$ldap_host} {$ldap_dn}\n"; $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP"); // OPTIONS TO AD 
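Review bot: In the `@@ -64,7 +64,7 @@` hunk of dansguardian_ips_header.template the Access Lists tab now points at `/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0`, while every other file in this commit links that tab as `/pkg.php?xml=dansguardian_site_acl.xml` under the label `ACLs`. dansguardian_site_acl.xml is an add/delete/edit list page (it carries `<adddeleteeditpagefields>` later in this diff), so pkg_edit.php with id=0 would open the edit form of the first entry rather than the list. Suggest `<text>ACLs</text>` and `<url>/pkg.php?xml=dansguardian_site_acl.xml</url>` here as well.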
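Review bot: The added `print "{$ldap_host} {$ldap_dn}\n";` in get_ldap_members looks like a leftover debug statement: it writes the directory host and base DN to stdout on every call, which for a script that otherwise only reports its result ends up in cron mail or the console. If it is meant to stay, make it a labelled status line consistent with the caller's `Group :` output, e.g. `print "Querying {$ldap_host} under {$ldap_dn}\n";`, otherwise drop it. The function body continues past this hunk.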
@@ -64,7 +65,10 @@ function get_ldap_members($group,$user,$password) { ldap_bind($ldap, $user, $password) or die("Could not bind to LDAP"); - $results = ldap_search($ldap,$ldap_dn,"cn=" . $group,$LDAPFieldsToFind); + //check if group is just a name or an ldap string + $group_cn=(preg_match("/cn=/i",$group)? $group : "cn={$group}"); + + $results = ldap_search($ldap,$ldap_dn,$group_cn,$LDAPFieldsToFind); $member_list = ldap_get_entries($ldap, $results); $group_member_details = array(); @@ -77,7 +81,8 @@ function get_ldap_members($group,$user,$password) { $member_search = ldap_search($ldap, $ldap_dn, "(CN=" . $member_cn . ")"); $member_details = ldap_get_entries($ldap, $member_search); $group_member_details[] = array($member_details[0]['samaccountname'][0], - $member_details[0]['displayname'][0]); + $member_details[0]['displayname'][0], + $member_details[0]['useraccountcontrol'][0]); } ldap_close($ldap); array_shift($group_member_details); 
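Review bot: `$group_cn` splices `$group` straight into the LDAP search filter; the value is the group's name or, with the new groupnamesource option, its free-text description, so characters such as `(`, `)`, `*` or `\` change the filter instead of being matched. Escape the plain-name case and anchor the regex, `$group_cn = preg_match("/^cn=/i", $group) ? $group : "cn=" . ldap_escape($group, "", LDAP_ESCAPE_FILTER);` (ldap_escape needs PHP 5.6+; on older PHP escape those metacharacters by hand) — anchoring also stops a description that merely contains `cn=` from being passed through as a raw filter. The result of `ldap_search()` is still handed to `ldap_get_entries()` without a `false` check, so a malformed filter or a search error comes back as an empty member list rather than an error. The rest of get_ldap_members lies outside this hunk.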
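Review bot: The new third element `$member_details[0]['useraccountcontrol'][0]` is read without checking the attribute is present; the commit also relabels the servers as generic LDAP servers, and an entry or directory without `useraccountcontrol` produces a notice and a null that the caller's strict `in_array` then never matches, silently dropping the user. Read it defensively, `isset($member_details[0]['useraccountcontrol'][0]) ? $member_details[0]['useraccountcontrol'][0] : ""`. The same applies to `samaccountname` and `displayname` on the surrounding lines.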
@@ -96,34 +101,57 @@ $apply_config=0; if (is_array($config['installedpackages']['dansguardiangroups']['config'])) foreach($config['installedpackages']['dansguardiangroups']['config'] as $group) { #ignore default group - if ($id > 0) - if ($argv[1] == "" || $argv[1] == $group['name']){ + if ($id > 0){ + $ldap_group_source=(preg_match("/description/",$argv[1]) ? "description" : "name"); + if ($argv[2] == $group[$ldap_group_source]){ $members=""; $ldap_servers= explode (',',$group['ldap']); - echo "Group : " . $group['name']."\n"; + echo "Group : {$group['name']}({$group['description']})\n"; if (is_array($config['installedpackages']['dansguardianldap']['config'])) foreach ($config['installedpackages']['dansguardianldap']['config'] as $server){ if (in_array($server['dc'],$ldap_servers)){ $ldap_dn = $server['dn']; $ldap_host=$server['dc']; $mask=(empty($server['mask'])?"USER":$server['mask']); - $result = get_ldap_members($group['name'],$server['username'].','.$server['dn'],$server['password']); - foreach($result as $key => $value) { - if (preg_match ("/\w+/",$value[0])){ + if (preg_match("/cn/",$server['username'])) + $ldap_username=$server['username'].",".$server['dn']; + else + $ldap_username=$server['username']; + #$domainuser=split("cn=",$server['username']); + #$ldap_username=preg_replace("/,\./","@",$domainuser[1].preg_replace("/(,|)DC=/i",".",$server['dn'])); + $result = get_ldap_members($group[$ldap_group_source],$ldap_username,$server['password']); + if ($group['useraccountcontrol'] !="") + $valid_account_codes=explode(",",$group['useraccountcontrol']); + foreach($result as $mvalue) { + if (preg_match ("/\w+/",$mvalue[0])){ #var_dump($value); - $name= preg_replace('/[^(\x20-\x7F)]*/','', $value[1]); + $name= preg_replace("/&([a-z])[a-z]+;/i", "$1", htmlentities($mvalue[1]));//preg_replace('/[^(\x20-\x7F)]*/','', $mvalue[1]); $pattern[0]="/USER/"; $pattern[1]="/,/"; $pattern[2]="/NAME/"; - $replace[0]=$value[0]; + $replace[0]=$mvalue[0]; $replace[1]="\n"; 
$replace[2]="$name"; - $members .= preg_replace($pattern,$replace,$mask)."\n"; + + if (is_array($valid_account_codes)){ + if (in_array($mvalue[2],$valid_account_codes,true)) + $members .= preg_replace($pattern,$replace,$mask)."\n"; + } + else + { + $members .= preg_replace($pattern,$replace,$mask)."\n"; + } } } } } - if (!empty($members)){ + if (empty($members)){ + if (!is_null($config['installedpackages']['dansguardianusers']['config'][0][strtolower($group['name'])])){ + $config['installedpackages']['dansguardianusers']['config'][0][strtolower($group['name'])] = NULL; + $apply_config++; + } + } + else{ $import_users = explode("\n", $members); asort($import_users); $members=base64_encode(implode("\n", $import_users)); @@ -132,15 +160,18 @@ if (is_array($config['installedpackages']['dansguardiangroups']['config'])) $apply_config++; } } - } - $id++; + } + } + $id++; } if ($apply_config > 0){ - print "user list from LDAP is different from current group, applying new configuration..."; + print "User list from LDAP is different from current group, applying new configuration..."; write_config(); include("/usr/local/pkg/dansguardian.inc"); sync_package_dansguardian(); print "done\n"; +}else { + print "User list from LDAP is already the same as current group, no changes made\n"; } #mount filesystem read-only diff --git a/config/dansguardian/dansguardian_ldap.xml b/config/dansguardian/dansguardian_ldap.xml index 3411f483..4c2b60f7 100755 --- a/config/dansguardian/dansguardian_ldap.xml +++ b/config/dansguardian/dansguardian_ldap.xml @@ -8,7 +8,7 @@ /* dansguardian_ldap.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ 
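Review bot: `$valid_account_codes` is only assigned when the group's useraccountcontrol is non-empty and is never reset, so a group with codes followed by a group without them leaves the second group filtered by the first group's codes (the `is_array($valid_account_codes)` test at the bottom of the member loop still passes). Replace the `if` with an unconditional assignment, `$valid_account_codes = ($group['useraccountcontrol'] != "") ? explode(",", $group['useraccountcontrol']) : null;`. Separately, the new `if (empty($members))` branch clears the group's stored user list and bumps `$apply_config` whenever nothing came back, which is also what a failed `ldap_search()` in get_ldap_members yields since its result is not checked there, so a transient directory error would wipe a group's membership and trigger a config write and sync; only clear when the lookup itself reported success. `preg_match("/cn/",$server['username'])` also matches any username that merely contains `cn` and should be `preg_match("/^cn=/i", $server['username'])`. The group loop opened at the top of this hunk is closed in the next hunk.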
@@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -88,7 +88,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> @@ -109,7 +109,8 @@ <columnitem> <fielddescr>username</fielddescr> <fieldname>username</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -132,7 +133,7 @@ </field> <field> <fielddescr>Username</fielddescr> - <description><![CDATA[Username Example:<strong>cn=antispam,cn=Users</strong>]]></description> + <description><![CDATA[Username Example:<strong>cn=antispam,cn=Users OR username@mysite.com</strong>]]></description> <fieldname>username</fieldname> <type>input</type> <size>25</size> diff --git a/config/dansguardian/dansguardian_limits.xml b/config/dansguardian/dansguardian_limits.xml index 4974bc7d..2c147f1b 100644 --- a/config/dansguardian/dansguardian_limits.xml +++ b/config/dansguardian/dansguardian_limits.xml @@ -9,7 +9,7 @@ /* dansguardian_limits.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ 
@@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -65,8 +65,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -89,7 +89,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> @@ -107,7 +107,7 @@ <fieldname>maxuploadsize</fieldname> <type>input</type> <size>10</size> - <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kibibytes after MIME encoding and header bumph<br> + <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kilobytes after MIME encoding and header bump<br> use 0 for a complete block<br> use higher (e.g. 512 = 512Kbytes) for limiting<br> use -1 for no blocking(default)]]></description> diff --git a/config/dansguardian/dansguardian_log.xml b/config/dansguardian/dansguardian_log.xml index a9b9d0e9..88281dff 100644 --- a/config/dansguardian/dansguardian_log.xml +++ b/config/dansguardian/dansguardian_log.xml 
@@ -9,7 +9,7 @@ /* dansguardian_log.xml part of the Dansguardian package for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -64,8 +64,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -89,7 +89,7 @@ <active/> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> diff --git a/config/dansguardian/dansguardian_phrase_acl.xml b/config/dansguardian/dansguardian_phrase_acl.xml index 74448bee..c32f7720 100755 --- a/config/dansguardian/dansguardian_phrase_acl.xml +++ b/config/dansguardian/dansguardian_phrase_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_phrase_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + 
<text>Extension Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Access List Descriptions</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_pics_acl.xml b/config/dansguardian/dansguardian_pics_acl.xml index bda76a50..c2f4b52c 100644 --- a/config/dansguardian/dansguardian_pics_acl.xml +++ b/config/dansguardian/dansguardian_pics_acl.xml @@ -9,7 +9,7 @@ /* dansguardian_limits.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -47,54 +47,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> <active/> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + 
<text>Extension Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -105,7 +151,8 @@ <columnitem> <fielddescr>Access List Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_search_acl.xml b/config/dansguardian/dansguardian_search_acl.xml index 86ef67ff..9f9cfa49 100755 --- a/config/dansguardian/dansguardian_search_acl.xml +++ b/config/dansguardian/dansguardian_search_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_search_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,55 +46,101 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + <text>Extension 
Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> - </tab> </tabs> <adddeleteeditpagefields> <columnitem> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Access List Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_site_acl.xml b/config/dansguardian/dansguardian_site_acl.xml index fcddfea6..7804d9f6 100755 --- a/config/dansguardian/dansguardian_site_acl.xml +++ b/config/dansguardian/dansguardian_site_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_site_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Extension</text> + 
<text>Extension Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -105,6 +151,7 @@ <fielddescr>Access List Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_sync.xml b/config/dansguardian/dansguardian_sync.xml index f91eae6a..9401253c 100755 --- a/config/dansguardian/dansguardian_sync.xml +++ b/config/dansguardian/dansguardian_sync.xml @@ -9,7 +9,7 @@ /* dansguardian_sync.xml part of the Dansguardian package for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -87,7 +87,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> <active/> </tab> @@ -104,8 +104,30 @@ <field> <fielddescr>Automatically sync dansguardian configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for dansguardian.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/dansguardian/dansguardian_url_acl.xml b/config/dansguardian/dansguardian_url_acl.xml index 556e0bab..8adf46c0 100755 
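Review bot: `synconchanges` changes from a checkbox to a select with the values `auto`/`manual`/`disabled`, but nothing in this hunk migrates what existing installs already have stored (a pfSense checkbox stores `on`), so after the upgrade the stored value matches none of the options and `<default_value>auto</default_value>` silently takes over, redirecting sync to the system backup server. If the sync code in dansguardian.inc (outside this view) does not already map the legacy value, it should treat `on` as `manual`, which is the option that preserves the old "hosts defined below" behaviour. The new `synctimeout` select would also benefit from a description that says what the number bounds, e.g. `<description>Maximum time to wait for each remote host before the sync call is abandoned.</description>`.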
--- a/config/dansguardian/dansguardian_url_acl.xml +++ b/config/dansguardian/dansguardian_url_acl.xml @@ -8,7 +8,7 @@ /* dansguardian_url_acl.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -46,54 +46,100 @@ <title>Services: Dansguardian - Access Lists</title> <include_file>/usr/local/pkg/dansguardian.inc</include_file> <tabs> - <tab> - <text>Back to Config</text> +<tab> + <text>Daemon</text> <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> </tab> <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <active/> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> + <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> <text>Pics</text> <url>/pkg.php?xml=dansguardian_pics_acl.xml&id=0</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Phrase</text> + <text>Phrase Lists</text> <url>/pkg.php?xml=dansguardian_phrase_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Site</text> + <text>Site Lists</text> <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>URL</text> + <text>URL Lists</text> <url>/pkg.php?xml=dansguardian_url_acl.xml</url> + <tab_level>2</tab_level> <active/> </tab> <tab> - <text>Extension</text> + 
<text>Extension Lists</text> <url>/pkg.php?xml=dansguardian_file_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> - <text>Content</text> + <text>Content Lists</text> <url>/pkg.php?xml=dansguardian_content_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Header</text> <url>/pkg.php?xml=dansguardian_header_acl.xml</url> + <tab_level>2</tab_level> </tab> <tab> <text>Searche Engine</text> <url>/pkg.php?xml=dansguardian_search_acl.xml</url> - </tab> - <tab> - <text>Groups</text> - <url>/pkg.php?xml=dansguardian_groups.xml</url> - </tab> - <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <tab_level>2</tab_level> </tab> </tabs> <adddeleteeditpagefields> @@ -104,7 +150,8 @@ <columnitem> <fielddescr>Access List Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> diff --git a/config/dansguardian/dansguardian_users_footer.xml b/config/dansguardian/dansguardian_users_footer.template index 1288b919..1288b919 100644 --- a/config/dansguardian/dansguardian_users_footer.xml +++ b/config/dansguardian/dansguardian_users_footer.template diff --git a/config/dansguardian/dansguardian_users_header.xml b/config/dansguardian/dansguardian_users_header.template index 1f15a610..1cc038d5 100644 --- a/config/dansguardian/dansguardian_users_header.xml +++ b/config/dansguardian/dansguardian_users_header.template @@ -9,7 +9,7 @@ /* dansguardian_users.xml part of the dansguardian for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ 
@@ -18,7 +18,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_antivirus_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -88,7 +88,7 @@ <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> </tab> <tab> diff --git a/config/dansguardian/dansguardian_users_header.xml.template b/config/dansguardian/dansguardian_users_header.xml.template new file mode 100644 index 00000000..1cc038d5 --- /dev/null +++ b/config/dansguardian/dansguardian_users_header.xml.template 
@@ -0,0 +1,99 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + dansguardian_users.xml + part of the dansguardian for pfSense + Copyright (C) 2012-2013 Marcello Coutinho + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>dansguardianusers</name> + <version>1.0</version> + <title>Services: Dansguardian</title> + <include_file>/usr/local/pkg/dansguardian.inc</include_file> + <tabs><tab> + <text>Daemon</text> + <url>/pkg_edit.php?xml=dansguardian.xml&id=0</url> + </tab> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=dansguardian_config.xml&id=0</url> + </tab> + <tab> + <text>Limits</text> + <url>/pkg_edit.php?xml=dansguardian_limits.xml&id=0</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg.php?xml=dansguardian_ldap.xml</url> + </tab> + <tab> + <text>Groups</text> + <url>/pkg.php?xml=dansguardian_groups.xml</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg_edit.php?xml=dansguardian_users.xml</url> + <active/> + </tab> + <tab> + <text>IPs</text> + <url>/pkg_edit.php?xml=dansguardian_ips.xml</url> + </tab> + <tab> + <text>Report and log</text> + <url>/pkg_edit.php?xml=dansguardian_log.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=dansguardian_sync.xml&id=0</url> + </tab> + <tab> + <text>Help</text> + <url>/dansguardian_about.php</url> + </tab> +</tabs> + <fields> diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template index cfc9645e..96b2b1b9 100644 --- a/config/dansguardian/dansguardianfx.conf.template +++ b/config/dansguardian/dansguardianfx.conf.template 
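Review bot: This new file has the same blob id (`1cc038d5`) as the rename target `config/dansguardian/dansguardian_users_header.template` in the previous section, so the commit leaves two identical copies of the users-page header under two names. Whichever one dansguardian.inc assembles `dansguardian_users.xml` from (outside this view) is the one to keep; the other will silently go stale the next time the tab list changes, and this commit already had to repeat the same tab edits across every ACL page. The `<description>Describe your package here</description>` and `<requirements>` lines are also still the scaffold placeholders and should describe the users page.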
@@ -29,7 +29,7 @@ */ $dgf= <<<EOF -# DansGuardian filter group config file for version 2.12.0.0 +# DansGuardian filter group config file for version 2.12.0 # Filter group mode @@ -198,6 +198,7 @@ categorydisplaythreshold = {$dansguardian_groups['categorydisplaythreshold']} # WARNING: This option is highly CPU intensive! embeddedurlweight = {$dansguardian_groups['embeddedurlweight']} +maxuploadsize = {$dansguardian_groups['maxuploadsize']} # Enable PICS rating support # # Defaults to disabled @@ -370,13 +371,13 @@ deepurlanalysis = {$dansguardian_groups['deepurlanalysis']} #SSL certificate checking # Check that ssl certificates for servers on https connections are valid # and signed by a ca in the configured path -sslcertcheck = {$dansguardian_groups['sslcertcheck']} +sslcheckcert = {$dansguardian_groups['sslcheckcert']} #SSL man in the middle # Forge ssl certificates for all sites, decrypt the data then re encrypt it # using a different private key. Used to filter ssl sites sslmitm = {$dansguardian_groups['sslmitm']} -#mitmkey = '{$dansguardian_groups['mitmkey']}' +{$dansguardian_groups['mitmkey']} EOF; diff --git a/config/dashboard/dashboard.xml b/config/dashboard/dashboard.xml index 7177eed6..c09a2eda 100644 --- a/config/dashboard/dashboard.xml +++ b/config/dashboard/dashboard.xml @@ -57,7 +57,7 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/dashboard/binaries/widgets.tgz</item> + <item>http://files.pfsense.org/packages/widgets.tgz</item> </additional_files_needed> <custom_php_install_command> dashboard_install(); diff --git a/config/dnsblacklist/dnsblacklist.xml b/config/dnsblacklist/dnsblacklist.xml index 1b7c29e5..52c59b35 100644 --- a/config/dnsblacklist/dnsblacklist.xml +++ b/config/dnsblacklist/dnsblacklist.xml 
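Review bot: The rewritten last line of the `@@ -370` hunk emits `{$dansguardian_groups['mitmkey']}` verbatim as a whole line of the generated filter-group config, which silently changes the contract of that key: it must now hold the complete `mitmkey = ...` directive (or an empty string) rather than a bare path, and whatever fills `$dansguardian_groups` outside this file has to match, as it must for the `sslcertcheck` → `sslcheckcert` rename just above and the new `maxuploadsize` key in the `@@ -198` hunk. Because this is a heredoc, a key the builder forgets produces a PHP undefined-index notice and an empty directive (`maxuploadsize = `), which DansGuardian may refuse at startup, so the builder should guarantee every key exists. A comment above the interpolation, `# mitmkey line is generated by dansguardian.inc (full directive or blank)`, would record the new expectation for the next maintainer.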
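Review bot: The new `<item>` URL still fetches `widgets.tgz` over plain `http://` with nothing in the hunk that checks what was downloaded, so the integrity of an archive unpacked under `/usr/local/pkg/` rests entirely on the network path; the same applies to `blacklists.tar.gz` in the `config/dnsblacklist/dnsblacklist.xml` hunk that follows. If the package framework does not already verify these fetches, pinning a checksum next to the URL (or serving over HTTPS) is the usual fix. Unrelated to this change but visible in the context, `<chmod>077</chmod>` looks like a typo for the `0755` used in the dnsblacklist hunk.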
@@ -77,7 +77,7 @@ <additional_files_needed> <prefix>/tmp/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/dnsblacklist/blacklists.tar.gz</item> + <item>http://files.pfsense.org/packages/blacklists.tar.gz</item> </additional_files_needed> <fields> <field> diff --git a/config/filemgr/file_manager.tmp b/config/filemgr/file_manager.tmp index 93d44a84..8c5ee1c5 100644 --- a/config/filemgr/file_manager.tmp +++ b/config/filemgr/file_manager.tmp @@ -2,9 +2,12 @@ include "rbfminc/config.php"; //include "rbfminc/session.php"; require_once('config.inc'); - require("guiconfig.inc"); - include("head.inc"); - global $config; +require("guiconfig.inc"); + +$closehead = false; +include("head.inc"); + +global $config; if('ok' == 'ok'){ set_time_limit(1800); //30 min include "rbfminc/functions.php"; @@ -155,28 +158,22 @@ if('ok' == 'ok'){ } closedir($handle); }else{ - $error = "<h1 style='color:red' align='center'>Invalid directory</h1>"; + $error = "<h1 style=\"color:red\" align=\"center\">Invalid directory</h1>"; } - $container .= " -<table border=\"0\" cellspacing=\"1\" cellpadding=\"1\" class=\"list\" width=\"100%\"> +<table border=\"0\" cellspacing=\"1\" cellpadding=\"1\" class=\"list\" width=\"100%\" summary=\"file manager\"> <tr> - <th style='padding:0;width:18px'> </th> + <th style=\"padding:0;width:18px\"> </th> <th>Name</th> - <!--<th> </th>--> - <th> </th> - <th> </th> - <th> </th> - <th> </th> - <th> </th> + <th colspan=\"5\"> </th> <th>Ext.</th> <th>Size</th> <th>Date</th> <th>Attributes</th> </tr> <tr> - <td style='padding:0;width:18px' title=\"UP one level\"><img width='16' height='16' src='rbfmimg/folder.png' alt='F'{$up_one_level} /></td> + <td style=\"padding:0;width:18px\" title=\"UP one level\"><img width=\"16\" height=\"16\" src=\"rbfmimg/folder.png\" alt=\"F\" {$up_one_level} /></td> <td colspan=\"11\"><b title=\"UP one level\"{$up_one_level}>[..]</b></td> </tr> "; 
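Review bot: `$closehead = false;` before `include("head.inc")` asks head.inc to leave `<head>` open, yet the `@@ -466` hunk later in this file removes the whole old head block (including the `rbfminc/file_editor_style.css` stylesheet link) and goes straight to `<body>` with nothing emitting `</head>`. If head.inc really honours that flag, the page now has an unclosed head and no stylesheet; either restore `<link href="rbfminc/file_editor_style.css" rel="stylesheet" type="text/css" />` followed by `</head>` right before `<body>`, or drop the `$closehead = false;` line. The `if('ok' == 'ok'){` guard shown in the hunk context is always true and deserves a comment or removal; its block ends outside this hunk.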
@@ -195,40 +192,40 @@ if('ok' == 'ok'){ $fileperms = GetFilePerms($current_folder.$v); if($url_path){ - $browser = "<a href='{$url_path}{$v}' target='_blank'><img src='rbfmimg/ico_open_as_web.png' border='0' width='16' height='16' alt='W' title='Open as web page' /></a>"; + $browser = "<a href=\"{$url_path}{$v}\" target=\"_blank\"><img src=\"rbfmimg/ico_open_as_web.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"W\" title=\"Open as web page\" /></a>"; if($url_field){ - $use_url = "<img src='rbfmimg/ico_use_file.png' border='0' width='16' height='16' alt='U' title='Use URL ({$url_path}{$v})' onclick=\"window.opener.document.getElementById('{$url_field}').value='{$url_path}{$v}'; window.close()\" style='cursor: pointer' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL ({$url_path}{$v})\" onclick=\"window.opener.document.getElementById('{$url_field}').value='{$url_path}{$v}'; window.close()\" style=\"cursor: pointer\" />"; }else{ - $use_url = "<img src='rbfmimg/ico_use_file_inactive.png' border='0' width='16' height='16' alt='U' title='Use URL (Inactive!!!)' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file_inactive.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL (Inactive!!!)\" />"; } }else{ $browser = " "; - $use_url = "<img src='rbfmimg/ico_use_file_inactive.png' border='0' width='16' height='16' alt='U' title='Use URL (Inactive!!!)' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file_inactive.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL (Inactive!!!)\" />"; } $container .= " <tr> - <td style='padding:0;width:18px'> - <img width='16' height='16' - src='rbfmimg/folder.png' - alt='Folder' + <td style=\"padding:0;width:18px\"> + <img width=\"16\" height=\"16\" + src=\"rbfmimg/folder.png\" + alt=\"Folder\" ondblclick=\"document.location='{$_SERVER['PHP_SELF']}?p=".urlencode($current_folder.$vf)."'\" /> </td> <td> - <div 
style='padding-top:2px;' - id='f{$id}' + <div style=\"padding-top:2px;\" + id=\"f{$id}\" ondblclick=\"document.location='{$_SERVER['PHP_SELF']}?p=".urlencode($current_folder.$vf)."'\" > {$v} </div> <form - class='rename_field' - id='r{$id}' - name=\"form{$id}\" + class=\"rename_field\" + id=\"r{$id}\" + name=\"r{$id}\" method=\"post\" action=\"rbfminc/rename.php\" target=\"results\" @@ -239,11 +236,11 @@ if('ok' == 'ok'){ > <input - class='input_name rename_input' + class=\"input_name rename_input\" name=\"n\" - type='text' - value='{$v}' - id='rf{$id}' + type=\"text\" + value=\"{$v}\" + id=\"rf{$id}\" onblur=\" document.form{$id}.submit(); document.getElementById('f{$id}').style.display = 'block'; @@ -256,16 +253,16 @@ if('ok' == 'ok'){ <input name=\"cf\" type=\"hidden\" value=\"{$current_folder}\" /> <input name=\"o\" type=\"hidden\" value=\"{$v}\" /> <input name=\"t\" type=\"hidden\" value=\"d\" /> - <input name=\"submitS\" type=\"submit\" value=\"submitS\" style='display: none; width:0;height:0' onsubmit=\"this.n.blur(); return false\" /> + <input name=\"submitS\" type=\"submit\" value=\"submitS\" style='display: none; width:0;height:0' /> </form> </td> <!--<td>{$use_url}</td>--> <td>{$browser}</td> <td> </td> <td> - <img width='16' height='16' - src='rbfmimg/ico_rename.png' - alt='Rename' title='Rename' + <img width=\"16\" height=\"16\" + src=\"rbfmimg/ico_rename.png\" + alt=\"Rename\" title=\"Rename\" onclick=\" document.getElementById('r{$id}').style.display = 'block'; document.getElementById('f{$id}').style.display = 'none'; 
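Review bot: The requoted markup in this hunk still interpolates `$v` (the entry name from readdir) and `$_SERVER['PHP_SELF']` unescaped into attribute values and element bodies — `value=\"{$v}\"`, `title=\"Use URL ({$url_path}{$v})\"`, the `ondblclick` handlers — so a name containing a quote, `<` or `&` breaks the HTML, and the same pattern repeats in the `@@ -239`, `@@ -276`, `@@ -357`, `@@ -395` and `@@ -434` hunks (where `$v` also lands inside a JavaScript string literal in `confirm('Delete file "{$v}"?')`). Changing the quote style is the moment to escape: compute `$hv = htmlspecialchars($v, ENT_QUOTES, 'UTF-8');` once per iteration and use `{$hv}` in the HTML, keep `urlencode()` (already used) for the query strings, and pass text embedded in the inline handlers through `json_encode()` before escaping it for the attribute. `$_SERVER['PHP_SELF']` should likewise be passed through `htmlspecialchars()` or replaced by the fixed script name used elsewhere in this file. The enclosing `if('ok' == 'ok'){` block begins and ends outside this hunk.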
@@ -276,25 +273,25 @@ if('ok' == 'ok'){ </td> <td> </td> <td> - <img width='16' height='16' - src='rbfmimg/ico_delete.png' - alt='D' - title='Delete' + <img width=\"16\" height=\"16\" + src=\"rbfmimg/ico_delete.png\" + alt=\"D\" + title=\"Delete\" onclick=\" if( - confirm('Delete folder "{$v}"?') && - confirm('You cannot undo this operation!!!') && + confirm('Delete folder "{$v}"?') && + confirm('You cannot undo this operation!!!') && confirm('To delete this folder "{$v}" press OK\\nTo cancel this operation press CANCEL') ){ - document.location = 'file_manager.php?p=".urlencode($current_folder)."&do=delete&file=".urlencode($v)."&type=directory' + document.location = 'file_manager.php?p=".urlencode($current_folder)."&do=delete&file=".urlencode($v)."&type=directory' } \" /> </td> - <td class='srow'> </td> + <td class=\"srow\"> </td> <td><b><DIR></b></td> - <td class='srow'>{$last_updated_time}</td> - <td class='fileperms'>{$fileperms}</td> + <td class=\"srow\">{$last_updated_time}</td> + <td class=\"fileperms\">{$fileperms}</td> </tr> "; $id++; @@ -349,7 +346,7 @@ if('ok' == 'ok'){ $extension == 'css' or $extension == 'CSS' ){ - $edit_file_content = "<a href='file_manager.php?p=".urlencode($current_folder)."&f=".urlencode($v)."&do=edit#file_edit'><img width='16' height='16' src='rbfmimg/ico_script_edit.png' alt='Edit' title='View/Edit' border='0' /></a>"; + $edit_file_content = "<a href=\"file_manager.php?p=".urlencode($current_folder)."&f=".urlencode($v)."&do=edit#file_edit\"><img width=\"16\" height=\"16\" src=\"rbfmimg/ico_script_edit.png\" alt=\"Edit\" title=\"View/Edit\" border=\"0\" /></a>"; }else{ $edit_file_content = " "; } 
@@ -357,35 +354,35 @@ if('ok' == 'ok'){ $fileperms = GetFilePerms($current_folder.$v); if($url_path){ - $browser = "<a href='{$url_path}{$v}' target='_blank'><img src='rbfmimg/ico_open_as_web.png' border='0' width='16' height='16' alt='W' title='Open as web page' /></a>"; + $browser = "<a href=\"{$url_path}{$v}\" target=\"_blank\"><img src=\"rbfmimg/ico_open_as_web.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"W\" title=\"Open as web page\" /></a>"; if($url_field){ - $use_url = "<img src='rbfmimg/ico_use_file.png' border='0' width='16' height='16' alt='U' title='Use URL ({$url_path}{$v})' onclick=\"window.opener.document.getElementById('{$url_field}').value='{$url_path}{$v}'; window.close()\" style='cursor: pointer' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL ({$url_path}{$v})\" onclick=\"window.opener.document.getElementById('{$url_field}').value='{$url_path}{$v}'; window.close()\" style=\"cursor: pointer\" />"; }else{ - $use_url = "<img src='rbfmimg/ico_use_file_inactive.png' border='0' width='16' height='16' alt='U' title='Use URL (Inactive!!!)' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file_inactive.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL (Inactive!!!)\" />"; } }else{ $browser = " "; - $use_url = "<img src='rbfmimg/ico_use_file_inactive.png' border='0' width='16' height='16' alt='U' title='Use URL (Inactive!!!)' />"; + $use_url = "<img src=\"rbfmimg/ico_use_file_inactive.png\" border=\"0\" width=\"16\" height=\"16\" alt=\"U\" title=\"Use URL (Inactive!!!)\" />"; } $container .= " <tr> - <td style='padding:0;width:18px'> - <img width='16' height='16' src='rbfmimg/{$file_image}' alt='File' ondblclick=\"document.location = 'rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."'\" /> + <td style=\"padding:0;width:18px\"> + <img width=\"16\" height=\"16\" src=\"rbfmimg/{$file_image}\" alt=\"File\" 
ondblclick=\"document.location = 'rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."'\" /> </td> <td> - <div style='padding-top:2px;' - id='f{$id}' - ondblclick=\"document.location = 'rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."'\" + <div style=\"padding-top:2px;\" + id=\"f{$id}\" + ondblclick=\"document.location = 'rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."'\" > {$v} </div> <form - class='rename_field' - id='r{$id}' - name=\"form{$id}\" + class=\"rename_field\" + id=\"r{$id}\" + name=\"r{$id}\" method=\"post\" action=\"rbfminc/rename.php\" target=\"results\" @@ -395,11 +392,11 @@ if('ok' == 'ok'){ <input name=\"o\" type=\"hidden\" value=\"{$v}\" /> <input name=\"t\" type=\"hidden\" value=\"f\" /> <input - class='input_name' + class=\"input_name\" name=\"n\" - type='text' - value='{$v}' - id='rf{$id}' + type=\"text\" + value=\"{$v}\" + id=\"rf{$id}\" onblur=\" document.form{$id}.submit(); document.getElementById('f{$id}').style.display = 'block'; 
@@ -408,24 +405,24 @@ if('ok' == 'ok'){ document.form{$id}.o.value = this.value; \" /> - <input name=\"submitS\" type=\"submit\" value=\"submitS\" style='display: none; width:0;height:0' onsubmit=\"this.n.blur(); return false\" /> + <input name=\"submitS\" type=\"submit\" value=\"submitS\" style=\"display: none; width:0;height:0\" /> </form> </td> <!--<td>{$use_url}</td>--> <td>{$browser}</td> <td> - <a href='rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."'><img width='16' height='16' - src='rbfmimg/ico_download.png' - alt='Download' - title='Download' - border='0' + <a href=\"rbfminc/download.php?p=".urlencode($current_folder)."&file_name=".urlencode($v)."\"><img width=\"16\" height=\"16\" + src=\"rbfmimg/ico_download.png\" + alt=\"Download\" + title=\"Download\" + border=\"0\" /></a> </td> <td> - <img width='16' height='16' - src='rbfmimg/ico_rename.png' - alt='Rename' - title='Rename' + <img width=\"16\" height=\"16\" + src=\"rbfmimg/ico_rename.png\" + alt=\"Rename\" + title=\"Rename\" onclick=\"document.getElementById('f{$id}').style.display = 'none'; document.getElementById('r{$id}').style.display = 'block'; document.getElementById('rf{$id}').focus(); 
@@ -434,25 +431,25 @@ if('ok' == 'ok'){ </td> <td>{$edit_file_content}</td> <td> - <img width='16' height='16' - src='rbfmimg/ico_delete.png' - alt='D' - title='Delete' + <img width=\"16\" height=\"16\" + src=\"rbfmimg/ico_delete.png\" + alt=\"D\" + title=\"Delete\" onclick=\" if( - confirm('Delete file "{$v}"?') && - confirm('You cannot undo this operation!!!') && + confirm('Delete file "{$v}"?') && + confirm('You cannot undo this operation!!!') && confirm('To delete this file "{$v}" press OK\\nTo cancel this operation press CANCEL') ){ - document.location = 'file_manager.php?p=".urlencode($current_folder)."&do=delete&file=".urlencode($v)."&type=file' + document.location = 'file_manager.php?p=".urlencode($current_folder)."&do=delete&file=".urlencode($v)."&type=file' } \" /> </td> - <td class='srow'>{$extension}</td> + <td class=\"srow\">{$extension}</td> <td>{$file_size}</td> - <td class='srow'>{$last_updated_time}</td> - <td class='fileperms'>{$fileperms}</td> + <td class=\"srow\">{$last_updated_time}</td> + <td class=\"fileperms\">{$fileperms}</td> </tr> "; $id++; 
@@ -466,28 +463,24 @@ if('ok' == 'ok'){ ?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"> - -<head> -<?php include("fbegin.inc"); ?> -<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> -<title>File editor</title> - <link href="rbfminc/file_editor_style.css" rel="stylesheet" type="text/css" /> - </head> + <body> + + +<?php include("fbegin.inc"); ?> + <?php echo $security_issues; ?> <div class="file_editor"> <div class="header"> </div> <form id="path" name="path" method="get" action="" class="path"> - <input type="text" name="p" id="location" value="<?php echo $current_folder; ?>" /> - <img src="rbfmimg/go.png" name="go" width="35" height="18" id="go" alt="go" title="go" /> + <input name="p" type="text" id="location" value="<?php echo $current_folder; ?>" /> + <input name="go" type="image" id="go" value="Go" src="rbfmimg/go.png" style="width:35;height:18" /> </form> - <div class="url_path">URL path: <a href='<?php echo $url_path; ?>' target="_blank"><?php echo $url_path; ?></a></div> + <div class="url_path"><br />URL path: <a href="/<?php echo $url_path; ?>" target="_blank"><?php echo $url_path; ?></a></div> <div class="container"> <?php echo $container; ?> <?php echo $error; ?> </div> <form action="" method="post" enctype="multipart/form-data" name="form_upload" id="form_upload" class="form_upload"> Upload a file in current folder: 
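Review bot: The new URL-path line builds `href="/<?php echo $url_path; ?>"` while the `@@ -195` and `@@ -357` hunks build links as `{$url_path}{$v}` with no leading slash; if `$url_path` already starts with `/` this becomes `//…`, which browsers read as a scheme-relative URL to another host, and if it does not, the two forms point at different paths. Decide once how `$url_path` is normalised and use that form everywhere. `$url_path` is also echoed raw into both the attribute and the link text; `htmlspecialchars($url_path, ENT_QUOTES, 'UTF-8')` at both echoes keeps the markup intact. The enclosing `if('ok' == 'ok'){` block ends outside this hunk.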
@@ -498,26 +491,26 @@ if('ok' == 'ok'){ <input type="submit" name="upload" id="upload" value="Upload" /> <input name="upload_file" type="hidden" id="upload_file" value="upload_file" /> </form> - <form action="" method="post" enctype="multipart/form-data" name="form_upload" id="form_upload" class="form_upload"> - Create new folder here; Folder name: - <input name="folder_name" type="text" style="width:290px" /> + <form action="" method="post" enctype="multipart/form-data" name="form_create" id="form_create" class="form_create"> + Create new folder here; Folder name: + <input name="folder_name" type="text" style="width:290" /> <input type="submit" name="create_folder" id="create_folder" value="Create folder" /> </form> - <iframe name="results", frameborder="0" scrolling="auto" class='results'></iframe> - <div align="center" style="margin-top:5px"> [ <img src="rbfmimg/ico_open_as_web.png" width="16" height="16" align="middle" /> OPEN IN BROWSER ] - [ <img src="rbfmimg/ico_download.png" width="16" height="16" align="middle" /> DOWNLOAD ] - [ <img src="rbfmimg/ico_rename.png" width="16" height="16" align="middle" /> RENAME ] - [ <img src="rbfmimg/ico_script_edit.png" width="16" height="16" align="middle" /> VIEW/EDIT ] - [ <img src="rbfmimg/ico_delete.png" width="16" height="16" align="middle" /> DELETE ] </div> + <iframe name="results" frameborder="0" scrolling="auto" class='results'></iframe> + <div align="center" style="margin-top:5px"> [ <img src="rbfmimg/ico_open_as_web.png" width="16" height="16" align="middle" alt="open" /> OPEN IN BROWSER ] + [ <img src="rbfmimg/ico_download.png" width="16" height="16" align="middle" alt="download" /> DOWNLOAD ] + [ <img src="rbfmimg/ico_rename.png" width="16" height="16" align="middle" alt="rename" /> RENAME ] + [ <img src="rbfmimg/ico_script_edit.png" width="16" height="16" align="middle" alt="view" /> VIEW/EDIT ] + [ <img src="rbfmimg/ico_delete.png" width="16" height="16" align="middle" alt="delete" /> DELETE ] </div> <?php 
if($_GET['do'] == 'edit'){ $file_content = file_get_contents($current_folder.$_GET['f']); echo " <form id=\"form_edit\" name=\"form_edit\" method=\"post\" action=\"\" style='width: 670px;margin: 10px auto 0;border-top: 1px #999999 solid'> - <a name='file_edit'></a> + <a name=\"file_edit\"></a> File: <b>{$current_folder}{$_GET['f']}</b><br /> - <textarea name=\"file_content\" id=\"file_content\" cols=\"\" rows=\"\" style='width: 99%; height: 400px'>".htmlentities ($file_content)."</textarea><br /> + <textarea name=\"file_content\" id=\"file_content\" cols=\"1\" rows=\"1\" style=\"width: 99%; height: 400px\">".htmlentities ($file_content)."</textarea><br /> <input name=\"save\" type=\"submit\" value=\"Save\" /> <input name=\"close\" type=\"button\" value=\"Close file editor\" onclick=\"document.location = 'file_manager.php?f=".urlencode($current_folder)."'\" /> <input name=\"save_file\" type=\"hidden\" value=\"save_file\" /> @@ -532,15 +525,19 @@ if('ok' == 'ok'){ <?php if($alert_info){ echo " -<script language=\"javascript\"> +<script type=\"text/javascript\"> +//<![CDATA[ alert('{$alert_info}'); +//]]> </script> "; } if($redirect){ echo " -<script language=\"javascript\"> +<script type=\"text/javascript\"> +//<![CDATA[ document.location = '{$redirect}'; +//]]> </script> "; } @@ -551,12 +548,14 @@ if($redirect){ <?php }else{ ?> -<html xmlns="http://www.w3.org/1999/xhtml"> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Login</title> <style type="text/css"> -<!-- +/*<![CDATA[*/ body,td,th,input { font-family: Arial, Helvetica, sans-serif; font-size: 12px; 
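Review bot: The file-editor form in this hunk still reads `$_GET['f']` straight into `file_get_contents($current_folder.$_GET['f'])` and echoes `{$current_folder}{$_GET['f']}` into the page unescaped; only the textarea contents go through `htmlentities()`. Constrain the requested name to a plain entry of the current folder before using it, for example `$f = basename($_GET['f']);` followed by a bail-out unless `is_file($current_folder.$f)`, and show it with `htmlspecialchars()`. The close button navigates to `file_manager.php?f=…` with the folder, although every other navigation in this file passes the folder as `?p=…`, so it likely lands on the wrong view. The new `style="width:290"` also dropped the `px` unit the old line had, which CSS ignores. The enclosing `if('ok' == 'ok'){` block begins and ends outside this hunk.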
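Review bot: `$alert_info` and `$redirect` are dropped into single-quoted JavaScript string literals inside the new CDATA-wrapped `<script>` blocks, and the hunk changes only the script tags, not the quoting, so a value containing `'` or a newline no longer forms a valid literal. Emit them with `json_encode()` instead, `alert(".json_encode($alert_info).");` and `document.location = ".json_encode($redirect).";`, which yields a valid literal for any content. Where these two variables are assigned is outside this hunk, so whether they can carry user-supplied text needs confirming. The enclosing `if('ok' == 'ok'){` block begins and ends outside this hunk.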
@@ -564,13 +563,13 @@ body,td,th,input { body { background-color: #EEEEEE; } ---> +/*]]>*/ </style></head> <body><br /><br /><br /><br /> <div class="login"> <div style="color:red" align="center"><?php echo $error_message; ?></div> <form id="login_form" name="login_form" method="post" action=""> - <table border="0" align="center" cellpadding="4" cellspacing="0" bgcolor="#FFFFFF" style="border:1px solid #999999; padding:10px"> + <table border="0" align="center" cellpadding="4" cellspacing="0" bgcolor="#FFFFFF" style="border:1px solid #999999; padding:10px" summary="login"> <tr> <td align="right">Username:</td> <td><input type="text" name="username" id="username" class="login_input" style="width:230px" /></td> @@ -593,4 +592,4 @@ body { <?php } -?>
\ No newline at end of file +?> diff --git a/config/filemgr/filemgr.xml b/config/filemgr/filemgr.xml index ec95a3c8..57f0e1f9 100644 --- a/config/filemgr/filemgr.xml +++ b/config/filemgr/filemgr.xml @@ -31,7 +31,7 @@ <requirements>none</requirements> <faq>http://forum.pfsense.org/index.php/topic,26974.0.html</faq> <name>File Manager</name> - <version>0.1.1</version> + <version>0.1.2</version> <title>Settings</title> <include_file>/usr/local/pkg/filemgr.inc</include_file> <menu> diff --git a/config/filemgr/index.tmp b/config/filemgr/index.tmp index 7c768af6..47092a0c 100644 --- a/config/filemgr/index.tmp +++ b/config/filemgr/index.tmp @@ -1,11 +1,11 @@ <html> -<HEAD> -<SCRIPT language="JavaScript"> -<!-- +<head> +<SCRIPT type="text/javascript"> +//<![CDATA[ window.parent.location="../../index.php"; -//--> +//]]> </SCRIPT> -</HEAD> +</head> </html>
\ No newline at end of file diff --git a/config/filemgr/rbfminc/config.tmp b/config/filemgr/rbfminc/config.tmp index 47a7563a..405514f8 100644 --- a/config/filemgr/rbfminc/config.tmp +++ b/config/filemgr/rbfminc/config.tmp @@ -89,7 +89,7 @@ if( !get_magic_quotes_gpc() ){ //END Protect against GLOBALS tricks /***********************************/ //if($username == 'admin' and $password == 'admin'){ - //$security_issues = "<div align='center' style='color: red;'><b>Security issue</b>: Please change your username or password</div>"; + //$security_issues = "<div align=\"center\" style=\"color: red;\"><b>Security issue</b>: Please change your username or password</div>"; //} $security_issues = "<br />"; -?>
\ No newline at end of file +?> diff --git a/config/filemgr/rbfminc/rename.tmp b/config/filemgr/rbfminc/rename.tmp index 6d56c449..285e19d1 100644 --- a/config/filemgr/rbfminc/rename.tmp +++ b/config/filemgr/rbfminc/rename.tmp @@ -11,7 +11,8 @@ if($user_login == 'ok'){ <title>Rename</title> </head> <body> -<script language="javascript"> +<script type="text/javascript"> +//<![CDATA[ <? //print_r($_POST); if($_POST['o'] != $_POST['n']){ @@ -30,6 +31,7 @@ if($_POST['o'] != $_POST['n']){ } ?> +//]]> </script> </body> </html> diff --git a/config/filemgr/rbfminc/session.tmp b/config/filemgr/rbfminc/session.tmp index 8f3a666e..7cfc133d 100644 --- a/config/filemgr/rbfminc/session.tmp +++ b/config/filemgr/rbfminc/session.tmp @@ -29,4 +29,4 @@ if($_SESSION['username'] and $_SESSION['password']){ } } -?>
\ No newline at end of file +?> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 2a6594f7..bf48dd06 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -4,7 +4,8 @@ /* freeradius.inc part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -47,16 +48,24 @@ require_once("services.inc"); // Check pfSense version $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -switch ($pfs_version) { - case "1.2": - case "2.0": - define('FREERADIUS_BASE', '/usr/local'); - break; - default: - define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m")); +if ($pfs_version > 2.0){ + define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m")); +} +else{ + define('FREERADIUS_BASE', '/usr/local'); } -// End: Check pfSense version +// Check freeradius lib version + $frlib=""; + $libfiles = scandir(FREERADIUS_BASE . "/lib/"); + foreach ($libfiles as $libfile){ + if (preg_match("/freeradius-/",$libfile)) + $frlib=FREERADIUS_BASE . "/lib/{$libfile}"; + } + if ($frlib == ""){ + log_error("freeRADIUS - No freeradius lib found on ".FREERADIUS_BASE."/lib"); + } + function freeradius_deinstall_command() { if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") { exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`"); @@ -68,7 +77,7 @@ function freeradius_deinstall_command() { function freeradius_install_command() { global $config; conf_mount_rw(); - + // put the constant to a variable $varFREERADIUS_BASE = FREERADIUS_BASE; 
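Review bot: `$frlib` is computed at file scope here but consumed inside `freeradius_install_command()` (hunk @@ -79,7 +88,7, `chown -R root:wheel {$frlib}`) and inside the radiusd.conf heredoc (hunk @@ -213,7 +222,7, `libdir = {$frlib}`); the only `global` statement visible for the install function is `global $config;`, so unless a `global $frlib;` exists outside these hunks both interpolations expand to an empty string, producing `chown -R root:wheel  && …` and an empty `libdir`. A small accessor avoids the file-scope global altogether, e.g. `function freeradius_get_libdir()` that performs the scan and returns the path, called from both places. `scandir()` also returns false when the lib directory is missing, and `foreach` over false emits a warning before the "No freeradius lib found" log line is reached; guard with `if (is_array($libfiles))`. Note that `preg_match("/freeradius-/",$libfile)` keeps the last matching entry, so with two versions installed the one sorting last wins.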
@@ -79,7 +88,7 @@ function freeradius_install_command() { exec("mkdir " . FREERADIUS_BASE . "/etc/raddb/scripts"); if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp"); } if (!file_exists("/var/log/radwtmp")) { exec("touch /var/log/radwtmp"); } - exec("chown -R root:wheel " . FREERADIUS_BASE . "/etc/raddb && chown -R root:wheel " . FREERADIUS_BASE . "/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct"); + exec("chown -R root:wheel " . FREERADIUS_BASE . "/etc/raddb && chown -R root:wheel {$frlib} && chown -R root:wheel /var/log/radacct"); // creating a backup file of the original policy.conf no matter if user checked this or not if (!file_exists(FREERADIUS_BASE . "/etc/raddb/policy.conf.backup")) { @@ -213,7 +222,7 @@ raddbdir = \${sysconfdir}/raddb radacctdir = \${logdir}/radacct confdir = \${raddbdir} run_dir = \${localstatedir}/run -libdir = \${exec_prefix}/lib/freeradius-2.1.12 +libdir = {$frlib} pidfile = \${run_dir}/radiusd.pid db_dir = \${raddbdir} name = radiusd @@ -390,6 +399,18 @@ if (is_array($arrusers) && !empty($arrusers)) { $varusersusername = $users['varusersusername']; $varuserspassword = $users['varuserspassword']; + + // Check password encryption + $varuserspasswordencryption = ($users['varuserspasswordencryption']?$users['varuserspasswordencryption']:'Cleartext-Password'); + switch ($varuserspasswordencryption) { + case "MD5-Password": + $varuserspassword = md5($varuserspassword); + break; + default: + $varuserspassword = $users['varuserspassword']; + } + + $varusersmotpinitsecret = $users['varusersmotpinitsecret']; $varusersmotppin = $users['varusersmotppin']; $varusersmotpoffset = ($users['varusersmotpoffset']?$users['varusersmotpoffset']:'0'); 
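Review bot: The MD5-Password branch (`$varuserspassword = md5($varuserspassword);`) hashes the password only when the users file is generated, so config.xml keeps the cleartext and the users file gets an unsalted MD5 — the option changes the check-item format, not how the secret is stored, and the "Password encryption" label in freeradius.xml overstates it. As far as I recall FreeRADIUS can only match a hashed check item against PAP requests, so CHAP/MS-CHAP clients of such a user will stop authenticating; that is worth stating in the field description. Since `$varuserspasswordencryption` is later emitted verbatim as the attribute name (hunk @@ -467,7 +495,7), the default branch should also pin it: `default: $varuserspasswordencryption = 'Cleartext-Password';` next to the existing assignment. The enclosing foreach over `$arrusers` starts and ends outside this hunk.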
@@ -420,6 +441,13 @@ if (is_array($arrusers) && !empty($arrusers)) { $varusersmaxbandwidthdown = ($users['varusersmaxbandwidthdown']?$users['varusersmaxbandwidthdown']:''); $varusersmaxbandwidthdown = $varusersmaxbandwidthdown * 1024; + // Accounting-Interim-Interval - Must not be smaller than 60 and should be bigger than 600s + if (($users['varusersacctinteriminterval'] >= '0') && ($users['varusersacctinteriminterval'] < '60')) { + $varusersacctinteriminterval = 60; + } else { + $varusersacctinteriminterval = $users['varusersacctinteriminterval']; + } + // Clear variables for next user foreach additional options TOP $varuserstopadditionaloptions = ''; $varusersadditionaloptionstop = ''; @@ -467,7 +495,7 @@ if (is_array($arrusers) && !empty($arrusers)) { } else { // Add the user attributes to each user. - $varuserscheckitem = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"'; + $varuserscheckitem = '"' . $varusersusername . '"' . " $varuserspasswordencryption := " . '"' . $varuserspassword .'"'; } } // end of check if otp is enabled @@ -530,6 +558,10 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varusersmaxbandwidthdown"; } + if ($varusersacctinteriminterval != '') { + if ($varusersreplyitem != '') { $varusersreplyitem .=","; } + $varusersreplyitem .= "\n\tAcct-Interim-Interval := $varusersacctinteriminterval"; + } if ($varuserswisprredirectionurl != '') { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } $varusersreplyitem .= "\n\tWISPr-Redirection-URL := $varuserswisprredirectionurl"; 
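Review bot: The interim-interval check compares strings (`>= '0'`, `< '60'`), so a non-numeric entry such as `abc` passes the first test, fails the second and is written verbatim into the reply item as `Acct-Interim-Interval := abc`, which is likely to make FreeRADIUS reject the whole users file; an empty field is skipped only because `'' >= '0'` happens to be false under string comparison. Normalising once makes the intent explicit: `$v = trim((string) $users['varusersacctinteriminterval']);` followed by `$varusersacctinteriminterval = ($v === '') ? '' : max(60, (int) $v);`. The freeradius.xml description promises a default of 600, but nothing here applies it — either add a `<default_value>` there or drop the claim. The MAC loop (hunk @@ -617,6 +649,15) has the same shape. The enclosing foreach over `$arrusers` starts and ends outside this hunk.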
@@ -617,6 +649,15 @@ if (is_array($arrmacs) && !empty($arrmacs)) { $varmacsmaxbandwidthdown = ($macs['varmacsmaxbandwidthdown']?$macs['varmacsmaxbandwidthdown']:''); $varmacsmaxbandwidthdown = $varmacsmaxbandwidthdown * 1024; + + // Accounting-Interim-Interval + if (($users['varmacsacctinteriminterval'] >= '0') && ($users['varmacsacctinteriminterval'] < '60')) { + $varmacsacctinteriminterval = 60; + } else { + $varmacsacctinteriminterval = $users['varmacsacctinteriminterval']; + } + + // Clear variables for next mac foreach additional options TOP $varmacstopadditionaloptions = ''; $varmacsadditionaloptionstop = ''; @@ -711,6 +752,10 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Bandwidth-Max-Down := $varmacsmaxbandwidthdown"; } + if ($varmacsacctinteriminterval != '') { + if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } + $varmacsreplyitem .= "\n\tAcct-Interim-Interval := $varmacsacctinteriminterval"; + } if ($varmacswisprredirectionurl != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } $varmacsreplyitem .= "\n\tWISPr-Redirection-URL := $varmacsswisprredirectionurl"; @@ -912,12 +957,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { if(base64_decode($ca_cert['crt'])) { + $crl_cert = lookup_crl($eapconf["ssl_ca_crl"]); + if ($crl_cert != false){ + $crl=base64_decode($crl_cert['text']); + $check_crl="check_crl = yes"; + } + else{ + $check_crl="check_crl = no"; + } file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", - base64_decode($ca_cert['crt'])); + base64_decode($ca_cert['crt']). $crl); $conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem"; } - - $svr_cert = lookup_cert($eapconf["ssl_server_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { 
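Review bot: The MAC block reads `$users['varmacsacctinteriminterval']` twice, but inside this loop the row is `$macs` (every neighbouring field uses `$macs[...]`); `$users` is either unset or the last element of the users loop, and neither carries a `varmacs*` key, so `$varmacsacctinteriminterval` is always empty and the `Acct-Interim-Interval` reply item added in hunk @@ -711,6 +752,10 is never emitted for MACs. Change both references: `if (($macs['varmacsacctinteriminterval'] >= '0') && ($macs['varmacsacctinteriminterval'] < '60')) {` and `$varmacsacctinteriminterval = $macs['varmacsacctinteriminterval'];`. The surrounding foreach over `$arrmacs` starts and ends outside this hunk.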
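Review bot: `$crl` is only assigned in the `lookup_crl()` success branch, yet it is appended unconditionally in `base64_decode($ca_cert['crt']). $crl`; initialise `$crl = '';` before the `if` so the else path does not depend on an undefined variable expanding to nothing. A CRL entry whose `text` is empty (not yet generated) still yields `check_crl = yes` with no CRL data written, which — if OpenSSL behaves as I expect — makes every EAP-TLS verification fail until the CRL exists; that fail-closed outcome is defensible but deserves a `log_error()` so the operator can tell why. Please also confirm that FreeRADIUS loads a CRL appended to the `CA_file` PEM, since its documentation describes placing CRLs in the rehashed `CA_path` directory; if it does not, `check_crl = yes` alone will reject all client certificates. `$check_crl` is likewise only set inside this branch, so with the cert manager disabled the `{$check_crl}` placeholder (hunk @@ -1019,7 +1070,7) expands to an empty line — harmless, but initialising it next to `$crl` makes that explicit. The enclosing `if ($eapconf['vareapconfchoosecertmanager'] == 'on')` block starts and ends outside this hunk.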
@@ -934,7 +985,7 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $conf['ssl_server_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem"; } - + /* Not needed anymore because pfsense can do this by default if ($eapconf['vareapconfenableclientp12'] == 'on') { $svr_cert = lookup_cert($eapconf["ssl_client_cert"]); if ($svr_cert != false) { @@ -954,7 +1005,7 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { exec("openssl pkcs12 -export -in " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem -inkey " . FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem -out " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.p12 -passout pass\:"); } - + */ $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; } @@ -1019,7 +1070,7 @@ else { random_file = \${certdir}/random fragment_size = $vareapconffragmentsize include_length = $vareapconfincludelength - # check_crl = yes + {$check_crl} CA_path = \${cadir} $vareapconfcheckcertissuer $vareapconfcheckcertcn @@ -1084,6 +1135,18 @@ function freeradius_get_ca_certs() { } // Gets started from freeradiuseapconf.xml +function freeradius_get_ca_crl() { + global $config; + $crl_arr = array(); + $crl_arr[] = array('refid' => 'none', 'descr' => 'none'); + + foreach ($config['crl'] as $crl) { + $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']); + } + return $crl_arr; +} + +// Gets started from freeradiuseapconf.xml function freeradius_get_server_certs() { global $config; $cert_arr = array(); 
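Review bot: Disabling the client.p12 export by wrapping it in `/* … */` leaves the whole block, including the `openssl pkcs12 -export … -passout pass\:` invocation, as dead code in the file (hunks @@ -934,7 +985,7 and @@ -954,7 +1005,7); since the corresponding field is also removed from freeradiuseapconf.xml, delete the block outright and let version control keep the history. If it must stay for reference, a one-line comment naming the commit that removed it says more than twenty commented-out lines.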
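Review bot: `freeradius_get_ca_crl()` iterates `$config['crl']` without checking that it is an array, so on a system with no CRL defined the select-source call emits a foreach warning while freeradiuseapconf.xml is rendered; the sibling `freeradius_get_ca_certs()` is cut off above, so I cannot tell whether it guards `$config['ca']` the same way. Wrap the loop as `if (is_array($config['crl'])) {` … `}` and keep the leading 'none' entry outside it so the page still renders.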
@@ -2458,52 +2521,75 @@ conf_mount_ro(); /* Uses XMLRPC to synchronize the changes to a remote node */ function freeradius_sync_on_changes() { global $config, $g; - $varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; - $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; - - // if checkbox is NOT checked do nothing - if(!$varsyncenablexmlrpc) { + if (is_array($config['installedpackages']['freeradiussync'])){ + $synconchanges = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; + $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; + } + else + { return; } - - log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); - - // if checkbox is checked get IP and password of the destination hosts - foreach ($config['installedpackages']['freeradiussync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - // if checkbox is NOT checked do nothing - if($sh['varsyncdestinenable']) { - $varsyncprotocol = $sh['varsyncprotocol']; - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $varsyncport = $sh['varsyncport']; - // check if all credentials are complete for this host - if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) { - freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol); + + // if checkbox is NOT checked do nothing + switch ($synconchanges){ + case "manual": + if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])){ + $rs=$config['installedpackages']['freeradiussync']['config'][0]['row']; + } + else{ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no hosts to push on FreeRADIUS config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && 
is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncdestinenable']="on"; + $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); + if (! is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config."); + return; + } + } + else{ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[FreeRADIUS]: xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); + foreach($rs as $sh){ + if($sh['varsyncdestinenable']){ + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + if($password && $sync_to_ip) + freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout); + else + log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); } else { - log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. 
No XMLRPC Sync done!"); + log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); } } - else { - log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + log_error("[FreeRADIUS]: xmlrpc sync is ending."); } - } - } - log_error("FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync)."); } /* Do the actual XMLRPC sync */ -function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol) { +function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { global $config, $g; - $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; - - if($varsynctimeout == '' || $varsynctimeout == 0) { + if($varsynctimeout == '' || $varsynctimeout == 0) $varsynctimeout = 150; - } - - // log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); if(!$password) return; @@ -2537,7 +2623,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn /* set a few variables needed for sync code borrowed from filter.inc */ $url = $synchronizetoip; - log_error("FreeRADIUS: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}."); + log_error("[FreeRADIUS]: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
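Review bot: The switch on `$synconchanges` has no case for the value the old checkbox stored: installs upgraded from the previous release still hold `on` in `varsyncenablexmlrpc` (freeradiussync.xml turns the field into a select with `auto`/`manual`/`disabled`), so they fall into `default: return;` and sync stops silently. Add `case "on": // value written by the pre-2.2.0 checkbox` directly above `case "manual":`, or at least log in the default branch; the `break;` after `return;` there is dead code. The per-host guard also shrank from `$password && $sync_to_ip && $varsyncport && $varsyncprotocol` to `$password && $sync_to_ip`, so a manual row with an empty port or protocol now reaches `freeradius_do_xmlrpc_sync()`; whether that function substitutes defaults is decided in lines outside this hunk, between `if(!$password) return;` and `$url = $synchronizetoip;`. In auto mode the CARP sync password is sent as the `admin` credential over the local webgui protocol, which assumes the backup node is configured identically. `freeradius_sync_on_changes()` is fully inside the hunk; `freeradius_do_xmlrpc_sync()` begins here and continues past it.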
@@ -2548,22 +2634,22 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $resp = $cli->send($msg, $varsynctimeout); if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}."; - log_error("FreeRADIUS: $error"); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + log_error("[FreeRADIUS]: $error"); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error("FreeRADIUS: $error"); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + log_error("[FreeRADIUS]: $error"); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } else { - log_error("FreeRADIUS: XMLRPC has synced data successfully with {$url}:{$port}."); + log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}."); } - /* tell freeradius to reload our settings on the destionation sync host. */ + /* tell FreeRADIUS to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/freeradius.inc');\n"; - // pfblocker just needed one fuction to reload after XMLRPC. freeRADIUS needs more so we point to a fuction below which contains all fuctions + // pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions $execcmd .= "freeradius_all_after_XMLRPC_resync();"; /* assemble xmlrpc payload */ 
@@ -2572,7 +2658,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn XML_RPC_encode($execcmd) ); - log_error("FreeRADIUS XMLRPC is reloading data on {$url}:{$port}."); + log_error("[FreeRADIUS]: XMLRPC is reloading data on {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials('admin', $password); @@ -2580,21 +2666,19 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; log_error($error); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } else { - log_error("FreeRADIUS: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); } } -// ##### The part above is based on the code of pfblocker ##### - // This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files (clients.conf, users) // Adding more functions will increase the to sync function freeradius_all_after_XMLRPC_resync() { 
@@ -3919,7 +4003,7 @@ USERNAME=`echo -n "\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' ` PASSWD=`echo -n "\$2" | sed 's/[^0-9a-f]/0/g' ` SECRET=`echo -n "\$3" | sed 's/[^0-9a-f]/0/g' ` PIN=`echo -n "\$4" | sed 's/[^0-9]/0/g' ` -OFFSET=`echo -n "\$5" | sed 's/[^0-9]/0/g' ` +OFFSET=`echo -n "\$5" | sed 's/[^0-9-]/0/g' ` EPOCHTIME=`date +%s` ; EPOCHTIME=`chop \$EPOCHTIME` # delete old logins @@ -4189,4 +4273,4 @@ EOD; } -?>
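Review bot: Widening the OFFSET filter to `[^0-9-]` admits a minus sign at any position, so inputs like `1-2` or `--30` now pass sanitisation intact instead of being neutralised, and if OFFSET later feeds shell arithmetic (outside this hunk) they turn into an arithmetic error rather than a harmless number. Keeping only a leading sign needs one extra pass in the same sed call: `sed 's/[^0-9-]/0/g; s/^-/M/; s/-/0/g; s/^M/-/'` in place of the current expression. The value presumably arrives from the users file generated from `varusersmotpoffset`, so this is a robustness point rather than an exposure, but the rest of the script and the enclosing PHP function are not visible here.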
\ No newline at end of file +?> diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index 39aaf84d..8e3105ef 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -9,7 +9,7 @@ /* freeradius.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradius</name> - <version>2.1.12</version> + <version>2.2.0</version> <title>FreeRADIUS: Users</title> <include_file>/usr/local/pkg/freeradius.inc</include_file> <menu> @@ -238,6 +238,17 @@ <type>password</type> </field> <field> + <fielddescr>Password encryption</fielddescr> + <fieldname>varuserspasswordencryption</fieldname> + <description><![CDATA[Select the password encryption for this user. Default: Cleartext-Password]]></description> + <type>select</type> + <default_value>Cleartext-Password</default_value> + <options> + <option><name>Cleartext-Password</name><value>Cleartext-Password</value></option> + <option><name>MD5-Password</name><value>MD5-Password</value></option> + </options> + </field> + <field> <fielddescr>Enable One-Time-Password for this user</fielddescr> <fieldname>varusersmotpenable</fieldname> <description><![CDATA[This enables the possibility to authenticate against an username and an one-time-password. The client to generate OTP can be installed on various mobile device plattforms like Android and more.<br><br> 
@@ -264,7 +275,7 @@ 1. Write down the first 9 digits of the Epoch-Time on the client.<br> 2. Check with <b>date +%s</b> the Epoch-Time on your FreeRADIUS server and write down the first 9 digits.<br> - 3. Subtract both values, multiply the result with 10 and enter the value in this field. (Default: 0)]]></description> + 3. Subtract both values, multiply the result with 10 and enter the value in this field. Example: 30 or -180 (Default: 0)]]></description> <type>input</type> <default_value>0</default_value> </field> @@ -408,6 +419,12 @@ <type>input</type> </field> <field> + <fielddescr>Accounting Interim Interval</fielddescr> + <fieldname>varusersacctinteriminterval</fieldname> + <description><![CDATA[Enter the seconds which should be between every interim-update. It MUST be more than 60s and SHOULD NOT be less than 600s. (Default: 600)]]></description> + <type>input</type> + </field> + <field> <name>ADVANCED CONFIGURATION</name> <type>listtopic</type> </field> @@ -463,4 +480,4 @@ <custom_php_deinstall_command> freeradius_deinstall_command(); </custom_php_deinstall_command> -</packagegui>
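Review bot: The new Accounting Interim Interval field says "(Default: 600)" but carries no `<default_value>`, and the generator in freeradius.inc (hunk @@ -420,6 +441,13) only raises values below 60 to 60 and leaves an empty field empty, so nothing ever applies 600; add `<default_value>600</default_value>` or reword the description to say that an empty field omits the attribute. The same description and omission appear in freeradiusauthorizedmacs.xml (hunk @@ -366,6 +366,12).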
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index a29e1a55..a1943653 100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -2,7 +2,7 @@ /* freeradius_view_config.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> based on postfix_view_config.php based on varnish_view_config. diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml index 1903c375..235d0218 100644 --- a/config/freeradius2/freeradiusauthorizedmacs.xml +++ b/config/freeradius2/freeradiusauthorizedmacs.xml @@ -9,7 +9,7 @@ /* freeradiusauthorizedmacs.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -366,6 +366,12 @@ <type>input</type> </field> <field> + <fielddescr>Accounting Interim Interval</fielddescr> + <fieldname>varmacsacctinteriminterval</fieldname> + <description><![CDATA[Enter the seconds which should be between every interim-update. It MUST be more than 60s and SHOULD NOT be less than 600s. (Default: 600)]]></description> + <type>input</type> + </field> + <field> <name>ADVANCED CONFIGURATION</name> <type>listtopic</type> </field> @@ -415,4 +421,4 @@ <custom_php_resync_config_command> freeradius_authorizedmacs_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 21f18643..6108215b 100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -9,7 +9,7 @@ /* freeradiuscerts.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -290,4 +290,4 @@ <custom_php_resync_config_command> freeradius_allcertcnf_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 87d8a11f..215a751e 100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -9,7 +9,7 @@ /* freeradiusclients.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -246,4 +246,4 @@ <custom_php_resync_config_command> freeradius_clients_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index ac761523..8f8e4dc7 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -9,7 +9,8 @@ /* freeradiuseapconf.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho (revocation list code) All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -171,7 +172,7 @@ <b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br> <b>cheked</b>: Firewall Cert-Manager (recommended)]]></description> <type>checkbox</type> - <enablefields>ssl_ca_cert,ssl_server_cert,vareapconfenableclientp12</enablefields> + <enablefields>ssl_ca_cert,ssl_ca_crl,ssl_server_cert</enablefields> </field> <field> <fielddescr>Private Key Password</fielddescr> @@ -191,6 +192,18 @@ <source_value>refid</source_value> </field> <field> + <fielddescr>SSL Revocation List</fielddescr> + <fieldname>ssl_ca_crl</fieldname> + <description><![CDATA[Choose the SSL CA Certficate revocation list here which you created with the firewall's Cert Manager.<br> + <b>HINT:</b> You need to restart freeradius service after adding a certificate to the CRL.<br> + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description> + <type>select_source</type> + <source><![CDATA[freeradius_get_ca_crl()]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + </field> + + <field> <fielddescr>SSL Server Certificate</fielddescr> <fieldname>ssl_server_cert</fieldname> <description><![CDATA[Choose the SSL Server Certficate here which you created with the firewall's Cert Manager.<br> 
@@ -200,6 +213,7 @@ <source_name>descr</source_name> <source_value>refid</source_value> </field> + <!-- Not needed anymore because pfsense itself can do this now> <field> <fielddescr>Create client.p12 for export</fielddescr> <fieldname>vareapconfenableclientp12</fieldname> @@ -217,6 +231,7 @@ <source_name>descr</source_name> <source_value>refid</source_value> </field> + --> <field> <name>EAP-TLS</name> <type>listtopic</type> @@ -470,4 +485,4 @@ <custom_php_resync_config_command> freeradius_eapconf_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index c944ac17..1233f72f 100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -9,7 +9,7 @@ /* freeradiusinterfaces.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -185,4 +185,4 @@ <custom_php_resync_config_command> freeradius_settings_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index 0fa98493..c7b5e79d 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -9,7 +9,7 @@ /* freeradiusmodulesldap.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiusmodulesldap</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: LDAP</title> <aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -705,4 +705,4 @@ <custom_php_resync_config_command> freeradius_modulesldap_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 4bc98723..1d908ca4 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -9,7 +9,7 @@ /* freeradiussettings.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussettings</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: Settings</title> <aftersaveredirect>pkg_edit.php?xml=freeradiussettings.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -376,4 +376,4 @@ <custom_php_resync_config_command> freeradius_settings_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index 6851711c..bb72a07a 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -9,7 +9,7 @@ /* freeradiussqlconf.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussqlconf</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: SQL</title> <aftersaveredirect>pkg_edit.php?xml=freeradiussqlconf.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -621,4 +621,4 @@ <custom_php_resync_config_command> freeradius_sqlconf_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 5f1acc74..be678e5a 100644 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml @@ -9,8 +9,8 @@ /* freeradiussync.xml part of pfSense (http://www.pfSense.com) -Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> -Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> +Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> +Copyright (C) 2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on pfblocker_sync.xml All rights reserved. @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussync</name> - <version>2.1.12</version> + <version>2.2.0</version> <title>FreeRADIUS: XMLRPC Sync</title> <include_file>/usr/local/pkg/freeradius.inc</include_file> <menu> 
@@ -111,23 +111,29 @@ POSSIBILITY OF SUCH DAMAGE.
 </tabs>
 <fields>
 <field>
- <name>freeRADIUS XMLRPC Sync</name>
+ <name>FreeRADIUS XMLRPC Sync</name>
 <type>listtopic</type>
 </field>
 <field>
- <fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
 <fieldname>varsyncenablexmlrpc</fieldname>
 <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br>
- Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.<br>
- <b>Important:</b> Only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
- <type>checkbox</type>
+ <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
+ <type>select</type>
+ <required/>
+ <default_value>auto</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
 </field>
 <field>
- <fielddescr>XMLRPC timeout</fielddescr>
+ <fielddescr>XMLRPC timeout</fielddescr>
 <fieldname>varsynctimeout</fieldname>
 <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description>
 <type>input</type>
- <default_value>150</default_value>
+ <default_value>150</default_value>
 <size>5</size>
 </field>
@@ -166,7 +172,7 @@ POSSIBILITY OF SUCH DAMAGE.
 <type>input</type>
 <size>3</size>
 </rowhelperfield>
- <rowhelperfield>
+ <rowhelperfield>
 <fielddescr>GUI Admin Password</fielddescr>
 <fieldname>varsyncpassword</fieldname>
 <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
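Review bot: The select that replaces the checkbox stores `varsyncenablexmlrpc` as the string `auto`, `manual` or `disabled` instead of `on`/unset, so any code in freeradius.inc that still tests the field for truthiness would treat `disabled` as enabled; that consumer is outside this hunk, so please confirm the resync path compares against these three exact values. With `<default_value>auto</default_value>` and `<required/>`, a freshly saved configuration now pushes the package configuration to the configured system backup server without the admin explicitly opting in, whereas the old checkbox defaulted to off; if that is intended, say so in the description, e.g. append `Default: Sync to configured system backup server.` inside the CDATA. Existing installs that saved the old checkbox value may also not match any option until the page is saved again, which deserves a note in the changelog or an upgrade mapping in the include file.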
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
new file mode 100644
index 00000000..f8434327
--- /dev/null
+++ b/config/haproxy-devel/haproxy.inc
@@ -0,0 +1,1260 @@ +<?php +/* + haproxy.inc + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("notices.inc"); + +global $haproxy_sni_ssloffloading; +$haproxy_sni_ssloffloading=true;// can only be used with recent 1.5-dev17 builds. + +$d_haproxyconfdirty_path = $g['varrun_path'] . 
"/haproxy.conf.dirty"; + +$a_acltypes = array(); +$a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i %1$s'); +$a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i %1$s'); +$a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i %1$s'); +$a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i %1$s'); +$a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i %1$s'); +$a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i %1$s'); +$a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i %1$s'); +$a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i %1$s'); +$a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i %1$s'); +$a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i %1$s'); +$a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src %1$s'); +$a_acltypes[] = array('name' => 'backendservercount', 'descr' => 'Minimum count usable servers', + 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname'); +if ($haproxy_sni_ssloffloading) { + $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); +} + 
+$a_checktypes['none'] = array('name' => 'none', 'syntax' => '', + 'descr' => 'No health checks will be performed.'); +$a_checktypes['Basic'] = array('name' => 'Basic', 'syntax' => '', + 'descr' => 'Basic socket connection check'); +$a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk', + 'descr' => 'HTTP protocol to check on the servers health, can also be used for HTTPS servers(requirs checking the SSL box for the servers).', 'parameters' => "uri,method,version"); +/* 'Agent' was added in HAProxy1.5dev18 */ +$a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes', + 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)'); +$a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check', + 'descr' => 'Use LDAPv3 health checks for server testing'); +$a_checktypes['MySQL'] = array('name' => 'MySQL', 'syntax' => 'mysql-check', + 'descr' => 'Use MySQL health checks for server testing', 'parameters' => 'username'); +$a_checktypes['PostgreSQL'] = array('name' => 'PostgreSQL', 'syntax' => 'pgsql-check', + 'descr' => 'Use PostgreSQL health checks for server testing', 'parameters' => 'username'); +$a_checktypes['Redis'] = array('name' => 'Redis', 'syntax' => 'redis-check', + 'descr' => 'Test that the server correctly talks REDIS protocol.'); +$a_checktypes['SMTP'] = array('name' => 'SMTP', 'syntax' => 'smtpchk HELO', + 'descr' => 'Use SMTP HELO health checks for server testing', 'parameters' => 'domain'); +$a_checktypes['ESMTP'] = array('name' => 'ESMTP', 'syntax' => 'smtpchk EHLO', + 'descr' => 'Use ESMTP EHLO health checks for server testing', 'parameters' => 'domain'); +$a_checktypes['SSL'] = array('name' => 'SSL', 'syntax' => 'ssl-hello-chk', + 'descr' => 'Use SSLv3 client hello health checks for server testing.'); + +$a_httpcheck_method['OPTIONS'] = array('name' => 'OPTIONS', 'syntax' => 'OPTIONS'); +$a_httpcheck_method['HEAD'] = 
array('name' => 'HEAD', 'syntax' => 'HEAD'); +$a_httpcheck_method['GET'] = array('name' => 'GET', 'syntax' => 'GET'); +$a_httpcheck_method['POST'] = array('name' => 'POST', 'syntax' => 'POST'); +$a_httpcheck_method['PUT'] = array('name' => 'PUT', 'syntax' => 'PUT'); +$a_httpcheck_method['DELETE'] = array('name' => 'DELETE', 'syntax' => 'DELETE'); +$a_httpcheck_method['TRACE'] = array('name' => 'TRACE', 'syntax' => 'TRACE'); + +function haproxy_custom_php_deinstall_command() { + exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); + exec("rm /usr/local/pkg/haproxy.inc"); + exec("rm /usr/local/www/haproxy*"); + exec("rm /usr/local/etc/rc.d/haproxy.sh"); + exec("rm /etc/devd/haproxy.conf"); + exec("/etc/rc.d/devd restart"); + haproxy_install_cron(false); +} + +function haproxy_custom_php_install_command() { + global $g, $config; + conf_mount_rw(); + + $haproxy = <<<EOD +#!/bin/sh + +# PROVIDE: haproxy +# REQUIRE: LOGIN +# KEYWORD: FreeBSD + +. /etc/rc.subr + +name="haproxy" +rcvar=`set_rcvar` +command="/usr/local/bin/haproxy" +haproxy_enable=\${haproxy-"YES"} + +start_cmd="haproxy_start" +stop_postcmd="haproxy_stop" +check_cmd="haproxy_check" +extra_commands="check" + +load_rc_config \$name + +haproxy_start () { + echo "Starting haproxy." + /usr/bin/env \ + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ + /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF + <?php + require_once("globals.inc"); + require_once("functions.inc"); + require_once("haproxy.inc"); + haproxy_configure(); + ?> +ENDOFF +} + +haproxy_check () { + echo "Checking haproxy." + /usr/bin/env \ + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ + /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF + <?php + require_once("globals.inc"); + require_once("functions.inc"); + require_once("haproxy.inc"); + haproxy_check_run(0); + ?> +ENDOFF +} + +haproxy_stop () { + echo "Stopping haproxy." 
+ killall haproxy +} + +run_rc_command "\$1" + +EOD; + + $fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w"); + fwrite($fd, $haproxy); + fclose($fd); + exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); + + $devd = <<<EOD +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_UP"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_DOWN"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; + +EOD; + exec("mkdir -p /etc/devd"); + $fd = fopen("/etc/devd/haproxy.conf", "w"); + fwrite($fd, $devd); + fclose($fd); + exec("/etc/rc.d/devd restart"); + + /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ + if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { + /* We have an old config */ + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); + $a_global = &$config['installedpackages']['haproxy']; + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $a_oldservers = &$config['installedpackages']['haproxy']['ha_servers']['item']; + $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + foreach ($a_backends as $id => $be) { + $a_backends[$id]['status'] = 'active'; + } + $id = 0; + foreach ($a_oldservers as $oldserver) { + $pool=$oldserver; + /* make server sub array */ + $server=array(); + $server['name'] = $oldserver['name']; + $server['address'] = $oldserver['address']; + $server['port'] = $oldserver['port']; + $server['weight'] = $oldserver['weight']; + $a_servers=array(); + $a_servers[]=$server; + /* set new pool */ + $pool['name'] = "pool$id"; + $id++; + $pool['ha_servers']['item']=$a_servers; + /* link to frontend */ + foreach ($a_backends as $id => $be) { + if ($a_backends[$id]['name'] == $oldserver['backend']) { + $a_backends[$id]['backend_serverpool'] = $pool['name']; + $pool['monitor_uri'] = $be['monitor_uri']; + 
unset($a_backends[$id]['monitor_uri']); + break; + } + } + unset($pool['backend']); + unset($pool['address']); + unset($pool['port']); + unset($pool['weight']); + $a_pools[] = $pool; + } + unset($config['installedpackages']['haproxy']['ha_servers']); + write_config(); + } + + /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */ + if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool'][0]; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } + //also move setting for existing 2.0 installations as only the new variable is used + if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool']; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } + + conf_mount_ro(); + + exec("/usr/local/etc/rc.d/haproxy.sh start"); +} + +function haproxy_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], "/usr/local/etc/rc.d/haproxy.sh")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "*/2"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + 
write_config(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function haproxy_find_acl($name) { + global $a_acltypes; + + /* XXX why is this broken from xmlsync? */ + if (!$a_acltypes) { + $a_acltypes = array(); + $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); + $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); + $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); + $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); + $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); + $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); + $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); + $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); + $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); + $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); + $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); + } + + if($a_acltypes) { + foreach ($a_acltypes as $acl) { + if ($acl['name'] == $name) + return $acl; + } + } +} + +function write_backend($fd, $name, $pool, $frontend) { + if(!is_array($pool['ha_servers']['item']) && 
!$pool['stats_enabled']=='yes') + return; + global $a_checktypes; + + $a_servers = &$pool['ha_servers']['item']; + + unset($sslserverpresent); + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + if ($be['ssl']) + $sslserverpresent = true; + } + } + + fwrite ($fd, "backend " . $name . "\n"); + if($pool['cookie_name'] && strtolower($frontend['type']) == "http") + fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); + + // https is an alias for tcp for clarity purpouses + if(strtolower($frontend['type']) == "https") { + $backend_type = "tcp"; + } else { + $backend_type = $frontend['type']; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + + unset($checkport); + $check_type = $pool['check_type']; + if ($check_type != 'none') + { + $optioncheck = $a_checktypes[$check_type]['syntax']; + if ($check_type == "MySQL" || $check_type == "PostgreSQL") + $optioncheck .= " user " . $pool['monitor_username']; + if ($check_type == "SMTP" || $check_type == "ESMTP") + $optioncheck .= " " . $pool['monitor_domain']; + if ($check_type == "HTTP") { + $uri = $pool['monitor_uri']; + if (!$uri) + $uri = "/"; + $optioncheck .= " {$pool['httpcheck_method']} {$uri} {$pool['monitor_httpversion']}"; + } + if ($check_type == "Agent") { + $checkport = " port " . $pool['monitor_agentport']; + } + } else { + $optioncheck = "httpchk"; + } + + if($pool['balance']) + fwrite ($fd, "\tbalance\t\t\t" . $pool['balance'] . "\n"); + + if(!$pool['connection_timeout']) + $pool['connection_timeout'] = 30000; + fwrite ($fd, "\ttimeout connect\t\t" . $pool['connection_timeout'] . "\n"); + + if(!$pool['server_timeout']) + $pool['server_timeout'] = 30000; + fwrite ($fd, "\ttimeout server\t\t" . $pool['server_timeout'] . "\n"); + + if(!$pool['retries']) + $pool['retries'] = 3; + fwrite ($fd, "\tretries\t\t\t" . $pool['retries'] . 
"\n"); + + if ($pool['transparent_clientip']) + fwrite ($fd, "\tsource 0.0.0.0 usesrc clientip\n"); + + if($pool['stats_enabled']=='yes') { + fwrite ($fd, "\tstats\t\t\tenable\n"); + if($pool['stats_uri']) + fwrite ($fd, "\tstats\t\t\turi ".$pool['stats_uri']."\n"); + if($pool['stats_realm']) + fwrite ($fd, "\tstats\t\t\trealm " . haproxy_escapestring($pool['stats_realm']) . "\n"); + else + fwrite ($fd, "\tstats\t\t\trealm .\n"); + fwrite ($fd, "\tstats\t\t\tauth " . haproxy_escapestring($pool['stats_username']).":". haproxy_escapestring($pool['stats_password'])."\n"); + + if($pool['stats_admin']=='yes') + fwrite ($fd, "\tstats\t\t\tadmin if TRUE" . "\n"); + + if($pool['stats_node_enabled']=='yes') + fwrite ($fd, "\tstats\t\t\tshow-node " . $pool['stats_node'] . "\n"); + if($pool['stats_desc']) + fwrite ($fd, "\tstats\t\t\tshow-desc " . $pool['stats_desc'] . "\n"); + if($pool['stats_refresh']) + fwrite ($fd, "\tstats\t\t\trefresh " . $pool['stats_refresh'] . "\n"); + } + + $uri = $pool['monitor_uri']; + if ($pool['monitor_uri']) + $uri = $pool['monitor_uri']; + else + $uri = "/"; + + if ($optioncheck) + fwrite ($fd, "\toption\t\t\t{$optioncheck}\n"); + + if ($pool['advanced_backend']) { + $adv_be = explode("\n", base64_decode($pool['advanced_backend'])); + foreach($adv_be as $adv_line) { + if ($adv_line != "") { + fwrite($fd, "\t" . str_replace("\r", "", $adv_line) . "\n"); + } + } + } + + if($pool['cookie'] && strtolower($frontend['type']) == "http") + $cookie = " cookie {$pool['cookie']} "; + else + $cookie = ""; + if($pool['advanced']) { + $advanced = base64_decode($pool['advanced']); + $advanced_txt = " " . 
$advanced; + } else { + $advanced_txt = ""; + } + + if ($check_type != 'none') + { + if($pool['checkinter']) + $checkinter = "check inter {$pool['checkinter']}"; + else + $checkinter = "check inter 1000"; + } + + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if ($be['status'] == "inactive") + continue; + + if (!$be['name']) + $be['name'] = $be['address']; + if(!$be['status'] || $be['status'] != 'active') { + $isbackup = $be['status']; + } else { + $isbackup = ""; + } + $ssl = ""; + if ($be['ssl'] == 'yes') + { + $ssl = $backend_type == "http" ? ' ssl' : ' check-ssl'; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter$checkport $isbackup weight " . $be['weight'] . "{$advanced_txt} {$be['advanced']}\n"); + } + } + fwrite ($fd, "\n"); +} + +function haproxy_configure() { + global $g; + // reload haproxy + haproxy_writeconf("{$g['varetc_path']}/haproxy.cfg"); + return haproxy_check_run(1); +} + +function haproxy_check_and_run(&$messages, $reload) { + global $g; + $configname = "{$g['varetc_path']}/haproxy.cfg"; + haproxy_writeconf("$configname.new"); + $retval = exec("haproxy -c -V -f $configname.new 2>&1", $output, $err); + $messages = ""; + if ($err > 1) + $messages = "<h2><strong>FATAL ERROR CODE: $err while starting haproxy</strong></h2>"; + elseif ($err == 1) + $messages = "Errors found while starting haproxy"; + + if ((count($output) > 1) && $output[0] != "Configuration file is valid") + { + foreach($output as $line) + $messages .= "<br/>" . htmlspecialchars($line) . 
"\n"; + } + $ok = strstr($retval, "Configuration file is valid"); + if ($ok && $reload) { + global $haproxy_run_message; + exec("mv $configname.new $configname"); + $ok = haproxy_check_run(1) == 0; + $messages = $haproxy_run_message; + } + return $ok; +} + +function haproxy_writeconf($configfile) { + global $config; + + $a_global = &$config['installedpackages']['haproxy']; + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + $fd = fopen($configfile, "w"); + + if(is_array($a_global)) { + fwrite ($fd, "global\n"); + fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); + if($a_global['remotesyslog']) + fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); + fwrite ($fd, "\tstats socket /tmp/haproxy.socket level admin\n"); + + if(!use_transparent_clientip_proxying()) + fwrite ($fd, "\tuid\t\t\t80\n"); + + fwrite ($fd, "\tgid\t\t\t80\n"); + // Set numprocs if defined or use system default (#cores) + if($a_global['nbproc']) + $numprocs = $a_global['nbproc']; + else + $numprocs ="1"; + fwrite ($fd, "\tnbproc\t\t\t$numprocs\n"); + fwrite ($fd, "\tchroot\t\t\t/var/empty\n"); + fwrite ($fd, "\tdaemon\n"); + + // Keep the advanced options on the bottom of the global settings, to allow additional sections to be easely added + if($a_global['advanced']) { + $adv = explode("\n", base64_decode($a_global['advanced'])); + foreach($adv as $adv_line) { + fwrite($fd, "\t" . str_replace("\r", "", $adv_line) . 
"\n"); + + } + } + fwrite ($fd, "\n"); + } + + // Try and get a unique array for address:port as frontends can duplicate + $a_bind = array(); + if(is_array($a_backends)) { + foreach ($a_backends as $backend) { + if($backend['status'] != 'active') + { + unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + continue; + } + if(!$backend['backend_serverpool']) + { + unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + continue; + } + + //check ssl info + if (strtolower($backend['type']) == "http" && $backend['ssloffload']){ + //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem + $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; + $cert = lookup_cert($backend['ssloffloadcert']); + $certcontent = base64_decode($cert['crt'])."\r\n".base64_decode($cert['prv']); + file_put_contents("/var/etc/{$backend['name']}.{$backend['port']}.crt", $certcontent); + unset($certcontent); + }else{ + $ssl_crt=""; + unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + } + + $bname = get_frontend_ipport($backend); + + if ($backend['extaddr']=='localhost') + $backend['extaddr'] = "127.0.0.1"; + + if (!is_array($a_bind[$bname])) { + $a_bind[$bname] = array(); + $a_bind[$bname]['config'] = array(); + // Settings which are constant for a merged frontend + $a_bind[$bname]['name'] = $backend['name']; + $a_bind[$bname]['extaddr'] = $backend['extaddr']; + $a_bind[$bname]['port'] = $backend['port']; + } + $b = &$a_bind[$bname]; + + // Overwrite ? 
+ if ($backend['secondary'] != 'yes') { + if (isset($b['type'])) + $input_errors[] = "Multiple primary frondends for $bname"; + $b['type'] = $backend['type']; + $b['forwardfor'] = $backend['forwardfor']; + $b['httpclose'] = $backend['httpclose']; + $b['max_connections'] = $backend['max_connections']; + $b['client_timeout'] = $backend['client_timeout']; + $b['advanced'] = $backend['advanced']; + $b['ssloffload'] = $backend['ssloffload']; + $b['advanced_bind'] = $backend['advanced_bind']; + } + + if ($ssl_crt != "") { + if ($b['ssl_info'] == "") + $b['ssl_info'] = "ssl {$backend['dcertadv']}"; + $b['ssl_info'] .= $ssl_crt; + } + + // pointer to each backend + $b['config'][] = $backend; + } + } + + $a_pendingpl = array(); + + // Construct and write out configuration for each "frontend" + if(is_array($a_bind)) { + foreach ($a_bind as $bind) { + if (count($bind['config']) > 1) + $frontendinfo = "frontend {$bind['name']}-merged\n"; + else + $frontendinfo = "frontend {$bind['name']}\n"; + + $advancedextra = array(); + + // Prepare ports for processing by splitting + $portss = "{$bind['port']},"; + $ports = split(",", $portss); + $ssl_info = $bind['ssl_info']; + $advanced_bind = $bind['advanced_bind']; + // Initialize variable + $listenip = ""; + + // Process and add bind directives for ports + foreach($ports as $port) { + if($port) { + if($bind['extaddr'] == "any") + $listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info} {$advanced_bind}\n"; + elseif($bind['extaddr']) + $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info} {$advanced_bind}\n"; + else + $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info} {$advanced_bind}\n"; + } + } + + fwrite ($fd, "{$frontendinfo}"); + fwrite ($fd, "{$listenip}"); + + // Advanced pass thru + if($bind['advanced']) { + $advanced = explode("\n", base64_decode($bind['advanced'])); + foreach($advanced as $adv_line) { + if ($adv_line != "") { + fwrite($fd, "\t" . str_replace("\r", "", $adv_line) . 
"\n"); + } + } + } + + // https is an alias for tcp for clarity purpouses + if($bind['type'] == "https") { + $backend_type = "tcp"; + } else { + $backend_type = $bind['type']; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + fwrite ($fd, "\tlog\t\t\tglobal\n"); + fwrite ($fd, "\toption\t\t\tdontlognull\n"); + + if ($backend_type == 'http') + { + if($bind['httpclose']) + fwrite ($fd, "\toption\t\t\thttpclose\n"); + + if($bind['forwardfor']) { + fwrite ($fd, "\toption\t\t\tforwardfor\n"); + if($bind['ssloffload'] == "yes") + fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\n"); + else + fwrite ($fd, "\treqadd X-Forwarded-Proto:\ http\n"); + } + } + + if($bind['max_connections']) + fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); + + if(!$bind['client_timeout']) + $bind['client_timeout'] = 30000; + + fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n"); + + + // Combine the rest of the listener configs + $default_backend = ""; + $i = 0; + foreach ($bind['config'] as $bconfig) { + $a_acl=&$bconfig['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $bconfig['backend_serverpool'] . "_" . strtolower($bconfig['type']); + + // Create different pools if the svrport is set + if ($bconfig['svrport'] > 0) + $poolname .= "_" . $bconfig['svrport']; + + // Write this out once, and must be before any backend config text + if ($default_backend = "" || $bconfig['secondary'] != 'yes') { + $default_backend = $poolname; + } + + if (!isset($a_pendingpl[$poolname])) { + $a_pendingpl[$poolname] = array(); + $a_pendingpl[$poolname]['name'] = $poolname; + $a_pendingpl[$poolname]['frontend'] = $bconfig; + } + + if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + $aclname = "SNI_" . 
$poolname; + $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); + $a_acl[] = array('name' => $aclname,'expression' => 'host_matches', 'value' => $cert_cn); + } + + // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. + $a_acl_combine = array(); + foreach ($a_acl as $entry) { + $name = $entry['name']; + $a_acl_combine[$name][] = $entry; + } + + foreach ($a_acl_combine as $a_usebackend) { + $aclnames = ""; + foreach ($a_usebackend as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; + + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) + continue; + + $expr = sprintf($acl['syntax'],$entry['value'],$poolname); + + $aclname = $i . "_" . $entry['name']; + $aclnames .= $aclname." "; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + + if ($acl['advancedoptions'] != '') + $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; + $i++; + } + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclnames . "\n"); + } + } + fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . 
"\n"); + + foreach($advancedextra as $extra) + fwrite ($fd, "\t".$extra."\n"); + fwrite ($fd, "\n"); + } + } + // Construct and write out configuration for each "backend" + if (is_array($a_pendingpl) && is_array($a_pools)) { + foreach ($a_pendingpl as $pending) { + foreach ($a_pools as $pool) { + if ($pending['frontend']['backend_serverpool'] == $pool['name']) { + write_backend($fd, $pending['name'], $pool, $pending['frontend']); + } + } + } + } + fwrite ($fd, "\n"); + + // Sync HAProxy configuration (if enabled) + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + if($config['installedpackages']['haproxy']['synchost1']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost2']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost3']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], + $config['installedpackages']['haproxy']['syncpassword']); + } + } + + // create config file + fclose($fd); + + if ($input_errors) + { + require_once("guiconfig.inc"); + print_input_errors($input_errors); + } + + if (isset($a_global['carpdev'])) + haproxy_install_cron(true); + else + haproxy_install_cron(false); + + $freebsd_version = substr(trim(`uname -r`), 0, 1); + if(!file_exists("/usr/bin/limits")) { + exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); + exec("chmod a+rx /usr/bin/limits"); + } +} + +function haproxy_is_running() { + $running = (shell_exec("/bin/pgrep -x haproxy") != ''); + return $running; +} + + +function haproxy_load_modules() { + // On FreeBSD 8 ipfw is needed to allow 'transparent' proxying (getting reply's to a non-local ip to pass back to the client-socket).. 
+ // On FreeBSD 9 it is probably possible to do the same with the pf option "divert-reply" + mute_kernel_msgs(); + if (!is_module_loaded("ipfw.ko")) { + mwexec("/sbin/kldload ipfw"); + /* make sure ipfw is not on pfil hooks */ + mwexec("/sbin/sysctl net.inet.ip.pfil.inbound=\"pf\" net.inet6.ip6.pfil.inbound=\"pf\"" . + " net.inet.ip.pfil.outbound=\"pf\" net.inet6.ip6.pfil.outbound=\"pf\""); + } + /* Activate layer2 filtering */ + mwexec("/sbin/sysctl net.link.ether.ipfw=1"); + unmute_kernel_msgs(); +} + +function use_transparent_clientip_proxying() { + global $config; + $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item']; + if (is_array($a_backends)) { + foreach ($a_backends as $backend) { + if ($backend["transparent_clientip"] == 'yes') { + return true; + break; + } + } + } + return false; +} + +function load_ipfw_rules() { + // On FreeBSD 8 pf does not support "divert-reply" so ipfw is needed. + global $g, $config; + $ipfw_zone_haproxy = "haproxy"; + + $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + haproxy_load_modules(); + + $transparent_interfaces = array(); + $transparent_backends = array(); + foreach ($a_backends as $backend) { + if ($backend["transparent_clientip"] != 'yes') + continue; + $real_if = get_real_interface($backend["transparent_interface"]); + $a_servers = &$backend['ha_servers']['item']; + foreach($a_servers as $server) { + if (is_array($a_servers)) { + + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + if (!is_ipaddr($be['address'])) + continue; + $item = array(); + $item['address'] = $be['address']; + $item['port'] = $be['port']; + $item['interface'] = $real_if; + $transparent_backends[] = $item; + $transparent_interfaces[$real_if] = 1; + } + } + } + } + mwexec("/usr/local/sbin/ipfw_context -a $ipfw_zone_haproxy", true); + + foreach($transparent_interfaces as $transparent_if => $value) { + mwexec("/usr/local/sbin/ipfw_context -a $ipfw_zone_haproxy -n 
$transparent_if", true); + } + + $rulenum = 64000; // why that high? captiveportal.inc also does it... + $rules = "flush\n"; + foreach($transparent_backends as $transparent_be) { + $rules .= "add $rulenum fwd localhost tcp from {$transparent_be["address"]} {$transparent_be["port"]} to any in recv {$transparent_be["interface"]}\n"; + $rulenum++; + } + + + file_put_contents("{$g['tmp_path']}/ipfw_{$ipfw_zone_haproxy}.haproxy.rules", $rules); + mwexec("/usr/local/sbin/ipfw_context -s $ipfw_zone_haproxy", true); + mwexec("/sbin/ipfw -x $ipfw_zone_haproxy -q {$g['tmp_path']}/ipfw_{$ipfw_zone_haproxy}.haproxy.rules", true); +} + +function haproxy_check_run($reload) { + global $config, $g, $haproxy_run_message; + + $a_global = &$config['installedpackages']['haproxy']; + + exec("/usr/bin/limits -n 300014"); + + if(use_transparent_clientip_proxying()) + load_ipfw_rules(); + else + mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + + if(isset($a_global['enable'])) { + if (isset($a_global['carpdev'])) { + $status = get_carp_interface_status($a_global['carpdev']); + if ($status != "MASTER") { + if (haproxy_is_running()) { + log_error("Stopping haproxy on CARP backup."); + //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile + haproxy_kill(); + } + return (0); + } else if (haproxy_is_running() && $reload == 0) { + return (0); + } + log_error("Starting haproxy on CARP master."); + /* fallthrough */ + } else if ($reload == 0) + return (0); + + if (haproxy_is_running()) { + if (isset($a_global['terminate_on_reload'])) + $sf_st = "-st";//terminate old process as soon as the new process is listening + else + $sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening + exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode); + } else { + exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p 
/var/run/haproxy.pid -D 2>&1", $output, $errcode); + } + foreach($output as $line) + $haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n"; + return ($errcode); + } else { + if ($reload && haproxy_is_running()) { + //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile + haproxy_kill(); + } + return (0); + } +} + +function haproxy_kill($killimmediately = true) { + if ($killimmediately) + $signal = "KILL"; // stop now + else + $signal = "USR1"; // stop when all connections are closed + killprocesses("haproxy", "/var/run/haproxy.pid", $signal); +} + +function killprocesses($processname, $pidfile, $signal = "KILL") { + exec("kill -$signal `pgrep -x $processname | grep -w -f $pidfile`"); +} + +function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { + global $config, $g; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + // Do not allow syncing to self. + $donotsync = false; + $lanip = find_interface_ip($config['interfaces']['lan']['if']); + if($lanip == $sync_to_ip) + $donotsync = true; + $wanip = find_interface_ip($config['interfaces']['wan']['if']); + if($wanip == $sync_to_ip) + $donotsync = true; + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $optip = find_interface_ip($config['interfaces']['opt' . 
$j]['if']); + if($optip == $sync_to_ip) + $donotsync = true; + } + if($donotsync) { + log_error("Disallowing sync loop for HAProxy sync."); + return; + } + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['haproxy'] = $config['installedpackages']['haproxy']; + + // Prevent sync loops + unset($xml['synchost1']); + unset($xml['synchost2']); + unset($xml['synchost3']); + unset($xml['syncpassword']); + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning HAProxy XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } else { + log_error("HAProxy XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell haproxy to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/haproxy.inc');\n"; + $execcmd .= "haproxy_configure();\n"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("HAProxy XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Reload", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } else { + log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (exec_php)."); + } +} + +function get_frontend_id($name) { + global $config; + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $i = 0; + foreach($a_backend as $backend) + { + if ($backend['name'] == $name) + return $i; + $i++; + } + return null; +} + +function get_frontend_ipport($fontend) { + global $config; + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if ($fontend['secondary'] == 'yes') + $mainfontend = $a_backend[get_frontend_id($fontend['primary_frontend'])]; + else + $mainfontend = $fontend; + if($mainfontend['extaddr'] == "any") + $result = "0.0.0.0"; + elseif($mainfontend['extaddr']) + $result = $mainfontend['extaddr']; + else + $result = get_current_wan_address('wan'); + return $result . ":" . $mainfontend['port']; +} + +function haproxy_check_config() { + global $config; + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $result = false; + $activefrontends = array(); + $issues = array(); + + foreach($a_backends as $frontend) { + if (($frontend['status'] != 'active') || ($frontend['secondary'] == 'yes')) + continue; + $ipport = get_frontend_ipport($frontend); + if (isset($activefrontends[$ipport])) + $issues['P_'.$ipport] = "Multiple primary frontends with IP:Port \"$ipport\""; + else + $activefrontends[$ipport] = true; + } + foreach($a_backends as $frontend) { + if (($frontend['status'] != 'active') || ($frontend['secondary'] != 'yes')) + continue; + $ipport = get_frontend_ipport($frontend); + if (!isset($activefrontends[$ipport])) + $issues['S_'.$frontend['name']] = "Secondary frontend \"{$frontend['name']}\" without active primary frontend."; + } + foreach ($issues as $item) + $result .= ($result == false ? "" : "<br/>") . 
$item; + return $result; +} + +function get_haproxy_frontends($excludeitem="") { + global $config; + $a_frontend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $result = array(); + foreach($a_frontend as &$frontend) + { + if ($frontend['secondary']) + continue; + if ($frontend['name'] == $excludeitem) + continue; + + $serveradress = "{$frontend['extaddr']}:{$frontend['port']}"; + $result[$frontend['name']]['name'] = "{$frontend['name']} - {$frontend['type']} ({$serveradress})"; + $result[$frontend['name']]['ref'] = &$frontend; + } + asort($result, SORT_STRING); + return $result; +} + +function get_frontent_acls($frontend) { + $result = array(); + $a_acl = &$frontend['ha_acls']['item']; + if (is_array($a_acl)) + { + foreach ($a_acl as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; + + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($frontend['type'])) + continue; + + $acl_item = array(); + $acl_item['descr'] = $acl['descr'] . ": " . 
$entry['value']; + $acl_item['ref'] = $entry; + + $result[] = $acl_item; + } + } + return $result; +} + +function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { + $offset = str_repeat(' ',$nestID); + $itemName = "item$nestID"; + echo "{$offset}$nodeName = {};\n"; + if (is_array($items)) + foreach ($items as $key => $item) + { + if (in_array($path.'/'.$key, $includeitems)) + $subpath = $path.'/'.$key; + else + $subpath = $path.'/*'; + if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) { + if (is_array($item)) { + $subNodeName = "item$nestID"; + phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems); + echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n"; + } else + echo "{$offset}{$nodeName}['$key'] = '$item';\n"; + } + } +} + +function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { + phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); +} + +function haproxy_escapestring($configurationsting) { + $result = str_replace('\\', '\\\\', $configurationsting); + $result = str_replace(' ', '\\ ', $result); + return str_replace('#', '\\#', $result); +} + +function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="") { + if (count($keyvaluelist)>0){ + if ($onchangeEvent != "") + $onchangeEvent .= " onchange=$onchangeEvent"; + echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent>"; + foreach($keyvaluelist as $key => $desc){ + $selectedhtml = $key == $selected ? "selected" : ""; + echo "<option value=\"{$key}\" {$selectedhtml}>{$desc['name']}</option>"; + } + echo "</select>"; + } else { + echo $listEmptyMessage; + } +} + +?> diff --git a/config/haproxy-devel/haproxy.widget.php b/config/haproxy-devel/haproxy.widget.php new file mode 100644 index 00000000..abc5d935 --- /dev/null +++ b/config/haproxy-devel/haproxy.widget.php 
@@ -0,0 +1,281 @@ +<?php +/* + Copyright 2011 Thomas Schaefer - Tomschaefer.org + Copyright 2011 Marcello Coutinho + Part of pfSense widgets (www.pfsense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* + Some mods made from pfBlocker widget to make this for HAProxy on Pfsense + Copyleft 2012 by jvorhees +*/ +require_once("guiconfig.inc"); +require_once("pfsense-utils.inc"); +require_once("functions.inc"); +require_once("haproxy_socketinfo.inc"); +$first_time = false; +if (!is_array($config["widgets"]["haproxy"])) { + $first_time = true; + $config["widgets"]["haproxy"] = array(); +} +$a_config = &$config["widgets"]["haproxy"]; + +$getupdatestatus=false; +if(!empty($_GET['getupdatestatus'])) { + $getupdatestatus=true; +} + +#Backends/Servers Actions if asked +if(!empty($_GET['act']) and !empty($_GET['be']) and !empty($_GET['srv'])) { + $backend = $_GET['be']; + $server = $_GET['srv']; + $enable = $_GET['act'] == 'start' ? true : false; + haproxy_set_server_enabled($backend, $server, $enable); +} + +$simplefields = array("haproxy_widget_timer","haproxy_widget_showfrontends","haproxy_widget_showclients","haproxy_widget_showclienttraffic"); +if ($_POST) { + foreach($simplefields as $fieldname) + $a_config[$fieldname] = $_POST[$fieldname]; + + write_config("Updated traffic graph settings via dashboard."); + header("Location: /"); + exit(0); +} + +// Set default values +if (!$a_config['haproxy_widget_timer']) { + $a_config['haproxy_widget_timer'] = 5000; + $a_config['haproxy_widget_showfrontends'] = 'no'; + $a_config['haproxy_widget_showclients'] = 'yes'; + $a_config['haproxy_widget_showclienttraffic'] = 'no'; +} + +$refresh_rate = $a_config['haproxy_widget_timer']; +$show_frontends = $a_config['haproxy_widget_showfrontends']=='yes'; +$show_clients = $a_config['haproxy_widget_showclients']=='yes'; +$show_clients_traffic = $a_config['haproxy_widget_showclienttraffic']=='yes'; + +$out="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif'>"; +$in="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif'>"; +$running="<img src ='/themes/{$g['theme']}/images/icons/icon_pass.gif'>"; +$stopped="<img src 
='/themes/{$g['theme']}/images/icons/icon_block.gif'>"; +$log="<img src ='/themes/{$g['theme']}/images/icons/icon_log.gif'>"; +$start="<img src ='/themes/{$g['theme']}/images/icons/icon_service_start.gif' title='Enable this backend/server'>"; +$stop="<img src ='/themes/{$g['theme']}/images/icons/icon_service_stop.gif' title='Disable this backend/server'>"; + +$clients=array(); +$clientstraffic=array(); + +$statistics = haproxy_get_statistics(); +$frontends = $statistics['frontends']; +$backends = $statistics['backends']; +$servers = $statistics['servers']; + +if ($show_clients == "YES") { + $clients = haproxy_get_clients($show_clients_traffic == "YES"); +} +if (!$getupdatestatus) { +?> +<div id="haproxy-settings" name="haproxy-settings" class="widgetconfigdiv" style="display:none;"> +<form action="/widgets/widgets/haproxy.widget.php" method="post" name="iform" id="iform"> + <table> + <tr><td> + Refresh Interval:</td><td> + <input id="haproxy_widget_timer" name="haproxy_widget_timer" type="text" value="<?=$a_config['haproxy_widget_timer']?>"/></td> + </tr><tr> + <td>Show frontends:</td><td> + <input id="haproxy_widget_showfrontends" name="haproxy_widget_showfrontends" type="checkbox" value="yes" <?php if ($a_config['haproxy_widget_showfrontends']=='yes') echo "checked"; ?>/></td> + </tr><tr> + <td>Show clients:</td> + <td><input id="haproxy_widget_showclients" name="haproxy_widget_showclients" type="checkbox" value="yes" <?php if ($a_config['haproxy_widget_showclients']=='yes') echo "checked"; ?>/> + Note: showing clients increases CPU/memory usage. + </td> + </tr><tr> + <td>Show client traffic:</td> + <td><input id="haproxy_widget_showclienttraffic" name="haproxy_widget_showclienttraffic" type="checkbox" value="yes" <?php if ($a_config['haproxy_widget_showclienttraffic']=='yes') echo "checked"; ?>/> + Note: showing client traffic considerably increases CPU/memory usage. 
+ </td> + </tr></table> + <br> + <input id="submit" name="submit" type="submit" onclick="return updatePref();" class="formbtn" value="Save Settings" /> +</form> +</div> +<div name="haproxy_content" id="haproxy_content"> +<? +} + +echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\""; +#Frontends +if ($show_frontends == "YES") { + print "<tr><td class=\"widgetsubheader\" colspan=\"4\"><strong>FrontEnd(s)</strong></td></tr>"; + print "<tr><td class=\"listlr\"><strong>Name</strong></td>"; + print "<td class=\"listlr\"><strong>Sessions</strong><br>(cur/max)</td>"; + print "<td class=\"listlr\" colspan=\"2\"><strong><center>Status</center></strong></td></tr>"; + + foreach ($frontends as $fe => $fedata){ + print "<tr><td class=\"listlr\">".$fedata['pxname']."</td>"; + print "<td class=\"listlr\">".$fedata['scur']." / ".$fedata['slim']."</td>"; + if ($fedata['status'] == "OPEN") { + $fedata['status'] = $running." ".$fedata['status']; + } else { + $fedata['status'] = $stopped." 
".$fedata['status']; + } + print "<td class=\"listlr\" colspan=\"2\"><center>".$fedata['status']."</center></td></tr>"; + } + + print "<tr height=\"6\"><td colspan=\"4\"></td></tr>"; +} + +#Backends/Servers w/o clients +print "<tr><td class=\"widgetsubheader\" colspan=\"4\"><strong>Backend(s)/Server(s)</strong></td></tr>"; +print "<tr><td class=\"listlr\"><strong>Backend(s)</strong><br> Server(s)"; +if ($show_clients == "YES") { + print "<br> <font color=\"blue\"><i>Client(s) addr:port</i></font>"; +} +print "</td>"; +print "<td class=\"listlr\"><strong>Sessions</strong><br>(cur/max)<br>"; +if ($show_clients == "YES" and $show_clients_traffic != "YES") { + print "<font color=\"blue\">age/id</font>"; +} elseif ($show_clients == "YES" and $show_clients_traffic == "YES") { + print "<font color=\"blue\">age/traffic i/o</font>"; +} +print "</td>"; +print "<td class=\"listlr\" colspan=\"2\"><strong><center>Status<br>/<br>Actions</center></strong></td>"; + +foreach ($backends as $be => $bedata) { + if ($bedata['status'] == "UP") { + $statusicon = $in; + $besess = $bedata['scur']." 
/ ".$bedata['slim']; + $bename = $bedata['pxname']; + } else { + $statusicon = $out; + $besess = "<strong><font color=\"red\">".$bedata['status']."</font></strong>"; + $bename = "<font color=\"red\">".$bedata['pxname']."</font>"; + } + $icondetails = " onmouseover=\"this.title='".$bedata['status']."'\""; + print "<tr height=\"4\"><td bgcolor=\"#B1B1B1\" colspan=\"4\"></td></tr>"; + print "<tr><td class=\"listlr\"><strong>".$bename."</strong></td>"; + print "<td class=\"listlr\">".$besess."</td>"; + print "<td class=\"listlr\"$icondetails><center>".$statusicon."</center></td>"; + print "<td class=\"listlr\"> </td></tr>"; + + foreach ($servers as $srv => $srvdata) { + if ($srvdata['pxname'] == $bedata['pxname']) { + if ($srvdata['status'] == "UP") { + $nextaction = "stop"; + $statusicon = $in; + $acticon = $stop; + $srvname = $srvdata['svname']; + } elseif ($srvdata['status'] == "no check") { + $nextaction = "stop"; + $statusicon = $in; + $acticon = $stop; + $srvname = $srvdata['svname']; + $srvdata['scur'] = "<font color=\"blue\">no check</font>"; + } elseif ($srvdata['status'] == "MAINT") { + $nextaction = "start"; + $statusicon = $out; + $acticon = $start; + $srvname = "<font color=\"blue\">".$srvdata['svname']."</font>"; + $srvdata['scur'] = "<font color=\"blue\">".$srvdata['status']."</font>"; + } else { + $nextaction = "stop"; + $statusicon = $out; + $acticon = $stop; + $srvname = "<font color=\"red\">".$srvdata['svname']."</font>"; + $srvdata['scur'] = "<font color=\"red\">".$srvdata['status']."</font>"; + } + $icondetails = " onmouseover=\"this.title='".$srvdata['status']."'\""; + print "<tr><td class=\"listlr\"> ".$srvname."</td>"; + print "<td class=\"listlr\">".$srvdata['scur']."</td>"; + print "<td class=\"listlr\"$icondetails><center>".$statusicon."</center></td>"; + print "<td class=\"listlr\"><center><a onclick=\"control_haproxy('".$nextaction."','".$bedata['pxname']."','".$srvdata['svname']."');\">".$acticon."</a></center></td></tr>"; + + if 
($show_clients == "YES") { + foreach ($clients as $cli => $clidata) { + if ($clidata['be'] == $bedata['pxname'] && $clidata['srv'] == $srvdata['svname']) { + print "<tr><td class=\"listlr\"> <font color=\"blue\"><i>".$clidata['src']."</i></font> <a href=\"diag_dns.php?host=".$clidata['srcip']."\" title=\"Reverse Resolve with DNS\">".$log."</a></td>"; + if ($show_clients_traffic == "YES") { + $clientstraffic[0] = format_bytes($clidata['session_datareq']); + $clientstraffic[1] = format_bytes($clidata['session_datares']); + print "<td class=\"listlr\" colspan=\"3\"><font color=\"blue\">".$clidata['age']." / ".$clientstraffic[0]." / ".$clientstraffic[1]."</font></td></tr>"; + } else { + print "<td class=\"listlr\" colspan=\"3\"><font color=\"blue\">".$clidata['age']." / ".$clidata['sessid']."</font></td></tr>"; + } + } + } + } + } + } +} + +echo "</table>"; +if (!$getupdatestatus) +{ + echo "</div>"; +?> +<script language="javascript" type="text/javascript"> + d = document; + selectIntLink = "haproxy-configure"; + textlink = d.getElementById(selectIntLink); + textlink.style.display = "inline"; +</script> +<script type="text/javascript"> + function getstatusgetupdate() { + var url = "/widgets/widgets/haproxy.widget.php"; + var pars = 'getupdatestatus=yes'; + var myAjax = new Ajax.Request( + url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback_haproxy + }); + } + function getstatus_haproxy() { + getstatusgetupdate(); + setTimeout('getstatus_haproxy()', <?= $refresh_rate ?>); + } + function activitycallback_haproxy(transport) { + $('haproxy_content').innerHTML = transport.responseText; + } + setTimeout('getstatus_haproxy()', <?= $refresh_rate ?>); +</script> +<script type="text/javascript"> + function control_haproxy(act,be,srv) { + var url = "/widgets/widgets/haproxy.widget.php"; + var pars = 'act='+act+'&be='+be+'&srv='+srv; + var myAjax = new Ajax.Request( + url, + { + method: 'get', + parameters: pars, + //onComplete: activitycallback_haproxy + 
onComplete: getstatusgetupdate + }); + } +</script> +<? +} +?>
\ No newline at end of file
diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml
new file mode 100644
index 00000000..4511bde4
--- /dev/null
+++ b/config/haproxy-devel/haproxy.xml
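Review bot: The action handler near the top of the widget (`if(!empty($_GET['act']) and !empty($_GET['be']) and !empty($_GET['srv']))`) hands `$_GET['be']` and `$_GET['srv']` to `haproxy_set_server_enabled()` untouched and changes server state on a plain GET, so any request the admin's browser is induced to make can take a backend server out of rotation; the action should be a POST so that whatever request-forgery protection the dashboard applies to its forms covers it, and both names should be matched against the backend/server names in `$statistics` before anything reaches the HAProxy socket (the statistics are computed only after this block, so the call would need to move below it, and what `haproxy_set_server_enabled()` itself does with the strings is not visible here). The settings form has the same shape of problem: `$a_config[$fieldname] = $_POST[$fieldname]` stores the raw values and `haproxy_widget_timer` is later emitted into `setTimeout('getstatus_haproxy()', <?= $refresh_rate ?>);`, so a non-numeric value breaks or alters the script; storing `(int)$_POST['haproxy_widget_timer']` and reducing the three checkbox fields to `'yes'`/`'no'` before writing them would close that. `if ($show_frontends == "YES")` and the matching tests on `$show_clients` and `$show_clients_traffic` only work because those variables are already booleans and `true == "YES"` holds under loose comparison; `if ($show_frontends)` says what is meant. The `write_config("Updated traffic graph settings via dashboard.")` message appears to be left over from another widget.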
@@ -0,0 +1,116 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + haproxy.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2009 Scott Ullrich + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>haproxy</name> + <version>1.0</version> + <title>HAProxy</title> + <aftersaveredirect>/pkg_edit.php?xml=haproxy_pools.php</aftersaveredirect> + <include_file>/usr/local/pkg/haproxy.inc</include_file> + <menu> + <name>HAProxy</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <url>/haproxy_listeners.php</url> + </menu> + <service> + <name>HAProxy</name> + <rcfile>haproxy.sh</rcfile> + <executable>haproxy</executable> + <description>The Reliable, High Performance TCP/HTTP Load Balancer</description> + </service> + <configpath>installedpackages->haproxy->config</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_global.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pools.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + 
<item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pool_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/widgets/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php</item> + </additional_files_needed> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> + <custom_php_install_command> + haproxy_custom_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + haproxy_custom_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_command_before_form> + </custom_php_command_before_form> +</packagegui> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php new file mode 100755 index 00000000..dbc55847 --- /dev/null +++ b/config/haproxy-devel/haproxy_global.php 
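Review bot: `<description>Describe your package here</description>` and `<requirements>Describe your package requirements here</requirements>` are still the template placeholders while `<faq>` and the `<service>` description are filled in; give them real text or leave them empty. Every `<additional_files_needed>` entry carries `<chmod>077</chmod>`, which read as an octal mode grants no permissions to the owner and rwx to group and others — if the installer applies it literally that is almost certainly not intended (the `.inc` files under `/usr/local/pkg/` need no execute bit at all), though the package framework may interpret the value differently, so confirm before changing it. The listed files are also fetched over plain `http://www.pfsense.com/...` with no accompanying hash, so the integrity of the code installed into `/usr/local/pkg/` and `/usr/local/www/` rests entirely on the transport; that is the convention of this package system rather than something the manifest alone can fix, but it is worth stating in the package description for anyone installing it.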
@@ -0,0 +1,420 @@ +<?php +/* $Id: load_balancer_pool.php,v 1.5.2.6 2007/03/02 23:48:32 smos Exp $ */ +/* + haproxy_global.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require_once("guiconfig.inc");
+require_once("haproxy.inc");
+require_once("globals.inc");
+
+if (!is_array($config['installedpackages']['haproxy']))
+ $config['installedpackages']['haproxy'] = array();
+
+
+if ($_POST) {
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ if ($_POST['apply']) {
+ $result = haproxy_check_and_run($savemsg, true);
+ if ($result)
+ unlink_if_exists($d_haproxyconfdirty_path);
+ } else {
+ if ($_POST['enable']) {
+ $reqdfields = explode(" ", "maxconn");
+ $reqdfieldsn = explode(",", "Maximum connections");
+ }
+
+ if ($_POST['carpdev'] == "disabled")
+ unset($_POST['carpdev']);
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn'])))
+ $input_errors[] = "The maximum number of connections should be numeric.";
+
+ if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1']))
+ $input_errors[] = "Synchost1 needs to be an IPAddress.";
+ if($_POST['synchost2'] && !is_ipaddr($_POST['synchost2']))
+ $input_errors[] = "Synchost2 needs to be an IPAddress.";
+ if($_POST['synchost3'] && !is_ipaddr($_POST['synchost3']))
+ $input_errors[] = "Synchost3 needs to be an IPAddress.";
+
+ if (!$input_errors) {
+ $config['installedpackages']['haproxy']['enable'] = $_POST['enable'] ? true : false;
+ $config['installedpackages']['haproxy']['terminate_on_reload'] = $_POST['terminate_on_reload'] ? true : false;
+ $config['installedpackages']['haproxy']['maxconn'] = $_POST['maxconn'] ? $_POST['maxconn'] : false;
+ $config['installedpackages']['haproxy']['enablesync'] = $_POST['enablesync'] ? true : false;
+ $config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false;
+ $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false;
+ $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? 
$_POST['synchost3'] : false;
+ $config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false;
+ $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false;
+ $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false;
+ $config['installedpackages']['haproxy']['carpdev'] = $_POST['carpdev'] ? $_POST['carpdev'] : false;
+ $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false;
+ $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false;
+ $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false;
+ touch($d_haproxyconfdirty_path);
+ write_config();
+ }
+ }
+}
+
+$pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']);
+$pconfig['terminate_on_reload'] = isset($config['installedpackages']['haproxy']['terminate_on_reload']);
+$pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn'];
+$pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']);
+$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword'];
+$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1'];
+$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2'];
+$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3'];
+$pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog'];
+$pconfig['logfacility'] = $config['installedpackages']['haproxy']['logfacility'];
+$pconfig['loglevel'] = $config['installedpackages']['haproxy']['loglevel'];
+$pconfig['carpdev'] = $config['installedpackages']['haproxy']['carpdev'];
+$pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']);
+$pconfig['nbproc'] = 
$config['installedpackages']['haproxy']['nbproc']; + +// defaults +if (!$pconfig['logfacility']) + $pconfig['logfacility'] = 'local0'; +if (!$pconfig['loglevel']) + $pconfig['loglevel'] = 'info'; + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: HAProxy: Settings"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script type="text/javascript" src="javascript/scriptaculous/prototype.js"></script> +<script type="text/javascript" src="javascript/scriptaculous/scriptaculous.js"></script> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- +function enable_change(enable_change) { + var endis; + endis = !(document.iform.enable.checked || enable_change); + document.iform.maxconn.disabled = endis; +} +//--> +</script> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<form action="haproxy_global.php" method="post" name="iform"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> +<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php endif; ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", true, "haproxy_global.php"); + $tab_array[] = array("Listener", false, "haproxy_listeners.php"); + $tab_array[] = array("Server Pool", false, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">General settings</td> + </tr> + <tr> + <td width="22%" valign="top" 
class="vncell"> </td> + <td width="78%" class="vtable"> + <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?> onClick="enable_change(false)"> + <strong>Enable HAProxy</strong></td> + </tr> + <tr> + <td valign="top" class="vncell"> + Maximum connections + </td> + <td class="vtable"> + <table><tr><td> + <table cellpadding="0" cellspacing="0"> + <tr> + <td> + <input name="maxconn" type="text" class="formfld" id="maxconn" size="5" <?if ($pconfig['enable']!='yes') echo "enabled=\"false\"";?> value="<?=htmlspecialchars($pconfig['maxconn']);?>"> per Backend. + </td> + </tr> + </table> + Sets the maximum per-process number of concurrent connections to X.<br/> + <strong>NOTE:</strong> setting this value too high will result in HAProxy not being able to allocate enough memory.<br/> + <?php + $memusage = trim(`ps auxw | grep haproxy | grep -v grep | awk '{ print $5 }'`); + if($memusage) + echo "<p>Current memory usage: {$memusage} K.</p>"; + ?> + </td><td> + <table style="border: 1px solid #000;"> + <tr> + <td><font size=-1>Connections</td> + <td><font size=-1>Memory usage</td> + </tr> + <tr> + <td colspan="2"> + <hr noshade style="border: 1px solid #000;"> + </td> + </tr> + <tr> + <td align="right"><font size=-1>999</td> + <td><font size=-1>1888K</td> + </tr> + <tr> + <td align="right"><font size=-1>99999</td> + <td><font size=-1>8032K</td> + </tr> + <tr> + <td align="right"><font size=-1>999999</td> + <td><font size=-1>50016K</td> + </tr> + <tr> + <td align="right"><font size=-1>9999999</td> + <td><font size=-1>467M</td> + </tr> + </table> + </td></tr></table> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Number of processes to start + </td> + <td class="vtable"> + <input name="nbproc" type="text" class="formfld" id="nbproc" size="18" value="<?=htmlspecialchars($pconfig['nbproc']);?>"> + <br/> + Defaults to 1 if left blank (<?php echo trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); ?> CPU core(s) 
detected).<br/> + Note : Consider leaving this value empty or 1 because in multi-process mode (nbproc > 1) memory is not shared between the processes, which could result in random behaviours for several options like ACL's, sticky connections and some others.<br/> + For more information about the <b>"nbproc"</b> option please see <b><a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_new'>HAProxy Documentation</a> </b> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Reload behaviour</td> + <td width="78%" class="vtable"> + <input name="terminate_on_reload" type="checkbox" value="yes" <?php if ($pconfig['terminate_on_reload']) echo "checked"; ?>> + Force immediate stop of old process on reload. (closes existing connections)<br/><br/>Note: when this option is selected connections will be closed when haproxy is restarted. + Otherwise the existing connections will be served by the old haproxy process untill they are closed. + Checking this option will interupt existing connections on a restart. (which happens when the configuration is applied, + but possibly also when pfSense detects an interface comming up or changing its ip-address)</td> + </tr> + <tr> + <td valign="top" class="vncell"> + Remote syslog host + </td> + <td class="vtable"> + <input name="remotesyslog" type="text" class="formfld" id="remotesyslog" size="18" value="<?=htmlspecialchars($pconfig['remotesyslog']);?>"><br/> + To log to the local pfSense systemlog fill the host with the value <b>/var/run/log</b>, however if a lot of messages are generated logging is likely to be incomplete. (Also currently no informational logging gets shown in the systemlog.) 
+ </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Syslog facility + </td> + <td class="vtable"> + <select name="logfacility" class="formfld"> + <?php + $facilities = array("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", + "news", "uucp", "cron", "auth2", "ftp", "ntp", "audit", "alert", "cron2", + "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"); + foreach ($facilities as $f): + ?> + <option value="<?=$f;?>" <?php if ($f == $pconfig['logfacility']) echo "selected"; ?>> + <?=$f;?> + </option> + <?php + endforeach; + ?> + </select> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Syslog level + </td> + <td class="vtable"> + <select name="loglevel" class="formfld"> + <?php + $levels = array("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"); + foreach ($levels as $l): + ?> + <option value="<?=$l;?>" <?php if ($l == $pconfig['loglevel']) echo "selected"; ?>> + <?=$l;?> + </option> + <?php + endforeach; + ?> + </select> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Carp monitor + </td> + <td class="vtable"> + <select name="carpdev" class="formfld"> + <option value="disabled" <?php if (!isset($pconfig['carpdev'])) echo "selected"; ?>> + disabled + </option> + <?php + if(is_array($config['virtualip']['vip'])) { + foreach($config['virtualip']['vip'] as $carp): + if ($carp['mode'] != "carp") continue; + $ipaddress = $carp['subnet']; + $carp_int = trim(find_carp_interface($ipaddress)); + ?> + <option value="<?=$carp_int;?>" + <?php if (isset($pconfig['carpdev']) && $carp_int == $pconfig['carpdev']) echo "selected"; ?>> + <?=$carp_int;?> (<?=$ipaddress;?>) + </option> + <?php + endforeach; + } + ?> + </select> + <br/> + Monitor carp interface and only run haproxy on the firewall which is MASTER. 
+ </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Global Advanced pass thru</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <br/> + NOTE: paste text into this box that you would like to pass thru in the global settings area. + </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?>> + <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Synchronization password</td> + <td width="78%" class="vtable"> + <input name="syncpassword" type="password" autocomplete="off" value="<?=$pconfig['syncpassword'];?>"> + <br/> + <strong>Enter the password that will be used during configuration synchronization. 
This is generally the remote webConfigurator password.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #1</td> + <td width="78%" class="vtable"> + <input name="synchost1" value="<?=$pconfig['synchost1'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #2</td> + <td width="78%" class="vtable"> + <input name="synchost2" value="<?=$pconfig['synchost2'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #3</td> + <td width="78%" class="vtable"> + <input name="synchost3" value="<?=$pconfig['synchost3'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> + </td> + </td> + </tr> + </table> + </div> +</table> + +<?php if(file_exists("/var/etc/haproxy.cfg")): ?> + <p/> + <div id="configuration" style="display:none; border-style:dashed; padding: 8px;"> + <b><i>/var/etc/haproxy.cfg file contents:</b></i> + <?php + if(file_exists("/var/etc/haproxy.cfg")) { + echo "<pre>" . trim(file_get_contents("/var/etc/haproxy.cfg")) . "</pre>"; + } + ?> + </div> + <div id="showconfiguration"> + <a onClick="new Effect.Fade('showconfiguration'); new Effect.Appear('configuration'); setTimeout('scroll_after_fade();', 250); return false;" href="#">Show</a> automatically generated configuration. + </div> +<?php endif; ?> + +</form> +<script language="JavaScript"> + function scroll_after_fade() { + scrollTo(0,99999999999); + } +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> 
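Review bot: Sync host #3 is never saved — the line `$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? $_POST['synchost3'] : false;` overwrites synchost2 with the synchost3 value, so the second host is lost whenever a third is entered and the third never persists; the key should be `['synchost3']`. The form also echoes stored values without escaping: the `syncpassword` and `synchost1..3` `value="<?=…?>"` attributes, the `advanced` textarea body (stored base64, decoded and printed raw) and the `<pre>` dump of /var/etc/haproxy.cfg, which contains that same pass-thru text — a `"` or `</textarea>` in a saved password or pass-thru block breaks out of the markup, which is stored XSS against anyone who opens this page. Each of these should go through `htmlspecialchars()` the way `maxconn` and `nbproc` already do. Validation is also thinner than the config it feeds: `nbproc` is not checked at all and `is_numeric()` on `maxconn` accepts floats and exponent forms that haproxy's integer settings are unlikely to accept; `ctype_digit()` on both would reject that before the config is written.
```php
// … unchanged: apply branch, reqdfields, carpdev handling …
if ($_POST['maxconn'] && !ctype_digit($_POST['maxconn']))
	$input_errors[] = "The maximum number of connections should be numeric.";
if ($_POST['nbproc'] && !ctype_digit($_POST['nbproc']))
	$input_errors[] = "The number of processes should be a whole number.";
// … unchanged: synchost IP checks, other assignments …
$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false;
$config['installedpackages']['haproxy']['synchost3'] = $_POST['synchost3'] ? $_POST['synchost3'] : false;
// … unchanged: touch(), write_config(), page head, tabs …
<textarea name='advanced' rows="4" cols="70" id='advanced'><?=htmlspecialchars($pconfig['advanced']);?></textarea>
<?php /* … unchanged: sync checkbox … */ ?>
<input name="syncpassword" type="password" autocomplete="off" value="<?=htmlspecialchars($pconfig['syncpassword']);?>">
<input name="synchost1" value="<?=htmlspecialchars($pconfig['synchost1']);?>">
<?php /* … unchanged: synchost2 / synchost3 inputs, same htmlspecialchars() treatment … */ ?>
echo "<pre>" . htmlspecialchars(trim(file_get_contents("/var/etc/haproxy.cfg"))) . "</pre>";
```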
diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php new file mode 100644 index 00000000..7b6e3d58 --- /dev/null +++ b/config/haproxy-devel/haproxy_listeners.php 
@@ -0,0 +1,223 @@ +<?php +/* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ +/* + haproxy_baclkends.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require_once("guiconfig.inc");
+require_once("haproxy.inc");
+require_once("certs.inc");
+
+if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
+ $config['installedpackages']['haproxy']['ha_backends']['item'] = array();
+}
+$a_frontend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+
+if ($_POST) {
+ $pconfig = $_POST;
+
+ if ($_POST['apply']) {
+ $result = haproxy_check_and_run($savemsg, true);
+ if ($result)
+ unlink_if_exists($d_haproxyconfdirty_path);
+ }
+} else {
+ $result = haproxy_check_config($retval);
+ if ($result)
+ $savemsg = gettext($result);
+}
+
+$id = $_GET['id'];
+$id = get_frontend_id($id);
+
+if ($_GET['act'] == "del") {
+ if (isset($a_frontend[$id])) {
+ if (!$input_errors) {
+ unset($a_frontend[$id]);
+ write_config();
+ touch($d_haproxyconfdirty_path);
+ }
+ header("Location: haproxy_listeners.php");
+ exit;
+ }
+}
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Services: HAProxy: Listener";
+include("head.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="haproxy_listeners.php" method="post">
+<?php if($one_two): ?>
+<p class="pgtitle"><?=$pgtitle?></p>
+<?php endif; ?>
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php if (file_exists($d_haproxyconfdirty_path)): ?><p>
+<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
+<?php endif; ?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td class="tabnavtbl">
+ <?php
+ /* active tabs */
+ $tab_array = array();
+ $tab_array[] = array("Settings", false, "haproxy_global.php");
+ $tab_array[] = array("Listener", true, "haproxy_listeners.php");
+ $tab_array[] = array("Server Pool", false, 
"haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="5%" class="listhdrr">Primary</td> + <td width="20%" class="listhdrr">Advanced</td> + <td width="20%" class="listhdrr">Name</td> + <td width="30%" class="listhdrr">Description</td> + <td width="20%" class="listhdrr">Address</td> + <td width="5%" class="listhdrr">Type</td> + <td width="10%" class="listhdrr">Server pool</td> + <td width="20%" class="listhdrr">Parent</td> + <td width="5%" class="list"></td> + </tr> +<?php + + function sort_sharedfrontends(&$a, &$b) { + // make sure the 'primary frontend' is the first in the array, after that sort by name. + if ($a['secondary'] != $b['secondary']) + return $a['secondary'] > $b['secondary'] ? 1 : -1; + if ($a['name'] != $b['name']) + return $a['name'] > $b['name'] ? 1 : -1; + return 0; + } + + $a_frontend_grouped = array(); + foreach($a_frontend as &$frontend2) { + $ipport = get_frontend_ipport($frontend2); + $frontend2['ipport'] = $ipport; + $a_frontend_grouped[$ipport][] = $frontend2; + } + ksort($a_frontend_grouped); + + $img_cert = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png"; + $img_adv = "/themes/{$g['theme']}/images/icons/icon_advanced.gif"; + $img_acl = "/themes/{$g['theme']}/images/icons/icon_ts_rule.gif"; + $last_frontend_shared = false; + foreach ($a_frontend_grouped as $a_frontend) { + usort($a_frontend,'sort_sharedfrontends'); + if (count($a_frontend) > 1 || $last_frontend_shared) { + ?> <tr class="<?=$textgray?>"><td collspan="7"> </td></tr> <? + } + $last_frontend_shared = count($a_frontend) > 1; + foreach ($a_frontend as $frontend) { + $frontendname = $frontend['name']; + $textgray = $frontend['status'] != 'active' ? 
" gray" : ""; + ?> + <tr class="<?=$textgray?>"> + <td class="listlr" style="<?=$frontend['secondary']=='yes'?"visibility:hidden;":""?>" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['secondary']!='yes'?"yes":"no";?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <? + if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']) { + $cert = lookup_cert($frontend['ssloffloadcert']); + echo '<img src="'.$img_cert.'" title="SSL offloading cert: '.$cert['descr'].'" alt="SSL offloading" border="0" height="16" width="16" />'; + } + + $acls = get_frontent_acls($frontend); + $isaclset = ""; + foreach ($acls as $acl) { + $isaclset .= " " . $acl['descr']; + } + if ($isaclset) + echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\">"; + + $isadvset = ""; + if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; + if ($frontend['advanced']) $isadvset .= "advanced settings used\r\n"; + if ($isadvset) + echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . 
": {$isadvset}\" border=\"0\">"; + + ?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['name'];?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['desc'];?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['ipport'];?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['type']?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['backend_serverpool']?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <?=$frontend['secondary'] == 'yes' ? $frontend['primary_frontend'] : "";?> + </td> + <td class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_listeners_edit.php?id=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners.php?act=del&id=<?=$frontendname;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners_edit.php?dup=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr><?php + } + } ?> + <tfoot> + <tr> + <td class="list" colspan="8"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_listeners_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" 
width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + </tfoot> + </table> + </div> + </table> + </form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php new file mode 100644 index 00000000..8f9c2484 --- /dev/null +++ b/config/haproxy-devel/haproxy_listeners_edit.php 
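Review bot: Config-stored strings are written into the listing without escaping — `$frontend['name']`, `$frontend['desc']`, `$frontend['backend_serverpool']` and `$frontend['primary_frontend']` go straight into table cells, `$cert['descr']` and `$acl['descr']` into `title` attributes, and `$frontendname` is interpolated into every `ondblclick="document.location='…?id=…'"` handler and into the edit/delete/duplicate `href`s, so a name or description containing `'`, `"` or `<` breaks out of the attribute (stored XSS for anyone who can save a listener, a broken delete link at best) unless haproxy_listeners_edit.php restricts those fields to a safe character set, which is outside this hunk. I would encode the id once for URL/JS use, `$frontendname = rawurlencode($frontend['name']);`, and wrap the displayed values, e.g. `<?=htmlspecialchars($frontend['desc']);?>`. Separately, deletion fires on a plain GET (`haproxy_listeners.php?act=del&id=…`) with no token visible in this file; unless the framework also protects GET requests, a cross-site image load deletes a listener, so the action belongs in a POST form. Note also that `$a_frontend` is a reference into `$config[...]['ha_backends']['item']` and `foreach ($a_frontend_grouped as $a_frontend)` later reassigns it, overwriting the in-memory config array with one group at a time — harmless today only because nothing writes config after rendering, so the loop variable should be renamed.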
@@ -0,0 +1,804 @@
+<?php
+/* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */
+/*
+ haproxy_listeners_edit.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com>
+ Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com>
+ Copyright (C) 2013 PiBa-NL merging (some of the) "haproxy-devel" changes from: Marcello Coutinho <marcellocoutinho@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require_once("haproxy.inc");
+
+/* Compatibility function for pfSense 2.0 */
+if (!function_exists("cert_get_purpose")) {
+ function cert_get_purpose(){
+ $result = array();
+ $result['server'] = "Yes";
+ return $result;
+ }
+}
+/**/
+
+function get_certificat_usage($refid) {
+ $usage = array();
+ $cert = lookup_cert($refid);
+ if (is_cert_revoked($cert))
+ $usage[] = "Revoked";
+ if (is_webgui_cert($refid))
+ $usage[] = "webConfigurator";
+ if (is_user_cert($refid))
+ $usage[] = "User Cert";
+ if (is_openvpn_server_cert($refid))
+ $usage[] = "OpenVPN Server";
+ if (is_openvpn_client_cert($refid))
+ $usage[] = "OpenVPN Client";
+ if (is_ipsec_cert($cert['refid']))
+ $usage[] = "IPsec Tunnel";
+ if (function_exists("is_captiveportal_cert"))
+ if (is_captiveportal_cert($refid))
+ $usage[] = "Captive Portal";
+
+ return $usage;
+}
+
+// This function (is intended to) provides a uniform way to retrieve a list of server certificates
+function get_certificates_server($get_includeWebCert=false) {
+ global $config;
+ $certificates=array();
+ $a_cert = &$config['cert'];
+ foreach ($a_cert as $cert)
+ {
+ if ($get_ca == false && is_webgui_cert($cert['refid']))
+ continue;
+
+ $purpose = cert_get_purpose($cert['crt']);
+ //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : "";
+ $certserverpurpose = "";
+
+ $selected = "";
+ $caname = "";
+ $inuse = "";
+ $revoked = "";
+ $ca = lookup_ca($cert['caref']);
+ if ($ca)
+ $caname = " (CA: {$ca['descr']})";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected";
+ if (cert_in_use($cert['refid']))
+ $inuse = " *In Use";
+ if (is_cert_revoked($cert))
+ $revoked = " *Revoked";
+
+ $usagestr="";
+ $usage = get_certificat_usage($cert['refid']);
+ foreach($usage as $use){
+ $usagestr .= " " . $use;
+ }
+ if ($usagestr != "")
+ $usagestr = " (".trim($usagestr).")";
+
+ $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . 
$revoked . $usagestr;
+ }
+ return $certificates;
+}
+
+function haproxy_acl_select($mode) {
+ global $a_acltypes;
+
+ $seltext = '';
+ foreach ($a_acltypes as $expr) {
+ if ($expr['mode'] == '' || $expr['mode'] == $mode)
+ $seltext .= "<option value='" . $expr['name'] . "'>" . $expr['descr'] .":</option>";
+ }
+ return $seltext;
+}
+
+$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty";
+
+if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
+ $config['installedpackages']['haproxy']['ha_backends']['item'] = array();
+}
+
+$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+
+global $simplefields;
+$simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool',
+ 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','advanced_bind');
+
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+else
+ $id = $_GET['id'];
+
+if (isset($_GET['dup']))
+ $id = $_GET['dup'];
+
+$id = get_frontend_id($id);
+
+if (isset($id) && $a_backend[$id]) {
+ $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item'];
+ $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']);
+
+ foreach($simplefields as $stat)
+ $pconfig[$stat] = $a_backend[$id][$stat];
+}
+
+if (isset($_GET['dup']))
+ unset($id);
+
+$changedesc = "Services: HAProxy: Frontend";
+$changecount = 0;
+
+if ($_POST) {
+ $changecount++;
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+
+ if ($pconfig['secondary'] != "yes") {
+ $reqdfields = explode(" ", "name type port max_connections");
+ $reqdfieldsn = explode(",", "Name,Type,Port,Max connections");
+ } else {
+ $reqdfields = explode(" ", "name");
+ $reqdfieldsn = explode(",", "Name");
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (preg_match("/[^a-zA-Z0-9\.\-_]/", 
$_POST['name']))
+ $input_errors[] = "The field 'Name' contains invalid characters.";
+
+ if ($pconfig['secondary'] != "yes") {
+ if (!is_numeric($_POST['max_connections']))
+ $input_errors[] = "The field 'Max connections' value is not a number.";
+
+ $ports = split(",", $_POST['port'] . ",");
+ foreach($ports as $port)
+ if ($port && !is_numeric($port))
+ $input_errors[] = "The field 'Port' value is not a number.";
+
+ if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout']))
+ $input_errors[] = "The field 'Client timeout' value is not a number.";
+ }
+
+ /* Ensure that our pool names are unique */
+ for ($i=0; isset($config['installedpackages']['haproxy']['ha_backends']['item'][$i]); $i++)
+ if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_backends']['item'][$i]['name']) && ($i != $id))
+ $input_errors[] = "This frontend name has already been used. Frontend names must be unique. $i != $id";
+
+ $a_acl=array();
+ $acl_names=array();
+ for($x=0; $x<99; $x++) {
+ $acl_name=$_POST['acl_name'.$x];
+ $acl_expression=$_POST['acl_expression'.$x];
+ $acl_value=$_POST['acl_value'.$x];
+
+ if ($acl_name) {
+ $acl_names[]=$acl_name;
+
+ $acl=array();
+ $acl['name']=$acl_name;
+ $acl['expression']=$acl_expression;
+ $acl['value']=$acl_value;
+ $a_acl[]=$acl;
+
+ if (preg_match("/[^a-zA-Z0-9\.\-_]/", $acl_name))
+ $input_errors[] = "The field 'Name' contains invalid characters.";
+
+ if (!preg_match("/.{1,}/", $acl_value))
+ $input_errors[] = "The field 'Value' is required.";
+
+ if (!preg_match("/.{2,}/", $acl_name))
+ $input_errors[] = "The field 'Name' is required.";
+
+ }
+ }
+
+ $pconfig['a_acl']=$a_acl;
+
+ if (!$input_errors) {
+ $backend = array();
+ if(isset($id) && $a_backend[$id])
+ $backend = $a_backend[$id];
+
+ if($backend['name'] != "")
+ $changedesc .= " modified '{$backend['name']}' pool:";
+
+ foreach($simplefields as $stat)
+ update_if_changed($stat, $backend[$stat], $_POST[$stat]);
+
+
+ update_if_changed("advanced", 
$backend['advanced'], base64_encode($_POST['advanced']));
+ $backend['ha_acls']['item'] = $a_acl;
+
+ if (isset($id) && $a_backend[$id]) {
+ $a_backend[$id] = $backend;
+ } else {
+ $a_backend[] = $backend;
+ }
+
+ if ($changecount > 0) {
+ touch($d_haproxyconfdirty_path);
+ write_config($changedesc);
+ }
+
+ header("Location: haproxy_listeners.php");
+ exit;
+ }
+}
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+if (!$id)
+{
+ //default value for new items.
+ $pconfig['ssloffloadacl'] = "yes";
+}
+
+$pgtitle = "HAProxy: Frontend: Edit";
+include("head.inc");
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+ <style type="text/css">
+ .haproxy_mode_http{display:none;}
+ .haproxy_ssloffloading_enabled{display:none;}
+ .haproxy_primary{}
+ .haproxy_secondary{display:none;}
+ </style>
+
+<?php if($one_two): ?>
+<script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
+<script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
+<?php endif; ?>
+<script type="text/javascript">
+ // Global Variables
+ var rowname = new Array(99);
+ var rowtype = new Array(99);
+ var newrow = new Array(99);
+ var rowsize = new Array(99);
+
+ for (i = 0; i < 99; i++) {
+ rowname[i] = '';
+ rowtype[i] = '';
+ newrow[i] = '';
+ rowsize[i] = '25';
+ }
+
+ var field_counter_js = 0;
+ var loaded = 0;
+ var is_streaming_progress_bar = 0;
+ var temp_streaming_text = "";
+
+ var addRowTo = (function() {
+ return (function (tableId) {
+ var d, tbody, tr, td, bgc, i, ii, j, type, seltext;
+ var btable, btbody, btr, btd;
+
+ d = document;
+ type = d.getElementById("type").value;
+ if (type == 'health')
+ seltext = "<?php echo haproxy_acl_select('health');?>";
+ else if (type == 'tcp')
+ seltext = "<?php echo haproxy_acl_select('tcp');?>";
+ else if (type == 'https')
+ seltext = "<?php echo haproxy_acl_select('https');?>";
+ else
+ seltext = "<?php 
echo haproxy_acl_select('http');?>"; + if (seltext == '') { + alert("No ACL types available in current listener mode"); + return; + } + + tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); + tr = d.createElement("tr"); + totalrows++; + tr.setAttribute("id","aclrow" + totalrows); + for (i = 0; i < field_counter_js; i++) { + td = d.createElement("td"); + if(rowtype[i] == 'textbox') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + + "'></input> "; + } else if(rowtype[i] == 'select') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><select name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + + "'>" + seltext + "</select> "; + } else { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input type='checkbox' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'></input> "; + } + tr.appendChild(td); + } + td = d.createElement("td"); + td.rowSpan = "1"; + td.setAttribute("class","list"); + + // Recreate the button table. 
+ btable = document.createElement("table"); + btable.setAttribute("border", "0"); + btable.setAttribute("cellspacing", "0"); + btable.setAttribute("cellpadding", "1"); + btbody = document.createElement("tbody"); + btr = document.createElement("tr"); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; + btr.appendChild(btd); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'acltable'); return false;\">"; + btr.appendChild(btd); + btbody.appendChild(btr); + btable.appendChild(btbody); + + td.appendChild(btable); + tr.appendChild(td); + tbody.appendChild(tr); + }); + })(); + + function dupRow(rowId, tableId) { + var dupEl; + var newEl; + + addRowTo(tableId); + for (i = 0; i < field_counter_js; i++) { + dupEl = document.getElementById(rowname[i] + rowId); + newEl = document.getElementById(rowname[i] + totalrows); + if (dupEl && newEl) + newEl.value = dupEl.value; + } + } + + function removeRow(el) { + var cel; + // Break out of one table first + while (el && el.nodeName.toLowerCase() != "table") + el = el.parentNode; + while (el && el.nodeName.toLowerCase() != "tr") + el = el.parentNode; + + if (el && el.parentNode) { + cel = el.getElementsByTagName("td").item(0); + el.parentNode.removeChild(el); + } + } + + function find_unique_field_name(field_name) { + // loop through field_name and strip off -NUMBER + var last_found_dash = 0; + for (var i = 0; i < field_name.length; i++) { + // is this a dash, if so, update + // last_found_dash + if (field_name.substr(i,1) == "-" ) + last_found_dash = i; + } + if (last_found_dash < 1) + return field_name; + 
return(field_name.substr(0,last_found_dash)); + } + + rowname[0] = "acl_name"; + rowtype[0] = "textbox"; + rowsize[0] = "20"; + + rowname[1] = "acl_expression"; + rowtype[1] = "select"; + rowsize[1] = "10"; + + rowname[2] = "acl_value"; + rowtype[2] = "textbox"; + rowsize[2] = "35"; + + function setCSSdisplay(cssID, display) + { + var ss = document.styleSheets; + for (var i=0; i<ss.length; i++) { + var rules = ss[i].cssRules || ss[i].rules; + for (var j=0; j<rules.length; j++) { + if (rules[j].selectorText === cssID) { + rules[j].style.display = display ? "" : "none"; + } + } + } + } + + function updatevisibility() + { + d = document; + ssloffload = d.getElementById("ssloffload"); + type = d.getElementById("type"); + secondary = d.getElementById("secondary"); + primary_frontend = d.getElementById("primary_frontend"); + + if (secondary.checked) + type = primaryfrontends[primary_frontend.value]['ref']['type']; + else + type = d.getElementById("type").value; + + setCSSdisplay(".haproxy_ssloffloading_enabled", ssloffload.checked); + setCSSdisplay(".haproxy_mode_http", type == "http"); + setCSSdisplay(".haproxy_primary", !secondary.checked); + setCSSdisplay(".haproxy_secondary", secondary.checked); + + type_change(type); + } + + function type_change(type) { + var d, i, j, el, row; + var count = <?=count($a_acltypes);?>; + var acl = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['name']."'," ?> ]; + var mode = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['mode']."'," ?> ]; + + d = document; + for (i = 0; i < 99; i++) { + el = d.getElementById("acl_expression" + i); + row = d.getElementById("aclrow" + i); + if (!el) + continue; + for (j = 0; j < count; j++) { + if (acl[j] == el.value) { + if (mode[j] != '' && mode[j] != type) { + Effect.Fade(row,{ duration: 1.0 }); + } else { + Effect.Appear(row,{ duration: 1.0 }); + } + } + } + } + } +</script> +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php 
if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<form action="haproxy_listeners_edit.php" method="post" name="iform" id="iform"> + <div class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Edit haproxy listener</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Name</td> + <td width="78%" class="vtable" colspan="2"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="25" maxlength="25"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable" colspan="2"> + <input name="desc" type="text" <?if(isset($pconfig['desc'])) echo "value=\"{$pconfig['desc']}\"";?> size="64"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Status</td> + <td width="78%" class="vtable" colspan="2"> + <select name="status" id="status"> + <option value="active"<?php if($pconfig['status'] == "active") echo " SELECTED"; ?>>Active</option> + <option value="disabled"<?php if($pconfig['status'] == "disabled") echo " SELECTED"; ?>>Disabled</option> + </select> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Shared Frontend</td> + <td width="78%" class="vtable" colspan="2"> + <input id="secondary" name="secondary" type="checkbox" value="yes" <?php if ($pconfig['secondary']=='yes') echo "checked"; ?> onclick="updatevisibility();"/> + Use this setting to configure multiple backends/accesslists for a single frontend.<br/> + All settings of which only 1 can exist will be hidden.<br/> + The frontend settings will be merged into 1 set of frontend configuration. + </td> + </tr> + <tr class="haproxy_secondary" align="left"> + <td width="22%" valign="top" class="vncellreq">Primary frontend</td> + <td width="78%" class="vtable" colspan="2"> + <? 
+ $primaryfrontends = get_haproxy_frontends($pconfig['name']); + echo_html_select('primary_frontend',$primaryfrontends, $pconfig['primary_frontend'],"You must first create a 'primary' frontend.","updatevisibility();"); + ?> + </td> + </tr> + <tr class="haproxy_primary"> + <td width="22%" valign="top" class="vncellreq">External address</td> + <td width="78%" class="vtable"> + <select name="extaddr" class="formfld"> + <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> + <option value="localhost" <?php if ('localhost' == $pconfig['extaddr']) echo "selected"; ?>>Localhost</option> + <?php + if (is_array($config['virtualip']['vip'])): + foreach ($config['virtualip']['vip'] as $sn): + ?> + <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>> + <?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?> + </option> + <?php + endforeach; + endif; + ?> + <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option> + </select> + <br /> + <span class="vexpl"> + If you want this rule to apply to another IP address than the IP address of the interface chosen above, + select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first). + Also note that if you are trying to redirect connections on the LAN select the "any" option. + </span> + </td> + </tr> + <tr class="haproxy_primary" align="left"> + <td width="22%" valign="top" class="vncellreq">External port</td> + <td width="78%" class="vtable" colspan="2"> + <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="30" maxlength="500"> + <div>The port to listen to. To specify multiple ports, separate with a comma (,). 
EXAMPLE: 80,443</div> + </td> + </tr> + <tr class="haproxy_primary" align="left"> + <td width="22%" valign="top" class="vncellreq">Max connections</td> + <td width="78%" class="vtable" colspan="2"> + <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Backend server pool</td> + <td width="78%" class="vtable"> + + <select id="backend_serverpool" name="backend_serverpool" class="formfld"> + <?php + if (is_array($a_pools)) { + foreach ($a_pools as $p) { + $selected = $p['name'] == $pconfig['backend_serverpool'] ? 'selected' : ''; + $name = htmlspecialchars("{$p['name']}"); + echo "<option value=\"{$p['name']}\" $selected>$name</option>"; + } + } else { + echo "<option value=\"-\">-</option>"; + } + ?> + </select> + <tr class="haproxy_primary" align="left"> + <td width="22%" valign="top" class="vncellreq">Type</td> + <td width="78%" class="vtable" colspan="2"> + <select name="type" id="type" onchange="updatevisibility();"> + <option value="http"<?php if($pconfig['type'] == "http") echo " SELECTED"; ?>>HTTP</option> + <option value="https"<?php if($pconfig['type'] == "https") echo " SELECTED"; ?>>HTTPS</option> + <option value="tcp"<?php if($pconfig['type'] == "tcp") echo " SELECTED"; ?>>TCP</option> + <option value="health"<?php if($pconfig['type'] == "health") echo " SELECTED"; ?>>Health</option> + </select><br/> + <span class="vexpl"> + This defines the processing type of HAProxy, and will determine the availabe options for acl checks and also several other options.<br/> + Please note that for https encryption/decryption on HAProxy with a certificate the processing type needs to be set to 'http'. 
+ </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Access Control lists</td> + <td width="78%" class="vtable" colspan="2" valign="top"> + <table class="" width="100%" cellpadding="0" cellspacing="0" id='acltable'> + <tr> + <td width="35%" class="">Name</td> + <td width="40%" class="">Expression</td> + <td width="20%" class="">Value</td> + <td width="5%" class=""></td> + </tr> + <?php + $a_acl=$pconfig['a_acl']; + + if (!is_array($a_acl)) { + $a_acl=array(); + } + + $counter=0; + foreach ($a_acl as $acl) { + $t = haproxy_find_acl($acl['expression']); + $display = ''; + if (!$t || ($t['mode'] != '' && $t['mode'] != strtolower($pconfig['type']))) + $display = 'style="display: none;"'; + ?> + <tr id="aclrow<?=$counter;?>" <?=$display;?>> + <td><input name="acl_name<?=$counter;?>" id="acl_name<?=$counter;?>" type="text" value="<?=$acl['name']; ?>" size="20"/></td> + <td> + <select name="acl_expression<?=$counter;?>" id="acl_expression<?=$counter;?>"> + <?php + foreach ($a_acltypes as $expr) { ?> + <option value="<?=$expr['name'];?>"<?php if($acl['expression'] == $expr['name']) echo " SELECTED"; ?>><?=$expr['descr'];?>:</option> + <?php } ?> + </select> + </td> + <td><input name="acl_value<?=$counter;?>" id="acl_value<?=$counter;?>" type="text" value="<?=$acl['value']; ?>" size="35"/></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'acltable'); return false;"> + </td></tr></table> + </td> + </tr> + <?php + $counter++; + } + ?> + </table> + <a onclick="javascript:addRowTo('acltable'); return false;" href="#"> + <img border="0" src="/themes/<?= 
$g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> + </a><br/> + acl's with the same name wil be 'combined', acl's with different names will be evaluated seperately.<br/> + For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_new'>HAProxy Documentation</a> Section 7 - Using ACL's + </td> + </tr> + </table> + <br/> <br/> + <table class="haproxy_primary" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced settings</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Client timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10"> + <div>the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (default 30000).</div> + </td> + </tr> + <tr align="left" class="haproxy_mode_http"> + <td width="22%" valign="top" class="vncell">Use 'forwardfor' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?>> + <br/> + The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which + contains the client's IP address. This is useful to let the final web server + know what the client address was. (eg for statistics on domains)<br/> + <br/> + It is important to note that as long as HAProxy does not support keep-alive connections, + only the first request of a connection will receive the header. For this reason, + it is important to ensure that option httpclose is set when using this option. 
+ </td> + </tr> + <tr align="left" class="haproxy_mode_http"> + <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> + <br/> + The 'httpclose' option removes any 'Connection' header both ways, and + adds a 'Connection: close' header in each direction. This makes it easier to + disable HTTP keep-alive than the previous 4-rules block. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Bind pass thru</td> + <td width="78%" class="vtable" colspan="2"> + <input name="advanced_bind" type="text" <?if(isset($pconfig['advanced_bind'])) echo "value=\"".htmlspecialchars($pconfig['advanced_bind'])."\"";?> size="64"> + <br/> + NOTE: paste text into this box that you would like to pass behind the bind option. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Advanced pass thru</td> + <td width="78%" class="vtable" colspan="2"> + <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo htmlspecialchars($pconfig['advanced']); ?></textarea> + <br/> + NOTE: paste text into this box that you would like to pass thru. + </td> + </tr> + <tr> + <td> </td> + </tr> + </table> +<? 
+ global $haproxy_sni_ssloffloading; + if ($haproxy_sni_ssloffloading): +?> + <table class="haproxy_mode_http" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">SSL Offloading</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use Offloading</td> + <td width="78%" class="vtable" colspan="2"> + <input id="ssloffload" name="ssloffload" type="checkbox" value="yes" <?php if ($pconfig['ssloffload']=='yes') echo "checked";?> onclick="updatevisibility();"><strong>Use Offloading</strong></input> + <br/> + The SSL Offloading will reduce web servers load by encrypt data to users on internet and send it without encrytion to internal servers. + </td> + </tr> + <tr class="haproxy_ssloffloading_enabled" align="left"> + <td width="22%" valign="top" class="vncell">Certificate</td> + <td width="78%" class="vtable" colspan="2"> + <? + $servercerts = get_certificates_server(); + echo_html_select("ssloffloadcert", $servercerts, $pconfig['ssloffloadcert'], '<b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>.'); + ?> + <br/> + NOTE: choose the cert to use on this frontend. 
+ </td> + </tr> + <tr class="haproxy_ssloffloading_enabled" align="left"> + <td width="22%" valign="top" class="vncell">ACL for certificate CN</td> + <td width="78%" class="vtable" colspan="2"> + <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();">Add ACL for certificate CommonName.</input> + </td> + </tr> + <tr class="haproxy_ssloffloading_enabled haproxy_primary" align="left"> + <td width="22%" valign="top" class="vncell">Advanced ssl options</td> + <td width="78%" class="vtable" colspan="2"> + <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> size="10" maxlength="64"> + <br/> + NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br> + some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets + </td> + </tr> + <tr> + <td> </td> + </tr> + </table> +<? + endif; +?> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr align="left"> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <?php if (isset($id) && $a_backend[$id]): ?> + <input name="id" type="hidden" value="<?=$a_backend[$id]['name'];?>"> + <?php endif; ?> + </td> + </tr> + <tr> + <td colspan='3'> + <span class="vexpl"><b>NOTE:</b> You must add a firewall rule permitting access to this frontend!</span> + </td> + </tr> + </table> + </div> + </form> +<br> +<script type="text/javascript"> +<? 
+ phparray_to_javascriptarray($primaryfrontends,"primaryfrontends",Array('/*','/*/name','/*/ref','/*/ref/type','/*/ref/ssloffload')); +?> + +</script> +<script type="text/javascript"> + field_counter_js = 3; + rows = 1; + totalrows = <?php echo $counter; ?>; + loaded = <?php echo $counter; ?>; + + updatevisibility(); +</script> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php new file mode 100644 index 00000000..a7a56b1c --- /dev/null +++ b/config/haproxy-devel/haproxy_pool_edit.php 
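Review bot: In haproxy_listeners_edit.php the form escapes `advanced_bind` and `advanced` with htmlspecialchars() but prints `name`, `desc`, `port`, `max_connections`, `client_timeout`, `dcertadv` and each ACL `name`/`value` raw inside a double-quoted attribute, and after a failed POST `$pconfig = $_POST` puts the submitted values back unchanged. Of those, `desc` and the ACL value get no server-side validation beyond a non-empty check, so a `"` in either breaks out of the attribute here and again on the listing page, where `$frontend['desc']` is also echoed unescaped; wrap all of them the way `advanced_bind` already is, as in the lines below. Separately, the uniqueness loop uses a loose `$i != $id`: for a new frontend `$id` is unset (or whatever get_frontend_id(), defined outside this hunk, returns for an unknown name), and `0 != null` is false in PHP, so a new entry can silently take the name of the first configured frontend — `(!isset($id) || $i != $id)` closes that. The port check only applies is_numeric(), which accepts `70000` or `1e3`; if pfSense's is_port() helper is in scope here it is the stricter test.
```php
<input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"".htmlspecialchars($pconfig['name'])."\"";?> size="25" maxlength="25">
<?php /* … unchanged: description row wrapper … */ ?>
<input name="desc" type="text" <?if(isset($pconfig['desc'])) echo "value=\"".htmlspecialchars($pconfig['desc'])."\"";?> size="64">
<?php /* … unchanged: status, shared frontend, primary frontend, external address rows … */ ?>
<input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"".htmlspecialchars($pconfig['port'])."\"";?> size="30" maxlength="500">
<?php /* … unchanged: port help text, max connections row wrapper … */ ?>
<input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"".htmlspecialchars($pconfig['max_connections'])."\"";?> size="10" maxlength="10">
<?php /* … unchanged: backend pool, type rows, ACL table header … */ ?>
<td><input name="acl_name<?=$counter;?>" id="acl_name<?=$counter;?>" type="text" value="<?=htmlspecialchars($acl['name']); ?>" size="20"/></td>
<?php /* … unchanged: expression select … */ ?>
<td><input name="acl_value<?=$counter;?>" id="acl_value<?=$counter;?>" type="text" value="<?=htmlspecialchars($acl['value']); ?>" size="35"/></td>
<?php /* … unchanged: ACL row buttons, advanced settings table header … */ ?>
<input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"".htmlspecialchars($pconfig['client_timeout'])."\"";?> size="10" maxlength="10">
<?php /* … unchanged: forwardfor, httpclose, pass-thru, SSL offload rows … */ ?>
<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"".htmlspecialchars($pconfig['dcertadv'])."\"";?> size="10" maxlength="64">
```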
@@ -0,0 +1,903 @@ +<?php +/* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ +/* + haproxy_pool_edit.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("haproxy.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . 
"/haproxy.conf.dirty"; + +if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) { + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); +} + +$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + +if (isset($_POST['id'])) + $id = $_POST['id']; +else + $id = $_GET['id']; + +if (isset($_GET['dup'])) + $id = $_GET['dup']; + +global $simplefields; +$simplefields = array( +"name","cookie","balance","transparent_clientip","transparent_interface", +"check_type","checkinter","httpcheck_method","monitor_uri","monitor_httpversion","monitor_username","monitor_domain","monitor_agentport", +"connection_timeout","server_timeout","retries", +"stats_enabled","stats_username","stats_password","stats_uri","stats_realm","stats_admin","stats_node_enabled","stats_node","stats_desc","stats_refresh"); + +if (isset($id) && $a_pools[$id]) { + $pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']); + $pconfig['advanced_backend'] = base64_decode($a_pools[$id]['advanced_backend']); + $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; + + foreach($simplefields as $stat) + $pconfig[$stat] = $a_pools[$id][$stat]; +} + +if (isset($_GET['dup'])) + unset($id); + +$changedesc = "Services: HAProxy: pools: "; +$changecount = 0; + +if ($_POST) { + $changecount++; + + unset($input_errors); + $pconfig = $_POST; + + $reqdfields = explode(" ", "name"); + $reqdfieldsn = explode(",", "Name"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['stats_enabled']) { + $reqdfields = explode(" ", "name stats_username stats_password stats_uri stats_realm"); + $reqdfieldsn = explode(",", "Name,Stats Username,Stats Password,Stats Uri,Stats Realm"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + } + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['name'])) + $input_errors[] = "The field 'Name' contains invalid characters."; + + if ($_POST['checkinter'] !== "" && 
!is_numeric($_POST['checkinter'])) + $input_errors[] = "The field 'Check frequency' value is not a number."; + + if ($_POST['connection_timeout'] !== "" && !is_numeric($_POST['connection_timeout'])) + $input_errors[] = "The field 'Connection timeout' value is not a number."; + + if ($_POST['server_timeout'] !== "" && !is_numeric($_POST['server_timeout'])) + $input_errors[] = "The field 'Server timeout' value is not a number."; + + if ($_POST['retries'] !== "" && !is_numeric($_POST['retries'])) + $input_errors[] = "The field 'Retries' value is not a number."; + + // the colon ":" is invalid in the username, other than that pretty much any character can be used. + if (preg_match("/[^a-zA-Z0-9!-\/;-~ ]/", $_POST['stats_username'])) + $input_errors[] = "The field 'Stats Username' contains invalid characters."; + + // the colon ":" can also be used in the password + if (preg_match("/[^a-zA-Z0-9!-~ ]/", $_POST['stats_password'])) + $input_errors[] = "The field 'Stats Password' contains invalid characters."; + + /* Ensure that our pool names are unique */ + for ($i=0; isset($config['installedpackages']['haproxy']['ha_pools']['item'][$i]); $i++) + if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_pools']['item'][$i]['name']) && ($i != $id)) + $input_errors[] = "This pool name has already been used. 
Pool names must be unique."; + + $a_servers=array(); + for($x=0; $x<99; $x++) { + $server_name = $_POST['server_name'.$x]; + $server_address = $_POST['server_address'.$x]; + $server_port = $_POST['server_port'.$x]; + $server_ssl = $_POST['server_ssl'.$x]; + $server_weight = $_POST['server_weight'.$x]; + $server_status = $_POST['server_status'.$x]; + $server_advanced = $_POST['server_advanced'.$x]; + + if ($server_address) { + $server = array(); + $server['name'] = $server_name; + $server['address'] = $server_address; + $server['port'] = $server_port; + $server['ssl'] = $server_ssl; + $server['weight'] = $server_weight; + $server['status'] = $server_status; + $server['advanced'] = $server_advanced; + $a_servers[] = $server; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) + $input_errors[] = "The field 'Name' contains invalid characters."; + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_address)) + $input_errors[] = "The field 'Address' contains invalid characters."; + + if (!preg_match("/.{2,}/", $server_name)) + $input_errors[] = "The field 'Name' is required (and must be at least 2 characters)."; + + if (!preg_match("/.{2,}/", $server_address)) + $input_errors[] = "The field 'Address' is required (and must be at least 2 characters)."; + + + if (!is_numeric($server_weight)) + $input_errors[] = "The field 'Weight' value is not a number."; + + if ($server_port && !is_numeric($server_port)) + $input_errors[] = "The field 'Port' value is not a number."; + } + } + + if (!$input_errors) { + $pool = array(); + if(isset($id) && $a_pools[$id]) + $pool = $a_pools[$id]; + + if ($pool['name'] != $_POST['name']) { + // name changed: + if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); + } + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + + for ( $i = 0; $i < count($a_backend); $i++) { + if ($a_backend[$i]['backend_serverpool'] == 
$pool['name']) + $a_backend[$i]['backend_serverpool'] = $_POST['name']; + } + } + + if($pool['name'] != "") + $changedesc .= " modified pool: '{$pool['name']}'"; + + $pool['ha_servers']['item']=$a_servers; + + update_if_changed("name", $pool['name'], $_POST['name']); + update_if_changed("cookie", $pool['cookie'], $_POST['cookie']); + update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced'])); + update_if_changed("advanced_backend", $pool['advanced_backend'], base64_encode($_POST['advanced_backend'])); + update_if_changed("checkinter", $pool['checkinter'], $_POST['checkinter']); + update_if_changed("monitor_uri", $pool['monitor_uri'], $_POST['monitor_uri']); + + global $simplefields; + foreach($simplefields as $stat) + update_if_changed($stat, $pool[$stat], $_POST[$stat]); + + if (isset($id) && $a_pools[$id]) { + $a_pools[$id] = $pool; + } else { + $a_pools[] = $pool; + } + + if ($changecount > 0) { + touch($d_haproxyconfdirty_path); + write_config($changedesc); + /* + echo "<PRE>"; + print_r($config); + echo "</PRE>"; + */ + } + + header("Location: haproxy_pools.php"); + exit; + } + $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "HAProxy: Backend: Edit"; +include("head.inc"); + +row_helper(); + +// 'processing' done, make all simple fields usable in html. 
+foreach($simplefields as $field){ + $pconfig[$field] = htmlspecialchars($pconfig[$field]); +} +?> + +<input type='hidden' name='address_type' value='textbox' /> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <style type="text/css"> + .haproxy_stats_visible{display:none;} + .haproxy_check_enabled{display:none;} + .haproxy_check_http{display:none;} + .haproxy_check_username{display:none;} + .haproxy_check_smtp{display:none;} + .haproxy_transparent_clientip{display:none;} + .haproxy_check_agent{display:none;} + </style> +<script language="javascript"> + function clearcombo(){ + for (var i=document.iform.serversSelect.options.length-1; i>=0; i--){ + document.iform.serversSelect.options[i] = null; + } + document.iform.serversSelect.selectedIndex = -1; + } + + function setCSSdisplay(cssID, display) + { + var ss = document.styleSheets; + for (var i=0; i<ss.length; i++) { + var rules = ss[i].cssRules || ss[i].rules; + for (var j=0; j<rules.length; j++) { + if (rules[j].selectorText === cssID) { + rules[j].style.display = display ? 
"" : "none"; + } + } + } + } + + function updatevisibility() + { + d = document; + setCSSdisplay(".haproxy_stats_visible", stats_enabled.checked); + + check_type = d.getElementById("check_type").value; + check_type_description = d.getElementById("check_type_description"); + check_type_description.innerHTML=checktypes[check_type]["descr"]; + setCSSdisplay(".haproxy_check_enabled", check_type != 'none'); + setCSSdisplay(".haproxy_check_http", check_type == 'HTTP'); + setCSSdisplay(".haproxy_check_username", check_type == 'MySQL' || check_type == 'PostgreSQL'); + setCSSdisplay(".haproxy_check_smtp", check_type == 'SMTP' || check_type == 'ESMTP'); + setCSSdisplay(".haproxy_check_agent", check_type == 'Agent'); + + transparent_clientip = d.getElementById("transparent_clientip"); + setCSSdisplay(".haproxy_transparent_clientip", transparent_clientip.checked); + + monitor_username = d.getElementById("monitor_username"); + sqlcheckusername = d.getElementById("sqlcheckusername"); + if(!browser_InnerText_support){ + sqlcheckusername.textContent = monitor_username.value; + } else{ + sqlcheckusername.innerText = monitor_username.value; + } + } + + +</script> +<script type="text/javascript"> + rowname[0] = "server_name"; + rowtype[0] = "textbox"; + rowsize[0] = "30"; + rowname[1] = "server_address"; + rowtype[1] = "textbox"; + rowsize[1] = "20"; + rowname[2] = "server_port"; + rowtype[2] = "textbox"; + rowsize[2] = "5"; + rowname[3] = "server_ssl"; + rowtype[3] = "checkbox"; + rowsize[3] = "5"; + rowname[4] = "server_weight"; + rowtype[4] = "textbox"; + rowsize[4] = "5"; + rowname[5] = "server_status"; + rowtype[5] = "select"; + rowsize[5] = "1"; + rowname[6] = "server_advanced"; + rowtype[6] = "textbox"; + rowsize[6] = "20"; +</script> +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> + <form action="haproxy_pool_edit.php" method="post" name="iform" 
id="iform"> + <div class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Edit HAProxy pool</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Name</td> + <td width="78%" class="vtable" colspan="2"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Cookie</td> + <td width="78%" class="vtable" colspan="2"> + <input name="cookie" type="text" <?if(isset($pconfig['cookie'])) echo "value=\"{$pconfig['cookie']}\"";?>size="64"><br/> + This value will be checked in incoming requests, and the first + operational pool possessing the same value will be selected. In return, in + cookie insertion or rewrite modes, this value will be assigned to the cookie + sent to the client. There is nothing wrong in having several servers sharing + the same cookie value, and it is in fact somewhat common between normal and + backup servers. See also the "cookie" keyword in backend section. 
+ + </td> + </tr> + <tr align="left"> + <td class="vncell" colspan="3"><strong>Server list</strong> + + <table class="" width="100%" cellpadding="0" cellspacing="0" id='servertable'> + <tr> + <td width="20%" class="listhdrr">Name</td> + <td width="10%" class="listhdrr">Address</td> + <td width="5%" class="listhdrr">Port</td> + <td width="5%" class="listhdrr">SSL</td> + <td width="8%" class="listhdrr">Weight</td> + <td width="5%" class="listhdr">Backup</td> + <td width="15%" class="listhdr">Advanced</td> + <td width="4%" class=""></td> + </tr> + <?php + $a_servers=$pconfig['a_servers']; + + if (!is_array($a_servers)) { + $a_servers=array(); + } + + $counter=0; + foreach ($a_servers as $server) { + ?> + <tr id="tr_view_<?=$counter;?>" name="tr_view_<?=$counter;?>" ondblclick="editRow(<?=$counter;?>); return false;" > + <td class="vtable listlr"><?=$server['name']; ?></td> + <td class="vtable listr"><?=$server['address']; ?></td> + <td class="vtable listr"><?=$server['port']; ?></td> + <td class="vtable listr"><?=$server['ssl']=='yes'?'yes':'no'; ?></td> + <td class="vtable listr"><?=$server['weight']; ?></td> + <td class="vtable listr"><?=$server['status']; ?></td> + <td class="vtable listr"><?=htmlspecialchars($server['advanced']); ?></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit entry" width="17" height="17" border="0" onclick="editRow(<?=$counter;?>); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="deleteRow(<?=$counter;?>, 'servertable'); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> + </td></tr></table> + </td> + 
</tr> + <tr id="tr_edit_<?=$counter;?>" name="tr_edit_<?=$counter;?>" style="display: none;"> + <td class="vtable"> + <input name="server_name<?=$counter;?>" id="server_name<?=$counter;?>" type="text" value="<?=$server['name']; ?>" size="30"/></td> + <td class="vtable"> + <input name="server_address<?=$counter;?>" id="server_address<?=$counter;?>" type="text" value="<?=$server['address']; ?>" size="20"/></td> + <td class="vtable"> + <input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td> + <td class="vtable"> + <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="yes" <?=$server['ssl']=='yes'?"checked":""; ?> size="5"/></td> + <td class="vtable"> + <input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td> + <td class="vtable"> + <select name="server_status<?=$counter;?>" id="server_status<?=$counter;?>"> + <option value="active" <?php if($server['status']=='active') echo "SELECTED";?>>active</option> + <option value="backup" <?php if($server['status']=='backup') echo "SELECTED";?>>backup</option> + <option value="disabled" <?php if($server['status']=='disabled') echo "SELECTED";?>>disabled</option> + <option value="inactive" <?php if($server['status']=='inactive') echo "SELECTED";?>>inactive</option> + </select> + </td> + <td class="vtable"> + <input name="server_advanced<?=$counter;?>" id="server_advanced<?=$counter;?>" type="text" value="<?=htmlspecialchars($server['advanced']); ?>" size="20"/></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate 
entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> + </td></tr></table> + </td> + </tr> + <?php + $counter++; + } + ?> + </table> + <a onclick="javascript:addRowTo('servertable'); return false;" href="#"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> + </a> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Balance</td> + <td width="78%" class="vtable" colspan="1"> + <table width="100%"> + <tr> + <td width="25%" valign="top"> + <input type="radio" name="balance" id="balance" value="roundrobin"<?php if($pconfig['balance'] == "roundrobin") echo " CHECKED"; ?>>Round robin</input> + </td> + <td> + Each server is used in turns, according to their weights. + This is the smoothest and fairest algorithm when the server's + processing time remains equally distributed. This algorithm + is dynamic, which means that server weights may be adjusted + on the fly for slow starts for instance. + </td> + </tr> + <tr> + <td width="25%" valign="top"> + <input type="radio" name="balance" id="balance" value="static-rr"<?php if($pconfig['balance'] == "static-rr") echo " CHECKED"; ?>>Static Round Robin</input> + </td> + <td> + Each server is used in turns, according to their weights. + This algorithm is as similar to roundrobin except that it is + static, which means that changing a server's weight on the + fly will have no effect. On the other hand, it has no design + limitation on the number of servers, and when a server goes + up, it is always immediately reintroduced into the farm, once + the full map is recomputed. It also uses slightly less CPU to + run (around -1%). 
+ </td> + </tr> + <tr> + <td width="25%" valign="top"> + <input type="radio" name="balance" id="balance" value="leastconn"<?php if($pconfig['balance'] == "leastconn") echo " CHECKED"; ?>>Least Connections</input> + </td> + <td> + The server with the lowest number of connections receives the + connection. Round-robin is performed within groups of servers + of the same load to ensure that all servers will be used. Use + of this algorithm is recommended where very long sessions are + expected, such as LDAP, SQL, TSE, etc... but is not very well + suited for protocols using short sessions such as HTTP. This + algorithm is dynamic, which means that server weights may be + adjusted on the fly for slow starts for instance. + </td> + </tr> + <tr><td valign="top"><input type="radio" name="balance" id="balance" value="source"<?php if($pconfig['balance'] == +"source") echo " CHECKED"; ?>>Source</input></td><td> + The source IP address is hashed and divided by the total + weight of the running servers to designate which server will + receive the request. This ensures that the same client IP + address will always reach the same server as long as no + server goes down or up. If the hash result changes due to the + number of running servers changing, many clients will be + directed to a different server. This algorithm is generally + used in TCP mode where no cookie may be inserted. It may also + be used on the Internet to provide a best-effort stickyness + to clients which refuse session cookies. This algorithm is + static, which means that changing a server's weight on the + fly will have no effect. 
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Transparent ClientIP</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="transparent_clientip" name="transparent_clientip" type="checkbox" value="yes" <?php if ($pconfig['transparent_clientip']=='yes') echo "checked"; ?> onclick='updatevisibility();'>
+ Use Client-IP to connect to backend servers.
+ <div class="haproxy_transparent_clientip">
+
+ <?
+ $interfaces = get_configured_interface_with_descr();
+ $interfaces2 = array();
+ foreach($interfaces as $key => $name)
+ {
+
+ $interfaces2[$key]['name'] = $name;
+ }
+ echo_html_select("transparent_interface",$interfaces2,$pconfig['transparent_interface']?$pconfig['transparent_interface']:"lan","","updatevisibility();");
+ ?>Interface that will connect to the backend server. (this will generally be your LAN or OPT1(dmz) interface)<br/>
+ </div>
+ <br/>
+ Connect transparently to the backend server's so the connection seams to come straight from the client ip address.
+ For proper workings this requires the reply's traffic to pass through pfSense by means of correct routing.
+ (uses the option "source 0.0.0.0 usesrc clientip")
+ <br/><br/>
+ Note : When this is enabled for a single backend HAProxy will run as 'root', which reduces security.
+ </td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Per server pass thru</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input type="text" name='advanced' id='advanced' value='<?php echo $pconfig['advanced']; ?>' size="64">
+ <br/>
+ NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line.
+ </td>
+ </tr>
+
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Backend pass thru</td>
+ <td width="78%" class="vtable" colspan="2">
+ <textarea rows="4" cols="70" name='advanced_backend' id='advanced_backend'><?php echo $pconfig['advanced_backend']; ?></textarea>
+ <br/>
+ NOTE: paste text into this box that you would like to pass thru. Applied to the backend section.
+ </td>
+ </tr>
+
+ </table>
+ <br/>
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Health checking</td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Health check method</td>
+ <td width="78%" class="vtable" colspan="2">
+ <?
+ echo_html_select("check_type",$a_checktypes,$pconfig['check_type']?$pconfig['check_type']:"HTTP","","updatevisibility();");
+ ?><br/>
+ <textarea readonly="yes" cols="60" rows="2" id="check_type_description" name="check_type_description" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea>
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_enabled">
+ <td width="22%" valign="top" class="vncell">Check frequency</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?>size="20"> milliseconds
+ <br/>For HTTP/HTTPS defaults to 1000 if left blank. For TCP no check will be performed if left empty.
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_http">
+ <td width="22%" valign="top" class="vncell">Http check method</td>
+ <td width="78%" class="vtable" colspan="2">
+ <?
+ echo_html_select("httpcheck_method",$a_httpcheck_method,$pconfig['httpcheck_method']);
+ ?>
+ <br/>OPTIONS is the method usually best to perform server checks, HEAD and GET can also be used
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_http">
+ <td width="22%" valign="top" class="vncell">Http check URI</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="monitor_uri" type="text" <?if(isset($pconfig['monitor_uri'])) echo "value=\"{$pconfig['monitor_uri']}\"";?>size="64">
+ <br/>Defaults to / if left blank.
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_http">
+ <td width="22%" valign="top" class="vncell">Http check version</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="monitor_httpversion" type="text" <?if(isset($pconfig['monitor_httpversion'])) echo "value=\"{$pconfig['monitor_httpversion']}\"";?>size="64">
+ <br/>Defaults to "HTTP/1.0" if left blank.
+ Note that the Host field is mandatory in HTTP/1.1, and as a trick, it is possible to pass it
+ after "\r\n" following the version string like this:<br/>
+ "<i>HTTP/1.1\r\nHost:\ www</i>"<br/>
+ Also some hosts might require an accept parameter like this:<br/>
+ "<i>HTTP/1.0\r\nHost:\ webservername:8080\r\nAccept:\ */*</i>"
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_username">
+ <td width="22%" valign="top" class="vncell">Check with Username</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="monitor_username" id="monitor_username" type="text" <?if(isset($pconfig['monitor_username'])) echo "value=\"{$pconfig['monitor_username']}\"";?>size="64" onchange="updatevisibility();" onkeyup="updatevisibility();">
+ <br/>
+ This is the username which will be used when connecting to MySQL/PostgreSQL server.
+ <pre>
+USE mysql;
+CREATE USER '<span id="sqlcheckusername" name="sqlcheckusername"></span>'@'<pfSenseIP>';
+FLUSH PRIVILEGES;</pre>
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_smtp">
+ <td width="22%" valign="top" class="vncell">Domain</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="monitor_domain" type="text" <?if(isset($pconfig['monitor_domain'])) echo "value=\"{$pconfig['monitor_domain']}\"";?>size="64">
+ </td>
+ </tr>
+ <tr align="left" class="haproxy_check_agent">
+ <td width="22%" valign="top" class="vncell">Agentport</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="monitor_agentport" type="text" <?if(isset($pconfig['monitor_agentport'])) echo "value=\"{$pconfig['monitor_agentport']}\"";?>size="64">
+ <br/>
+ Fill in the TCP portnumber the healthcheck should be performed on.
+ </td>
+ </tr>
+ </table>
+ <br/>
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Advanced settings</td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Connection timeout</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64">
+ <div>the time (in milliseconds) we give up if the connection does not complete within (default 30000).</div>
+ </td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Server timeout</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64">
+ <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).</div>
+ </td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Retries</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="64">
+ <div>After a connection failure to a server, it is possible to retry, potentially
+on another server. This is useful if health-checks are too rare and you don't
+want the clients to see the failures. The number of attempts to reconnect is
+set by the 'retries' parameter.</div>
+ </td>
+ </tr>
+ </table>
+ <br/> <br/>
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Statistics</td>
+ </tr>
+ <tr align="left">
+ <td width="22%" valign="top" class="vncell">Stats Enabled</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_enabled" name="stats_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_enabled']=='yes') echo "checked"; ?> onclick='updatevisibility();'>
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_realm_row' name='stats_realm_row'>
+ <td width="22%" valign="top" class="vncellreq">Stats Realm</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_realm" name="stats_realm" type="text" <?if(isset($pconfig['stats_realm'])) echo "value=\"{$pconfig['stats_realm']}\"";?> size="64"><br/>
+ EXAMPLE: haproxystats
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_uri_row' name='stats_uri_row'>
+ <td width="22%" valign="top" class="vncellreq">Stats Uri</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_uri" name="stats_uri" type="text" <?if(isset($pconfig['stats_uri'])) echo "value=\"{$pconfig['stats_uri']}\"";?> size="64"><br/>
+ EXAMPLE: /haproxy?stats
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_username_row' name='stats_username_row'>
+ <td width="22%" valign="top" class="vncellreq">Stats Username</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"".$pconfig['stats_username']."\"";?> size="64">
+ </td>
+ </tr>
+
+ <tr class="haproxy_stats_visible" align="left" id='stats_password_row' name='stats_password_row'>
+ <td width="22%" valign="top" class="vncellreq">Stats Password</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_password" name="stats_password" type="password" <?
+ if(isset($pconfig['stats_password']))
+ echo "value=\"".$pconfig['stats_password']."\"";
+ ?> size="64">
+ <br/>
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_node_admin_row' name='stats_node_enabled_row'>
+ <td width="22%" valign="top" class="vncell">Stats Admin</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_admin" name="stats_admin" type="checkbox" value="yes" <?php if ($pconfig['stats_admin']=='yes') echo "checked"; ?>>
+ <br/>
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_node_enabled_row' name='stats_node_enabled_row'>
+ <td width="22%" valign="top" class="vncell">Stats Enable Node Name</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_node_enabled" name="stats_node_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_node_enabled']=='yes') echo "checked"; ?>>
+ <br/>
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_node_row' name='stats_node_row'>
+ <td width="22%" valign="top" class="vncell">Stats Node</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_node" name="stats_node" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_node']}\"";?> size="64"><br/>
+ The node name is displayed in the stats and helps to differentiate which server in a cluster is actually serving clients.<br/>
+ Leave blank to use the system name.
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_desc_row' name='stats_desc_row'>
+ <td width="22%" valign="top" class="vncell">Stats Description</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_desc" name="stats_desc" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_desc']}\"";?> size="64"><br/>
+ </td>
+ </tr>
+ <tr class="haproxy_stats_visible" align="left" id='stats_refresh_row' name='stats_refresh_row'>
+ <td width="22%" valign="top" class="vncell">Stats Refresh</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="stats_refresh" name="stats_refresh" type="text" <?if(isset($pconfig['stats_refresh'])) echo "value=\"{$pconfig['stats_refresh']}\"";?> size="10" maxlength="30"><br/>
+ Specify the refresh rate of the stats page in seconds, or specified time unit (us, ms, s, m, h, d).
+ </td>
+ </tr>
+ </table>
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr align="left">
+ <td width="22%" valign="top"> </td>
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save">
+ <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
+ <?php if (isset($id) && $a_pools[$id]): ?>
+ <input name="id" type="hidden" value="<?=$id;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </form>
+<br>
+<?php include("fend.inc"); ?>
+<script type="text/javascript">
+<?
+ phparray_to_javascriptarray($a_checktypes,"checktypes",Array('/*','/*/name','/*/descr'));
+?>
+ browser_InnerText_support = (document.getElementsByTagName("body")[0].innerText != undefined) ? 
true : false; + + field_counter_js = 7; + rows = 1; + totalrows = <?php echo $counter; ?>; + loaded = <?php echo $counter; ?>; + updatevisibility(); +</script> +</body> +</html> + +<?php + +function row_helper() { + $options = <<<EOD + <option value='active' SELECTED>active</option>"+ +" <option value='backup'>backup</option>"+ +" <option value='disabled'>disabled</option>"+ +" <option value='inactive'>inactive</option> +EOD; + + echo <<<EOF +<script type="text/javascript"> +// Global Variables +var rowname = new Array(99); +var rowtype = new Array(99); +var newrow = new Array(99); +var rowsize = new Array(99); + +for (i = 0; i < 99; i++) { + rowname[i] = ''; + rowtype[i] = ''; + newrow[i] = ''; + rowsize[i] = '25'; +} + +var field_counter_js = 0; +var loaded = 0; +var is_streaming_progress_bar = 0; +var temp_streaming_text = ""; + +var addRowTo = (function() { + return (function (tableId) { + var d, tbody, tr, td, bgc, i, ii, j; + var btable, btbody, btr, btd; + + d = document; + tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); + tr = d.createElement("tr"); + totalrows++; + for (i = 0; i < field_counter_js; i++) { + td = d.createElement("td"); + if(rowtype[i] == 'textbox') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'></input> "; + } else if(rowtype[i] == 'select') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><select size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'>$options</select> "; + } else { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input type='checkbox' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "' value='yes'></input> 
"; + } + td.setAttribute("class","vtable"); + tr.appendChild(td); + } + td = d.createElement("td"); + td.rowSpan = "1"; + td.setAttribute("class","list"); + + // Recreate the button table. + btable = document.createElement("table"); + btable.setAttribute("border", "0"); + btable.setAttribute("cellspacing", "0"); + btable.setAttribute("cellpadding", "1"); + btbody = document.createElement("tbody"); + btr = document.createElement("tr"); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; + btr.appendChild(btd); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'servertable'); return false;\">"; + btr.appendChild(btd); + btbody.appendChild(btr); + btable.appendChild(btbody); + + td.appendChild(btable); + tr.appendChild(td); + tbody.appendChild(tr); + }); +})(); + +function dupRow(rowId, tableId) { + var dupEl; + var newEl; + + addRowTo(tableId); + for (i = 0; i < field_counter_js; i++) { + dupEl = document.getElementById(rowname[i] + rowId); + newEl = document.getElementById(rowname[i] + totalrows); + if (dupEl && newEl) + if(rowtype[i] == 'checkbox') + newEl.checked = dupEl.checked; + else + newEl.value = dupEl.value; + } +} + +function deleteRow(rowId, tableId) { + var view = document.getElementById("tr_view_" + rowId); + var edit = document.getElementById("tr_edit_" + rowId); + + view.parentNode.removeChild(view); + edit.parentNode.removeChild(edit); +} + +function removeRow(el) { + var cel; + // Break out of one table first + while (el && el.nodeName.toLowerCase() != "table") + el = el.parentNode; + while (el && el.nodeName.toLowerCase() != "tr") + el = 
el.parentNode; + + if (el && el.parentNode) { + cel = el.getElementsByTagName("td").item(0); + el.parentNode.removeChild(el); + } +} +function editRow(num) { + var trview = document.getElementById('tr_view_' + num); + var tredit = document.getElementById('tr_edit_' + num); + + trview.style.display='none'; + tredit.style.display=''; +} + +function find_unique_field_name(field_name) { + // loop through field_name and strip off -NUMBER + var last_found_dash = 0; + for (var i = 0; i < field_name.length; i++) { + // is this a dash, if so, update + // last_found_dash + if (field_name.substr(i,1) == "-" ) + last_found_dash = i; + } + if (last_found_dash < 1) + return field_name; + return(field_name.substr(0,last_found_dash)); +} +</script> + +EOF; + +} + +?> diff --git a/config/haproxy-devel/haproxy_pools.php b/config/haproxy-devel/haproxy_pools.php new file mode 100644 index 00000000..2d0189a5 --- /dev/null +++ b/config/haproxy-devel/haproxy_pools.php 
@@ -0,0 +1,184 @@ +<?php +/* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ +/* + haproxy_pools.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require_once("guiconfig.inc"); +require_once("haproxy.inc"); + + +if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) { + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); +} +if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); +} + +$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; +$a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + +if ($_POST) { + $pconfig = $_POST; + + if ($_POST['apply']) { + $result = haproxy_check_and_run($savemsg, true); + if ($result) + unlink_if_exists($d_haproxyconfdirty_path); + } +} + +if ($_GET['act'] == "del") { + if (isset($a_pools[$_GET['id']])) { + unset($a_pools[$_GET['id']]); + write_config(); + touch($d_haproxyconfdirty_path); + } + header("Location: haproxy_pools.php"); + exit; +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: HAProxy: Server pools"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<form action="haproxy_pools.php" method="post"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> +<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php endif; ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Listener", false, "haproxy_listeners.php"); + $tab_array[] = array("Server 
Pool", true, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="5%" class="listhdrr">Advanced</td> + <td width="25%" class="listhdrr">Name</td> + <td width="10%" class="listhdrr">Servers</td> + <td width="10%" class="listhdrr">Check</td> + <td width="30%" class="listhdrr">Listener</td> + <td width="10%" class="list"></td> + </tr> +<?php + $img_adv = "/themes/{$g['theme']}/images/icons/icon_advanced.gif"; + $i = 0; + foreach ($a_pools as $pool){ + $fe_list = ""; + $sep = ""; + foreach ($a_backends as $backend) { + if($backend['backend_serverpool'] == $pool['name']) { + $fe_list .= $sep . $backend['name']; + $sep = ", "; + } + } + $textgray = $fe_list == "" ? " gray" : ""; + + if (is_array($pool['ha_servers'])) + $count = count($pool['ha_servers']['item']); + else + $count = 0; +?> + <tr class="<?=$textgray?>"> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <? + if ($pool['stats_enabled']=='yes'){ + echo "<img src=\"./themes/{$g['theme']}/images/icons/icon_log_s.gif\"" . ' title="stats enabled" width="11" height="15" border="0">'; + } + $isadvset = ""; + if ($pool['advanced']) $isadvset .= "Per server pass thru\r\n"; + if ($pool['advanced_backend']) $isadvset .= "Backend pass thru\r\n"; + if ($isadvset) + echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . 
": {$isadvset}\" border=\"0\">"; + ?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$pool['name'];?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$count;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$a_checktypes[$pool['check_type']]['name'];?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$fe_list;?> + </td> + <td class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_pool_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pools.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pool_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> +<?php + $i++; + } +?> + <tfoot> + <tr> + <td class="list" colspan="5"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_pool_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + </tfoot> + </table> + </div> + </table> + </form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc new file mode 100644 index 00000000..5b31afeb --- /dev/null +++ b/config/haproxy-devel/haproxy_socketinfo.inc 
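Review bot: The list rows print `$pool['name']`, `$fe_list` and the check-type name straight into the HTML (`<?=$pool['name'];?>`, `<?=$fe_list;?>`) without escaping, so a pool or listener name containing markup is rendered as-is; wrap them, e.g. `<?=htmlspecialchars($pool['name']);?>`. The `act=del` path uses `$_GET['id']` as an array key guarded only by `isset()`, and the delete is a plain GET link, so if the framework's CSRF protection only covers POST forms this removal is reachable without a token; casting the id with `(int)` and moving the delete behind a POST would close both gaps. `$one_two` is only assigned when the version string contains `1.2`, so the later `if($one_two)` reads an undefined variable on other versions; initialise it with `$one_two = false;` before the `strstr` check.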
@@ -0,0 +1,141 @@ +<?php +/* + Copyright 2011 Thomas Schaefer - Tomschaefer.org + Copyright 2011 Marcello Coutinho + Part of pfSense widgets (www.pfsense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* + Some mods made from pfBlocker widget to make this for HAProxy on Pfsense + Copyleft 2012 by jvorhees +*/ + +//set variables +$refresh_rate = 5000; //miliseconds +$show_frontends = "YES"; +$show_clients = "YES"; +$show_clients_traffic = "YES"; + +function haproxy_socket_command($command){ + $result = array(); + if (file_exists("/tmp/haproxy.socket")) { + $socket = stream_socket_client('unix:///tmp/haproxy.socket', $errno, $errstr); + if ($socket) { + fwrite($socket, "$command\n"); + while (!feof($socket)) { + $result[] = fgets($socket); + } + fclose($socket); + } + } + return $result; +} + +function haproxy_set_server_enabled($backend, $server, $enable) {//"enable be/server ?"/"disable be/server ?" + $enablecommand = $enable ? "enable" : "disable"; + return haproxy_socket_command("$enablecommand server $backend/$server"); +} + +function haproxy_get_statistics(){// "show stat" + $result = array(); + $frontends=array(); + $backends=array(); + $servers=array(); + + $result = haproxy_socket_command("show stat"); + + foreach($result as $line) { + list($pxname,$svname,$qcur,$qmax,$scur,$smax,$slim,$stot,$bin,$bout,$dreq,$dresp,$ereq,$econ,$eresp,$wretr,$wredis,$status,$weight,$act,$bck,$chkfail,$chkdown,$lastchg,$downtime,$qlimit,$pid,$iid,$sid,$throttle,$lbtot,$tracked,$type,$rate,$rate_lim,$rate_max,$check_status,$check_code,$check_duration,$hrsp_1xx,$hrsp_2xx,$hrsp_3xx,$hrsp_4xx,$hrsp_5xx,$hrsp_other,$hanafail,$req_rate,$req_rate_max,$req_tot,$cli_abrt,$srv_abrt,$comp_in,$comp_out,$comp_byp,$comp_rsp) = explode(",", $line); + #Retrieve data + switch ($svname) { + case "FRONTEND": + $frontends[] = array( + "pxname" => $pxname, + "scur" => $scur, + "slim" => $slim, + "status" => $status); + break; + case "BACKEND": + $backends[] = array( + "pxname" => $pxname, + "scur" => $scur, + "slim" => $slim, + "status" => $status); + break; + default: + $servers[] = array( + "pxname" => $pxname, + "svname" => $svname, + "scur" => $scur, + "status" => $status); + } + } + 
$result['frontends'] = $frontends; + $result['backends'] = $backends; + $result['servers'] = $servers; + return $result; +} + +function haproxy_get_clients($show_traffic = false){// "show sess" + $clients=array(); + $sessions = haproxy_socket_command("show sess"); + foreach($sessions as $line) { + list($sessid,$proto,$src,$fe,$be,$srv,$ts,$age,$calls,$rq,$rp,$s0,$s1,$exp) = explode(" ", $line); + #Retrieve data + $sessid = explode(":", $sessid); + $src = explode("=", $src); + $srcip = explode(":", $src[1]); + $srcport = explode(":", $src[1]); + $be = explode("=", $be); + $srv = explode("=", $srv); + $age = explode("=", $age); + $calls = explode("=", $calls); + $exp = explode("=", $exp); + $clients[] = array( + "sessid" => $sessid[0], + "src" => $src[1], + "srcip" => $srcip[0], + "srcport" => $srcport[1], + "be" => $be[1], + "srv" => $srv[1], + "age" => $age[1], + "calls" => $calls[1], + "exp" => $exp[1]); + } + if ($show_traffic) { + foreach($clients as &$client) { + $session_data = haproxy_socket_command("show sess {$client['sessid']}"); + $client['session_data'] = $session_data; + + $req = explode(" ",$session_data[13]); + $x = explode("=",$req[7]); + $client['session_datareq'] = $x[1]; + $res = explode(" ",$session_data[16]); + $x = explode("=",$res[7]); + $client['session_datares'] = $x[1]; + } + } + return $clients; +} + +?> diff --git a/config/haproxy-stable/haproxy.xml b/config/haproxy-stable/haproxy.xml index 3a0be0ec..50907cfe 100644 --- a/config/haproxy-stable/haproxy.xml +++ b/config/haproxy-stable/haproxy.xml @@ -98,7 +98,7 @@ <custom_php_install_command> $freebsdv=trim(`uname -r | cut -d'.' -f1`); conf_mount_rw(); - `fetch -q -o /usr/local/sbin/ http://www.pfsense.org/packages/config/haproxy-dev/binaries{$freebsdv}/haproxy`; + `fetch -q -o /usr/local/sbin/ http://files.pfsense.org/packages/7/haproxy-dev/haproxy`; exec("chmod a+rx /usr/local/sbin/haproxy"); haproxy_custom_php_install_command(); </custom_php_install_command> 
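Review bot: `haproxy_socket_command()` writes `$command` to the admin socket verbatim, and `haproxy_set_server_enabled()` builds it from `$backend/$server` with no validation, so a name containing a newline would be delivered as an additional socket command; reject names outside the allowed character set (or at least strip `\r`/`\n`) before the `fwrite`. `haproxy_get_statistics()` reuses `$result`, so the returned array mixes the raw `show stat` lines at integer keys with the `frontends`/`backends`/`servers` keys, and if the first output line is the `# pxname,...` header it is parsed into `$servers`; build the return value in a fresh array and skip lines starting with `#`. `stream_socket_client()` is called without a timeout and its `$errno`/`$errstr` are never logged, so a wedged socket stalls the page silently. `foreach($clients as &$client)` in `haproxy_get_clients()` is not followed by `unset($client)`.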
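Review bot: The new URL still fetches the `haproxy` binary over plain `http://`, marks it executable with `chmod a+rx` and leaves it to run as root, with no integrity check on what arrived; the host change does not address that. An `https://` URL plus a published digest compared before the `chmod`, e.g. `if (hash_file('sha256', '/usr/local/sbin/haproxy') !== '<EXPECTED_SHA256>') { log_error("haproxy download checksum mismatch"); return; }`, would bound the risk of a tampered or truncated download. The same pattern recurs in `config/jailctl/jailctl.xml`, where `sysinstall` is now pulled from a personal web host under `~gugabsd`, and in the `config/lcdproc/lcdproc.xml` `.so` downloads.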
diff --git a/config/haproxy-stable/haproxy_global.php b/config/haproxy-stable/haproxy_global.php index f7864a4d..0e960611 100755 --- a/config/haproxy-stable/haproxy_global.php +++ b/config/haproxy-stable/haproxy_global.php @@ -79,7 +79,7 @@ if ($_POST) { $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false; $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false; $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; - $config['installedpackages']['haproxy']['advanced'] = base64_encode($_POST['advanced']) ? $_POST['advanced'] : false; + $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; touch($d_haproxyconfdirty_path); write_config(); diff --git a/config/haproxy/haproxy.inc b/config/haproxy/haproxy.inc index 1e29f358..61957252 100644 --- a/config/haproxy/haproxy.inc +++ b/config/haproxy/haproxy.inc @@ -58,6 +58,9 @@ $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); +//$a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', +// 'mode' => 'https', 'syntax' => 'req_ssl_sni -i'); + function haproxy_custom_php_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy.inc"); @@ -186,7 +189,7 @@ EOD; /* link to frontend */ foreach ($a_backends as $id => $be) { if ($a_backends[$id]['name'] == $oldserver['backend']) { - $a_backends[$id]['pool'] = $pool['name']; + $a_backends[$id]['backend_serverpool'] = $pool['name']; $pool['monitor_uri'] = $be['monitor_uri']; unset($a_backends[$id]['monitor_uri']); break; 
@@ -201,6 +204,29 @@ EOD; unset($config['installedpackages']['haproxy']['ha_servers']); write_config(); } + + /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */ + if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool'][0]; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } + //also move setting for existing 2.0 installations as only the new variable is used + if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool']; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } conf_mount_ro(); @@ -420,7 +446,7 @@ function haproxy_writeconf() { foreach ($a_backends as $backend) { if($backend['status'] != 'active') continue; - if(!$backend['pool']) + if(!$backend['backend_serverpool']) continue; $bname = $backend['extaddr'] . ":" . $backend['port']; @@ -508,7 +534,7 @@ function haproxy_writeconf() { fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); if($bind['client_timeout']) - fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); + fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n"); // Combine the rest of the listener configs @@ -519,7 +545,7 @@ function haproxy_writeconf() { if(!is_array($a_acl)) $a_acl=array(); - $poolname = $bconfig['pool'] . "_" . strtolower($bconfig['type']); + $poolname = $bconfig['backend_serverpool'] . "_" . strtolower($bconfig['type']); // Create different pools if the svrport is set if ($bconfig['svrport'] > 0) 
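Review bot: Both migration loops in the `pool` → `backend_serverpool` hunk iterate with `foreach (... as &$frontend)` and never `unset($frontend)` afterwards, so the reference to the last item outlives the loop and any later plain assignment to `$frontend` in the enclosing function would overwrite that config entry; add `unset($frontend);` after each loop. The two guards only inspect `['item'][0]['pool']`, so a config whose first frontend was already migrated but later ones were not is skipped entirely; testing `isset($frontend['pool'])` per item inside a single loop would be more robust. The enclosing function starts outside the hunk.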
@@ -564,7 +590,7 @@ function haproxy_writeconf() { if (is_array($a_pendingpl) && is_array($a_pools)) { foreach ($a_pendingpl as $pending) { foreach ($a_pools as $pool) { - if ($pending['frontend']['pool'] == $pool['name']) { + if ($pending['frontend']['backend_serverpool'] == $pool['name']) { write_backend($fd, $pending['name'], $pool, $pending['frontend']); } } @@ -576,15 +602,18 @@ function haproxy_writeconf() { if(isset($config['installedpackages']['haproxy']['enablesync'])) { if($config['installedpackages']['haproxy']['synchost1']) { haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], + $config['installedpackages']['haproxy']['syncusername'], $config['installedpackages']['haproxy']['syncpassword']); } if($config['installedpackages']['haproxy']['synchost2']) { haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], + $config['installedpackages']['haproxy']['syncusername'], $config['installedpackages']['haproxy']['syncpassword']); } if($config['installedpackages']['haproxy']['synchost3']) { haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], - $config['installedpackages']['haproxy']['syncpassword']); + $config['installedpackages']['haproxy']['syncusername'], + $config['installedpackages']['haproxy']['syncpassword']); } } @@ -647,7 +676,7 @@ function haproxy_check_run($reload) { } -function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { +function haproxy_do_xmlrpc_sync($sync_to_ip, $username, $password) { global $config, $g; if(!$password) @@ -655,6 +684,9 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { if(!$sync_to_ip) return; + + if (empty($username)) + $username = "admin"; // Do not allow syncing to self. $donotsync = false; @@ -697,6 +729,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { unset($xml['synchost1']); unset($xml['synchost2']); unset($xml['synchost3']); + unset($xml['syncusername']); unset($xml['syncpassword']); /* assemble xmlrpc payload */ 
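Review bot: `haproxy_do_xmlrpc_sync` gains a middle `$username` parameter, so any caller outside this file that still passes two arguments would now send the password as the username and an empty password; the three call sites in this file are updated, but other callers should be checked before merging. The `"admin"` fallback is also duplicated in the settings page's `empty($pconfig['syncusername']) ? 'admin' : ...`, so one place should own it; keeping only the `if (empty($username)) $username = "admin";` in this function and letting the form show the stored value would do. The `unset($xml['syncusername'])` alongside the password is right, so the credentials are not replicated to the peer; the two `setCredentials($username, $password)` hunks below are consistent with this. The function body continues outside the hunks.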
@@ -711,7 +744,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); /* send our XMLRPC message and timeout after 250 seconds */ @@ -744,7 +777,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { log_error("HAProxy XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); $resp = $cli->send($msg, "250"); if(!$resp) { $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (exec_php)."; diff --git a/config/haproxy/haproxy_global.php b/config/haproxy/haproxy_global.php index 340c578b..c09b202f 100755 --- a/config/haproxy/haproxy_global.php +++ b/config/haproxy/haproxy_global.php 
@@ -82,8 +82,9 @@ if ($_POST) {
 $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false;
 $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false;
 $config['installedpackages']['haproxy']['carpdev'] = $_POST['carpdev'] ? $_POST['carpdev'] : false;
+ $config['installedpackages']['haproxy']['syncusername'] = $_POST['syncusername'] ? $_POST['syncusername'] : false;
 $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false;
- $config['installedpackages']['haproxy']['advanced'] = base64_encode($_POST['advanced']) ? $_POST['advanced'] : false;
+ $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false;
 $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false;
 touch($d_haproxyconfdirty_path);
 write_config();
@@ -95,6 +96,7 @@ if ($_POST) {
 $pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']);
 $pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn'];
 $pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']);
+$pconfig['syncusername'] = $config['installedpackages']['haproxy']['syncusername'];
 $pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword'];
 $pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1'];
 $pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2'];
@@ -336,6 +338,14 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Synchronization username</td> + <td width="78%" class="vtable"> + <input name="syncusername" type="text" value="<?= empty($pconfig['syncusername']) ? 'admin' : $pconfig['syncusername'];?>"> + <br/> + <strong>Enter the username that will be used during configuration synchronization. This is generally "admin" or an admin-level privileged account on the target system.</strong> + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell">Synchronization password</td> <td width="78%" class="vtable"> <input name="syncpassword" type="password" value="<?=$pconfig['syncpassword'];?>"> diff --git a/config/haproxy/haproxy_listeners.php b/config/haproxy/haproxy_listeners.php index ef67108b..1f6031c2 100755 --- a/config/haproxy/haproxy_listeners.php +++ b/config/haproxy/haproxy_listeners.php @@ -140,7 +140,7 @@ include("head.inc"); <?=$textss . $backend['type'] . $textse;?> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> - <?=$textss . $backend['pool'] . $textse;?> + <?=$textss . $backend['backend_serverpool'] . $textse;?> </td> <td class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1"> diff --git a/config/haproxy/haproxy_listeners_edit.php b/config/haproxy/haproxy_listeners_edit.php index 22be121b..1695b5d5 100755 --- a/config/haproxy/haproxy_listeners_edit.php +++ b/config/haproxy/haproxy_listeners_edit.php @@ -83,7 +83,7 @@ if (isset($id) && $a_backend[$id]) { $pconfig['type'] = $a_backend[$id]['type']; $pconfig['extaddr'] = $a_backend[$id]['extaddr']; - $pconfig['pool'] = $a_backend[$id]['pool']; + $pconfig['backend_serverpool'] = $a_backend[$id]['backend_serverpool']; $pconfig['max_connections'] = $a_backend[$id]['max_connections']; $pconfig['client_timeout'] = $a_backend[$id]['client_timeout']; $pconfig['port'] = $a_backend[$id]['port']; 
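Review bot: The new username input echoes `$pconfig['syncusername']` straight into the `value="…"` attribute without escaping, so a stored value containing a double quote breaks out of the attribute; use `<?= htmlspecialchars(empty($pconfig['syncusername']) ? 'admin' : $pconfig['syncusername']);?>`. The `syncpassword` input on the context line below has the same gap, although it predates this change. On the save side (the `@@ -82` hunk) `syncusername` is stored with a plain truthiness test, so a username of `0` is silently dropped to `false`; `isset($_POST['syncusername']) && $_POST['syncusername'] !== ''` is the safer check.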
@@ -218,7 +218,7 @@ if ($_POST) { update_if_changed("port", $backend['port'], $_POST['port']); update_if_changed("svrport", $backend['svrport'], $_POST['svrport']); update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']); - update_if_changed("pool", $backend['pool'], $_POST['pool']); + update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']); update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']); update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']); update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); @@ -507,22 +507,19 @@ include("head.inc"); </td> </tr> <tr> - <td width="22%" valign="top" class="vncellreq">Server pool</td> + <td width="22%" valign="top" class="vncellreq">Backend server pool</td> <td width="78%" class="vtable"> - <select name="pool" class="formfld"> + + <select id="backend_serverpool" name="backend_serverpool" class="formfld"> <?php if (is_array($a_pools)) { - foreach ($a_pools as $p): - ?> - <option value="<?=$p['name'];?>" <?php if ($p['name'] == $pconfig['pool']) echo "selected"; ?>> - <?=htmlspecialchars("{$p['name']}");?> - </option> - <?php - endforeach; + foreach ($a_pools as $p) { + $selected = $p['name'] == $pconfig['backend_serverpool'] ? 'selected' : ''; + $name = htmlspecialchars("{$p['name']}"); + echo "<option value=\"{$p['name']}\" $selected>$name</option>"; + } } else { - ?> - <option value="-">-</option> - <?php + echo "<option value=\"-\">-</option>"; } ?> </select> diff --git a/config/haproxy/haproxy_pool_edit.php b/config/haproxy/haproxy_pool_edit.php index d25f0675..4560bea2 100755 --- a/config/haproxy/haproxy_pool_edit.php +++ b/config/haproxy/haproxy_pool_edit.php 
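Review bot: The rewritten `<select>` loop escapes the option text as `$name` but writes the raw `$p['name']` into the `value` attribute, so a pool name containing a quote breaks the markup while the visible text stays safe; use the escaped string in both places, `echo "<option value=\"{$name}\" $selected>$name</option>";`. The comparison `$p['name'] == $pconfig['backend_serverpool']` is loose; `===` avoids surprises with numeric-looking names. The `@@ -218` hunk's `update_if_changed("backend_serverpool", ...)` is the matching save-side rename and looks consistent with this.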
@@ -133,8 +133,8 @@ if ($_POST) { $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; for ( $i = 0; $i < count($a_backend); $i++) { - if ($a_backend[$i]['pool'] == $pool['name']) - $a_backend[$i]['pool'] = $_POST['name']; + if ($a_backend[$i]['backend_serverpool'] == $pool['name']) + $a_backend[$i]['backend_serverpool'] = $_POST['name']; } } diff --git a/config/haproxy/haproxy_pools.php b/config/haproxy/haproxy_pools.php index e11fb0c9..52b7650d 100755 --- a/config/haproxy/haproxy_pools.php +++ b/config/haproxy/haproxy_pools.php @@ -114,7 +114,7 @@ include("head.inc"); $fe_list = ""; $sep = ""; foreach ($a_backends as $backend) { - if($backend['pool'] == $pool['name']) { + if($backend['backend_serverpool'] == $pool['name']) { $fe_list .= $sep . $backend['name']; $sep = ", "; } diff --git a/config/imspector-dev/services_imspector_logs.php b/config/imspector-dev/services_imspector_logs.php index e44ef35f..adb3fa66 100644 --- a/config/imspector-dev/services_imspector_logs.php +++ b/config/imspector-dev/services_imspector_logs.php @@ -66,7 +66,6 @@ function convert_dir_list ($topdir) { return; $imspector_config = $config['installedpackages']['imspector']['config'][0]; $limit=(preg_match("/\d+/",$imspector_config['reportlimit'])?$imspector_config['reportlimit']:"50"); - file_put_contents("/tmp/teste.txt",$limit." teste",LOCK_EX); $count=0; if ($dh = opendir($topdir)) { while (($file = readdir($dh)) !== false) { @@ -180,6 +179,7 @@ include("head.inc"); </table> <?php +$csrf_token= csrf_get_tokens(); $zz = <<<EOD <script type="text/javascript"> var section = 'none'; @@ -205,7 +205,7 @@ function xmlhttpPost() } document.getElementById('im_status').style.display = "inline"; - self.xmlHttpReq.send("mode=render§ion=" + section); + self.xmlHttpReq.send("mode=render§ion=" + section + "&__csrf_magic={$csrf_token}"); } function updatepage(str) 
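Review bot: The token from `csrf_get_tokens()` is interpolated into the JavaScript string and the POST body without URL-encoding or JS-escaping, so any `&`, `"` or `+` in its value would corrupt the request or the script; assign `$csrf_token = rawurlencode(csrf_get_tokens());` before the heredoc (and escape for the JS literal as well) rather than embedding the raw value. The rendered hunk also shows `mode=render§ion=`, which looks like `&section=` mangled by entity decoding; verify the file actually sends `&section=`. The identical change in `services_imspector_logs2.php` has the same issue. Removing the `/tmp/teste.txt` debug write is a good cleanup.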
diff --git a/config/imspector-dev/services_imspector_logs2.php b/config/imspector-dev/services_imspector_logs2.php index 368edeec..30f63058 100644 --- a/config/imspector-dev/services_imspector_logs2.php +++ b/config/imspector-dev/services_imspector_logs2.php @@ -67,7 +67,6 @@ function convert_dir_list ($topdir) { return; $imspector_config = $config['installedpackages']['imspector']['config'][0]; $limit=(preg_match("/\d+/",$imspector_config['reportlimit'])?$imspector_config['reportlimit']:"50"); - file_put_contents("/tmp/teste.txt",$limit." teste",LOCK_EX); $count=0; if ($dh = opendir($topdir)) { while (($file = readdir($dh)) !== false) { @@ -188,6 +187,7 @@ include("head.inc"); </table> <?php +$csrf_token= csrf_get_tokens(); $zz = <<<EOD <script type="text/javascript"> var section = 'none'; @@ -213,7 +213,7 @@ function xmlhttpPost() } document.getElementById('im_status').style.display = "inline"; - self.xmlHttpReq.send("mode=render§ion=" + section); + self.xmlHttpReq.send("mode=render§ion=" + section + "&__csrf_magic={$csrf_token}"); } function updatepage(str) diff --git a/config/iperf.xml b/config/iperf.xml index 3de57441..e5de8b85 100644 --- a/config/iperf.xml +++ b/config/iperf.xml @@ -132,7 +132,7 @@ <type>input</type> </field> <field> - <fielddescr>Socket buffer bize</fielddescr> + <fielddescr>Socket buffer size</fielddescr> <fieldname>window</fieldname> <description>Enter the desired socket buffer size, if needed.</description> <type>input</type> diff --git a/config/iperfserver.xml b/config/iperfserver.xml index 99d8ba34..493c41c8 100644 --- a/config/iperfserver.xml +++ b/config/iperfserver.xml @@ -119,7 +119,7 @@ <type>input</type> </field> <field> - <fielddescr>Socket buffer bize</fielddescr> + <fielddescr>Socket buffer size</fielddescr> <fieldname>window</fieldname> <description>Enter the desired socket buffer size, if needed.</description> <type>input</type> 
diff --git a/config/jailctl/jailctl.xml b/config/jailctl/jailctl.xml index 079ddb6b..5ca6c459 100644 --- a/config/jailctl/jailctl.xml +++ b/config/jailctl/jailctl.xml @@ -60,7 +60,7 @@ <additional_files_needed> <prefix>/usr/sbin/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/jailctl/sysinstall</item> + <item>http://www.mundounix.com.br/~gugabsd/sysinstall</item> </additional_files_needed> <tabs> diff --git a/config/jailctl/jailctl_settings.xml b/config/jailctl/jailctl_settings.xml index e82eea6c..ae09adaf 100644 --- a/config/jailctl/jailctl_settings.xml +++ b/config/jailctl/jailctl_settings.xml @@ -35,12 +35,9 @@ <description>Select a FTP server (mirror) to use for sysinstall</description> <type>select</type> <options> - <option><name>ftp.FreeBSD.org</name><value>ftp://ftp.FreeBSD.org/pub/FreeBSD/</value></option> - <option><name>ftp.no.FreeBSD.org</name><value>ftp://ftp.no.FreeBSD.org/pub/FreeBSD/</value></option> - <option><name>ftp.de.FreeBSD.org</name><value>ftp://ftp.de.FreeBSD.org/pub/FreeBSD/</value></option> - <option><name>ftp.se.FreeBSD.org</name><value>ftp://ftp.se.FreeBSD.org/pub/FreeBSD/</value></option> + <option><name>ftp-archive.freebsd.org</name><value>ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/</value></option> </options> - <default_value>ftp://ftp.FreeBSD.org/pub/FreeBSD/</default_value> + <default_value>ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/</default_value> </field> <field> <fielddescr>DNS servers</fielddescr> diff --git a/config/lcdproc-dev/lcdproc.xml b/config/lcdproc-dev/lcdproc.xml index 7b59bce0..3db83ccd 100644 --- a/config/lcdproc-dev/lcdproc.xml +++ b/config/lcdproc-dev/lcdproc.xml 
@@ -42,11 +42,6 @@
 <prefix>/usr/local/lib/lcdproc/</prefix>
 <chmod>0755</chmod>
 </additional_files_needed>
- <additional_files_needed>
- <item>http://files.pfsense.org/misc/sdeclcd.so</item>
- <prefix>/usr/local/lib/lcdproc/</prefix>
- <chmod>0755</chmod>
- </additional_files_needed>
 <service>
 <name>lcdproc</name>
 <rcfile>lcdproc.sh</rcfile>
@@ -257,7 +252,7 @@
 </option>
 <option>
 <value>sdeclcd</value>
- <name>Watchguard Firebox with SDEC (x86 only)</name>
+ <name>Watchguard Firebox with SDEC</name>
 </option>
 <option>
 <value>sed1330</value>
@@ -431,7 +426,7 @@
 </field>
 <field>
 <fieldname>offbrightness</fieldname>
- <fielddescr>Offrightness</fielddescr>
+ <fielddescr>Off brightness</fielddescr>
 <description>Set the off-brightness of the LCD panel. This value is used when the display is normally switched off in case LCDd is inactive. This option is not supported by all the LCD panels, leave "default" if unsure.</description>
 <type>select</type>
 <options>
diff --git a/config/lcdproc/lcdproc.xml b/config/lcdproc/lcdproc.xml
index bc03b761..32a8f900 100644
--- a/config/lcdproc/lcdproc.xml
+++ b/config/lcdproc/lcdproc.xml
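Review bot: The `sdeclcd` driver option at `@@ -257` stays selectable while the hunk at `@@ -42` removes the only visible source of `sdeclcd.so`, so unless the module now ships with the lcdproc port itself (not visible here) choosing that driver points LCDd at a missing file. Either drop the option together with the download, or record where the driver now comes from in a comment beside the `<option>`, e.g. `<!-- sdeclcd.so is provided by the lcdproc port, not downloaded here -->`, so the next reader does not re-add the download.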
@@ -38,22 +38,22 @@
 <chmod>0755</chmod>
 </additional_files_needed>
 <additional_files_needed>
- <item>http://www.pfsense.org/packages/config/lcdproc/bin/nexcom.so</item>
+ <item>http://files.pfsense.org/packages/lcdproc/nexcom.so</item>
 <prefix>/usr/local/lib/lcdproc/</prefix>
 <chmod>0755</chmod>
 </additional_files_needed>
 <additional_files_needed>
- <item>http://www.pfsense.org/packages/config/lcdproc/bin/SureElec.so</item>
+ <item>http://files.pfsense.org/packages/lcdproc/SureElec.so</item>
 <prefix>/usr/local/lib/lcdproc/</prefix>
 <chmod>0755</chmod>
 </additional_files_needed>
 <additional_files_needed>
- <item>http://www.pfsense.org/packages/config/lcdproc/bin/picolcd.so</item>
+ <item>http://files.pfsense.org/packages/lcdproc/picolcd.so</item>
 <prefix>/usr/local/lib/lcdproc/</prefix>
 <chmod>0755</chmod>
 </additional_files_needed>
 <additional_files_needed>
- <item>http://www.pfsense.org/packages/config/lcdproc/bin/libusb.so.2</item>
+ <item>http://files.pfsense.org/packages/lcdproc/libusb.so.2</item>
 <prefix>/usr/local/lib/lcdproc/</prefix>
 <chmod>0755</chmod>
 </additional_files_needed>
diff --git a/config/lightsquid/lightsquid.inc b/config/lightsquid/lightsquid.inc
index 5fd89470..4b31bc30 100644
--- a/config/lightsquid/lightsquid.inc
+++ b/config/lightsquid/lightsquid.inc
@@ -294,16 +294,15 @@ function lightsquid_resync() {
 $ifmgr = $ifmgr . $realif[0] . ";";
 }
- # ? delete ?
- $config['installedpackages']['squidcache']['config'][0]['ext_cachemanager'] = $ifmgr;
- # now right
- $config['installedpackages']['squidnac']['config'][0]['ext_cachemanager'] = $ifmgr;
-
- write_config();
- if (function_exists('squid_resync')) {
- squid_resync();
- }
- else update_log("Function 'squid_resync' not found.");
+ /* Only save and resync if we're actually making any changes. */
+ if (strpos($config['installedpackages']['squidnac']['config'][0]['ext_cachemanager'], $ifmgr) === FALSE) {
+ $config['installedpackages']['squidnac']['config'][0]['ext_cachemanager'] = $ifmgr;
+ write_config();
+ if (function_exists('squid_resync'))
+ squid_resync();
+ else
+ update_log("Function 'squid_resync' not found.");
+ }
 }
 }
diff --git a/config/lightsquid/sqstat.php b/config/lightsquid/sqstat.php
index a56b604a..7b12b970 100644
--- a/config/lightsquid/sqstat.php
+++ b/config/lightsquid/sqstat.php
@@ -61,7 +61,7 @@ if ($_REQUEST['getactivity'])
 $pgtitle = "Proxy Squid: Realtime stat (sqstat)";
 require_once("head.inc");
-
+$csrf_token= csrf_get_tokens();
 ?>
 <link href="sqstat.css" rel="stylesheet" type="text/css"/>
@@ -79,7 +79,7 @@ function el(id) {
 function getactivity(action) {
 var url = "<?php echo ($_SERVER["PHP_SELF"]); ?>";
- var pars = "getactivity=yes";
+ var pars = "getactivity=yes" + "<? echo '&__csrf_magic='.$csrf_token ?>";
 var myAjax = new Ajax.Request( url, {
@@ -414,4 +414,4 @@ function sqstat_get_real_interface_address($iface)
 return array($ip, long2ip(hexdec($netmask)));
 }
-?>
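Review bot: The guard added at `@@ -294` uses `strpos(...) === FALSE`, which only asks whether the freshly built `$ifmgr` occurs somewhere inside the stored value, so a stored list that still carries interfaces no longer present is left stale and never re-saved, and an empty `$ifmgr` (or a not-yet-set config key, which hands `strpos` a null haystack) is treated differently across PHP versions. Compare for equality instead: `if ($config['installedpackages']['squidnac']['config'][0]['ext_cachemanager'] !== $ifmgr) {`, and reword the comment above it to `/* Only save and resync if the cache-manager address list actually changed. */`. `lightsquid_resync()` begins outside the hunk.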
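Review bot: The new line at `@@ -79` opens PHP with the short tag `<?` while the line directly above uses `<?php echo`, so the token is only emitted when `short_open_tag` is enabled; otherwise the literal `<? echo ... ?>` text is shipped to the browser and becomes the query string. Use the full tag and let PHP produce the JS string literal for the whole suffix: `var pars = "getactivity=yes" + <?php echo json_encode('&__csrf_magic=' . $csrf_token); ?>;`. The rest of `getactivity()` is unchanged and the enclosing `<script>` block starts outside the hunk.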
\ No newline at end of file
+?>
diff --git a/config/mactovendor/bin/diag_arp.php_ b/config/mactovendor/bin/diag_arp.php_
index b72b73cd..97e9b4bc 100644
--- a/config/mactovendor/bin/diag_arp.php_
+++ b/config/mactovendor/bin/diag_arp.php_
@@ -1,339 +1,339 @@
-<?php
-/*
- diag_arp.php
- part of the pfSense project (http://www.pfsense.org)
- Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com>
-
- originally part of m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2005 Paul Taylor (paultaylor@winndixie.com) and Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-/*
- pfSense_BUILDER_BINARIES: /bin/cat /usr/sbin/arp
- pfSense_MODULE: arp
-*/
-
-##|+PRIV
-##|*IDENT=page-diagnostics-arptable
-##|*NAME=Diagnostics: ARP Table page
-##|*DESCR=Allow access to the 'Diagnostics: ARP Table' page.
-##|*MATCH=diag_arp.php*
-##|-PRIV
-
-@ini_set('zlib.output_compression', 0);
-@ini_set('implicit_flush', 1);
-
-require("guiconfig.inc");
-
-function leasecmp($a, $b) {
- return strcmp($a[$_GET['order']], $b[$_GET['order']]);
-}
-
-function adjust_gmt($dt) {
- $ts = strtotime($dt . " GMT");
- return strftime("%Y/%m/%d %H:%M:%S", $ts);
-}
-
-function remove_duplicate($array, $field) {
- foreach ($array as $sub)
- $cmp[] = $sub[$field];
- $unique = array_unique($cmp);
- foreach ($unique as $k => $rien)
- $new[] = $array[$k];
- return $new;
-}
-
-// Define path to AWK
-$awk = "/usr/bin/awk";
-
-// Read in leases file
-$leasesfile = "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases";
-
-/* this pattern sticks comments into a single array item */
-$cleanpattern = "'{ gsub(\"#.*\", \"\");} { gsub(\";\", \"\"); print;}'";
-
-/* We then split the leases file by } */
-$splitpattern = "'BEGIN { RS=\"}\";} {for (i=1; i<=NF; i++) printf \"%s \", \$i; printf \"}\\n\";}'";
-
-/* stuff the leases file in a proper format into a array by line */
-exec("cat {$leasesfile} | {$awk} {$cleanpattern} | {$awk} {$splitpattern}", $leases_content);
-$leases_count = count($leases_content);
-
-$pools = array();
-$leases = array();
-$i = 0;
-$l = 0;
-$p = 0;
-// Put everything together again
-while($i < $leases_count) {
- /* split the line by space */
- $data = explode(" ", $leases_content[$i]);
- /* walk the fields */
- $f = 0;
- $fcount = count($data);
- /* with less then 20 fields there is nothing useful */
- if($fcount < 20) {
- $i++;
- continue;
- }
- while($f < $fcount) {
- switch($data[$f]) {
- case "failover":
- $pools[$p]['name'] = $data[$f+2];
- $pools[$p]['mystate'] = $data[$f+7];
- $pools[$p]['peerstate'] = $data[$f+14];
- $pools[$p]['mydate'] = $data[$f+10];
- $pools[$p]['mydate'] .= " " . $data[$f+11];
- $pools[$p]['peerdate'] = $data[$f+17];
- $pools[$p]['peerdate'] .= " " . $data[$f+18];
- $p++;
- $i++;
- continue 3;
- case "lease":
- $leases[$l]['ip'] = $data[$f+1];
- $leases[$l]['type'] = "dynamic";
- $f = $f+2;
- break;
- case "starts":
- $leases[$l]['start'] = $data[$f+2];
- $leases[$l]['start'] .= " " . $data[$f+3];
- $f = $f+3;
- break;
- case "ends":
- $leases[$l]['end'] = $data[$f+2];
- $leases[$l]['end'] .= " " . $data[$f+3];
- $f = $f+3;
- break;
- case "tstp":
- $f = $f+3;
- break;
- case "tsfp":
- $f = $f+3;
- break;
- case "atsfp":
- $f = $f+3;
- break;
- case "cltt":
- $f = $f+3;
- break;
- case "binding":
- switch($data[$f+2]) {
- case "active":
- $leases[$l]['act'] = "active";
- break;
- case "free":
- $leases[$l]['act'] = "expired";
- $leases[$l]['online'] = "offline";
- break;
- case "backup":
- $leases[$l]['act'] = "reserved";
- $leases[$l]['online'] = "offline";
- break;
- }
- $f = $f+1;
- break;
- case "next":
- /* skip the next binding statement */
- $f = $f+3;
- break;
- case "hardware":
- $leases[$l]['mac'] = $data[$f+2];
- /* check if it's online and the lease is active */
- if($leases[$l]['act'] == "active") {
- $online = exec("/usr/sbin/arp -an |/usr/bin/awk '/{$leases[$l]['ip']}/ {print}'|wc -l");
- if ($online == 1) {
- $leases[$l]['online'] = 'online';
- } else {
- $leases[$l]['online'] = 'offline';
- }
- }
- $f = $f+2;
- break;
- case "client-hostname":
- if($data[$f+1] <> "") {
- $leases[$l]['hostname'] = preg_replace('/"/','',$data[$f+1]);
- } else {
- $hostname = gethostbyaddr($leases[$l]['ip']);
- if($hostname <> "") {
- $leases[$l]['hostname'] = $hostname;
- }
- }
- $f = $f+1;
- break;
- case "uid":
- $f = $f+1;
- break;
- }
- $f++;
- }
- $l++;
- $i++;
-}
-
-/* remove duplicate items by mac address */
-if(count($leases) > 0) {
- $leases = remove_duplicate($leases,"ip");
-}
-
-if(count($pools) > 0) {
- $pools = remove_duplicate($pools,"name");
- asort($pools);
-}
-
-// Put this in an easy to use form
-$dhcpmac = array();
-$dhcpip = array();
-
-foreach ($leases as $value) {
- $dhcpmac[$value['mac']] = $value['hostname'];
- $dhcpip[$value['ip']] = $value['hostname'];
-}
-
-exec("/usr/sbin/arp -an",$rawdata);
-
-$i = 0;
-
-/* if list */
-$ifdescrs = get_configured_interface_with_descr();
-
-foreach ($ifdescrs as $key =>$interface) {
- $hwif[$config['interfaces'][$key]['if']] = $interface;
-}
-
-$data = array();
-foreach ($rawdata as $line) {
- $elements = explode(' ',$line);
-
- if ($elements[3] != "(incomplete)") {
- $arpent = array();
- $arpent['ip'] = trim(str_replace(array('(',')'),'',$elements[1]));
- $arpent['mac'] = trim($elements[3]);
- $arpent['interface'] = trim($elements[5]);
- $data[] = $arpent;
- }
-}
-
-function _getHostName($mac,$ip)
-{
- global $dhcpmac, $dhcpip;
-
- if ($dhcpmac[$mac])
- return $dhcpmac[$mac];
- else if ($dhcpip[$ip])
- return $dhcpip[$ip];
- else if(gethostbyaddr($ip) <> "" and gethostbyaddr($ip) <> $ip)
- return gethostbyaddr($ip);
- else
- return "";
-}
-
-$pgtitle = array(gettext("Diagnostics"),gettext("ARP Table"));
-include("head.inc");
-
-?>
-
-<body link="#000000" vlink="#000000" alink="#000000">
-
-<?php include("fbegin.inc"); ?>
-
-<div id="loading">
- <img src="/themes/<?=$g['theme'];?>/images/misc/loader.gif"><?= gettext("Loading, please wait..."); ?>
- <p/>
-</div>
-
-<?php
-
-// Flush buffers out to client so that they see Loading, please wait....
-for ($i = 0; $i < ob_get_level(); $i++) { ob_end_flush(); }
-ob_implicit_flush(1);
-
-// Resolve hostnames and replace Z_ with "". The intention
-// is to sort the list by hostnames, alpha and then the non
-// resolvable addresses will appear last in the list.
-foreach ($data as &$entry) {
- $dns = trim(_getHostName($entry['mac'], $entry['ip']));
- if(trim($dns))
- $entry['dnsresolve'] = "$dns";
- else
- $entry['dnsresolve'] = "Z_ ";
-}
-
-// Sort the data alpha first
-$data = msort($data, "dnsresolve");
-
-// Load MAC-Manufacturer table
-$macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
-if ($macs){
- foreach ($macs as $line){
- if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
- /* store values like this $mac_man['000C29']='VMware' */
- $mac_man["$matches[1]"]=$matches[2];
- }
- }
-}
-
-?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td>
- <table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="listhdrr"><?= gettext("IP address"); ?></td>
- <td class="listhdrr"><?= gettext("MAC address"); ?></td>
- <td class="listhdrr"><?= gettext("Hostname"); ?></td>
- <td class="listhdr"><?= gettext("Interface"); ?></td>
- <td class="list"></td>
- </tr>
- <?php foreach ($data as $entry): ?>
- <tr>
- <td class="listlr"><?=$entry['ip'];?></td>
- <td class="listr">
- <?php
- $mac=$entry['mac'];
- $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
- if(isset($mac_man[$mac_hi])){
- $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
- print "<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>"; }
- else{ print $mac; }
- ?>
- </td>
- <td class="listr">
- <?php
- echo str_replace("Z_ ", "", $entry['dnsresolve']);
- ?>
- </td>
- <td class="listr"><?=$hwif[$entry['interface']];?></td>
- </tr>
- <?php endforeach; ?>
- </table>
- </td>
- </tr>
-</table>
-
-<?php include("fend.inc"); ?>
-
-<script type="text/javascript">
- $('loading').innerHTML = '';
-</script>
+<?php +/* + diag_arp.php + part of the pfSense project (http://www.pfsense.org) + Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com> + + originally part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2005 Paul Taylor (paultaylor@winndixie.com) and Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* + pfSense_BUILDER_BINARIES: /bin/cat /usr/sbin/arp + pfSense_MODULE: arp +*/ + +##|+PRIV +##|*IDENT=page-diagnostics-arptable +##|*NAME=Diagnostics: ARP Table page +##|*DESCR=Allow access to the 'Diagnostics: ARP Table' page. 
+##|*MATCH=diag_arp.php* +##|-PRIV + +@ini_set('zlib.output_compression', 0); +@ini_set('implicit_flush', 1); + +require("guiconfig.inc"); + +function leasecmp($a, $b) { + return strcmp($a[$_GET['order']], $b[$_GET['order']]); +} + +function adjust_gmt($dt) { + $ts = strtotime($dt . " GMT"); + return strftime("%Y/%m/%d %H:%M:%S", $ts); +} + +function remove_duplicate($array, $field) { + foreach ($array as $sub) + $cmp[] = $sub[$field]; + $unique = array_unique($cmp); + foreach ($unique as $k => $rien) + $new[] = $array[$k]; + return $new; +} + +// Define path to AWK +$awk = "/usr/bin/awk"; + +// Read in leases file +$leasesfile = "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases"; + +/* this pattern sticks comments into a single array item */ +$cleanpattern = "'{ gsub(\"#.*\", \"\");} { gsub(\";\", \"\"); print;}'"; + +/* We then split the leases file by } */ +$splitpattern = "'BEGIN { RS=\"}\";} {for (i=1; i<=NF; i++) printf \"%s \", \$i; printf \"}\\n\";}'"; + +/* stuff the leases file in a proper format into a array by line */ +exec("cat {$leasesfile} | {$awk} {$cleanpattern} | {$awk} {$splitpattern}", $leases_content); +$leases_count = count($leases_content); + +$pools = array(); +$leases = array(); +$i = 0; +$l = 0; +$p = 0; +// Put everything together again +while($i < $leases_count) { + /* split the line by space */ + $data = explode(" ", $leases_content[$i]); + /* walk the fields */ + $f = 0; + $fcount = count($data); + /* with less then 20 fields there is nothing useful */ + if($fcount < 20) { + $i++; + continue; + } + while($f < $fcount) { + switch($data[$f]) { + case "failover": + $pools[$p]['name'] = $data[$f+2]; + $pools[$p]['mystate'] = $data[$f+7]; + $pools[$p]['peerstate'] = $data[$f+14]; + $pools[$p]['mydate'] = $data[$f+10]; + $pools[$p]['mydate'] .= " " . $data[$f+11]; + $pools[$p]['peerdate'] = $data[$f+17]; + $pools[$p]['peerdate'] .= " " . 
$data[$f+18]; + $p++; + $i++; + continue 3; + case "lease": + $leases[$l]['ip'] = $data[$f+1]; + $leases[$l]['type'] = "dynamic"; + $f = $f+2; + break; + case "starts": + $leases[$l]['start'] = $data[$f+2]; + $leases[$l]['start'] .= " " . $data[$f+3]; + $f = $f+3; + break; + case "ends": + $leases[$l]['end'] = $data[$f+2]; + $leases[$l]['end'] .= " " . $data[$f+3]; + $f = $f+3; + break; + case "tstp": + $f = $f+3; + break; + case "tsfp": + $f = $f+3; + break; + case "atsfp": + $f = $f+3; + break; + case "cltt": + $f = $f+3; + break; + case "binding": + switch($data[$f+2]) { + case "active": + $leases[$l]['act'] = "active"; + break; + case "free": + $leases[$l]['act'] = "expired"; + $leases[$l]['online'] = "offline"; + break; + case "backup": + $leases[$l]['act'] = "reserved"; + $leases[$l]['online'] = "offline"; + break; + } + $f = $f+1; + break; + case "next": + /* skip the next binding statement */ + $f = $f+3; + break; + case "hardware": + $leases[$l]['mac'] = $data[$f+2]; + /* check if it's online and the lease is active */ + if($leases[$l]['act'] == "active") { + $online = exec("/usr/sbin/arp -an |/usr/bin/awk '/{$leases[$l]['ip']}/ {print}'|wc -l"); + if ($online == 1) { + $leases[$l]['online'] = 'online'; + } else { + $leases[$l]['online'] = 'offline'; + } + } + $f = $f+2; + break; + case "client-hostname": + if($data[$f+1] <> "") { + $leases[$l]['hostname'] = preg_replace('/"/','',$data[$f+1]); + } else { + $hostname = gethostbyaddr($leases[$l]['ip']); + if($hostname <> "") { + $leases[$l]['hostname'] = $hostname; + } + } + $f = $f+1; + break; + case "uid": + $f = $f+1; + break; + } + $f++; + } + $l++; + $i++; +} + +/* remove duplicate items by mac address */ +if(count($leases) > 0) { + $leases = remove_duplicate($leases,"ip"); +} + +if(count($pools) > 0) { + $pools = remove_duplicate($pools,"name"); + asort($pools); +} + +// Put this in an easy to use form +$dhcpmac = array(); +$dhcpip = array(); + +foreach ($leases as $value) { + $dhcpmac[$value['mac']] = 
$value['hostname']; + $dhcpip[$value['ip']] = $value['hostname']; +} + +exec("/usr/sbin/arp -an",$rawdata); + +$i = 0; + +/* if list */ +$ifdescrs = get_configured_interface_with_descr(); + +foreach ($ifdescrs as $key =>$interface) { + $hwif[$config['interfaces'][$key]['if']] = $interface; +} + +$data = array(); +foreach ($rawdata as $line) { + $elements = explode(' ',$line); + + if ($elements[3] != "(incomplete)") { + $arpent = array(); + $arpent['ip'] = trim(str_replace(array('(',')'),'',$elements[1])); + $arpent['mac'] = trim($elements[3]); + $arpent['interface'] = trim($elements[5]); + $data[] = $arpent; + } +} + +function _getHostName($mac,$ip) +{ + global $dhcpmac, $dhcpip; + + if ($dhcpmac[$mac]) + return $dhcpmac[$mac]; + else if ($dhcpip[$ip]) + return $dhcpip[$ip]; + else if(gethostbyaddr($ip) <> "" and gethostbyaddr($ip) <> $ip) + return gethostbyaddr($ip); + else + return ""; +} + +$pgtitle = array(gettext("Diagnostics"),gettext("ARP Table")); +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php include("fbegin.inc"); ?> + +<div id="loading"> + <img src="/themes/<?=$g['theme'];?>/images/misc/loader.gif"><?= gettext("Loading, please wait..."); ?> + <p/> +</div> + +<?php + +// Flush buffers out to client so that they see Loading, please wait.... +for ($i = 0; $i < ob_get_level(); $i++) { ob_end_flush(); } +ob_implicit_flush(1); + +// Resolve hostnames and replace Z_ with "". The intention +// is to sort the list by hostnames, alpha and then the non +// resolvable addresses will appear last in the list. 
+foreach ($data as &$entry) { + $dns = trim(_getHostName($entry['mac'], $entry['ip'])); + if(trim($dns)) + $entry['dnsresolve'] = "$dns"; + else + $entry['dnsresolve'] = "Z_ "; +} + +// Sort the data alpha first +$data = msort($data, "dnsresolve"); + +// Load MAC-Manufacturer table +$macs=file("/usr/local/pkg/mactovendor/mac-prefixes"); +if ($macs){ + foreach ($macs as $line){ + if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){ + /* store values like this $mac_man['000C29']='VMware' */ + $mac_man["$matches[1]"]=$matches[2]; + } + } +} + +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr"><?= gettext("IP address"); ?></td> + <td class="listhdrr"><?= gettext("MAC address"); ?></td> + <td class="listhdrr"><?= gettext("Hostname"); ?></td> + <td class="listhdr"><?= gettext("Interface"); ?></td> + <td class="list"></td> + </tr> + <?php foreach ($data as $entry): ?> + <tr> + <td class="listlr"><?=$entry['ip'];?></td> + <td class="listr"> + <?php + $mac=$entry['mac']; + $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]); + if(isset($mac_man[$mac_hi])){ + $mac_man_ar = explode(' ', $mac_man[$mac_hi]); + print "<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>"; } + else{ print $mac; } + ?> + </td> + <td class="listr"> + <?php + echo str_replace("Z_ ", "", $entry['dnsresolve']); + ?> + </td> + <td class="listr"><?=$hwif[$entry['interface']];?></td> + </tr> + <?php endforeach; ?> + </table> + </td> + </tr> +</table> + +<?php include("fend.inc"); ?> + +<script type="text/javascript"> + $('loading').innerHTML = ''; +</script> diff --git a/config/mactovendor/bin/status_dhcp_leases.php_ b/config/mactovendor/bin/status_dhcp_leases.php_ index 58ef71b0..311b617c 100644 --- a/config/mactovendor/bin/status_dhcp_leases.php_ 
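Review bot: `echo str_replace("Z_ ", "", $entry['dnsresolve']);` in the hostname cell writes the resolved name into the page unescaped, and that name comes from `_getHostName()`, i.e. the `client-hostname` token parsed out of dhcpd.leases (only double quotes are stripped) or a `gethostbyaddr()` answer — values chosen by a host on the LAN or by whoever answers reverse DNS, so the ARP page should treat them as untrusted and escape on output: `echo htmlspecialchars(str_replace("Z_ ", "", $entry['dnsresolve']));`. The `title=\"$mac, {$mac_man[$mac_hi]}\"` attribute in the cell above it is built by string concatenation as well and should go through the same escaping. The removed and re-added sides of this hunk read identically, so this presumably is a line-ending normalisation and the point concerns the file as re-added rather than anything the commit changed.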
+++ b/config/mactovendor/bin/status_dhcp_leases.php_
@@ -1,434 +1,434 @@
-<?php
-/* $Id$ */
-/*
- status_dhcp_leases.php
- Copyright (C) 2004-2009 Scott Ullrich
- All rights reserved.
-
- originially part of m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-/*
- pfSense_BUILDER_BINARIES: /usr/bin/awk /bin/cat /usr/sbin/arp /usr/bin/wc /usr/bin/grep
- pfSense_MODULE: dhcpserver
-*/
-
-##|+PRIV
-##|*IDENT=page-status-dhcpleases
-##|*NAME=Status: DHCP leases page
-##|*DESCR=Allow access to the 'Status: DHCP leases' page.
-##|*MATCH=status_dhcp_leases.php*
-##|-PRIV
-
-require("guiconfig.inc");
-
-$pgtitle = array(gettext("Status"),gettext("DHCP leases"));
-
-$leasesfile = "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases";
-
-if (($_GET['deleteip']) && (is_ipaddr($_GET['deleteip']))) {
- /* Stop DHCPD */
- killbyname("dhcpd");
-
- /* Read existing leases */
- $leases_contents = explode("\n", file_get_contents($leasesfile));
- $newleases_contents = array();
- $i=0;
- while ($i < count($leases_contents)) {
- /* Find the lease(s) we want to delete */
- if ($leases_contents[$i] == "lease {$_GET['deleteip']} {") {
- /* Skip to the end of the lease declaration */
- do {
- $i++;
- } while ($leases_contents[$i] != "}");
- } else {
- /* It's a line we want to keep, copy it over. */
- $newleases_contents[] = $leases_contents[$i];
- }
- $i++;
- }
-
- /* Write out the new leases file */
- $fd = fopen($leasesfile, 'w');
- fwrite($fd, implode("\n", $newleases_contents));
- fclose($fd);
-
- /* Restart DHCP Service */
- services_dhcpd_configure();
- header("Location: status_dhcp_leases.php?all={$_GET['all']}");
-}
-
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php
-
-function leasecmp($a, $b) {
- return strcmp($a[$_GET['order']], $b[$_GET['order']]);
-}
-
-function adjust_gmt($dt) {
- $ts = strtotime($dt . " GMT");
- return strftime("%Y/%m/%d %H:%M:%S", $ts);
-}
-
-function remove_duplicate($array, $field)
-{
- foreach ($array as $sub)
- $cmp[] = $sub[$field];
- $unique = array_unique(array_reverse($cmp,true));
- foreach ($unique as $k => $rien)
- $new[] = $array[$k];
- return $new;
-}
-
-$awk = "/usr/bin/awk";
-/* this pattern sticks comments into a single array item */
-$cleanpattern = "'{ gsub(\"#.*\", \"\");} { gsub(\";\", \"\"); print;}'";
-/* We then split the leases file by } */
-$splitpattern = "'BEGIN { RS=\"}\";} {for (i=1; i<=NF; i++) printf \"%s \", \$i; printf \"}\\n\";}'";
-
-/* stuff the leases file in a proper format into a array by line */
-exec("/bin/cat {$leasesfile} | {$awk} {$cleanpattern} | {$awk} {$splitpattern}", $leases_content);
-$leases_count = count($leases_content);
-exec("/usr/sbin/arp -an", $rawdata);
-$arpdata = array();
-foreach ($rawdata as $line) {
- $elements = explode(' ',$line);
- if ($elements[3] != "(incomplete)") {
- $arpent = array();
- $arpent['ip'] = trim(str_replace(array('(',')'),'',$elements[1]));
- // $arpent['mac'] = trim($elements[3]);
- // $arpent['interface'] = trim($elements[5]);
- $arpdata[] = $arpent['ip'];
- }
-}
-
-$pools = array();
-$leases = array();
-$i = 0;
-$l = 0;
-$p = 0;
-
-// Put everything together again
-while($i < $leases_count) {
- /* split the line by space */
- $data = explode(" ", $leases_content[$i]);
- /* walk the fields */
- $f = 0;
- $fcount = count($data);
- /* with less then 20 fields there is nothing useful */
- if($fcount < 20) {
- $i++;
- continue;
- }
- while($f < $fcount) {
- switch($data[$f]) {
- case "failover":
- $pools[$p]['name'] = $data[$f+2];
- $pools[$p]['mystate'] = $data[$f+7];
- $pools[$p]['peerstate'] = $data[$f+14];
- $pools[$p]['mydate'] = $data[$f+10];
- $pools[$p]['mydate'] .= " " . $data[$f+11];
- $pools[$p]['peerdate'] = $data[$f+17];
- $pools[$p]['peerdate'] .= " " . $data[$f+18];
- $p++;
- $i++;
- continue 3;
- case "lease":
- $leases[$l]['ip'] = $data[$f+1];
- $leases[$l]['type'] = "dynamic";
- $f = $f+2;
- break;
- case "starts":
- $leases[$l]['start'] = $data[$f+2];
- $leases[$l]['start'] .= " " . $data[$f+3];
- $f = $f+3;
- break;
- case "ends":
- $leases[$l]['end'] = $data[$f+2];
- $leases[$l]['end'] .= " " . $data[$f+3];
- $f = $f+3;
- break;
- case "tstp":
- $f = $f+3;
- break;
- case "tsfp":
- $f = $f+3;
- break;
- case "atsfp":
- $f = $f+3;
- break;
- case "cltt":
- $f = $f+3;
- break;
- case "binding":
- switch($data[$f+2]) {
- case "active":
- $leases[$l]['act'] = "active";
- break;
- case "free":
- $leases[$l]['act'] = "expired";
- $leases[$l]['online'] = "offline";
- break;
- case "backup":
- $leases[$l]['act'] = "reserved";
- $leases[$l]['online'] = "offline";
- break;
- }
- $f = $f+1;
- break;
- case "next":
- /* skip the next binding statement */
- $f = $f+3;
- break;
- case "hardware":
- $leases[$l]['mac'] = $data[$f+2];
- /* check if it's online and the lease is active */
- if (in_array($leases[$l]['ip'], $arpdata)) {
- $leases[$l]['online'] = 'online';
- } else {
- $leases[$l]['online'] = 'offline';
- }
- $f = $f+2;
- break;
- case "client-hostname":
- if($data[$f+1] <> "") {
- $leases[$l]['hostname'] = preg_replace('/"/','',$data[$f+1]);
- } else {
- $hostname = gethostbyaddr($leases[$l]['ip']);
- if($hostname <> "") {
- $leases[$l]['hostname'] = $hostname;
- }
- }
- $f = $f+1;
- break;
- case "uid":
- $f = $f+1;
- break;
- }
- $f++;
- }
- $l++;
- $i++;
-}
-
-/* remove duplicate items by mac address */
-if(count($leases) > 0) {
- $leases = remove_duplicate($leases,"ip");
-}
-
-if(count($pools) > 0) {
- $pools = remove_duplicate($pools,"name");
- asort($pools);
-}
-
-foreach($config['interfaces'] as $ifname => $ifarr) {
- if (is_array($config['dhcpd'][$ifname]) &&
- is_array($config['dhcpd'][$ifname]['staticmap'])) {
- foreach($config['dhcpd'][$ifname]['staticmap'] as $static) {
- $slease = array();
- $slease['ip'] = $static['ipaddr'];
- $slease['type'] = "static";
- $slease['mac'] = $static['mac'];
- $slease['start'] = "";
- $slease['end'] = "";
- $slease['hostname'] = htmlentities($static['hostname']);
- $slease['act'] = "static";
- $online = exec("/usr/sbin/arp -an |/usr/bin/grep {$slease['mac']}| /usr/bin/wc -l|/usr/bin/awk '{print $1;}'");
- if ($online == 1) {
- $slease['online'] = 'online';
- } else {
- $slease['online'] = 'offline';
- }
- $leases[] = $slease;
- }
- }
-}
-
-if ($_GET['order'])
- usort($leases, "leasecmp");
-
-/* only print pool status when we have one */
-if(count($pools) > 0) {
-?>
-<table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="listhdrr"><?=gettext("Failover Group"); ?></a></td>
- <td class="listhdrr"><?=gettext("My State"); ?></a></td>
- <td class="listhdrr"><?=gettext("Since"); ?></a></td>
- <td class="listhdrr"><?=gettext("Peer State"); ?></a></td>
- <td class="listhdrr"><?=gettext("Since"); ?></a></td>
- </tr>
-<?php
-foreach ($pools as $data) {
- echo "<tr>\n";
- echo "<td class=\"listlr\">{$fspans}{$data['name']}{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}{$data['mystate']}{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['mydate']) . "{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}{$data['peerstate']}{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['peerdate']) . "{$fspane} </td>\n";
- echo "<td class=\"list\" valign=\"middle\" width=\"17\"> </td>\n";
- echo "<td class=\"list\" valign=\"middle\" width=\"17\"> </td>\n";
- echo "</tr>\n";
-}
-
-?>
-</table>
-
-<?php
-/* only print pool status when we have one */
-}
-?>
-
-<p>
-
-<table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="listhdrr"><a href="#"><?=gettext("IP address"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("MAC address"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("Hostname"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("Start"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("End"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("Online"); ?></a></td>
- <td class="listhdrr"><a href="#"><?=gettext("Lease Type"); ?></a></td>
- </tr>
-<?php
-// Load MAC-Manufacturer table
-$macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
-if ($macs){
- foreach ($macs as $line){
- if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
- /* store values like this $mac_man['000C29']='VMware' */
- $mac_man["$matches[1]"]=$matches[2];
- }
- }
-}
-
-foreach ($leases as $data) {
- if (($data['act'] == "active") || ($data['act'] == "static") || ($_GET['all'] == 1)) {
- if ($data['act'] != "active" && $data['act'] != "static") {
- $fspans = "<span class=\"gray\">";
- $fspane = "</span>";
- } else {
- $fspans = $fspane = "";
- }
- $lip = ip2ulong($data['ip']);
- if ($data['act'] == "static") {
- foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
- if(is_array($dhcpifconf['staticmap'])) {
- foreach ($dhcpifconf['staticmap'] as $staticent) {
- if ($data['ip'] == $staticent['ipaddr']) {
- $data['if'] = $dhcpif;
- break;
- }
- }
- }
- /* exit as soon as we have an interface */
- if ($data['if'] != "")
- break;
- }
- } else {
- foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
- if (($lip >= ip2ulong($dhcpifconf['range']['from'])) && ($lip <= ip2ulong($dhcpifconf['range']['to']))) {
- $data['if'] = $dhcpif;
- break;
- }
- }
- }
- echo "<tr>\n";
- echo "<td class=\"listlr\">{$fspans}{$data['ip']}{$fspane} </td>\n";
- $mac=$data['mac'];
- $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
- if ($data['online'] != "online") {
- if(isset($mac_man[$mac_hi])){ // Manufacturer for this MAC is defined
- $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
- echo "<td class=\"listr\">{$fspans}<a href=\"services_wol.php?if={$data['if']}&mac=$mac\" title=\"" . gettext("$mac, {$mac_man[$mac_hi]} - send Wake on LAN packet to this MAC address") ."\">" . $mac_man_ar[0] . substr($mac, 8) . "</a>{$fspane} </td>\n";
- }else{
- echo "<td class=\"listr\">{$fspans}<a href=\"services_wol.php?if={$data['if']}&mac={$data['mac']}\" title=\"" . gettext("send Wake on LAN packet to this MAC address") ."\">{$data['mac']}</a>{$fspane} </td>\n";
- }
- } else {
- if(isset($mac_man[$mac_hi])){ // Manufacturer for this MAC is defined
- $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
- echo "<td class=\"listr\">{$fspans}<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>{$fspane} </td>\n";
- }else{
- echo "<td class=\"listr\">{$fspans}{$data['mac']}{$fspane} </td>\n";
- }
- }
- echo "<td class=\"listr\">{$fspans}" . htmlentities($data['hostname']) . "{$fspane} </td>\n";
- if ($data['type'] != "static") {
- echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['start']) . "{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['end']) . "{$fspane} </td>\n";
- } else {
- echo "<td class=\"listr\">{$fspans} n/a {$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans} n/a {$fspane} </td>\n";
- }
- echo "<td class=\"listr\">{$fspans}{$data['online']}{$fspane} </td>\n";
- echo "<td class=\"listr\">{$fspans}{$data['act']}{$fspane} </td>\n";
-
- if ($data['type'] == "dynamic") {
- echo "<td valign=\"middle\"><a href=\"services_dhcp_edit.php?if={$data['if']}&mac={$data['mac']}&hostname={$data['hostname']}\">";
- echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("add a static mapping for this MAC address") ."\"></a></td>\n";
- } else {
- echo "<td class=\"list\" valign=\"middle\">";
- echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_plus_mo.gif\" width=\"17\" height=\"17\" border=\"0\"></td>\n";
- }
-
- echo "<td valign=\"middle\"><a href=\"services_wol_edit.php?if={$data['if']}&mac={$data['mac']}&descr={$data['hostname']}\">";
- echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_wol_all.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("add a Wake on LAN mapping for this MAC address") ."\"></a></td>\n";
-
- /* Only show the button for offline dynamic leases */
- if (($data['type'] == "dynamic") && ($data['online'] != "online")) {
- echo "<td class=\"list\" valign=\"middle\"><a href=\"status_dhcp_leases.php?deleteip={$data['ip']}&all=" . htmlspecialchars($_GET['all']) . "\">";
- echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("delete this DHCP lease") . "\"></a></td>\n";
- }
- echo "</tr>\n";
- }
-}
-
-?>
-</table>
-<p>
-<form action="status_dhcp_leases.php" method="GET">
-<input type="hidden" name="order" value="<?=htmlspecialchars($_GET['order']);?>">
-<?php if ($_GET['all']): ?>
-<input type="hidden" name="all" value="0">
-<input type="submit" class="formbtn" value="<?=gettext("Show active and static leases only"); ?>">
-<?php else: ?>
-<input type="hidden" name="all" value="1">
-<input type="submit" class="formbtn" value="<?=gettext("Show all configured leases"); ?>">
-<?php endif; ?>
-</form>
-<?php if($leases == 0): ?>
-<p><strong><?=gettext("No leases file found. Is the DHCP server active"); ?>?</strong></p>
-<?php endif; ?>
-
-<?php include("fend.inc"); ?>
-</body>
-</html>
+<?php
+/* $Id$ */
+/*
+ status_dhcp_leases.php
+ Copyright (C) 2004-2009 Scott Ullrich
+ All rights reserved.
+
+ originially part of m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+ pfSense_BUILDER_BINARIES: /usr/bin/awk /bin/cat /usr/sbin/arp /usr/bin/wc /usr/bin/grep
+ pfSense_MODULE: dhcpserver
+*/
+
+##|+PRIV
+##|*IDENT=page-status-dhcpleases
+##|*NAME=Status: DHCP leases page
+##|*DESCR=Allow access to the 'Status: DHCP leases' page.
+##|*MATCH=status_dhcp_leases.php*
+##|-PRIV
+
+require("guiconfig.inc");
+
+$pgtitle = array(gettext("Status"),gettext("DHCP leases"));
+
+$leasesfile = "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases";
+
+if (($_GET['deleteip']) && (is_ipaddr($_GET['deleteip']))) {
+ /* Stop DHCPD */
+ killbyname("dhcpd");
+
+ /* Read existing leases */
+ $leases_contents = explode("\n", file_get_contents($leasesfile));
+ $newleases_contents = array();
+ $i=0;
+ while ($i < count($leases_contents)) {
+ /* Find the lease(s) we want to delete */
+ if ($leases_contents[$i] == "lease {$_GET['deleteip']} {") {
+ /* Skip to the end of the lease declaration */
+ do {
+ $i++;
+ } while ($leases_contents[$i] != "}");
+ } else {
+ /* It's a line we want to keep, copy it over. */
+ $newleases_contents[] = $leases_contents[$i];
+ }
+ $i++;
+ }
+
+ /* Write out the new leases file */
+ $fd = fopen($leasesfile, 'w');
+ fwrite($fd, implode("\n", $newleases_contents));
+ fclose($fd);
+
+ /* Restart DHCP Service */
+ services_dhcpd_configure();
+ header("Location: status_dhcp_leases.php?all={$_GET['all']}");
+}
+
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<?php
+
+function leasecmp($a, $b) {
+ return strcmp($a[$_GET['order']], $b[$_GET['order']]);
+}
+
+function adjust_gmt($dt) {
+ $ts = strtotime($dt . " GMT");
+ return strftime("%Y/%m/%d %H:%M:%S", $ts);
+}
+
+function remove_duplicate($array, $field)
+{
+ foreach ($array as $sub)
+ $cmp[] = $sub[$field];
+ $unique = array_unique(array_reverse($cmp,true));
+ foreach ($unique as $k => $rien)
+ $new[] = $array[$k];
+ return $new;
+}
+
+$awk = "/usr/bin/awk";
+/* this pattern sticks comments into a single array item */
+$cleanpattern = "'{ gsub(\"#.*\", \"\");} { gsub(\";\", \"\"); print;}'";
+/* We then split the leases file by } */
+$splitpattern = "'BEGIN { RS=\"}\";} {for (i=1; i<=NF; i++) printf \"%s \", \$i; printf \"}\\n\";}'";
+
+/* stuff the leases file in a proper format into a array by line */
+exec("/bin/cat {$leasesfile} | {$awk} {$cleanpattern} | {$awk} {$splitpattern}", $leases_content);
+$leases_count = count($leases_content);
+exec("/usr/sbin/arp -an", $rawdata);
+$arpdata = array();
+foreach ($rawdata as $line) {
+ $elements = explode(' ',$line);
+ if ($elements[3] != "(incomplete)") {
+ $arpent = array();
+ $arpent['ip'] = trim(str_replace(array('(',')'),'',$elements[1]));
+ // $arpent['mac'] = trim($elements[3]);
+ // $arpent['interface'] = trim($elements[5]);
+ $arpdata[] = $arpent['ip'];
+ }
+}
+
+$pools = array();
+$leases = array();
+$i = 0;
+$l = 0;
+$p = 0;
+
+// Put everything together again
+while($i < $leases_count) {
+ /* split the line by space */
+ $data = explode(" ", $leases_content[$i]);
+ /* walk the fields */
+ $f = 0;
+ $fcount = count($data);
+ /* with less then 20 fields there is nothing useful */
+ if($fcount < 20) {
+ $i++;
+ continue;
+ }
+ while($f < $fcount) {
+ switch($data[$f]) {
+ case "failover":
+ $pools[$p]['name'] = $data[$f+2];
+ $pools[$p]['mystate'] = $data[$f+7];
+ $pools[$p]['peerstate'] = $data[$f+14];
+ $pools[$p]['mydate'] = $data[$f+10];
+ $pools[$p]['mydate'] .= " " . $data[$f+11];
+ $pools[$p]['peerdate'] = $data[$f+17];
+ $pools[$p]['peerdate'] .= " " . $data[$f+18];
+ $p++;
+ $i++;
+ continue 3;
+ case "lease":
+ $leases[$l]['ip'] = $data[$f+1];
+ $leases[$l]['type'] = "dynamic";
+ $f = $f+2;
+ break;
+ case "starts":
+ $leases[$l]['start'] = $data[$f+2];
+ $leases[$l]['start'] .= " " . $data[$f+3];
+ $f = $f+3;
+ break;
+ case "ends":
+ $leases[$l]['end'] = $data[$f+2];
+ $leases[$l]['end'] .= " " . $data[$f+3];
+ $f = $f+3;
+ break;
+ case "tstp":
+ $f = $f+3;
+ break;
+ case "tsfp":
+ $f = $f+3;
+ break;
+ case "atsfp":
+ $f = $f+3;
+ break;
+ case "cltt":
+ $f = $f+3;
+ break;
+ case "binding":
+ switch($data[$f+2]) {
+ case "active":
+ $leases[$l]['act'] = "active";
+ break;
+ case "free":
+ $leases[$l]['act'] = "expired";
+ $leases[$l]['online'] = "offline";
+ break;
+ case "backup":
+ $leases[$l]['act'] = "reserved";
+ $leases[$l]['online'] = "offline";
+ break;
+ }
+ $f = $f+1;
+ break;
+ case "next":
+ /* skip the next binding statement */
+ $f = $f+3;
+ break;
+ case "hardware":
+ $leases[$l]['mac'] = $data[$f+2];
+ /* check if it's online and the lease is active */
+ if (in_array($leases[$l]['ip'], $arpdata)) {
+ $leases[$l]['online'] = 'online';
+ } else {
+ $leases[$l]['online'] = 'offline';
+ }
+ $f = $f+2;
+ break;
+ case "client-hostname":
+ if($data[$f+1] <> "") {
+ $leases[$l]['hostname'] = preg_replace('/"/','',$data[$f+1]);
+ } else {
+ $hostname = gethostbyaddr($leases[$l]['ip']);
+ if($hostname <> "") {
+ $leases[$l]['hostname'] = $hostname;
+ }
+ }
+ $f = $f+1;
+ break;
+ case "uid":
+ $f = $f+1;
+ break;
+ }
+ $f++;
+ }
+ $l++;
+ $i++;
+}
+
+/* remove duplicate items by mac address */
+if(count($leases) > 0) {
+ $leases = remove_duplicate($leases,"ip");
+}
+
+if(count($pools) > 0) {
+ $pools = remove_duplicate($pools,"name");
+ asort($pools);
+}
+
+foreach($config['interfaces'] as $ifname => $ifarr) {
+ if (is_array($config['dhcpd'][$ifname]) &&
+ is_array($config['dhcpd'][$ifname]['staticmap'])) {
+ foreach($config['dhcpd'][$ifname]['staticmap'] as $static) {
+ $slease = array();
+ $slease['ip'] = $static['ipaddr'];
+ $slease['type'] = "static";
+ $slease['mac'] = $static['mac'];
+ $slease['start'] = "";
+ $slease['end'] = "";
+ $slease['hostname'] = htmlentities($static['hostname']);
+ $slease['act'] = "static";
+ $online = exec("/usr/sbin/arp -an |/usr/bin/grep {$slease['mac']}| /usr/bin/wc -l|/usr/bin/awk '{print $1;}'");
+ if ($online == 1) {
+ $slease['online'] = 'online';
+ } else {
+ $slease['online'] = 'offline';
+ }
+ $leases[] = $slease;
+ }
+ }
+}
+
+if ($_GET['order'])
+ usort($leases, "leasecmp");
+
+/* only print pool status when we have one */
+if(count($pools) > 0) {
+?>
+<table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="listhdrr"><?=gettext("Failover Group"); ?></a></td>
+ <td class="listhdrr"><?=gettext("My State"); ?></a></td>
+ <td class="listhdrr"><?=gettext("Since"); ?></a></td>
+ <td class="listhdrr"><?=gettext("Peer State"); ?></a></td>
+ <td class="listhdrr"><?=gettext("Since"); ?></a></td>
+ </tr>
+<?php
+foreach ($pools as $data) {
+ echo "<tr>\n";
+ echo "<td class=\"listlr\">{$fspans}{$data['name']}{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}{$data['mystate']}{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['mydate']) . "{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}{$data['peerstate']}{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['peerdate']) . "{$fspane} </td>\n";
+ echo "<td class=\"list\" valign=\"middle\" width=\"17\"> </td>\n";
+ echo "<td class=\"list\" valign=\"middle\" width=\"17\"> </td>\n";
+ echo "</tr>\n";
+}
+
+?>
+</table>
+
+<?php
+/* only print pool status when we have one */
+}
+?>
+
+<p>
+
+<table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="listhdrr"><a href="#"><?=gettext("IP address"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("MAC address"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("Hostname"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("Start"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("End"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("Online"); ?></a></td>
+ <td class="listhdrr"><a href="#"><?=gettext("Lease Type"); ?></a></td>
+ </tr>
+<?php
+// Load MAC-Manufacturer table
+$macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
+if ($macs){
+ foreach ($macs as $line){
+ if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
+ /* store values like this $mac_man['000C29']='VMware' */
+ $mac_man["$matches[1]"]=$matches[2];
+ }
+ }
+}
+
+foreach ($leases as $data) {
+ if (($data['act'] == "active") || ($data['act'] == "static") || ($_GET['all'] == 1)) {
+ if ($data['act'] != "active" && $data['act'] != "static") {
+ $fspans = "<span class=\"gray\">";
+ $fspane = "</span>";
+ } else {
+ $fspans = $fspane = "";
+ }
+ $lip = ip2ulong($data['ip']);
+ if ($data['act'] == "static") {
+ foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+ if(is_array($dhcpifconf['staticmap'])) {
+ foreach ($dhcpifconf['staticmap'] as $staticent) {
+ if ($data['ip'] == $staticent['ipaddr']) {
+ $data['if'] = $dhcpif;
+ break;
+ }
+ }
+ }
+ /* exit as soon as we have an interface */
+ if ($data['if'] != "")
+ break;
+ }
+ } else {
+ foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+ if (($lip >= ip2ulong($dhcpifconf['range']['from'])) && ($lip <= ip2ulong($dhcpifconf['range']['to']))) {
+ $data['if'] = $dhcpif;
+ break;
+ }
+ }
+ }
+ echo "<tr>\n";
+ echo "<td class=\"listlr\">{$fspans}{$data['ip']}{$fspane} </td>\n";
+ $mac=$data['mac'];
+ $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
+ if ($data['online'] != "online") {
+ if(isset($mac_man[$mac_hi])){ // Manufacturer for this MAC is defined
+ $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
+ echo "<td class=\"listr\">{$fspans}<a href=\"services_wol.php?if={$data['if']}&mac=$mac\" title=\"" . gettext("$mac, {$mac_man[$mac_hi]} - send Wake on LAN packet to this MAC address") ."\">" . $mac_man_ar[0] . substr($mac, 8) . "</a>{$fspane} </td>\n";
+ }else{
+ echo "<td class=\"listr\">{$fspans}<a href=\"services_wol.php?if={$data['if']}&mac={$data['mac']}\" title=\"" . gettext("send Wake on LAN packet to this MAC address") ."\">{$data['mac']}</a>{$fspane} </td>\n";
+ }
+ } else {
+ if(isset($mac_man[$mac_hi])){ // Manufacturer for this MAC is defined
+ $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
+ echo "<td class=\"listr\">{$fspans}<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>{$fspane} </td>\n";
+ }else{
+ echo "<td class=\"listr\">{$fspans}{$data['mac']}{$fspane} </td>\n";
+ }
+ }
+ echo "<td class=\"listr\">{$fspans}" . htmlentities($data['hostname']) . "{$fspane} </td>\n";
+ if ($data['type'] != "static") {
+ echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['start']) . "{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}" . adjust_gmt($data['end']) . "{$fspane} </td>\n";
+ } else {
+ echo "<td class=\"listr\">{$fspans} n/a {$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans} n/a {$fspane} </td>\n";
+ }
+ echo "<td class=\"listr\">{$fspans}{$data['online']}{$fspane} </td>\n";
+ echo "<td class=\"listr\">{$fspans}{$data['act']}{$fspane} </td>\n";
+
+ if ($data['type'] == "dynamic") {
+ echo "<td valign=\"middle\"><a href=\"services_dhcp_edit.php?if={$data['if']}&mac={$data['mac']}&hostname={$data['hostname']}\">";
+ echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("add a static mapping for this MAC address") ."\"></a></td>\n";
+ } else {
+ echo "<td class=\"list\" valign=\"middle\">";
+ echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_plus_mo.gif\" width=\"17\" height=\"17\" border=\"0\"></td>\n";
+ }
+
+ echo "<td valign=\"middle\"><a href=\"services_wol_edit.php?if={$data['if']}&mac={$data['mac']}&descr={$data['hostname']}\">";
+ echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_wol_all.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("add a Wake on LAN mapping for this MAC address") ."\"></a></td>\n";
+
+ /* Only show the button for offline dynamic leases */
+ if (($data['type'] == "dynamic") && ($data['online'] != "online")) {
+ echo "<td class=\"list\" valign=\"middle\"><a href=\"status_dhcp_leases.php?deleteip={$data['ip']}&all=" . htmlspecialchars($_GET['all']) . "\">";
+ echo "<img src=\"/themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"17\" height=\"17\" border=\"0\" title=\"" . gettext("delete this DHCP lease") . "\"></a></td>\n";
+ }
+ echo "</tr>\n";
+ }
+}
+
+?>
+</table>
+<p>
+<form action="status_dhcp_leases.php" method="GET">
+<input type="hidden" name="order" value="<?=htmlspecialchars($_GET['order']);?>">
+<?php if ($_GET['all']): ?>
+<input type="hidden" name="all" value="0">
+<input type="submit" class="formbtn" value="<?=gettext("Show active and static leases only"); ?>">
+<?php else: ?>
+<input type="hidden" name="all" value="1">
+<input type="submit" class="formbtn" value="<?=gettext("Show all configured leases"); ?>">
+<?php endif; ?>
+</form>
+<?php if($leases == 0): ?>
+<p><strong><?=gettext("No leases file found. Is the DHCP server active"); ?>?</strong></p>
+<?php endif; ?>
+
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/config/mactovendor/bin/status_interfaces.php_ b/config/mactovendor/bin/status_interfaces.php_
index 36c95a0c..1d8f8c9c 100644
--- a/config/mactovendor/bin/status_interfaces.php_
+++ b/config/mactovendor/bin/status_interfaces.php_
@@ -1,353 +1,353 @@
-<?php
-/* $Id$ */
-/*
- status_interfaces.php
- part of pfSense
- Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>.
- All rights reserved.
-
- originally part of m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_MODULE: interfaces
-*/
-
-##|+PRIV
-##|*IDENT=page-status-interfaces
-##|*NAME=Status: Interfaces page
-##|*DESCR=Allow access to the 'Status: Interfaces' page.
-##|*MATCH=status_interfaces.php*
-##|-PRIV
-
-require_once("guiconfig.inc");
-
-if ($_GET['if']) {
- $interface = $_GET['if'];
- if ($_GET['action'] == "Disconnect" || $_GET['action'] == "Release") {
- interface_bring_down($interface);
- } else if ($_GET['action'] == "Connect" || $_GET['action'] == "Renew") {
- interface_configure($interface);
- }
- header("Location: status_interfaces.php");
- exit;
-}
-
-$pgtitle = array(gettext("Status"),gettext("Interfaces"));
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<table width="100%" border="0" cellspacing="0" cellpadding="0">
-<?php
- $i = 0;
- $ifdescrs = get_configured_interface_with_descr(false, true);
- foreach ($ifdescrs as $ifdescr => $ifname):
- $ifinfo = get_interface_info($ifdescr);
- // Load MAC-Manufacturer table
- $macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
- if ($macs){
- foreach ($macs as $line){
- if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
- /* store values like this $mac_man['000C29']='VMware' */
- $mac_man["$matches[1]"]=$matches[2];
- }
- }
- }
-?>
-<?php if ($i): ?>
- <tr>
- <td colspan="8" class="list" height="12"></td>
- </tr>
-<?php endif; ?>
- <tr>
- <td colspan="2" class="listtopic">
- <?=htmlspecialchars($ifname);?> <?=gettext("interface"); ?> (<?=htmlspecialchars($ifinfo['hwif']);?>)
- </td>
- </tr>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Status"); ?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['status']);?>
- </td>
- </tr>
- <?php if ($ifinfo['dhcplink']): ?>
- <tr>
- <td width="22%" class="vncellt">
- DHCP
- </td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['dhcplink']);?>
- <?php if ($ifinfo['dhcplink'] == "up"): ?>
- <a href="status_interfaces.php?action=Release&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Release");?>" class="formbtns">
- <?php else: ?>
- <a href="status_interfaces.php?action=Renew&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Renew");?>" class="formbtns">
- <?php endif; ?>
- </a>
- </td>
- </tr>
- <?php endif; if ($ifinfo['pppoelink']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("PPPoE"); ?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['pppoelink']);?>
- <?php if ($ifinfo['pppoelink'] == "up"): ?>
- <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
- <?php else: ?>
- <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
- <?php endif; ?>
- </a>
- </td>
- </tr>
- <?php endif; if ($ifinfo['pptplink']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("PPTP"); ?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['pptplink']);?>
- <?php if ($ifinfo['pptplink'] == "up"): ?>
- <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
- <?php else: ?>
- <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
- <?php endif; ?>
- </a>
- </td>
- </tr>
- <?php endif; if ($ifinfo['ppplink']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("PPP"); ?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['pppinfo']);?>
- <?php if ($ifinfo['ppplink'] == "up"): ?>
- <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
- <?php else: ?>
- <?php if (!$ifinfo['nodevice']): ?>
- <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
- <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
- <?php endif; ?>
- <?php endif; ?>
- </a>
- </td>
- </tr>
- <?php endif; if ($ifinfo['ppp_uptime'] || $ifinfo['ppp_uptime_accumulated']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Uptime ");?><?php if ($ifinfo['ppp_uptime_accumulated']) echo "(historical)"; ?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['ppp_uptime']);?> <?=htmlspecialchars($ifinfo['ppp_uptime_accumulated']);?>
- </td>
- </tr>
- <?php endif; if ($ifinfo['macaddr']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("MAC address");?></td>
- <td width="78%" class="listr">
- <?php
- $mac=$ifinfo['macaddr'];
- $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
- if(isset($mac_man[$mac_hi])){
- $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
- print "<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>"; }
- else {print htmlspecialchars($mac);}
- ?>
- </td>
- </tr>
- <?php endif; if ($ifinfo['status'] != "down"): ?>
- <?php if ($ifinfo['dhcplink'] != "down" && $ifinfo['pppoelink'] != "down" && $ifinfo['pptplink'] != "down"): ?>
- <?php if ($ifinfo['ipaddr']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("IP address");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['ipaddr']);?>
-
- </td>
- </tr>
- <?php endif; ?><?php if ($ifinfo['subnet']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Subnet mask");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['subnet']);?>
- </td>
- </tr>
- <?php endif; ?><?php if ($ifinfo['gateway']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Gateway");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($config['interfaces'][$ifdescr]['gateway']);?>
- <?=htmlspecialchars($ifinfo['gateway']);?>
- </td>
- </tr>
- <?php endif; if ($ifdescr == "wan" && file_exists("{$g['varetc_path']}/resolv.conf")): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("ISP DNS servers");?></td>
- <td width="78%" class="listr">
- <?php
- $dns_servers = get_dns_servers();
- foreach($dns_servers as $dns) {
- echo "{$dns}<br>";
- }
- ?>
- </td>
- </tr>
- <?php endif; endif; if ($ifinfo['media']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Media");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['media']);?>
- </td>
- </tr>
-<?php endif; ?><?php if ($ifinfo['channel']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Channel");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['channel']);?>
- </td>
- </tr>
-<?php endif; ?><?php if ($ifinfo['ssid']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("SSID");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['ssid']);?>
- </td>
- </tr>
-<?php endif; ?><?php if ($ifinfo['bssid']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("BSSID");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['bssid']);?>
- </td>
- </tr>
-<?php endif; ?><?php if ($ifinfo['rate']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Rate");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['rate']);?>
- </td>
- </tr>
-<?php endif; ?><?php if ($ifinfo['rssi']): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("RSSI");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['rssi']);?>
- </td>
- </tr>
-<?php endif; ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("In/out packets");?></td>
- <td width="78%" class="listr">
- <?php
- echo htmlspecialchars($ifinfo['inpkts'] . "/" . $ifinfo['outpkts'] . " (");
- echo htmlspecialchars(format_bytes($ifinfo['inbytes']) . "/" . format_bytes($ifinfo['outbytes']) . ")");
- ?>
- </td>
- </tr>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("In/out packets (pass)");?></td>
- <td width="78%" class="listr">
- <?php
- echo htmlspecialchars($ifinfo['inpktspass'] . "/" . $ifinfo['outpktspass'] . " (");
- echo htmlspecialchars(format_bytes($ifinfo['inbytespass']) . "/" . format_bytes($ifinfo['outbytespass']) . ")");
- ?>
- </td>
- </tr>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("In/out packets (block)");?></td>
- <td width="78%" class="listr">
- <?php
- echo htmlspecialchars($ifinfo['inpktsblock'] . "/" . $ifinfo['outpktsblock'] . " (");
- echo htmlspecialchars(format_bytes($ifinfo['inbytesblock']) . "/" . format_bytes($ifinfo['outbytesblock']) . ")");
- ?>
- </td>
- </tr>
-<?php if (isset($ifinfo['inerrs'])): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("In/out errors");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['inerrs'] . "/" . $ifinfo['outerrs']);?>
- </td>
- </tr>
-<?php endif; ?>
-<?php if (isset($ifinfo['collisions'])): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Collisions");?></td>
- <td width="78%" class="listr">
- <?=htmlspecialchars($ifinfo['collisions']);?>
- </td>
- </tr>
-<?php endif; ?>
-<?php endif; ?>
-<?php if ($ifinfo['bridge']): ?>
- <tr>
- <td width="22%" class="vncellt"><?php printf(gettext("Bridge (%s)"),$ifinfo['bridgeint']);?></td>
- <td width="78%" class="listr">
- <?=$ifinfo['bridge'];?>
- </td>
- </tr>
-<?php endif; ?>
-<?php if(file_exists("/usr/bin/vmstat")): ?>
-<?php
- $real_interface = "";
- $interrupt_total = "";
- $interrupt_sec = "";
- $real_interface = $ifinfo['hwif'];
- $interrupt_total = `vmstat -i | grep $real_interface | awk '{ print $3 }'`;
- $interrupt_sec = `vmstat -i | grep $real_interface | awk '{ print $4 }'`;
- if(strstr($interrupt_total, "hci")) {
- $interrupt_total = `vmstat -i | grep $real_interface | awk '{ print $4 }'`;
- $interrupt_sec = `vmstat -i | grep $real_interface | awk '{ print $5 }'`;
- }
- unset($interrupt_total); // XXX: FIX ME! Need a regex and parse correct data 100% of the time.
-?>
-<?php if($interrupt_total): ?>
- <tr>
- <td width="22%" class="vncellt"><?=gettext("Interrupts/Second");?></td>
- <td width="78%" class="listr">
- <?php
- echo $interrupt_total . " " . gettext("total");
- echo "<br/>";
- echo $interrupt_sec . " " . gettext("rate");
- ?>
- </td>
- </tr>
-<?php endif; ?>
-<?php endif; ?>
-<?php $i++; endforeach; ?>
-</table>
-
-<br/>
-
-</strong><?php printf(gettext("Using dial-on-demand will bring the connection up again if any packet ".
-"triggers it. To substantiate this point: disconnecting manually ".
-"will %snot%s prevent dial-on-demand from making connections ".
-"to the outside! Don't use dial-on-demand if you want to make sure that the line ".
-"is kept disconnected."),'<strong>','</strong>')?>
-
-<?php include("fend.inc"); ?>
+<?php
+/* $Id$ */
+/*
+ status_interfaces.php
+ part of pfSense
+ Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>.
+ All rights reserved.
+
+ originally part of m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/*
+ pfSense_MODULE: interfaces
+*/
+
+##|+PRIV
+##|*IDENT=page-status-interfaces
+##|*NAME=Status: Interfaces page
+##|*DESCR=Allow access to the 'Status: Interfaces' page.
+##|*MATCH=status_interfaces.php*
+##|-PRIV
+
+require_once("guiconfig.inc");
+
+if ($_GET['if']) {
+ $interface = $_GET['if'];
+ if ($_GET['action'] == "Disconnect" || $_GET['action'] == "Release") {
+ interface_bring_down($interface);
+ } else if ($_GET['action'] == "Connect" || $_GET['action'] == "Renew") {
+ interface_configure($interface);
+ }
+ header("Location: status_interfaces.php");
+ exit;
+}
+
+$pgtitle = array(gettext("Status"),gettext("Interfaces"));
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<table width="100%" border="0" cellspacing="0" cellpadding="0">
+<?php
+ $i = 0;
+ $ifdescrs = get_configured_interface_with_descr(false, true);
+ foreach ($ifdescrs as $ifdescr => $ifname):
+ $ifinfo = get_interface_info($ifdescr);
+ // Load MAC-Manufacturer table
+ $macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
+ if ($macs){
+ foreach ($macs as $line){
+ if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
+ /* store values like this $mac_man['000C29']='VMware' */
+ $mac_man["$matches[1]"]=$matches[2];
+ }
+ }
+ }
+?>
+<?php if ($i): ?>
+ <tr>
+ <td colspan="8" class="list" height="12"></td>
+ </tr>
+<?php endif; ?>
+ <tr>
+ <td colspan="2" class="listtopic">
+ <?=htmlspecialchars($ifname);?> <?=gettext("interface"); ?> (<?=htmlspecialchars($ifinfo['hwif']);?>)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Status"); ?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['status']);?>
+ </td>
+ </tr>
+ <?php if ($ifinfo['dhcplink']): ?>
+ <tr>
+ <td width="22%" class="vncellt">
+ DHCP
+ </td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['dhcplink']);?>
+ <?php if ($ifinfo['dhcplink'] == "up"): ?>
+ <a href="status_interfaces.php?action=Release&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Release");?>" class="formbtns">
+ <?php else: ?>
+ <a href="status_interfaces.php?action=Renew&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Renew");?>" class="formbtns">
+ <?php endif; ?>
+ </a>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['pppoelink']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("PPPoE"); ?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['pppoelink']);?>
+ <?php if ($ifinfo['pppoelink'] == "up"): ?>
+ <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
+ <?php else: ?>
+ <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
+ <?php endif; ?>
+ </a>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['pptplink']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("PPTP"); ?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['pptplink']);?>
+ <?php if ($ifinfo['pptplink'] == "up"): ?>
+ <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
+ <?php else: ?>
+ <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
+ <?php endif; ?>
+ </a>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['ppplink']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("PPP"); ?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['pppinfo']);?>
+ <?php if ($ifinfo['ppplink'] == "up"): ?>
+ <a href="status_interfaces.php?action=Disconnect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Disconnect");?>" class="formbtns">
+ <?php else: ?>
+ <?php if (!$ifinfo['nodevice']): ?>
+ <a href="status_interfaces.php?action=Connect&if=<?php echo $ifdescr; ?>">
+ <input type="button" name="<?php echo $ifdescr; ?>" value="<?=gettext("Connect");?>" class="formbtns">
+ <?php endif; ?>
+ <?php endif; ?>
+ </a>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['ppp_uptime'] || $ifinfo['ppp_uptime_accumulated']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Uptime ");?><?php if ($ifinfo['ppp_uptime_accumulated']) echo "(historical)"; ?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['ppp_uptime']);?> <?=htmlspecialchars($ifinfo['ppp_uptime_accumulated']);?>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['macaddr']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("MAC address");?></td>
+ <td width="78%" class="listr">
+ <?php
+ $mac=$ifinfo['macaddr'];
+ $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
+ if(isset($mac_man[$mac_hi])){
+ $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
+ print "<span title=\"$mac, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($mac, 8) . "</span>"; }
+ else {print htmlspecialchars($mac);}
+ ?>
+ </td>
+ </tr>
+ <?php endif; if ($ifinfo['status'] != "down"): ?>
+ <?php if ($ifinfo['dhcplink'] != "down" && $ifinfo['pppoelink'] != "down" && $ifinfo['pptplink'] != "down"): ?>
+ <?php if ($ifinfo['ipaddr']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("IP address");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['ipaddr']);?>
+
+ </td>
+ </tr>
+ <?php endif; ?><?php if ($ifinfo['subnet']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Subnet mask");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['subnet']);?>
+ </td>
+ </tr>
+ <?php endif; ?><?php if ($ifinfo['gateway']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Gateway");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($config['interfaces'][$ifdescr]['gateway']);?>
+ <?=htmlspecialchars($ifinfo['gateway']);?>
+ </td>
+ </tr>
+ <?php endif; if ($ifdescr == "wan" && file_exists("{$g['varetc_path']}/resolv.conf")): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("ISP DNS servers");?></td>
+ <td width="78%" class="listr">
+ <?php
+ $dns_servers = get_dns_servers();
+ foreach($dns_servers as $dns) {
+ echo "{$dns}<br>";
+ }
+ ?>
+ </td>
+ </tr>
+ <?php endif; endif; if ($ifinfo['media']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Media");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['media']);?>
+ </td>
+ </tr>
+<?php endif; ?><?php if ($ifinfo['channel']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Channel");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['channel']);?>
+ </td>
+ </tr>
+<?php endif; ?><?php if ($ifinfo['ssid']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("SSID");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['ssid']);?>
+ </td>
+ </tr>
+<?php endif; ?><?php if ($ifinfo['bssid']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("BSSID");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['bssid']);?>
+ </td>
+ </tr>
+<?php endif; ?><?php if ($ifinfo['rate']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Rate");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['rate']);?>
+ </td>
+ </tr>
+<?php endif; ?><?php if ($ifinfo['rssi']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("RSSI");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['rssi']);?>
+ </td>
+ </tr>
+<?php endif; ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("In/out packets");?></td>
+ <td width="78%" class="listr">
+ <?php
+ echo htmlspecialchars($ifinfo['inpkts'] . "/" . $ifinfo['outpkts'] . " (");
+ echo htmlspecialchars(format_bytes($ifinfo['inbytes']) . "/" . format_bytes($ifinfo['outbytes']) . ")");
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("In/out packets (pass)");?></td>
+ <td width="78%" class="listr">
+ <?php
+ echo htmlspecialchars($ifinfo['inpktspass'] . "/" . $ifinfo['outpktspass'] . " (");
+ echo htmlspecialchars(format_bytes($ifinfo['inbytespass']) . "/" . format_bytes($ifinfo['outbytespass']) . ")");
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("In/out packets (block)");?></td>
+ <td width="78%" class="listr">
+ <?php
+ echo htmlspecialchars($ifinfo['inpktsblock'] . "/" . $ifinfo['outpktsblock'] . " (");
+ echo htmlspecialchars(format_bytes($ifinfo['inbytesblock']) . "/" . format_bytes($ifinfo['outbytesblock']) . ")");
+ ?>
+ </td>
+ </tr>
+<?php if (isset($ifinfo['inerrs'])): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("In/out errors");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['inerrs'] . "/" . $ifinfo['outerrs']);?>
+ </td>
+ </tr>
+<?php endif; ?>
+<?php if (isset($ifinfo['collisions'])): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Collisions");?></td>
+ <td width="78%" class="listr">
+ <?=htmlspecialchars($ifinfo['collisions']);?>
+ </td>
+ </tr>
+<?php endif; ?>
+<?php endif; ?>
+<?php if ($ifinfo['bridge']): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?php printf(gettext("Bridge (%s)"),$ifinfo['bridgeint']);?></td>
+ <td width="78%" class="listr">
+ <?=$ifinfo['bridge'];?>
+ </td>
+ </tr>
+<?php endif; ?>
+<?php if(file_exists("/usr/bin/vmstat")): ?>
+<?php
+ $real_interface = "";
+ $interrupt_total = "";
+ $interrupt_sec = "";
+ $real_interface = $ifinfo['hwif'];
+ $interrupt_total = `vmstat -i | grep $real_interface | awk '{ print $3 }'`;
+ $interrupt_sec = `vmstat -i | grep $real_interface | awk '{ print $4 }'`;
+ if(strstr($interrupt_total, "hci")) {
+ $interrupt_total = `vmstat -i | grep $real_interface | awk '{ print $4 }'`;
+ $interrupt_sec = `vmstat -i | grep $real_interface | awk '{ print $5 }'`;
+ }
+ unset($interrupt_total); // XXX: FIX ME! Need a regex and parse correct data 100% of the time.
+?>
+<?php if($interrupt_total): ?>
+ <tr>
+ <td width="22%" class="vncellt"><?=gettext("Interrupts/Second");?></td>
+ <td width="78%" class="listr">
+ <?php
+ echo $interrupt_total . " " . gettext("total");
+ echo "<br/>";
+ echo $interrupt_sec . " " . gettext("rate");
+ ?>
+ </td>
+ </tr>
+<?php endif; ?>
+<?php endif; ?>
+<?php $i++; endforeach; ?>
+</table>
+
+<br/>
+
+</strong><?php printf(gettext("Using dial-on-demand will bring the connection up again if any packet ".
+"triggers it. To substantiate this point: disconnecting manually ".
+"will %snot%s prevent dial-on-demand from making connections ".
+"to the outside! Don't use dial-on-demand if you want to make sure that the line ".
+"is kept disconnected."),'<strong>','</strong>')?>
+
+<?php include("fend.inc"); ?>
diff --git a/config/mactovendor/bin/status_wireless.php_ b/config/mactovendor/bin/status_wireless.php_
index fbc35538..8e54e06e 100644
--- a/config/mactovendor/bin/status_wireless.php_
+++ b/config/mactovendor/bin/status_wireless.php_
@@ -1,208 +1,208 @@
-<?php
-/*
- status_wireless.php
- Copyright (C) 2004 Scott Ullrich
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_MODULE: interfaces
-*/
-
-##|+PRIV
-##|*IDENT=page-diagnostics-wirelessstatus
-##|*NAME=Status: Wireless page
-##|*DESCR=Allow access to the 'Status: Wireless' page.
-##|*MATCH=status_wireless.php*
-##|-PRIV
-
-require_once("guiconfig.inc");
-
-$pgtitle = array(gettext("Status"),gettext("Wireless"));
-include("head.inc");
-
-$if = $_POST['if'];
-if($_GET['if'] <> "")
- $if = $_GET['if'];
-
-$ciflist = get_configured_interface_with_descr();
-if(empty($if)) {
- /* Find the first interface
- that is wireless */
- foreach($ciflist as $interface => $ifdescr) {
- if(is_interface_wireless(get_real_interface($interface))) {
- $if = $interface;
- break;
- }
- }
-}
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php
-include("fbegin.inc");
-?>
-<form action="status_wireless.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
-<tr><td>
-<?php
-$tab_array = array();
-foreach($ciflist as $interface => $ifdescr) {
- if (is_interface_wireless(get_real_interface($interface))) {
- $enabled = false;
- if($if == $interface)
- $enabled = true;
- $tab_array[] = array(gettext("Status") . " ({$ifdescr})", $enabled, "status_wireless.php?if={$interface}");
- }
-}
-$rwlif = get_real_interface($if);
-if($_POST['rescanwifi'] <> "") {
- mwexec_bg("/sbin/ifconfig {$rwlif} scan 2>&1");
- $savemsg = gettext("Rescan has been initiated in the background. Refresh this page in 10 seconds to see the results.");
-}
-if ($savemsg) print_info_box($savemsg);
-display_top_tabs($tab_array);
-?>
-</td></tr>
-<tr><td>
-<div id="mainarea">
-<table class="tabcont" colspan="3" cellpadding="3" width="100%">
-<?php
-
- // Load MAC-Manufacturer table
- $macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
- if ($macs){
- foreach ($macs as $line){
- if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
- /* store values like this $mac_man['000C29']='VMware' */
- $mac_man["$matches[1]"]=$matches[2];
- }
- }
- }
-
- /* table header */
- print "<input type=\"hidden\" name=\"if\" id=\"if\" value=\"{$if}\">\n";
- print "<tr><td colspan=7><b><input type=\"submit\" name=\"rescanwifi\" id=\"rescanwifi\" value=\"Rescan\"><br/></td></tr>\n";
- print "<tr><td colspan=7><b>" . gettext("Nearby access points or ad-hoc peers") . ".<br/></td></tr>\n";
- print "\n<tr>";
- print "<tr bgcolor='#990000'>";
- print "<td><b><font color='#ffffff'>SSID</td>";
- print "<td><b><font color='#ffffff'>BSSID</td>";
- print "<td><b><font color='#ffffff'>CHAN</td>";
- print "<td><b><font color='#ffffff'>RATE</td>";
- print "<td><b><font color='#ffffff'>RSSI</td>";
- print "<td><b><font color='#ffffff'>INT</td>";
- print "<td><b><font color='#ffffff'>CAPS</td>";
- print "</tr>\n\n";
-
- exec("/sbin/ifconfig {$rwlif} list scan 2>&1", $states, $ret);
- /* Skip Header */
- array_shift($states);
-
- $counter=0;
- foreach($states as $state) {
- /* Split by Mac address for the SSID Field */
- $split = preg_split("/([0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f])/i", $state);
- preg_match("/([0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f])/i", $state, $bssid);
- $ssid = htmlspecialchars($split[0]);
- $bssid = $bssid[0];
- /* Split the rest by using spaces for this line using the 2nd part */
- $split = preg_split("/[ ]+/i", $split[1]);
- $channel = $split[1];
- $rate = $split[2];
- $rssi = $split[3];
- $int = $split[4];
- $caps = "$split[5] $split[6] $split[7] $split[8] $split[9] $split[10] $split[11] ";
-
- print "<tr>";
- print "<td>{$ssid}</td>";
- $mac_hi = strtoupper($bssid[0] . $bssid[1] . $bssid[3] . $bssid[4] . $bssid[6] . $bssid[7]);
- if(isset($mac_man[$mac_hi])){
- $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
- print "<td><span title=\"$bssid, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($bssid, 8) . "</span></td>";
- }else
- print "<td>{$bssid}</td>";
- print "<td>{$channel}</td>";
- print "<td>{$rate}</td>";
- print "<td>{$rssi}</td>";
- print "<td>{$int}</td>";
- print "<td>{$caps}</td>";
- print "</tr>\n";
- }
-
- print "</table><table class=\"tabcont\" colspan=\"3\" cellpadding=\"3\" width=\"100%\">";
-
- /* table header */
- print "\n<tr>";
- print "<tr><td colspan=7><b>" . gettext("Associated or ad-hoc peers") . "<br/></td></tr>\n";
- print "<tr bgcolor='#990000'>";
- print "<td><b><font color='#ffffff'>ADDR</td>";
- print "<td><b><font color='#ffffff'>AID</td>";
- print "<td><b><font color='#ffffff'>CHAN</td>";
- print "<td><b><font color='#ffffff'>RATE</td>";
- print "<td><b><font color='#ffffff'>RSSI</td>";
- print "<td><b><font color='#ffffff'>IDLE</td>";
- print "<td><b><font color='#ffffff'>TXSEQ</td>";
- print "<td><b><font color='#ffffff'>RXSEQ</td>";
- print "<td><b><font color='#ffffff'>CAPS</td>";
- print "<td><b><font color='#ffffff'>ERP</td>";
- print "</tr>\n\n";
-
- $states = array();
- exec("/sbin/ifconfig {$rwlif} list sta 2>&1", $states, $ret);
- array_shift($states);
-
- $counter=0;
- foreach($states as $state) {
- $split = preg_split("/[ ]+/i", $state);
- /* Split the rest by using spaces for this line using the 2nd part */
- print "<tr>";
- print "<td>{$split[0]}</td>";
- print "<td>{$split[1]}</td>";
- print "<td>{$split[2]}</td>";
- print "<td>{$split[3]}</td>";
- print "<td>{$split[4]}</td>";
- print "<td>{$split[5]}</td>";
- print "<td>{$split[6]}</td>";
- print "<td>{$split[7]}</td>";
- print "<td>{$split[8]}</td>";
- print "<td>{$split[9]}</td>";
- print "</tr>\n";
- }
-
-/* XXX: what stats to we get for adhoc mode? */
-
-?>
-</table>
-</div><br>
- <b>Flags:</b> A = authorized, E = Extended Rate (802.11g), P = Power save mode<br>
- <b>Capabilities:</b> E = ESS (infrastructure mode), I = IBSS (ad-hoc mode), P = privacy (WEP/TKIP/AES),
- S = Short preamble, s = Short slot time
-</td></tr>
-</table>
-
-<?php include("fend.inc"); ?>
-</body>
-</html>
+<?php
+/*
+ status_wireless.php
+ Copyright (C) 2004 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/*
+ pfSense_MODULE: interfaces
+*/
+
+##|+PRIV
+##|*IDENT=page-diagnostics-wirelessstatus
+##|*NAME=Status: Wireless page
+##|*DESCR=Allow access to the 'Status: Wireless' page.
+##|*MATCH=status_wireless.php*
+##|-PRIV
+
+require_once("guiconfig.inc");
+
+$pgtitle = array(gettext("Status"),gettext("Wireless"));
+include("head.inc");
+
+$if = $_POST['if'];
+if($_GET['if'] <> "")
+ $if = $_GET['if'];
+
+$ciflist = get_configured_interface_with_descr();
+if(empty($if)) {
+ /* Find the first interface
+ that is wireless */
+ foreach($ciflist as $interface => $ifdescr) {
+ if(is_interface_wireless(get_real_interface($interface))) {
+ $if = $interface;
+ break;
+ }
+ }
+}
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php
+include("fbegin.inc");
+?>
+<form action="status_wireless.php" method="post">
+<?php if ($savemsg) print_info_box($savemsg); ?>
+
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr><td>
+<?php
+$tab_array = array();
+foreach($ciflist as $interface => $ifdescr) {
+ if (is_interface_wireless(get_real_interface($interface))) {
+ $enabled = false;
+ if($if == $interface)
+ $enabled = true;
+ $tab_array[] = array(gettext("Status") . " ({$ifdescr})", $enabled, "status_wireless.php?if={$interface}");
+ }
+}
+$rwlif = get_real_interface($if);
+if($_POST['rescanwifi'] <> "") {
+ mwexec_bg("/sbin/ifconfig {$rwlif} scan 2>&1");
+ $savemsg = gettext("Rescan has been initiated in the background. Refresh this page in 10 seconds to see the results.");
+}
+if ($savemsg) print_info_box($savemsg);
+display_top_tabs($tab_array);
+?>
+</td></tr>
+<tr><td>
+<div id="mainarea">
+<table class="tabcont" colspan="3" cellpadding="3" width="100%">
+<?php
+
+ // Load MAC-Manufacturer table
+ $macs=file("/usr/local/pkg/mactovendor/mac-prefixes");
+ if ($macs){
+ foreach ($macs as $line){
+ if (preg_match('/([0-9A-Fa-f]{6}) (.*)$/', $line, $matches)){
+ /* store values like this $mac_man['000C29']='VMware' */
+ $mac_man["$matches[1]"]=$matches[2];
+ }
+ }
+ }
+
+ /* table header */
+ print "<input type=\"hidden\" name=\"if\" id=\"if\" value=\"{$if}\">\n";
+ print "<tr><td colspan=7><b><input type=\"submit\" name=\"rescanwifi\" id=\"rescanwifi\" value=\"Rescan\"><br/></td></tr>\n";
+ print "<tr><td colspan=7><b>" . gettext("Nearby access points or ad-hoc peers") . ".<br/></td></tr>\n";
+ print "\n<tr>";
+ print "<tr bgcolor='#990000'>";
+ print "<td><b><font color='#ffffff'>SSID</td>";
+ print "<td><b><font color='#ffffff'>BSSID</td>";
+ print "<td><b><font color='#ffffff'>CHAN</td>";
+ print "<td><b><font color='#ffffff'>RATE</td>";
+ print "<td><b><font color='#ffffff'>RSSI</td>";
+ print "<td><b><font color='#ffffff'>INT</td>";
+ print "<td><b><font color='#ffffff'>CAPS</td>";
+ print "</tr>\n\n";
+
+ exec("/sbin/ifconfig {$rwlif} list scan 2>&1", $states, $ret);
+ /* Skip Header */
+ array_shift($states);
+
+ $counter=0;
+ foreach($states as $state) {
+ /* Split by Mac address for the SSID Field */
+ $split = preg_split("/([0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f])/i", $state);
+ preg_match("/([0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f]\:[0-9a-f][[0-9a-f])/i", $state, $bssid);
+ $ssid = htmlspecialchars($split[0]);
+ $bssid = $bssid[0];
+ /* Split the rest by using spaces for this line using the 2nd part */
+ $split = preg_split("/[ ]+/i", $split[1]);
+ $channel = $split[1];
+ $rate = $split[2];
+ $rssi = $split[3];
+ $int = $split[4];
+ $caps = "$split[5] $split[6] $split[7] $split[8] $split[9] $split[10] $split[11] ";
+
+ print "<tr>";
+ print "<td>{$ssid}</td>";
+ $mac_hi = strtoupper($bssid[0] . $bssid[1] . $bssid[3] . $bssid[4] . $bssid[6] . $bssid[7]);
+ if(isset($mac_man[$mac_hi])){
+ $mac_man_ar = explode(' ', $mac_man[$mac_hi]);
+ print "<td><span title=\"$bssid, {$mac_man[$mac_hi]}\">" . $mac_man_ar[0] . substr($bssid, 8) . "</span></td>";
+ }else
+ print "<td>{$bssid}</td>";
+ print "<td>{$channel}</td>";
+ print "<td>{$rate}</td>";
+ print "<td>{$rssi}</td>";
+ print "<td>{$int}</td>";
+ print "<td>{$caps}</td>";
+ print "</tr>\n";
+ }
+
+ print "</table><table class=\"tabcont\" colspan=\"3\" cellpadding=\"3\" width=\"100%\">";
+
+ /* table header */
+ print "\n<tr>";
+ print "<tr><td colspan=7><b>" . gettext("Associated or ad-hoc peers") . "<br/></td></tr>\n";
+ print "<tr bgcolor='#990000'>";
+ print "<td><b><font color='#ffffff'>ADDR</td>";
+ print "<td><b><font color='#ffffff'>AID</td>";
+ print "<td><b><font color='#ffffff'>CHAN</td>";
+ print "<td><b><font color='#ffffff'>RATE</td>";
+ print "<td><b><font color='#ffffff'>RSSI</td>";
+ print "<td><b><font color='#ffffff'>IDLE</td>";
+ print "<td><b><font color='#ffffff'>TXSEQ</td>";
+ print "<td><b><font color='#ffffff'>RXSEQ</td>";
+ print "<td><b><font color='#ffffff'>CAPS</td>";
+ print "<td><b><font color='#ffffff'>ERP</td>";
+ print "</tr>\n\n";
+
+ $states = array();
+ exec("/sbin/ifconfig {$rwlif} list sta 2>&1", $states, $ret);
+ array_shift($states);
+
+ $counter=0;
+ foreach($states as $state) {
+ $split = preg_split("/[ ]+/i", $state);
+ /* Split the rest by using spaces for this line using the 2nd part */
+ print "<tr>";
+ print "<td>{$split[0]}</td>";
+ print "<td>{$split[1]}</td>";
+ print "<td>{$split[2]}</td>";
+ print "<td>{$split[3]}</td>";
+ print "<td>{$split[4]}</td>";
+ print "<td>{$split[5]}</td>";
+ print "<td>{$split[6]}</td>";
+ print "<td>{$split[7]}</td>";
+ print "<td>{$split[8]}</td>";
+ print "<td>{$split[9]}</td>";
+ print "</tr>\n";
+ }
+
+/* XXX: what stats to we get for adhoc mode? */
+
+?>
+</table>
+</div><br>
+ <b>Flags:</b> A = authorized, E = Extended Rate (802.11g), P = Power save mode<br>
+ <b>Capabilities:</b> E = ESS (infrastructure mode), I = IBSS (ad-hoc mode), P = privacy (WEP/TKIP/AES),
+ S = Short preamble, s = Short slot time
+</td></tr>
+</table>
+
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc
index 8ab31301..85b67ddf 100644
--- a/config/mailreport/mail_reports.inc
+++ b/config/mailreport/mail_reports.inc
@@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +require_once("globals.inc"); require_once("config.inc"); require_once("filter.inc"); require_once("rrd.inc");
@@ -42,6 +43,28 @@ $graph_length = array( "year" => 31622400, "4year" => 126489600); +$logfile_friendly = array( + "dhcpd" => "DHCP", + "filter" => "Firewall (raw)", + "gateways" => "Gateway Events", + "installer" => "Installation", + "ipsec" => "IPsec VPN", + "l2tps" => "L2TP Server (raw)", + "lighttpd" => "Web Server (lighttpd)", + "ntpd" => "NTP", + "openvpn" => "OpenVPN", + "poes" => "PPPoE Server (raw)", + "portalauth" => "Captive Portal Authentication", + "ppp" => "PPP", + "pptps" => "PPTP Server (raw)", + "relayd" => "Load Balancer (relayd)", + "resolver" => "DNS Resolver", + "routing" => "Routing", + "system" => "System", + "vpn" => "PPTP/L2TP/PPPoE Server Login Events", + "wireless" => "Wireless" +); + function get_dates($curperiod, $graph) { global $graph_length; $now = time();
@@ -162,7 +185,7 @@ function set_mail_report_cron_jobs($a_mailreports) { include('phpmailer/class.phpmailer.php'); -function mail_report_send($headertext, $attachments) { +function mail_report_send($headertext, $cmdtext, $logtext, $attachments) { global $config, $g; if (empty($config['notifications']['smtp']['ipaddress']))
@@ -191,7 +214,11 @@ function mail_report_send($headertext, $attachments) { $address = $config['notifications']['smtp']['notifyemailaddress']; $mail->AddAddress($address, "Report Recipient"); $mail->Subject = "{$config['system']['hostname']}.{$config['system']['domain']} Graph Report: {$headertext}"; - $mail->Body .= "This is a periodic graph report from your firewall, {$config['system']['hostname']}.{$config['system']['domain']}.<br/><br/>Current report: {$headertext}\n"; + $mail->Body .= "This is a periodic report from your firewall, {$config['system']['hostname']}.{$config['system']['domain']}.<br /><br />Current report: {$headertext}<br />\n<br />\n"; + if (!empty($cmdtext)) + $mail->Body .= $cmdtext; + if (!empty($logtext)) + $mail->Body .= $logtext; if(is_array($attachments)) { foreach($attachments as $filename) { $shortname = basename($filename);
@@ -203,7 +230,7 @@ function mail_report_send($headertext, $attachments) { if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { - echo "<strong>Message sent to {$userid}!</strong>\n"; + echo "<strong>Message sent to {$address}!</strong>\n"; } }
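Review bot: In the `@@ -191,7 +214,11 @@` hunk `$cmdtext` and `$logtext` are appended to `$mail->Body` verbatim, and the body is built as HTML (the `<br />` tags on the line above), while the only producer visible in this diff (`mail_reports_generate.php`, its `@@ -53,17 +53,42 @@` hunk) fills them with raw `exec()` output and log lines inside `<pre>` with no `htmlspecialchars()`, so any `<`, `&` or tag-like text in a log entry or command output is rendered as markup by the recipient's mail client instead of being shown. Log lines routinely carry strings chosen by remote peers (DHCP hostnames, syslog messages), so escape at the point where the lines are joined: `$cmdtext .= htmlspecialchars(implode("\n", $output));` and `$logtext .= htmlspecialchars(implode("\n", mail_report_get_log($log['logfile'], $lines, $filter)));`. If the intended contract is that callers pass pre-escaped HTML, state it on the function, e.g. `/* $cmdtext and $logtext are inserted into the HTML body unescaped; callers must escape them. */`. The body of `mail_report_send` starts and ends outside these hunks.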
@@ -1201,4 +1228,32 @@ function timeDiff($time, $opt = array()) { return $str; } +function mail_report_get_log($logfile, $tail, $grepfor) { + global $g, $config; + $logfile = "{$g['varlog_path']}/{$logfile}"; + $logarr = ""; + $grepline = " "; + if(is_array($grepfor)) + foreach($grepfor as $agrep) + $grepline .= " | grep \"$agrep\""; + if($config['system']['disablesyslogclog']) { + exec("cat {$logfile}{$grepline} | /usr/bin/tail -n {$tail}", $logarr); + } else { + if(isset($config['system']['usefifolog'])) { + exec("/usr/sbin/fifolog_reader {$logfile}{$grepline} | /usr/bin/tail -n {$tail}", $logarr); + } else { + exec("/usr/sbin/clog {$logfile}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -n {$tail}", $logarr); + } + } + return($logarr); +} + +function get_friendly_log_name($logfile) { + global $logfile_friendly; + $friendly = str_replace(".log", "", $logfile); + if (!empty($logfile_friendly[$friendly])) + $friendly = $logfile_friendly[$friendly]; + return $friendly; +} + ?>
diff --git a/config/mailreport/mail_reports_generate.php b/config/mailreport/mail_reports_generate.php
index 7ff7b71e..a784c596 100644
--- a/config/mailreport/mail_reports_generate.php
+++ b/config/mailreport/mail_reports_generate.php
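Review bot: `mail_report_get_log` builds its shell pipeline by interpolating `$logfile`, `$tail` and each `$grepfor` entry with no quoting beyond the double quotes placed around `$agrep`, so a log name, line count or filter string containing shell metacharacters or `..` path segments changes the command the report job executes. These values come from the package config (`$log['logfile']`, `$log['lines']`, `$log['detail']` in `mail_reports_generate.php`), so whoever sets them already has GUI access to the report page, but quoting is cheap and also keeps a filter containing a quote or `|` from silently breaking the pipeline. Suggested: `$logfile = escapeshellarg("{$g['varlog_path']}/" . basename($logfile));`, `$grepline .= " | grep " . escapeshellarg($agrep);` and `$tail = (int) $tail;` ahead of the `exec()` calls. `$logarr = "";` should be `$logarr = array();` so the initial value matches what the function returns rather than relying on `exec()` to replace the string, and a docblock such as `/* Return the last $tail lines of $logfile under $g['varlog_path'], piped through grep for each string in $grepfor; reads clog, fifolog or plain files according to the system log settings. */` would make the contract explicit.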
@@ -53,17 +53,42 @@ if (!$config['mailreports']['schedule'][$id])
 exit;
 
 $thisreport = $config['mailreports']['schedule'][$id];
+$cmds = $thisreport['cmd']['row'];
+$logs = $thisreport['log']['row'];
 $graphs = $thisreport['row'];
 
-// No graphs on the report, bail!
-if (!is_array($graphs) || !(count($graphs) > 0))
- exit;
+// If there is nothing to do, bail!
+if ((!is_array($cmds) || !(count($cmds) > 0))
+ && (!is_array($logs) || !(count($logs) > 0))
+ && (!is_array($graphs) || !(count($graphs) > 0)))
+ return;
 
 // Print report header
 
+// Print command output
+$cmdtext = "";
+foreach ($cmds as $cmd) {
+ $output = "";
+ $cmdtext .= "Command output: {$cmd['descr']} (" . htmlspecialchars($cmd['detail']) . ")<br />\n";
+ exec($cmd['detail'], $output);
+ $cmdtext .= "<pre>\n";
+ $cmdtext .= implode("\n", $output);
+ $cmdtext .= "\n</pre>";
+}
+
+// Print log output
+$logtext = "";
+foreach ($logs as $log) {
+ $lines = empty($log['lines']) ? 50 : $log['lines'];
+ $filter = empty($log['detail']) ? null : array($log['detail']);
+ $logtext .= "Log output: " . get_friendly_log_name($log['logfile']) . " ({$log['logfile']})<br />\n";
+ $logtext .= "<pre>\n";
+ $logtext .= implode("\n", mail_report_get_log($log['logfile'], $lines, $filter));
+ $logtext .= "\n</pre>";
+}
+
 // For each graph, print a header and the graph
 $attach = array();
-$idx=0;
 foreach ($graphs as $thisgraph) {
 $dates = get_dates($thisgraph['period'], $thisgraph['timespan']);
 $start = $dates['start'];
@@ -71,6 +96,6 @@ foreach ($graphs as $thisgraph) {
 $attach[] = mail_report_generate_graph($thisgraph['graph'], $thisgraph['style'], $thisgraph['timespan'], $start, $end);
 }
 
 
-mail_report_send($thisreport['descr'], $attach);
+mail_report_send($thisreport['descr'], $cmdtext, $logtext, $attach);
 ?>
\ No newline at end of file diff --git a/config/mailreport/mailreport.xml b/config/mailreport/mailreport.xml index 613ac42f..d27d3a28 100644 --- a/config/mailreport/mailreport.xml +++ b/config/mailreport/mailreport.xml @@ -37,7 +37,7 @@ ]]> </copyright> <name>mailreport</name> - <version>1.0</version> + <version>2.0.4</version> <title>Status: Mail Reports</title> <additional_files_needed> <prefix>/usr/local/bin/</prefix> @@ -70,11 +70,19 @@ </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> + <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_cmd.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_log.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_graph.php</item> </additional_files_needed> <menu> - <name>RRD E-Mail Reports</name> - <tooltiptext>Setup periodic e-mail reports with RRD graphs.</tooltiptext> + <name>E-Mail Reports</name> + <tooltiptext>Setup periodic e-mail reports.</tooltiptext> <section>Status</section> <url>/status_mail_report.php</url> </menu> diff --git a/config/mailreport/status_mail_report.php b/config/mailreport/status_mail_report.php index 4dc195bc..b1705fac 100644 --- a/config/mailreport/status_mail_report.php +++ b/config/mailreport/status_mail_report.php 
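Review bot: The captured command output and the log lines are inserted into the HTML body inside `<pre>` without escaping, while `$cmd['detail']` on the heading line is escaped, so anything in stdout or a log line that looks like markup is rendered by the mail client. Wrap both: `$cmdtext .= htmlspecialchars(implode("\n", $output));` and `$logtext .= htmlspecialchars(implode("\n", mail_report_get_log($log['logfile'], $lines, $filter)));`; `$cmd['descr']` on the heading line should be escaped the same way. The bail-out only returns when all three lists are empty, so a report with graphs but no `cmd` section reaches `foreach ($cmds as $cmd)` with `$cmds` null; default the two new variables with is_array() checks as the edit page does.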
@@ -74,11 +74,13 @@ include("head.inc"); <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td><div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td colspan="4">Here you can define a list of reports, containing multiple RRD graphs, to be sent by e-mail. </td></tr> + <tr><td colspan="4">Here you can define a list of reports to be sent by e-mail. </td></tr> <tr><td> </td></tr> <tr> - <td width="45%" class="listhdr"><?=gettext("Description");?></td> - <td width="35%" class="listhdr"><?=gettext("Schedule");?></td> + <td width="35%" class="listhdr"><?=gettext("Description");?></td> + <td width="25%" class="listhdr"><?=gettext("Schedule");?></td> + <td width="10%" class="listhdr"><?=gettext("Cmds");?></td> + <td width="10%" class="listhdr"><?=gettext("Logs");?></td> <td width="10%" class="listhdr"><?=gettext("Graphs");?></td> <td width="10%" class="list"><a href="status_mail_report_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> @@ -86,6 +88,8 @@ include("head.inc"); <tr ondblclick="document.location='status_mail_report_edit.php?id=<?=$i;?>'"> <td class="listlr"><?php echo $mailreport['descr']; ?></td> <td class="listlr"><?php echo $mailreport['schedule_friendly']; ?></td> + <td class="listlr"><?php echo count($mailreport['cmd']['row']); ?></td> + <td class="listlr"><?php echo count($mailreport['log']['row']); ?></td> <td class="listlr"><?php echo count($mailreport['row']); ?></td> <td valign="middle" nowrap class="list"> <a href="status_mail_report_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> 
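Review bot: The two new cells call count() on `$mailreport['cmd']['row']` and `$mailreport['log']['row']`, keys that do not exist for reports saved before this version, and count() on null emits a warning (a TypeError on PHP 8). Use `<?php echo count((array)$mailreport['cmd']['row']); ?>` and the same cast for the log cell, or mirror the is_array() defaults the edit page applies. The existing graphs cell has the same shape but its `row` key is created by the edit page on every save.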
@@ -95,7 +99,7 @@ include("head.inc"); </tr> <?php $i++; endforeach; ?> <tr> - <td class="list" colspan="3"></td> + <td class="list" colspan="5"></td> <td class="list"><a href="status_mail_report_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> <tr> diff --git a/config/mailreport/status_mail_report_add_cmd.php b/config/mailreport/status_mail_report_add_cmd.php new file mode 100644 index 00000000..7693f7a4 --- /dev/null +++ b/config/mailreport/status_mail_report_add_cmd.php 
@@ -0,0 +1,146 @@ +<?php +/* $Id$ */ +/* + status_rrd_graph.php + Part of pfSense + Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-status-rrdgraphs +##|*NAME=Status: RRD Graphs page +##|*DESCR=Allow access to the 'Status: RRD Graphs' page. 
+##|*MATCH=status_rrd_graph.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("mail_reports.inc"); + +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; + +if (!is_array($config['mailreports']['schedule'])) + $config['mailreports']['schedule'] = array(); + +$a_mailreports = &$config['mailreports']['schedule']; + +if (!isset($reportid) || !isset($a_mailreports[$reportid])) { + header("Location: status_mail_report.php"); + return; +} + +if (!is_array($a_mailreports[$reportid]['cmd']['row'])) { + $a_mailreports[$reportid]['cmd'] = array(); + $a_mailreports[$reportid]['cmd']['row'] = array(); +} +$a_cmds = $a_mailreports[$reportid]['cmd']['row']; + +if (isset($id) && $a_cmds[$id]) { + $pconfig = $a_cmds[$id]; +} else { + $pconfig = array(); +} + +if (isset($id) && !($a_cmds[$id])) { + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + +if ($_POST) { + unset($_POST['__csrf_magic']); + $pconfig = $_POST; + + if (isset($id) && $a_cmds[$id]) + $a_cmds[$id] = $pconfig; + else + $a_cmds[] = $pconfig; + + $a_mailreports[$reportid]['cmd']['row'] = $a_cmds; + + write_config(); + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + + +$pgtitle = array(gettext("Status"),gettext("Add Mail Report Command")); +include("head.inc"); +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td><div id="mainarea"> + <form action="status_mail_report_add_cmd.php" method="post" name="iform" id="iform"> + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="1"> + <tr> + <td class="listtopic" colspan="2">Command Settings</td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("Name:");?> + </td> + <td width="80%" class="listhdr"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="20" value="<?=htmlspecialchars($pconfig['descr']);?>"> + </td> + </tr> + <tr> + 
<td class="listhdr"> + <?=gettext("Command:");?> + </td> + <td class="listhdr"> + <input name="detail" type="text" class="formfld unknown" id="detail" size="60" value="<?=htmlspecialchars($pconfig['detail']);?>"> + </td> + </tr> + <tr> + <td> </td> + <td> + <br/>NOTE: Use full paths to commands to ensure they run properly. The command will be run during the report and its stdout output will be included in the report body. Be extremely careful what commands you choose to run, the same warnings apply as those when using Diagnostics > Command. + <br/> + <br/>Do not use this solely as a way to run a command on a schedule, use the Cron package for that purpose instead. + </td> + </tr> + <tr> + <td colspan="2" align="center"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> + <a href="status_mail_report_edit.php?id=<?php echo $reportid;?>"><input name="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>"></a> + <input name="reportid" type="hidden" value="<?=htmlspecialchars($reportid);?>"> + <?php if (isset($id) && $a_graphs[$id]): ?> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> + <?php endif; ?> + </td> + <td></td> + </tr> + </table> + </form> + </div></td></tr> +</table> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/mailreport/status_mail_report_add_graph.php b/config/mailreport/status_mail_report_add_graph.php index c0287367..165124f3 100644 --- a/config/mailreport/status_mail_report_add_graph.php +++ b/config/mailreport/status_mail_report_add_graph.php 
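Review bot: The hidden `id` field near the bottom of the form is gated on `$a_graphs[$id]`, which this file never defines, so editing an existing command posts without `id` and the save path appends a duplicate row instead of updating; the condition should be `<?php if (isset($id) && $a_cmds[$id]): ?>`. The `##|+PRIV` block is copied verbatim from status_rrd_graph.php (IDENT, NAME, DESCR and MATCH all name the RRD graphs page), so a page that stores shell commands for later execution shares its privilege definition with graph viewing; it should carry its own IDENT/NAME/DESCR and `##|*MATCH=status_mail_report_add_cmd.php*`, as presumably should the other new pages in this commit. The save path also writes the whole `$_POST` (including the `Submit` button value) into the config; copying only `descr` and `detail` keeps the stored row to the fields the generator reads.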
@@ -50,13 +50,8 @@ if(! isset($config['rrd']['enable'])) { header("Location: status_rrd_graph_settings.php"); } -$reportid = $_GET['reportid']; -if (isset($_POST['reportid'])) - $reportid = $_POST['reportid']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; if (!is_array($config['mailreports']['schedule'])) $config['mailreports']['schedule'] = array(); @@ -65,7 +60,7 @@ $a_mailreports = &$config['mailreports']['schedule']; if (!isset($reportid) || !isset($a_mailreports[$reportid])) { header("Location: status_mail_report.php"); - exit; + return; } if (!is_array($a_mailreports[$reportid]['row'])) @@ -80,7 +75,7 @@ if (isset($id) && $a_graphs[$id]) { if (isset($id) && !($a_graphs[$id])) { header("Location: status_mail_report_edit.php?id={$reportid}"); - exit; + return; } @@ -159,7 +154,7 @@ if ($_POST) { write_config(); header("Location: status_mail_report_edit.php?id={$reportid}"); - exit; + return; } diff --git a/config/mailreport/status_mail_report_add_log.php b/config/mailreport/status_mail_report_add_log.php new file mode 100644 index 00000000..75d092b5 --- /dev/null +++ b/config/mailreport/status_mail_report_add_log.php 
@@ -0,0 +1,162 @@ +<?php +/* $Id$ */ +/* + status_rrd_graph.php + Part of pfSense + Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-status-rrdgraphs +##|*NAME=Status: RRD Graphs page +##|*DESCR=Allow access to the 'Status: RRD Graphs' page. 
+##|*MATCH=status_rrd_graph.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("mail_reports.inc"); + +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; + +if (!is_array($config['mailreports']['schedule'])) + $config['mailreports']['schedule'] = array(); + +$a_mailreports = &$config['mailreports']['schedule']; + +if (!isset($reportid) || !isset($a_mailreports[$reportid])) { + header("Location: status_mail_report.php"); + return; +} + +if (!is_array($a_mailreports[$reportid]['log']['row'])) { + $a_mailreports[$reportid]['log'] = array(); + $a_mailreports[$reportid]['log']['row'] = array(); +} +$a_logs = $a_mailreports[$reportid]['log']['row']; + +if (isset($id) && $a_logs[$id]) { + $pconfig = $a_logs[$id]; +} else { + $pconfig = array(); +} + +if (isset($id) && !($a_logs[$id])) { + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + +$logpath = "/var/log/"; +chdir($logpath); +$logfiles = glob("*.log"); + +sort($logfiles); + +if ($_POST) { + unset($_POST['__csrf_magic']); + $pconfig = $_POST; + + if (isset($id) && $a_logs[$id]) + $a_logs[$id] = $pconfig; + else + $a_logs[] = $pconfig; + + $a_mailreports[$reportid]['log']['row'] = $a_logs; + + write_config(); + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + + +$pgtitle = array(gettext("Status"),gettext("Add Mail Report Log")); +include("head.inc"); +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td><div id="mainarea"> + <form action="status_mail_report_add_log.php" method="post" name="iform" id="iform"> + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="1"> + <tr> + <td class="listtopic" colspan="2">Log Settings</td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("Logs:");?> + </td> + <td width="80%" class="listhdr"> + <select name="logfile" class="formselect" style="z-index: -10;"> + 
<?php + foreach ($logfiles as $logfile) { + echo "<option value=\"{$logfile}\""; + if ($pconfig['logfile'] == $logfile) { + echo " selected"; + } + echo ">" . htmlspecialchars(get_friendly_log_name($logfile)) . "</option>\n"; + } + ?> + </select> + </td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("# Rows:");?> + </td> + <td width="80%" class="listhdr"> + <input name="lines" type="text" class="formfld unknown" id="lines" size="10" value="<?=htmlspecialchars($pconfig['lines']);?>"> + </td> + </tr> + <tr> + <td class="listhdr"> + <?=gettext("Filter:");?> + </td> + <td class="listhdr"> + <input name="detail" type="text" class="formfld unknown" id="detail" size="60" value="<?=htmlspecialchars($pconfig['detail']);?>"> + </td> + </tr> + <tr> + <td colspan="2" align="center"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> + <a href="status_mail_report_edit.php?id=<?php echo $reportid;?>"><input name="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>"></a> + <input name="reportid" type="hidden" value="<?=htmlspecialchars($reportid);?>"> + <?php if (isset($id) && $a_logs[$id]): ?> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> + <?php endif; ?> + </td> + <td></td> + </tr> + </table> + </form> + </div></td></tr> +</table> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/mailreport/status_mail_report_edit.php b/config/mailreport/status_mail_report_edit.php index 3102e958..dcfa6d98 100644 --- a/config/mailreport/status_mail_report_edit.php +++ b/config/mailreport/status_mail_report_edit.php 
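Review bot: The save path stores `$_POST` unchecked, even though `$logfiles` is computed on this page precisely to enumerate the permitted names, and `lines` and `detail` are later interpolated into a shell command by mail_report_get_log(). Validate before writing: `if (!in_array($_POST['logfile'], $logfiles, true)) $input_errors[] = gettext("Invalid log file.");` and `if (!empty($_POST['lines']) && !ctype_digit((string)$_POST['lines'])) $input_errors[] = gettext("Rows must be a number.");`, then call write_config() only when `$input_errors` is empty. `chdir("/var/log/")` changes the working directory for the rest of the request; `glob("{$g['varlog_path']}/*.log")` with basename() on each entry avoids that and uses the same path the generator reads from.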
@@ -44,16 +44,13 @@ require_once("mail_reports.inc"); /* if the rrd graphs are not enabled redirect to settings page */ if(! isset($config['rrd']['enable'])) { header("Location: status_rrd_graph_settings.php"); - exit; + return; } -$graphid = $_GET['graphid']; -if (isset($_POST['graphid'])) - $graphid = $_POST['graphid']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; +$cmdid = $_REQUEST['cmdid']; +$logid = $_REQUEST['logid']; +$graphid = $_REQUEST['graphid']; +$id = $_REQUEST['id']; if (!is_array($config['mailreports']['schedule'])) $config['mailreports']['schedule'] = array(); @@ -63,19 +60,40 @@ if (isset($id) && $a_mailreports[$id]) { if (!is_array($a_mailreports[$id]['row'])) $a_mailreports[$id]['row'] = array(); $pconfig = $a_mailreports[$id]; + $a_cmds = $a_mailreports[$id]['cmd']['row']; + $a_logs = $a_mailreports[$id]['log']['row']; $a_graphs = $a_mailreports[$id]['row']; -} else { +} + +if (!is_array($pconfig)) $pconfig = array(); +if (!is_array($a_cmds)) + $a_cmds = array(); +if (!is_array($a_logs)) + $a_logs = array(); +if (!is_array($a_graphs)) $a_graphs = array(); -} + if ($_GET['act'] == "del") { - if ($a_graphs[$graphid]) { + if (is_numeric($cmdid) && $a_cmds[$cmdid]) { + unset($a_cmds[$cmdid]); + $a_mailreports[$id]['cmd']['row'] = $a_cmds; + write_config(); + header("Location: status_mail_report_edit.php?id={$id}"); + return; + } elseif (is_numeric($logid) && $a_logs[$logid]) { + unset($a_logs[$logid]); + $a_mailreports[$id]['log']['row'] = $a_logs; + write_config(); + header("Location: status_mail_report_edit.php?id={$id}"); + return; + } elseif (is_numeric($graphid) && $a_graphs[$graphid]) { unset($a_graphs[$graphid]); $a_mailreports[$id]['row'] = $a_graphs; write_config(); header("Location: status_mail_report_edit.php?id={$id}"); - exit; + return; } } 
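Review bot: The new cmd and log `act=del` branches delete an entry and write the config from a plain GET link (`status_mail_report_edit.php?act=del&id=...&cmdid=...` in the list rows) with no token checked; the add pages in this commit already rely on csrf-magic for POST, so moving the delete to a POST, or checking the same token on this path, would close the gap. The three branches differ only in the key they touch, so a small helper taking the row key would avoid the triplicated write_config()/header()/return sequence. The `$_GET['act']` block itself is pre-existing; only the two new branches are in scope here.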
@@ -97,7 +115,7 @@ if ($_POST) { if ($_POST['Submit'] == "Send Now") { mwexec_bg("/usr/local/bin/mail_reports_generate.php {$id}"); header("Location: status_mail_report_edit.php?id={$id}"); - exit; + return; } $friendly = ""; @@ -124,7 +142,9 @@ if ($_POST) { unset($pconfig['dayofmonth']); } - // Copy graphs back into the schedule. + // Copy back into the schedule. + $pconfig['cmd']["row"] = $a_cmds; + $pconfig['log']["row"] = $a_logs; $pconfig["row"] = $a_graphs; $pconfig['schedule_friendly'] = $friendly; @@ -139,7 +159,7 @@ if ($_POST) { write_config(); configure_cron(); header("Location: status_mail_report.php"); - exit; + return; } $pgtitle = array(gettext("Status"),gettext("Edit Mail Reports")); 
@@ -220,6 +240,78 @@ include("head.inc"); <td></td> </tr> <tr> + <td class="listtopic" colspan="4">Report Commands</td> + <td></td> + </tr> + <tr> + <td width="30%" class="listhdr"><?=gettext("Name");?></td> + <td width="60%" colspan="3" class="listhdr"><?=gettext("Command");?></td> + <td width="10%" class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + </td> + <?php else: ?> + </td> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> + <?php endif; ?> + </tr> + <?php $i = 0; foreach ($a_cmds as $cmd): ?> + <tr ondblclick="document.location='status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> + <td class="listlr"><?php echo htmlspecialchars($cmd['descr']); ?></td> + <td colspan="3" class="listlr"><?php echo htmlspecialchars($cmd['detail']); ?></td> + <td valign="middle" nowrap class="list"> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> + + <a href="status_mail_report_edit.php?act=del&id=<?php echo $id ;?>&cmdid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + <?php endif; ?> + </td> + </tr> + <tr> + <td class="listtopic" colspan="4">Report Logs</td> + <td></td> + </tr> + <tr> + <td 
width="30%" class="listhdr"><?=gettext("Log");?></td> + <td width="20%" class="listhdr"><?=gettext("# Rows");?></td> + <td width="40%" colspan="2" class="listhdr"><?=gettext("Filter");?></td> + <td width="10%" class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_log.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + </td> + <?php else: ?> + </td> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> + <?php endif; ?> + </tr> + <?php $i = 0; foreach ($a_logs as $log): ?> + <tr ondblclick="document.location='status_mail_report_add_log.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> + <td class="listlr"><?php echo get_friendly_log_name($log['logfile']); ?></td> + <td class="listlr"><?php echo $log['lines']; ?></td> + <td colspan="2" class="listlr"><?php echo $log['detail']; ?></td> + <td valign="middle" nowrap class="list"> + <a href="status_mail_report_add_log.php?reportid=<?php echo $id ;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> + + <a href="status_mail_report_edit.php?act=del&id=<?php echo $id ;?>&logid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_log.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + <?php endif; ?> + </td> + </tr> + <tr> <td class="listtopic" colspan="4">Report Graphs</td> <td></td> </tr> 
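Review bot: In the Report Logs rows `$log['lines']` and `$log['detail']` are echoed raw, while the command rows above escape both columns with htmlspecialchars(); the filter is free text saved from the add-log form, so it is rendered as markup here. Change the two cells to `<td class="listlr"><?php echo htmlspecialchars($log['lines']); ?></td>` and `<td colspan="2" class="listlr"><?php echo htmlspecialchars($log['detail']); ?></td>`. The get_friendly_log_name() output in the first cell should be escaped the same way, as the add-log page's option list already does.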
@@ -234,7 +326,7 @@ include("head.inc"); </td> <?php else: ?> </td> - <tr><td colspan="5" align="center"><br/>Save the report first, then you may add graphs.<br/></td></tr> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> <?php endif; ?> </tr> <?php $i = 0; foreach ($a_graphs as $graph): @@ -246,7 +338,7 @@ include("head.inc"); } $prettyprint = ucwords(implode(" :: ", $optionc)); ?> - <tr ondblclick="document.location='status_mail_report_edit.php?id=<?=$i;?>'"> + <tr ondblclick="document.location='status_mail_report_add_graph.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> <td class="listlr"><?php echo $prettyprint; ?></td> <td class="listlr"><?php echo $graph['style']; ?></td> <td class="listlr"><?php echo $graph['timespan']; ?></td> diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc index 3ff4cd40..1ba0a4ca 100644 --- a/config/mailscanner/mailscanner.inc +++ b/config/mailscanner/mailscanner.inc @@ -2,16 +2,16 @@ /* postfix.inc part of the Postfix package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright + 2. Redistributions in binary form MUST reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
@@ -32,6 +32,12 @@ require_once("util.inc"); require("globals.inc"); #require("guiconfig.inc"); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('MAILSCANNER_LOCALBASE', '/usr/pbi/mailscanner-' . php_uname("m")); +else + define('MAILSCANNER_LOCALBASE','/usr/local'); + $uname=posix_uname(); if ($uname['machine']=='amd64') ini_set('memory_limit', '250M'); @@ -40,7 +46,7 @@ function ms_text_area_decode($text){ return preg_replace('/\r\n/', "\n",base64_decode($text)); } -function sync_package_mailscanner() { +function sync_package_mailscanner($via_rpc=false) { global $config; # detect boot process @@ -51,7 +57,7 @@ function sync_package_mailscanner() { $boot_process="on"; } exec('/bin/pgrep -f MailScanner',$pgrep_out); - if (count($pgrep_out) > 0 && isset($boot_process)) + if (count($pgrep_out) > 0 && isset($boot_process) && $via_rpc==false) return; #check default config @@ -254,7 +260,7 @@ function sync_package_mailscanner() { Language Strings = %report-dir%/languages.conf */ #check files - $mailscanner_dir="/usr/local/etc/MailScanner"; + $mailscanner_dir=MAILSCANNER_LOCALBASE ."/etc/MailScanner"; if($attachments['filename_rules'] == ""){ $config['installedpackages']['msattachments']['config'][0]['filename_rules']=base64_encode(file_get_contents($mailscanner_dir.'/archives.filename.rules.conf.sample')); @@ -303,7 +309,7 @@ Language Strings = %report-dir%/languages.conf $load_samples++; } - $report_dir="/usr/local/share/MailScanner/reports/".strtolower($report['language']); + $report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); #CHECK REPORT FILES $report_files= array('deletedbadcontent' => 'deleted.content.message.txt', 'deletedbadfilename' => 'deleted.filename.message.txt', 
@@ -383,12 +389,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf chown ("/var/spool/MailScanner/{$msc_dir}",'postfix'); } } - chown ('/var/spool/postfix','postfix'); + if (is_dir('/var/spool/postfix')) + chown ('/var/spool/postfix','postfix'); $mlang=strtolower($report['language']); - $mfiles[]="/usr/local/etc/MailScanner/virus.scanners.conf"; - $mfiles[]="/usr/local/share/MailScanner/reports/{$mlang}/inline.spam.warning.txt"; - $mfiles[]="/usr/local/share/MailScanner/reports/{$mlang}/languages.conf"; + $mfiles[]= MAILSCANNER_LOCALBASE. "/etc/MailScanner/virus.scanners.conf"; + $mfiles[]= MAILSCANNER_LOCALBASE. "/share/MailScanner/reports/{$mlang}/inline.spam.warning.txt"; + $mfiles[]= MAILSCANNER_LOCALBASE. "/share/MailScanner/reports/{$mlang}/languages.conf"; foreach ($mfiles as $mfile) if (! file_exists ($mfile) && file_exists($mfile.".sample")) @@ -511,7 +518,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf file_put_contents($report_dir.'/inline.warning.html',$warning_html,LOCK_EX); #check virus_scanner options - $libexec_dir="/usr/local/libexec/MailScanner/"; + $libexec_dir=MAILSCANNER_LOCALBASE. "/libexec/MailScanner/"; if ($virus_scanning == "yes"){ if ($antivirus['virus_scanner'] =="none"){ unlink_if_exists($libexec_dir.'clamav-autoupdate'); @@ -543,7 +550,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf chmod ($libexec_dir.'clamav-autoupdate',0755); if (!file_exists('/var/db/clamav/main.cvd')){ log_error('No clamav database found, running freshclam in background.'); - mwexec_bg('/usr/local/bin/freshclam'); + mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam'); } #clamav-wrapper file @@ -557,7 +564,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } #freshclam conf file - $cconf="/usr/local/etc/freshclam.conf"; + $cconf=MAILSCANNER_LOCALBASE. "/etc/freshclam.conf"; if (file_exists($conf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/DatabaseOwner clamav/',$cconf_file)){ 
@@ -567,7 +574,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } #clamd conf file - $cconf="/usr/local/etc/clamd.conf"; + $cconf=MAILSCANNER_LOCALBASE. "/etc/clamd.conf"; if (file_exists($conf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/User clamav/',$cconf_file)){ @@ -576,7 +583,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } #clamd script file - $script='/usr/local/etc/rc.d/clamav-clamd'; + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/clamav-clamd'; if (file_exists($script)){ $script_file=file($script); foreach ($script_file as $script_line){ @@ -590,7 +597,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } file_put_contents($script, $new_clamav_startup, LOCK_EX); - + mwexec("/usr/sbin/pw user show postfix || /usr/sbin/pw user add -n postfix -s /usr/sbin/nologin"); chmod ($script,0755); if($config['installedpackages']['mailscanner']['config'][0]['enable']){ if (is_process_running('clamd')){ @@ -617,7 +624,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } #check dcc config file - $script='/usr/local/dcc/dcc_conf'; + $script=MAILSCANNER_LOCALBASE. '/dcc/dcc_conf'; if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/DCCIFD_ENABLE=off/',$script_file)){ @@ -627,7 +634,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } #check dcc startup script - $script='/usr/local/etc/rc.d/dccifd'; + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/dccifd'; if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ 
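Review bot: The new `pw user add` line sits inside the `if (file_exists($script))` block for the clamav-clamd rc script (the block opens before this hunk), so the postfix account is only created when that script exists, which looks unrelated to why the account is needed; the chown() calls to `postfix` earlier in the function already assume it. Running the mwexec() ahead of those chown() calls, outside this conditional, would make the dependency explicit. A comment such as `# spool dirs are chown()ed to postfix below, which may not exist on a fresh install` would record the reason the package creates the user.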
@@ -654,13 +661,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } - $script='/usr/local/etc/rc.d/mailscanner'; + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/mailscanner'; #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner - $cconf="/usr/local/sbin/mailscanner"; + $cconf=MAILSCANNER_LOCALBASE. "/sbin/mailscanner"; if (file_exists($cconf)){ #check perl's version - exec('find /usr/local/lib/perl5/site_perl -name Df.pm',$find_out); + exec('find '.MAILSCANNER_LOCALBASE. '/lib/perl5/site_perl -name Df.pm',$find_out); $perl_bin="perl"; foreach($find_out as $perl_dir){ if (preg_match ('@usr/local/lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) @@ -670,12 +677,12 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf $cconf_file=file_get_contents($cconf); $pattern2[0]='@#!/usr.*bin/perl.*I@'; $pattern2[1]='/\smy .current = config MIME::ToolUtils/'; - $replacement2[0]='#!/usr/local/bin/'.$perl_bin.' -U -I'; + $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I"; $replacement2[1]=' #my $current = config MIME::ToolUtils'; if (preg_match('@#!/usr.*bin/perl.*I@',$cconf_file)){ $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); file_put_contents($cconf, $cconf_file, LOCK_EX); - } + } } if (file_exists($script)){ $script_file=file_get_contents($script); 
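Review bot: The find now searches under MAILSCANNER_LOCALBASE, but the preg_match on the next context line still anchors on `usr/local/lib/perl5/site_perl/`, so on a PBI install (where the constant is `/usr/pbi/mailscanner-<arch>`) no result matches and `$perl_bin` stays `"perl"`. Relax the pattern to `preg_match ('@lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)` or build it from the constant with preg_quote(). The loop body that consumes `$perl_match` continues outside the hunk.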
@@ -710,22 +717,56 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf if (isset($boot_process)) return; - $synconchanges = $config['installedpackages']['mailscannersync']['config'][0]['synconchanges']; - if(!$synconchanges && !$syncondbchanges) - return; - - log_error("[MailScanner] mailscanner_xmlrpc_sync.php is starting."); - foreach ($config['installedpackages']['mailscannersync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - $sync_type = $sh['sync_type']; - if($password && $sync_to_ip) - mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type); + /* Uses XMLRPC to synchronize the changes to a remote node */ + if (is_array($config['installedpackages']['mailscannersync'])){ + $mailscanner_sync=$config['installedpackages']['mailscannersync']['config'][0]; + $synctimeout = $mailscanner_sync['synctimeout']; + $synconchanges = $mailscanner_sync['synconchanges']; + switch ($synconchanges){ + case "manual": + if (is_array($mailscanner_sync[row])){ + $rs=$mailscanner_sync[row]; + } + else{ + log_error("[Mailscanner] xmlrpc sync is enabled but there is no hosts to push mailscanner config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + $rs[0]['enabless']=true; + if (! 
is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[Mailscanner] xmlrpc sync is enabled but there is no system backup hosts to push mailscanner config."); + return; + } + } + else{ + log_error("[Mailscanner] xmlrpc sync is enabled but there is no system backup hosts to push mailscanner config."); + return; + } + break; + default: + return; + break; } - } - log_error("[postfix] postfix_xmlrpc_sync.php is ending."); - + if (is_array($rs)){ + log_error("[Mailscanner] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($sh['password'] && $sh['ipaddress'] && $sh['enabless']) + mailscanner_do_xmlrpc_sync($sh['ipaddress'], $username, $sh['password'],$sh['sync_type'],$synctimeout); + } + log_error("[Mailscanner] xmlrpc sync is ending."); + } + } } function mailscanner_validate_input($post, &$input_errors) { @@ -751,23 +792,29 @@ function mailscanner_php_install_command() { function mailscanner_php_deinstall_command() { exec('/bin/pgrep -f MailScanner',$pgrep_out); if (count($pgreg_out) > 0){ - mwexec("/usr/local/etc/rc.d/mailscanner stop"); + mwexec(MAILSCANNER_LOCALBASE. "/etc/rc.d/mailscanner stop"); sleep(1); conf_mount_rw(); - unlink_if_exists("/usr/local/etc/rc.d/mailscanner"); + unlink_if_exists(MAILSCANNER_LOCALBASE. "/etc/rc.d/mailscanner"); conf_mount_ro(); } } -function mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { +function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout) { global $config, $g; + if(!$username) + $username="admin"; + if(!$password) return; if(!$sync_to_ip) return; + if(!$synctimeout) + $synctimeout=120; + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; 
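Review bot: `$mailscanner_sync[row]` in the manual branch uses an unquoted constant `row`; PHP resolves it to the string "row" only with a notice (and as an Error on PHP 8), so both occurrences should read `$mailscanner_sync['row']`. The auto branch fills `$rs[0]` with ipaddress/username/password/enabless but never `sync_type`, so `$sh['sync_type']` is undefined by the time it reaches mailscanner_do_xmlrpc_sync; set it with the others or document that an empty type is intended there. `$sync_to_ip = $sh['ipaddress'];` in the loop is assigned and never read, and the `break` after `return` in the default case is unreachable. The enclosing function starts outside this hunk.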
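Review bot: `if (count($pgreg_out) > 0)` on the context line checks a variable that is never set — the exec() output goes into `$pgrep_out` — so the stop/unlink path in mailscanner_php_deinstall_command never runs (and `count(null)` throws on PHP 8); it should read `count($pgrep_out)`. The new `$synctimeout=120` fallback in mailscanner_do_xmlrpc_sync disagrees with the 250-second default the sync form declares (hunk -90 of mailscanner_sync.xml) and with the 250 the old code used; pick one value and say where it comes from, e.g. `$synctimeout = 250; /* matches the synctimeout default in mailscanner_sync.xml */`. mailscanner_do_xmlrpc_sync continues outside this hunk.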
@@ -808,18 +855,18 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting mailscanner XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "Mailscanner Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting mailscanner XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "mailscanner Settings Sync", ""); @@ -830,7 +877,7 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { /* tell postfix to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/mailscanner.inc');\n"; - $execcmd .= "sync_package_mailscanner();"; + $execcmd .= "sync_package_mailscanner(true);"; /* assemble xmlrpc payload */ $params = array( 
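Review bot: The remote call string now passes a bare `true` to sync_package_mailscanner() and nothing on the page says what that flag asks the peer to do; the callee is not part of this diff. A short comment on the line naming what the argument enables (`// true: <what the flag requests — confirm against sync_package_mailscanner()>`) would make the intent reviewable, since this string is executed on the other host. mailscanner_do_xmlrpc_sync continues outside this hunk.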
@@ -841,15 +888,15 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { log_error("mailscanner XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting mailscanner XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "mailscanner Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting mailscanner XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "mailscanner Settings Sync", ""); diff --git a/config/mailscanner/mailscanner_antivirus.xml b/config/mailscanner/mailscanner_antivirus.xml index a6b94c0b..4a3bfe6c 100644 --- a/config/mailscanner/mailscanner_antivirus.xml +++ b/config/mailscanner/mailscanner_antivirus.xml 
@@ -100,9 +100,9 @@ <option><name>Virus Scanning (yes)</name><value>VirusScanning</value></option> <option><name>Deliver Disinfected Files (no)</name><value>DeliverDisinfectedFiles</value></option> <option><name>Still Deliver Silent Viruses (no)</name><value>StillDeliverSilentViruses</value></option> - <option><name>Block Encrypted Messages (no)</name><value>BlockEncryptedMessagese</value></option> + <option><name>Block Encrypted Messages (no)</name><value>BlockEncryptedMessages</value></option> <option><name>Block Unencrypted Messages (no)</name><value>BlockUnencryptedMessages</value></option> - <option><name>Allow Password-Protected Archives (no)</name><value>AllowPassword-ProtectedArchive</value></option> + <option><name>Allow Password-Protected Archives (no)</name><value>AllowPassword-ProtectedArchives</value></option> <option><name>Check Filenames In Password-Protected Archives (yes)</name><value>CheckFilenamesInPassword-ProtectedArchives</value></option> </options> <size>08</size> diff --git a/config/mailscanner/mailscanner_sync.xml b/config/mailscanner/mailscanner_sync.xml index da31e853..46f7dbfe 100644 --- a/config/mailscanner/mailscanner_sync.xml +++ b/config/mailscanner/mailscanner_sync.xml @@ -9,7 +9,7 @@ /* postfix_sync.xml part of the Postfix package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ 
@@ -17,10 +17,10 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright + 2. Redistributions in binary form MUST reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
@@ -90,10 +90,32 @@ <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync mailscanner configuration changes</fielddescr> + <fielddescr>Sync method</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Automatically sync postfix mailscanner changes.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> @@ -101,6 +123,11 @@ <type>rowhelper</type> <rowhelper> <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>enabless</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> <fielddescr>IP Address</fielddescr> <fieldname>ipaddress</fieldname> <description>IP Address of remote server</description> diff --git a/config/nrpe2/nrpe2.inc b/config/nrpe2/nrpe2.inc index cd3fa013..25964b16 100644 --- a/config/nrpe2/nrpe2.inc +++ b/config/nrpe2/nrpe2.inc 
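Review bot: The new `synconchanges` description reads `Automatically sync postfix mailscanner changes.`, a carry-over from the postfix package; `Automatically sync MailScanner configuration changes.` matches the rest of this form. The field also changes from a checkbox to a select, so a config saved by the previous version carries a checkbox value rather than `auto`/`manual`/`disabled`; with the switch in mailscanner.inc (hunk -710) such a value hits `default: return;` and sync silently stops after upgrade until the page is re-saved, which deserves either a migration step or a sentence in the description.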
@@ -159,8 +159,12 @@ function nrpe2_custom_php_write_config() { conf_mount_rw(); $cmds = array(); foreach ($config['installedpackages']['nrpe2']['config'][0]['row'] as $cmd) { + $sudo_bin = "/usr/local/bin/sudo"; + $sudo = (isset($cmd['sudo']) && is_executable($sudo_bin)) ? "{$sudo_bin} " : ""; + $wcmd = !empty($cmd['warning']) ? "-w {$cmd['warning']}" : ""; + $ccmd = !empty($cmd['critical']) ? "-c {$cmd['critical']}" : ""; if (is_executable("{$nagios_check_path}/{$cmd['command']}")) - $cmds[] = "command[{$cmd['name']}]={$nagios_check_path}/{$cmd['command']} -w {$cmd['warning']} -c {$cmd['critical']} {$cmd['extra']}\n"; + $cmds[] = "command[{$cmd['name']}]={$sudo}{$nagios_check_path}/{$cmd['command']} {$wcmd} {$ccmd} {$cmd['extra']}\n"; } $commands = implode($cmds); diff --git a/config/nrpe2/nrpe2.xml b/config/nrpe2/nrpe2.xml index cb99aacb..5b84b97f 100644 --- a/config/nrpe2/nrpe2.xml +++ b/config/nrpe2/nrpe2.xml @@ -3,7 +3,7 @@ <description>Nagios NRPEv2</description> <requirements>Describe your package requirements here</requirements> <name>nrpe2</name> - <version>2.11</version> + <version>2.2</version> <title>NRPEv2</title> <aftersaveredirect>/pkg_edit.php?xml=nrpe2.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/nrpe2.inc</include_file> @@ -81,6 +81,11 @@ <required/> </rowhelperfield> <rowhelperfield> + <fielddescr>Sudo</fielddescr> + <fieldname>sudo</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> <fielddescr>Command</fielddescr> <fieldname>command</fieldname> <type>select_source</type> diff --git a/config/nut/nut.xml b/config/nut/nut.xml index 75a5c246..9600beff 100644 --- a/config/nut/nut.xml +++ b/config/nut/nut.xml @@ -599,6 +599,10 @@ <name>pw</name> <value>pw</value> </option> + <option> + <name>cyberpower</name> + <value>cyberpower</value> + </option> </options> </field> <field> diff --git a/config/openbgpd/openbgpd.inc b/config/openbgpd/openbgpd.inc index 573745be..e1619a55 100644 --- a/config/openbgpd/openbgpd.inc 
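Review bot: `$sudo_bin` and its `is_executable()` probe are loop-invariant but are evaluated for every row; declare them once above the `foreach`. The sudo prefix takes effect without any sudoers entry being written here, so a comment on the `$sudo` line stating that the nrpe user must already be allowed to run the plugin via sudo would document the operator's prerequisite. The `warning`/`critical`/`extra` values still go into nrpe.cfg verbatim, and with `sudo` set they now reach a privileged command, so a note on what validates them upstream (or a character whitelist here) would be worth adding. The enclosing function starts and ends outside the hunk.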
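Review bot: The new `Sudo` row field has no `<description>`, unlike the neighbouring row fields, so the operator gets no hint that enabling it prefixes the check with /usr/local/bin/sudo and needs a matching sudoers rule; `<description>Run this check through sudo (requires a sudoers entry for the nrpe user)</description>` would cover it.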
+++ b/config/openbgpd/openbgpd.inc @@ -3,7 +3,7 @@ /* $Id$ */ /* openbgpd.inc - Copyright (C) 2007 Scott Ullrich (sullrich@gmail.com) + Copyright (C) 2007 Scott Ullrich (sullrich@gmail.com) part of pfSense All rights reserved. @@ -34,6 +34,12 @@ require_once("service-utils.inc"); define('PKG_BGPD_CONFIG_BASE', '/var/etc/openbgpd'); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('PKG_BGPD_BIN', '/usr/pbi/openbgpd-' . php_uname("m") . '/sbin'); +else + define('PKG_BGPD_BIN','/usr/local/sbin'); + define('PKG_BGPD_LOGIN', "_bgpd"); define('PKG_BGPD_UID', "130"); define('PKG_BGPD_GROUP', "_bgpd"); 
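Review bot: The new PBI detection relies on numeric coercion of a three-character version prefix (`$pf_version > 2.0`), which happens to work for `2.1` but is fragile; `version_compare($pf_version, '2.0', '>')` says what is meant and copes with longer version strings. A comment on the `define` stating what the code encodes (`// pfSense > 2.0 ships packages as PBIs under /usr/pbi/<name>-<arch>`) would help, and a failed read of /etc/version currently selects the /usr/local path silently, which may be worth a `log_error`.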
@@ -51,132 +57,133 @@ function openbgpd_install_conf() { $pkg_gecos = PKG_BGPD_GECOS; $pkg_homedir = PKG_BGPD_HOMEDIR; $pkg_shell = PKG_BGPD_SHELL; + $pkg_bin = PKG_BGPD_BIN; conf_mount_rw(); // Since we need to embed this in a string, copy to a var. Can't embed constnats. $bgpd_config_base = PKG_BGPD_CONFIG_BASE; - if ($config['installedpackages']['openbgpd']['rawconfig'] && $config['installedpackages']['openbgpd']['rawconfig']['item']) { - // if there is a raw config specified in the config.xml use that instead of the assisted config - $conffile = implode("\n",$config['installedpackages']['openbgpd']['rawconfig']['item']); - //$conffile = $config['installedpackages']['openbgpd']['rawconfig']; - } else { - // generate bgpd.conf based on the assistant - if($config['installedpackages']['openbgpd']['config']) - $openbgpd_conf = &$config['installedpackages']['openbgpd']['config'][0]; - if($config['installedpackages']['openbgpd']['config'][0]['row']) - $openbgpd_rows = &$config['installedpackages']['openbgpd']['config'][0]['row']; - if($config['installedpackages']['openbgpdgroups']['config']) - $openbgpd_groups = &$config['installedpackages']['openbgpdgroups']['config']; - if($config['installedpackages']['openbgpdneighbors']['config']) - $openbgpd_neighbors = &$config['installedpackages']['openbgpdneighbors']['config']; - - $conffile = "# This file was created by the package manager. Do not edit!\n\n"; - $setkeycf = ""; - - // Setup AS # - if($openbgpd_conf['asnum']) - $conffile .= "AS {$openbgpd_conf['asnum']}\n"; - - if($openbgpd_conf['fibupdate']) - $conffile .= "fib-update {$openbgpd_conf['fibupdate']}\n"; - - // Setup holdtime if defined. Default is 90. 
- if($openbgpd_conf['holdtime']) - $conffile .= "holdtime {$openbgpd_conf['holdtime']}\n"; - - // Specify listen ip - if($openbgpd_conf['listenip']) - $conffile .= "listen on {$openbgpd_conf['listenip']}\n"; - - // Specify router id - if($openbgpd_conf['routerid']) - $conffile .= "router-id {$openbgpd_conf['routerid']}\n"; - - // Handle advertised networks - if($config['installedpackages']['openbgpd']['config'][0]['row']) - if(is_array($openbgpd_rows)) - foreach($openbgpd_rows as $row) - $conffile .= "network {$row['networks']}\n"; - - // Attach neighbors to their respective group owner - if(is_array($openbgpd_groups)) { - foreach($openbgpd_groups as $group) { - $conffile .= "group \"{$group['name']}\" {\n"; - $conffile .= " remote-as {$group['remoteas']}\n"; - if(is_array($openbgpd_neighbors)) { - foreach($openbgpd_neighbors as $neighbor) { - if($neighbor['groupname'] == $group['name']) { - $conffile .= " neighbor {$neighbor['neighbor']} {\n"; - $conffile .= " descr \"{$neighbor['descr']}\"\n"; - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; - if($neighbor['md5sigpass']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 \"{$neighbor['md5sigpass']}\";\n"; - $conffile .= " tcp md5sig password {$neighbor['md5sigpass']}\n"; - } - if($neighbor['md5sigkey']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 0x{$neighbor['md5sigkey']};\n"; - $conffile .= " tcp md5sig key {$neighbor['md5sigkey']}\n"; - } - foreach($neighbor['row'] as $row) { - $conffile .= " {$row['parameters']} {$row['parmvalue']} \n"; - } - $conffile .= "}\n"; - } - } - } - $conffile .= "}\n"; - } - } - - // Handle neighbors that do not have a group assigned to them - if(is_array($openbgpd_neighbors)) { - foreach($openbgpd_neighbors as $neighbor) { - $used_this_item = false; - if($neighbor['groupname'] == "") { - $conffile .= "neighbor {$neighbor['neighbor']} {\n"; - 
$conffile .= " descr \"{$neighbor['descr']}\"\n"; - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; - if ($neighbor['md5sigpass']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 \"{$neighbor['md5sigpass']}\";\n"; - $conffile .= " tcp md5sig password {$neighbor['md5sigpass']}\n"; - } - if ($neighbor['md5sigkey']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 0x{$neighbor['md5sigkey']};\n"; - $conffile .= " tcp md5sig key {$neighbor['md5sigkey']}\n"; - } - $used_this_item = true; - foreach($neighbor['row'] as $row) { - $conffile .= " {$row['parameters']} {$row['parmvalue']} \n"; - } - } - if($used_this_item) - $conffile .= "}\n"; - } - } - - // OpenBGPD filters - $conffile .= "deny from any\n"; - $conffile .= "deny to any\n"; - if(is_array($openbgpd_neighbors)) { - foreach($openbgpd_neighbors as $neighbor) { - $conffile .= "allow from {$neighbor['neighbor']}\n"; - $conffile .= "allow to {$neighbor['neighbor']}\n"; - } - } - } - safe_mkdir($bgpd_config_base); - $fd = fopen("{$bgpd_config_base}/bgpd.conf", "w"); + if ($config['installedpackages']['openbgpd']['rawconfig'] && $config['installedpackages']['openbgpd']['rawconfig']['item']) { + // if there is a raw config specified in the config.xml use that instead of the assisted config + $conffile = implode("\n",$config['installedpackages']['openbgpd']['rawconfig']['item']); + //$conffile = $config['installedpackages']['openbgpd']['rawconfig']; + } else { + // generate bgpd.conf based on the assistant + if($config['installedpackages']['openbgpd']['config']) + $openbgpd_conf = &$config['installedpackages']['openbgpd']['config'][0]; + if($config['installedpackages']['openbgpd']['config'][0]['row']) + $openbgpd_rows = &$config['installedpackages']['openbgpd']['config'][0]['row']; + if($config['installedpackages']['openbgpdgroups']['config']) + $openbgpd_groups = 
&$config['installedpackages']['openbgpdgroups']['config']; + if($config['installedpackages']['openbgpdneighbors']['config']) + $openbgpd_neighbors = &$config['installedpackages']['openbgpdneighbors']['config']; + + $conffile = "# This file was created by the package manager. Do not edit!\n\n"; + + // Setup AS # + if($openbgpd_conf['asnum']) + $conffile .= "AS {$openbgpd_conf['asnum']}\n"; + + if($openbgpd_conf['fibupdate']) + $conffile .= "fib-update {$openbgpd_conf['fibupdate']}\n"; + + // Setup holdtime if defined. Default is 90. + if($openbgpd_conf['holdtime']) + $conffile .= "holdtime {$openbgpd_conf['holdtime']}\n"; + + // Specify listen ip + if($openbgpd_conf['listenip']) + $conffile .= "listen on {$openbgpd_conf['listenip']}\n"; + + // Specify router id + if($openbgpd_conf['routerid']) + $conffile .= "router-id {$openbgpd_conf['routerid']}\n"; + + // Handle advertised networks + if($config['installedpackages']['openbgpd']['config'][0]['row']) + if(is_array($openbgpd_rows)) + foreach($openbgpd_rows as $row) + $conffile .= "network {$row['networks']}\n"; + + // Attach neighbors to their respective group owner + if(is_array($openbgpd_groups)) { + foreach($openbgpd_groups as $group) { + $conffile .= "group \"{$group['name']}\" {\n"; + $conffile .= " remote-as {$group['remoteas']}\n"; + if(is_array($openbgpd_neighbors)) { + foreach($openbgpd_neighbors as $neighbor) { + if($neighbor['groupname'] == $group['name']) { + $conffile .= "\tneighbor {$neighbor['neighbor']} {\n"; + $conffile .= "\t\tdescr \"{$neighbor['descr']}\"\n"; + if($neighbor['md5sigpass']) { + $conffile .= "\t\ttcp md5sig password {$neighbor['md5sigpass']}\n"; + } + if($neighbor['md5sigkey']) { + $conffile .= "\t\ttcp md5sig key {$neighbor['md5sigkey']}\n"; + } + $setlocaladdr = true; + if (is_array($neighbor['row'])) { + foreach($neighbor['row'] as $row) { + if ($row['parameters'] == "local-address") + $setlocaladdr = false; + $conffile .= "\t\t{$row['parameters']} {$row['parmvalue']} \n"; + } + } 
+ if ($setlocaladdr == true) + $conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n"; + $conffile .= "}\n"; + } + } + } + $conffile .= "}\n"; + } + } - // Write out the configuration file - fwrite($fd, $conffile); + // Handle neighbors that do not have a group assigned to them + if(is_array($openbgpd_neighbors)) { + foreach($openbgpd_neighbors as $neighbor) { + if($neighbor['groupname'] == "") { + $conffile .= "neighbor {$neighbor['neighbor']} {\n"; + $conffile .= "\tdescr \"{$neighbor['descr']}\"\n"; + if ($neighbor['md5sigpass']) { + $conffile .= "\ttcp md5sig password {$neighbor['md5sigpass']}\n"; + } + if ($neighbor['md5sigkey']) { + $conffile .= "\ttcp md5sig key {$neighbor['md5sigkey']}\n"; + } + $setlocaladdr = true; + if (is_array($neighbor['row'])) { + foreach($neighbor['row'] as $row) { + if ($row['parameters'] == "local-address") + $setlocaladdr = false; + $conffile .= "\t{$row['parameters']} {$row['parmvalue']} \n"; + } + } + if ($setlocaladdr == true) + $conffile .= "\tlocal-address {$openbgpd_conf['listenip']}\n"; + $conffile .= "}\n"; + } + } + } - // Close file handle - fclose($fd); + // OpenBGPD filters + $conffile .= "deny from any\n"; + $conffile .= "deny to any\n"; + if(is_array($openbgpd_neighbors)) { + foreach($openbgpd_neighbors as $neighbor) { + $conffile .= "allow from {$neighbor['neighbor']}\n"; + $conffile .= "allow to {$neighbor['neighbor']}\n"; + } + } + } + safe_mkdir($bgpd_config_base); + // Write out the configuration file + @file_put_contents("{$bgpd_config_base}/bgpd.conf", $conffile); + @chmod("{$bgpd_config_base}/bgpd.conf", 0600); // Create rc.d file $rc_file_stop = <<<EOF -killall -9 bgpd +killall -TERM bgpd EOF; $rc_file_start = <<<EOF 
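Review bot: Both neighbor blocks now append `local-address {$openbgpd_conf['listenip']}` whenever no `local-address` row exists, including when `listenip` is empty, which emits a bare `local-address` line in bgpd.conf; guard it with `if ($setlocaladdr && !empty($openbgpd_conf['listenip']))`. The write at the end uses `@file_put_contents` and `@chmod`, so a failed write, or a 0600 that did not apply to a file now holding `tcp md5sig password`/`key` in clear text, goes unnoticed; check the return values and `log_error()` instead of suppressing. The neighbor-closing `$conffile .= "}\n";` inside the group loop is the only line of that block without a leading tab. openbgpd_install_conf continues outside this hunk.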
@@ -188,12 +195,14 @@ if [ `pw usershow {$pkg_login} 2>&1 | grep -c "pw: no such user"` -gt 0 ]; then fi /bin/mkdir -p {$bgpd_config_base} -chmod u+rw,go-rw {$bgpd_config_base}/bgpd.conf /usr/sbin/chown -R root:wheel {$bgpd_config_base} +/bin/chmod 0600 {$bgpd_config_base}/bgpd.conf NUMBGPD=`ps auxw | grep -c '[b]gpd.*parent'` if [ \${NUMBGPD} -lt 1 ] ; then - /usr/local/sbin/bgpd -f {$bgpd_config_base}/bgpd.conf + {$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf +else + {$pkg_bin}/bgpctl reload fi EOF; write_rcfile(array( @@ -203,17 +212,11 @@ EOF; ) ); - // TCP-MD5 support on freebsd. See tcp(5) for more - $fd = fopen("{$g['tmp_path']}/bgpdsetkey.conf", "w"); - fwrite($fd, $setkeycf ); - fclose($fd); - exec("setkey -f {$g['tmp_path']}/bgpdsetkey.conf"); - // bgpd process running? if so reload, else start. if(is_openbgpd_running() == true) { - exec("bgpctl reload"); + exec("{$pkg_bin}/bgpctl reload"); } else { - exec("bgpd"); + exec("{$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf"); } conf_mount_ro(); 
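Review bot: With the setkey step gone from both install (this hunk) and deinstall (hunk -230), TCP-MD5 SAs installed by an earlier version of this package are presumably left in the SADB across an upgrade until reboot; that is worth a line in the package notes or a one-off cleanup on upgrade. The `exec("{$pkg_bin}/bgpd -f ...")` and `bgpctl reload` calls discard both output and exit status, so a failed start is invisible; `mwexec()` (used elsewhere in this tree) or capturing the status and logging it would surface it. openbgpd_install_conf ends outside this hunk.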
@@ -230,34 +233,19 @@ function openbgpd_get_raw_config() { // serialize the raw openbgpd config file to config.xml function openbgpd_put_raw_config($conffile) { - global $config; - if ($conffile == "") - unset($config['installedpackages']['openbgpd']['rawconfig']); - else { - $config['installedpackages']['openbgpd']['rawconfig'] = array(); - $config['installedpackages']['openbgpd']['rawconfig']['item'] = explode("\n",$_POST['openbgpd_raw']); - //$config['installedpackages']['openbgpd']['rawconfig'] = $conffile; - } + global $config; + if ($conffile == "") + unset($config['installedpackages']['openbgpd']['rawconfig']); + else { + $config['installedpackages']['openbgpd']['rawconfig'] = array(); + $config['installedpackages']['openbgpd']['rawconfig']['item'] = explode("\n",$_POST['openbgpd_raw']); + //$config['installedpackages']['openbgpd']['rawconfig'] = $conffile; + } } function deinstall_openbgpd() { global $config, $g; - if($config['installedpackages']['openbgpd']['config']) - $openbgpd_conf = &$config['installedpackages']['openbgpd']['config'][0]; - if($config['installedpackages']['openbgpdneighbors']['config']) - $openbgpd_neighbors = &$config['installedpackages']['openbgpdneighbors']['config']; - $setkeycf = ""; - if(is_array($openbgpd_neighbors)) { - foreach($openbgpd_neighbors as $neighbor) - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; - } - // Clear all SADB entries used. - $fd = fopen("{$g['tmp_path']}/bgpdsetkey.conf", "w"); - fwrite($fd, $setkeycf ); - fclose($fd); - exec("setkey -f {$g['tmp_path']}/bgpdsetkey.conf"); - exec("rm /usr/local/etc/rc.d/bgpd.sh"); exec("rm /usr/local/www/openbgpd_status.php"); exec("killall bgpd"); @@ -362,4 +350,4 @@ function is_openbgpd_running() { return false; } -?>
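Review bot: openbgpd_put_raw_config($conffile) still ignores its parameter and reads `$_POST['openbgpd_raw']` directly (the commented-out line shows the intended shape), so the function cannot be called with anything but the live request; `explode("\n", $conffile)` would honour the argument. The rest of the re-indent is whitespace-only.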
\ No newline at end of file +?> diff --git a/config/openbgpd/openbgpd.xml b/config/openbgpd/openbgpd.xml index 2d28de0f..58107d48 100644 --- a/config/openbgpd/openbgpd.xml +++ b/config/openbgpd/openbgpd.xml @@ -151,7 +151,7 @@ <description></description> <rowhelper> <rowhelperfield> - <fielddescr>Announce the specified network as belonging to our AS. If set to connected, routes to directly attached networks will be announced. If set to static, all static routes will be announced.</fielddescr> + <fielddescr>Announce the specified network as belonging to our AS. If set to "(inet|inet6)connected", inet or inet6 routes to directly attached networks will be announced. If set to "(inet|inet6) static", all inet or inet6 static routes will be announced.</fielddescr> <fieldname>networks</fieldname> <description>Network that you would like to advertise</description> <type>input</type> diff --git a/config/openbgpd/openbgpd_neighbors.xml b/config/openbgpd/openbgpd_neighbors.xml index efa82384..5553c022 100644 --- a/config/openbgpd/openbgpd_neighbors.xml +++ b/config/openbgpd/openbgpd_neighbors.xml @@ -100,13 +100,13 @@ <field> <fielddescr>TCP-MD5 key</fielddescr> <fieldname>md5sigkey</fieldname> - <description>The md5 key to communicate with the peer. Does not work with Cisco BGP routers.</description> + <description>The md5 key to communicate with the peer. Does not work with Cisco BGP routers. If the Local Addr option is not set listening ip will be used.</description> <type>input</type> </field> <field> <fielddescr>TCP-MD5 password</fielddescr> <fieldname>md5sigpass</fieldname> - <description>The md5 password to communicate with the peer. Use this when communicating with a Cisco BGP router.</description> + <description>The md5 password to communicate with the peer. Use this when communicating with a Cisco BGP router. If the Local Addr option is not set listenning ip will be used.</description> <type>input</type> </field> <field> 
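Review bot: The new `networks` help text is inconsistent with itself: `"(inet|inet6)connected"` has no space before `connected` while `"(inet|inet6) static"` has one; both forms should read alike. The neighbours form (next hunk) spells `listenning` in the md5sigpass description while the md5sigkey description just above it has `listening`; use `listening ip` in both.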
diff --git a/config/openbgpd/openbgpd_status.php b/config/openbgpd/openbgpd_status.php index b493236f..99076d12 100644 --- a/config/openbgpd/openbgpd_status.php +++ b/config/openbgpd/openbgpd_status.php @@ -3,7 +3,7 @@ /* openbgpd_status.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2007 Scott Ullrich (sullrich@gmail.com) + Copyright (C) 2007 Scott Ullrich (sullrich@gmail.com) All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,6 +30,28 @@ require("guiconfig.inc"); +$commands = array(); + +defCmdT("summary", "OpenBGPD Summary", "/usr/local/sbin/bgpctl show summary"); +defCmdT("interfaces", "OpenBGPD Interfaces", "/usr/local/sbin/bgpctl show interfaces"); +defCmdT("routing", "OpenBGPD Routing", "/usr/local/sbin/bgpctl show rib", true, 4); +defCmdT("forwarding", "OpenBGPD Forwarding", "/usr/local/sbin/bgpctl show fib", true, 5); +defCmdT("network", "OpenBGPD Network", "/usr/local/sbin/bgpctl show network"); +defCmdT("nexthops", "OpenBGPD Nexthops", "/usr/local/sbin/bgpctl show nexthop"); +defCmdT("ip", "OpenBGPD IP", "/usr/local/sbin/bgpctl show ip bgp", true, 4); +defCmdT("neighbors", "OpenBGPD Neighbors", "/usr/local/sbin/bgpctl show neighbor"); + +if (isset($_REQUEST['isAjax'])) { + if (isset($_REQUEST['cmd']) && isset($commands[$_REQUEST['cmd']])) { + echo "{$_REQUEST['cmd']}\n"; + if (isset($_REQUEST['count'])) + echo " of " . countCmdT($commands[$_REQUEST['cmd']]['command']) . " items"; + else + echo htmlspecialchars_decode(doCmdT($commands[$_REQUEST['cmd']]['command'], $_REQUEST['limit'], $_REQUEST['filter'], $_REQUEST['header_size'])); + } + exit; +} + if ($config['version'] >= 6) $pgtitle = array("OpenBGPD", "Status"); else 
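Review bot: Only `cmd` is validated at this new request boundary; `$_REQUEST['limit']`, `$_REQUEST['filter']` and `$_REQUEST['header_size']` go straight into doCmdT(), which further down in this diff splices `$filter` into a shell pipeline (`sed -e '...'` with `escapeshellarg()` nested inside an already single-quoted expression, so the quoting does not hold). Normalise here — `$limit = is_numeric($_REQUEST['limit']) ? (int)$_REQUEST['limit'] : 'all'; $header_size = (int)$_REQUEST['header_size'];` — and have doCmdT apply the filter to each line in PHP (`stripos`/`preg_match` with `preg_quote`) instead of via sed, so the filter is never shell text. `htmlspecialchars_decode()` on doCmdT's output also undoes the escaping doCmdT applied; if the caller inserts the reply as HTML the decode should go. A comment noting that this block intentionally answers before `include("head.inc")` would help the next reader.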
@@ -37,84 +59,178 @@ else include("head.inc"); -function doCmdT($title, $command) { - echo "<p>\n"; - echo "<a name=\"" . $title . "\">\n"; - echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; - echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; - echo "<tr><td class=\"listlr\"><pre>"; /* no newline after pre */ - - if ($command == "dumpconfigxml") { - $fd = @fopen("/conf/config.xml", "r"); - if ($fd) { - while (!feof($fd)) { - $line = fgets($fd); - /* remove sensitive contents */ - $line = preg_replace("/<password>.*?<\\/password>/", "<password>xxxxx</password>", $line); - $line = preg_replace("/<pre-shared-key>.*?<\\/pre-shared-key>/", "<pre-shared-key>xxxxx</pre-shared-key>", $line); - $line = preg_replace("/<rocommunity>.*?<\\/rocommunity>/", "<rocommunity>xxxxx</rocommunity>", $line); - $line = str_replace("\t", " ", $line); - echo htmlspecialchars($line,ENT_NOQUOTES); - } - } - fclose($fd); - } else { - $execOutput = ""; - $execStatus = ""; - exec ($command . " 2>&1", $execOutput, $execStatus); - for ($i = 0; isset($execOutput[$i]); $i++) { - if ($i > 0) { - echo "\n"; - } - echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES); +function doCmdT($command, $limit = "all", $filter = "", $header_size = 0) { + $grepline = ""; + if (!empty($filter)) { + $ini = ($header_size > 0 ? $header_size+1 : 1); + $grepline = " | /usr/bin/sed -e '{$ini},\$ { /" . escapeshellarg(htmlspecialchars($filter)) . "/!d; };'"; + } + if (is_numeric($limit) && $limit > 0) { + $limit += $header_size; + $headline = " | /usr/bin/head -n {$limit}"; + } + + $fd = popen("{$command}{$grepline}{$headline} 2>&1", "r"); + $ct = 0; + $result = ""; + while (($line = fgets($fd)) !== FALSE) { + $result .= htmlspecialchars($line, ENT_NOQUOTES); + if ($ct++ > 1000) { + ob_flush(); + $ct = 0; } } - echo "</pre></tr>\n"; - echo "</table>\n"; + pclose($fd); + + return $result; } -/* Execute a command, giving it a title which is the same as the command. 
*/ -function doCmd($command) { - doCmdT($command,$command); +function countCmdT($command) { + $fd = popen("{$command} 2>&1", "r"); + $c = 0; + while (fgets($fd) !== FALSE) + $c++; + + pclose($fd); + + return $c; } -/* Define a command, with a title, to be executed later. */ -function defCmdT($title, $command) { - global $commands; - $title = htmlspecialchars($title,ENT_NOQUOTES); - $commands[] = array($title, $command); +function showCmdT($idx, $data) { + echo "<p>\n"; + echo "<a name=\"" . $data['title'] . "\"> </a>\n"; + echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; + echo "<tr><td colspan=\"2\" class=\"listtopic\">" . $data['title'] . "</td></tr>\n"; + + $limit_default = "all"; + if ($data['has_filter']) { + $limit_options = array("10", "50", "100", "200", "500", "1000", "all"); + $limit_default = "100"; + + echo "<tr><td class=\"listhdr\" style=\"font-weight:bold;\">\n"; + echo "Display <select onchange=\"update_filter('{$idx}','{$data['header_size']}');\" name=\"{$idx}_limit\" id=\"{$idx}_limit\">\n"; + foreach ($limit_options as $item) + echo "<option value='{$item}' " . ($item == $limit_default ? "selected" : "") . ">{$item}</option>\n"; + echo "</select> <span name=\"{$idx}_count\" id=\"{$idx}_count\">items</span></td>\n"; + echo "<td class=\"listhdr\" align=\"right\" style=\"font-weight:bold;\">Filter expression: \n"; + echo "<input type=\"text\" name=\"{$idx}_filter\" id=\"{$idx}_filter\" class=\"formfld search\" value=\"" . htmlspecialchars($_REQUEST["{$idx}_filter"]) . 
"\" size=\"30\" />\n"; + echo "<input type=\"button\" class=\"formbtn\" value=\"Filter\" onclick=\"update_filter('{$idx}','{$data['header_size']}');\" />\n"; + echo "</td></tr>\n"; + } + + echo "<tr><td colspan=\"2\" class=\"listlr\"><pre id=\"{$idx}\">"; /* no newline after pre */ + echo "Gathering data, please wait...\n"; + echo "</pre></td></tr>\n"; + echo "</table>\n"; } -/* Define a command, with a title which is the same as the command, - * to be executed later. - */ -function defCmd($command) { - defCmdT($command,$command); +/* Define a command, with a title, to be executed later. */ +function defCmdT($idx, $title, $command, $has_filter = false, $header_size = 0) { + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[$idx] = array( + 'title' => $title, + 'command' => $command, + 'has_filter' => $has_filter, + 'header_size' => $header_size); } /* List all of the commands as an index. */ function listCmds() { - global $commands; - echo "<p>This status page includes the following information:\n"; - echo "<ul width=\"700\">\n"; - for ($i = 0; isset($commands[$i]); $i++ ) { - echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong></li>\n"; - } - echo "</ul>\n"; + global $commands; + echo "<p>This status page includes the following information:\n"; + echo "<ul width=\"700\">\n"; + foreach ($commands as $idx => $command) + echo "<li><strong><a href=\"#" . $command['title'] . "\">" . $command['title'] . "</a></strong></li>\n"; + echo "</ul>\n"; } /* Execute all of the commands which were defined by a call to defCmd. 
*/ function execCmds() { - global $commands; - for ($i = 0; isset($commands[$i]); $i++ ) { - doCmdT($commands[$i][0], $commands[$i][1]); - } + global $commands; + foreach ($commands as $idx => $command) + showCmdT($idx, $command); } ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<script type="text/javascript"> +//<![CDATA[ + + function update_count(cmd, header_size) { + var url = "openbgpd_status.php"; + var params = "isAjax=true&count=true&cmd=" + cmd + "&header_size=" + header_size; + var myAjax = new Ajax.Request( + url, + { + method: 'post', + parameters: params, + onComplete: update_count_callback + }); + } + + function update_count_callback(transport) { + // First line contain field id to be updated + var responseTextArr = transport.responseText.split("\n"); + + document.getElementById(responseTextArr[0] + "_count").innerHTML = responseTextArr[1]; + } + + function update_filter(cmd, header_size) { + var url = "openbgpd_status.php"; + var filter = ""; + var limit = "all"; + var limit_field = document.getElementById(cmd + "_limit"); + if (limit_field) { + var index = limit_field.selectedIndex; + limit = limit_field.options[index].value; + filter = document.getElementById(cmd + "_filter").value; + } + var params = "isAjax=true&cmd=" + cmd + "&limit=" + limit + "&filter=" + filter + "&header_size=" + header_size; + var myAjax = new Ajax.Request( + url, + { + method: 'post', + parameters: params, + onComplete: update_filter_callback + }); + } + + function update_filter_callback(transport) { + // First line contain field id to be updated + var responseTextArr = transport.responseText.split("\n"); + var id = responseTextArr.shift(); + + document.getElementById(id).textContent = responseTextArr.join("\n"); + } + +//]]> +</script> + <?php include("fbegin.inc"); ?> +<script type="text/javascript"> +//<![CDATA[ + + function exec_all_cmds() { +<?php + foreach ($commands as $idx => $command) { + if ($command['has_filter']) + echo "\t\tupdate_count('{$idx}', 
{$command['header_size']});\n"; + echo "\t\tupdate_filter('{$idx}', {$command['header_size']});\n"; + } +?> + } + +if (typeof jQuery == 'undefined') + document.observe('dom:loaded', function(){setTimeout('exec_all_cmds()', 5000);}); +else + jQuery(document).ready(function(){setTimeout('exec_all_cmds()', 5000);}); + +//]]> +</script> + <?php if ($config['version'] < 6) echo '<p class="pgtitle">' . $pgtitle . '</font></p>'; @@ -135,37 +251,17 @@ function execCmds() { ?> </table> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont" > - <form action="tinydns_status.php" method="post"> - </form> - </td> - </tr> - <tr> - <td class="tabcont" > - -<?php - -defCmdT("OpenBGPD Summary","bgpctl show summary"); -defCmdT("OpenBGPD Interfaces","bgpctl show interfaces"); -defCmdT("OpenBGPD Routing","bgpctl show rib"); -defCmdT("OpenBGPD Forwarding","bgpctl show fib"); -defCmdT("OpenBGPD Network","bgpctl show network"); -defCmdT("OpenBGPD Network","bgpctl show network"); -defCmdT("OpenBGPD Nexthops","bgpctl show nexthop"); -defCmdT("OpenBGPD IP","bgpctl show ip bgp"); -defCmdT("OpenBGPD Neighbors","bgpctl show neighbor"); + <tr> + <td class="tabcont" > -?> - <div id="cmdspace" style="width:100%"> - <?php listCmds(); ?> - - <?php execCmds(); ?> - </div> - - </table> - </td> - </tr> + <div id="cmdspace" style="width:100%"> + <?php listCmds(); ?> + + <?php execCmds(); ?> + </div> + + </td> + </tr> </table> </div> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 1ab962da..ac006d20 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc 
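Review bot: The sed filter built in the new doCmdT() nests escapeshellarg($filter) inside a sed script that is itself single-quoted, so the quote that escapeshellarg() emits closes the script and the filter text is then parsed by the shell rather than by sed; htmlspecialchars() does not help, as it leaves `;`, `|` and `$` untouched. Since `filter` arrives from the request in the `@@ -30,6 +30,28 @@` hunk, this is a command-injection path reachable through the status page's request parameters. The safer shape is to run only `$command` under popen() and do header skipping, filtering and the line cap in PHP, as below; that also removes the dependency on `$filter` being a valid sed regex (a `/` in it breaks the script) and the unset `$headline` when no numeric limit is given. The rewrite uses a plain substring match; if regex filtering is wanted, use preg_match() with preg_quote() or explicit error checking, never a shell pipeline. In update_filter() the filter should also go through encodeURIComponent() so `&` and `+` survive the POST body.
```php
function doCmdT($command, $limit = "all", $filter = "", $header_size = 0) {
	$header_size = max(0, (int)$header_size);
	$filter = (string)$filter;
	/* equivalent of "head -n <limit + header_size>"; "all" or any non-number means no cap */
	$max = (is_numeric($limit) && $limit > 0) ? ((int)$limit + $header_size) : PHP_INT_MAX;

	$fd = popen("{$command} 2>&1", "r");
	$seen = 0;
	$kept = 0;
	$result = "";
	while ($kept < $max && ($line = fgets($fd)) !== FALSE) {
		$seen++;
		/* equivalent of sed '<header_size+1>,$ { /filter/!d }': header lines always pass */
		if ($seen > $header_size && $filter !== "" && strpos($line, $filter) === FALSE)
			continue;
		$result .= htmlspecialchars($line, ENT_NOQUOTES);
		$kept++;
	}
	pclose($fd);

	return $result;
}
```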
@@ -61,7 +61,7 @@ function openvpn_client_export_deinstall() { conf_mount_ro(); } -function openvpn_client_export_prefix($srvid, $usrid = null) { +function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) { global $config; // lookup server settings @@ -75,12 +75,13 @@ function openvpn_client_export_prefix($srvid, $usrid = null) { $prot = ($settings['protocol'] == 'UDP' ? 'udp' : $settings['protocol']); $port = $settings['local_port']; - $username = ""; - //$config['openvpn']['openvpn-server']; + $filename_addition = ""; if ($usrid && is_numeric($usrid)) - $username = "-".$config['system']['user'][$usrid]['name']; + $filename_addition = "-".$config['system']['user'][$usrid]['name']; + elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn")) + $filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt'])); - return "{$host}-{$prot}-{$port}{$username}"; + return "{$host}-{$prot}-{$port}{$filename_addition}"; } function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $capath = false) { @@ -116,13 +117,17 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { // lookup server certificate info $server_cert = lookup_cert($settings['certref']); - $server_ca = lookup_ca($server_cert['caref']); - if (!$server_cert || !$server_ca) { - $input_errors[] = "Could not locate certificate."; - return false; - } - if (function_exists("cert_get_cn")) { - $servercn = cert_get_cn($server_cert['crt']); + if (!$server_cert) + { + $input_errors[] = "Could not locate server certificate."; + } else { + $server_ca = lookup_ca($server_cert['caref']); + if (!$server_ca) { + $input_errors[] = "Could not locate the CA reference for the server certificate."; + } + if (function_exists("cert_get_cn")) { + $servercn = cert_get_cn($server_cert['crt']); + } } // lookup user info 
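Review bot: The new `$filename_addition` branch only replaces spaces in the certificate CN, yet the prefix it builds becomes part of `$tempdir`, of the mkdir/zip/`rm -rf` paths in the later hunks of this file, and of the download filename. A CN containing `/` or other path characters therefore changes where the export writes and deletes; the escapeshellarg() added in the `@@ -355,23 +368,32 @@` hunk stops shell interpretation but not path traversal. Restrict the addition to a filename-safe set, e.g. `$filename_addition = "-" . preg_replace('/[^A-Za-z0-9._-]/', '_', cert_get_cn($config['cert'][$crtid]['crt']));`. cert_get_cn() is not visible here, so I am assuming it returns the subject CN verbatim.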
@@ -130,7 +135,6 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { $user = $config['system']['user'][$usrid]; if (!$user) { $input_errors[] = "Could not find user settings."; - return false; } } @@ -142,17 +146,23 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { $cert = $config['cert'][$crtid]; } if (!$cert) - return false; - // If $cert is not an array, it's a certref not a cert. - if (!is_array($cert)) - $cert = lookup_cert($cert); + { + $input_errors[] = "Could not find client certificate."; + } else { + // If $cert is not an array, it's a certref not a cert. + if (!is_array($cert)) + $cert = lookup_cert($cert); + } } elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) { $cert = $config['cert'][$crtid]; if (!$cert) - return false; + $input_errors[] = "Could not find client certifficate."; } else $nokeys = true; + if ($input_errors) + return false; + return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys); } @@ -160,6 +170,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese global $config, $input_errors, $g; $nl = ($doslines) ? "\r\n" : "\n"; + $conf = ""; $validconfig = openvpn_client_export_validate_config($srvid, $usrid, $crtid); if ($validconfig) { 
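Review bot: The new error message in the server_tls branch misspells certificate: `$input_errors[] = "Could not find client certifficate.";` should read `"Could not find client certificate."`, matching the message added in the branch above it. Since both branches now report the same condition, a single shared string would also keep them from drifting. The enclosing function openvpn_client_export_validate_config() starts outside this hunk.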
@@ -185,38 +196,48 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese $server_host = $useaddr; $server_port = $settings['local_port']; - $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client"); + $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); + if (($expformat == "inlineios") && ($proto == "tcp-client")) + $proto = "tcp"; $cipher = $settings['crypto']; // add basic settings $devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode']; - $conf = "dev {$devmode}{$nl}"; - if(! empty($settings['tunnel_networkv6'])) { + if (($expformat != "inlinedroid") && ($expformat != "inlineios")) + $conf .= "dev {$devmode}{$nl}"; + if(!empty($settings['tunnel_networkv6']) && ($expformat != "inlinedroid") && ($expformat != "inlineios")) { $conf .= "tun-ipv6{$nl}"; } $conf .= "persist-tun{$nl}"; $conf .= "persist-key{$nl}"; - $conf .= "proto {$proto}{$nl}"; + +// if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp")) +// $conf .= "proto tcp-client{$nl}"; $conf .= "cipher {$cipher}{$nl}"; $conf .= "tls-client{$nl}"; $conf .= "client{$nl}"; - $conf .= "resolv-retry infinite{$nl}"; - $conf .= "remote {$server_host} {$server_port}{$nl}"; - if (!empty($servercn)) { + if (($expformat != "inlinedroid") && ($expformat != "inlineios")) + $conf .= "resolv-retry infinite{$nl}"; + $conf .= "remote {$server_host} {$server_port} {$proto}{$nl}"; + if (!empty($servercn) && ($expformat != "inlineios")) { $qw = ($quoteservercn) ? 
"\"" : ""; $conf .= "tls-remote {$qw}{$servercn}{$qw}{$nl}"; } if (!empty($proxy)) { - if ($proto == "udp") { - $input_errors[] = "This server uses UDP protocol and cannot communicate with HTTP proxy."; - return; + if ($proxy['proxy_type'] == "http") { + if ($proto == "udp") { + $input_errors[] = "This server uses UDP protocol and cannot communicate with HTTP proxy."; + return; + } + $conf .= "http-proxy {$proxy['ip']} {$proxy['port']} "; } - $conf .= "http-proxy {$proxy['ip']} {$proxy['port']} "; + if ($proxy['proxy_type'] == "socks") + $conf .= "socks-proxy {$proxy['ip']} {$proxy['port']} "; if ($proxy['proxy_authtype'] != "none") { if (!isset($proxy['passwdfile'])) - $proxy['passwdfile'] = openvpn_client_export_prefix($srvid, $usrid) . "-proxy"; + $proxy['passwdfile'] = openvpn_client_export_prefix($srvid, $usrid, $crtid) . "-proxy"; $conf .= " {$proxy['passwdfile']} {$proxy['proxy_authtype']}"; } $conf .= "{$nl}"; @@ -231,14 +252,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // add key settings - $prefix = openvpn_client_export_prefix($srvid, $usrid); + $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); $cafile = "{$prefix}-ca.crt"; if($nokeys == false) { - if ($expformat == "inline") { - $conf .= "ca [inline]{$nl}"; - $conf .= "cert [inline]{$nl}"; - $conf .= "key [inline]{$nl}"; - } elseif ($expformat == "yealink_t28") { + if ($expformat == "yealink_t28") { $conf .= "ca /yealink/config/openvpn/keys/ca.crt{$nl}"; $conf .= "cert /yealink/config/openvpn/keys/client1.crt{$nl}"; $conf .= "key /yealink/config/openvpn/keys/client1.key{$nl}"; 
@@ -257,20 +274,16 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } elseif ($usetoken) { $conf .= "ca {$cafile}{$nl}"; $conf .= "cryptoapicert \"SUBJ:{$user['name']}\"{$nl}"; - } else { + } elseif (substr($expformat, 0, 6) != "inline") { $conf .= "pkcs12 {$prefix}.p12{$nl}"; } } else if ($settings['mode'] == "server_user") { - if ($expformat == "inline") - $conf .= "ca [inline]{$nl}"; - else + if (substr($expformat, 0, 6) != "inline") $conf .= "ca {$cafile}{$nl}"; } if ($settings['tls'] && !$skiptls) { - if ($expformat == "inline") - $conf .= "tls-auth [inline] 1{$nl}"; - elseif ($expformat == "yealink_t28") + if ($expformat == "yealink_t28") $conf .= "tls-auth /yealink/config/openvpn/keys/ta.key 1{$nl}"; elseif ($expformat == "yealink_t38g") $conf .= "tls-auth /phone/config/openvpn/keys/ta.key 1{$nl}"; @@ -278,7 +291,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese $conf .= "tls-auth /config/openvpn/keys/ta.key 1{$nl}"; elseif ($expformat == "snom") $conf .= "tls-auth /openvpn/ta.key 1{$nl}"; - else + elseif (substr($expformat, 0, 6) != "inline") $conf .= "tls-auth {$prefix}-tls.key 1{$nl}"; } @@ -330,7 +343,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese case "zip": // create template directory $tempdir = "{$g['tmp_path']}/{$prefix}"; - mkdir($tempdir, 0700, true); + @mkdir($tempdir, 0700, true); file_put_contents("{$tempdir}/{$prefix}.ovpn", $conf); 
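Review bot: The `@mkdir($tempdir, 0700, true)` in the zip case silences the only signal that the export directory could not be created, after which file_put_contents() and the later zip step run against a path that may not exist. Test the result instead of suppressing it: `if (!is_dir($tempdir) && !mkdir($tempdir, 0700, true)) { $input_errors[] = "Could not create temporary export directory."; return; }`. A `return;` after recording an input error is the failure style this function already uses for the UDP-with-HTTP-proxy case. The enclosing function starts and ends outside this hunk.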
@@ -355,23 +368,32 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese else openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); } - exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}"); + $command = "cd " . escapeshellarg("{$tempdir}/..") + . " && /usr/local/bin/zip -r " + . escapeshellarg("{$g['tmp_path']}/{$prefix}-config.zip") + . " " . escapeshellarg($prefix); + exec($command); // Remove temporary directory - exec("rm -rf {$tempdir}"); - return $g['tmp_path'] . "/{$prefix}-config.zip"; + exec("rm -rf " . escapeshellarg($tempdir)); + return "{$g['tmp_path']}/{$prefix}-config.zip"; break; case "inline": + case "inlinedroid": + case "inlineios": // Inline CA - $conf .= "<ca>{$nl}" . base64_decode($server_ca['crt']) . "</ca>{$nl}"; + $conf .= "<ca>{$nl}" . trim(base64_decode($server_ca['crt'])) . "{$nl}</ca>{$nl}"; if ($settings['mode'] != "server_user") { // Inline Cert - $conf .= "<cert>{$nl}" . base64_decode($cert['crt']) . "</cert>{$nl}"; + $conf .= "<cert>{$nl}" . trim(base64_decode($cert['crt'])) . "{$nl}</cert>{$nl}"; // Inline Key - $conf .= "<key>{$nl}" . base64_decode($cert['prv']) . "</key>{$nl}"; + $conf .= "<key>{$nl}" . trim(base64_decode($cert['prv'])) . "{$nl}</key>{$nl}"; + } else { + // Work around OpenVPN Connect assuming you have a client cert even when you don't need one + $conf .= "setenv CLIENT_CERT 0{$nl}"; } // Inline TLS if ($settings['tls']) { - $conf .= "<tls-auth>{$nl}" . base64_decode($settings['tls']) . "</tls-auth>{$nl} key-direction 1{$nl}"; + $conf .= "<tls-auth>{$nl}" . trim(base64_decode($settings['tls'])) . "{$nl}</tls-auth>{$nl} key-direction 1{$nl}"; } return $conf; break; 
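Review bot: The exit status of the zip command is never examined, so when zip fails the function still removes `$tempdir` and returns the archive path, and the caller in vpn_openvpn_export.php then calls filesize()/readfile() on a file that does not exist. Capture it with `exec($command, $zipout, $zipstatus);` and, before the cleanup, `if ($zipstatus !== 0) { $input_errors[] = "Could not create the configuration archive."; }`, returning without a path in that case. The escapeshellarg() wrapping of every path component in the zip and `rm -rf` commands is the right change and should be kept. The enclosing function starts and ends outside this hunk.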
@@ -478,7 +500,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot exec("/bin/cp {$tempdir}/{$client_install_exe} {$tempdir}/openvpn-install.exe"); // write configuration file - $prefix = openvpn_client_export_prefix($srvid, $usrid); + $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); $cfgfile = "{$confdir}/{$prefix}-config.ovpn"; if (!empty($proxy) && $proxy['proxy_authtype'] != "none") { $proxy['passwdfile'] = "{$prefix}-password"; @@ -580,7 +602,7 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead $tempdir = $tempdir . "/Viscosity.visc/"; // write cofiguration file - $prefix = openvpn_client_export_prefix($srvid, $usrid); + $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); if (!empty($proxy) && $proxy['proxy_authtype'] != "none") { $proxy['passwdfile'] = "config-password"; $pwdfle = "{$proxy['user']}\n"; @@ -714,7 +736,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; - $conf .= "client\n"; + $conf .= "pull\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; if ($settings['local_network']) { 
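Review bot: The change from `client` to `pull` in openvpn_client_export_sharedkey_config() is a behavioural fix that the hunk does not explain, and it is easy for a later reader to "correct" it back; a one-line comment would pin it, e.g. `// shared-key mode has no TLS, so use "pull" rather than "client" (which implies tls-client)`. The enclosing function starts and ends outside this hunk.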
@@ -734,11 +756,15 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "ping-timer-rem\n"; if (!empty($proxy)) { - if ($proto == "udp") { - $input_errors[] = "This server uses UDP protocol and cannot communicate with HTTP proxy."; - return; + if ($proxy['proxy_type'] == "http") { + if ($proto == "udp") { + $input_errors[] = "This server uses UDP protocol and cannot communicate with HTTP proxy."; + return; + } + $conf .= "http-proxy {$proxy['ip']} {$proxy['port']} "; } - $conf .= "http-proxy {$proxy['ip']} {$proxy['port']} "; + if ($proxy['proxy_type'] == "socks") + $conf .= "socks-proxy {$proxy['ip']} {$proxy['port']} "; if ($proxy['proxy_authtype'] != "none") { if (!isset($proxy['passwdfile'])) $proxy['passwdfile'] = openvpn_client_export_prefix($srvid) . "-proxy"; diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index 02949cbd..f90ac2cf 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>0.24</version> + <version>1.0.11</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/source/dotnet2.nsh b/config/openvpn-client-export/source/dotnet2.nsh index 5ec356e3..272f1bb3 100644 --- a/config/openvpn-client-export/source/dotnet2.nsh +++ b/config/openvpn-client-export/source/dotnet2.nsh @@ -1,93 +1,93 @@ -; Plugin for installing .NET Framework v2.0
-; Written by Christopher St. John
-; for EncounterPRO Healthcare Resources, Inc.
-
-!ifndef DOTNET2_INCLUDED
-!define DOTNET2_INCLUDED
-
-; -----------------------------------------
-; Includes
- !include "WordFunc.nsh"
- !insertmacro VersionCompare
- !include LogicLib.nsh
-
-; -----------------------------------------
-; Defines
- ; Direct-download location of .NET 2.0 redist
- !define BASE_URL http://download.microsoft.com/download
- !define URL_DOTNET_1033 "${BASE_URL}/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe"
-
-; -----------------------------------------
-; Variables
- Var DotNetVersion2
- Var InstallDotNet2
-
-; -----------------------------------------
-; Functions
-Function GetDotNETVersion2
- Push $0
- Push $1
-
- System::Call "mscoree::GetCORVersion(w .r0, i 1024, *i r2) i .r1"
- StrCmp $1 0 +2
- StrCpy $0 0
-
- Pop $1
- Exch $0
-FunctionEnd
-
-; -----------------------------------------
-; Macros
-!macro CheckForDotNET2
- ; Check .NET version
- StrCpy $InstallDotNET2 "No"
- Call GetDotNETVersion2
- Pop $0
- StrCpy $DotNetVersion2 $0
-
- ${If} $0 == "not found"
- StrCpy $InstallDotNET2 "Yes"
- MessageBox MB_OK|MB_ICONINFORMATION "Installer requires that the .NET Framework 2.0 is installed. The .NET Framework will be downloaded and installed automatically during installation."
- Return
- ${EndIf}
-
- StrCpy $0 $0 "" 1 # skip "v"
-
- ${VersionCompare} $0 "2.0" $1
- ${If} $1 == 2
- StrCpy $InstallDotNET2 "Yes"
- MessageBox MB_OK|MB_ICONINFORMATION "Installer requires that the .NET Framework 2.0 is installed. The .NET Framework will be downloaded and installed automatically during installation."
- Return
- ${EndIf}
-!macroend
-
-!macro InstallDotNET2
- ; Get .NET if required
- ${If} $InstallDotNET2 == "Yes"
- DetailPrint "Downloading .NET Framework v2.0..."
- ;SetDetailsView hide
- NSISdl::download /TIMEOUT=30000 "${URL_DOTNET_1033}" "$INSTDIR\dotnetfx.exe"
- Pop $1
-
- ${If} $1 != "success"
- DetailPrint "Download failed: $1"
- Delete "$INSTDIR\dotnetfx.exe"
- Abort "Installation Cancelled"
- ${EndIf}
-
- DetailPrint "Installing .NET Framework v2.0..."
- ExecWait '"$INSTDIR\dotnetfx.exe" /q:a /c:"install /passive"' $1
- ${If} $1 == 0
- DetailPrint ".NET Framework v2.0 successfully installed."
- ${ElseIf} $1 == 3010
- MessageBox MB_OK ".NET Framework v2.0 has been installed and requires a reboot. Please restart the computer and run this installer again."
- Abort ".NET Framework v2.0 requires reboot."
- ${Else}
- MessageBox MB_OK ".NET Framework v2.0 reports a failure during installation ($1). Please try to install .NET Framework v2.0 via Windows Update before running this installer again."
- Abort ".NET Framework v2.0 installation failed ($1)."
- ${EndIf}
- Delete "$INSTDIR\dotnetfx.exe"
- ${EndIf}
-!macroend
-
+; Plugin for installing .NET Framework v2.0 +; Written by Christopher St. John +; for EncounterPRO Healthcare Resources, Inc. + +!ifndef DOTNET2_INCLUDED +!define DOTNET2_INCLUDED + +; ----------------------------------------- +; Includes + !include "WordFunc.nsh" + !insertmacro VersionCompare + !include LogicLib.nsh + +; ----------------------------------------- +; Defines + ; Direct-download location of .NET 2.0 redist + !define BASE_URL http://download.microsoft.com/download + !define URL_DOTNET_1033 "${BASE_URL}/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe" + +; ----------------------------------------- +; Variables + Var DotNetVersion2 + Var InstallDotNet2 + +; ----------------------------------------- +; Functions +Function GetDotNETVersion2 + Push $0 + Push $1 + + System::Call "mscoree::GetCORVersion(w .r0, i 1024, *i r2) i .r1" + StrCmp $1 0 +2 + StrCpy $0 0 + + Pop $1 + Exch $0 +FunctionEnd + +; ----------------------------------------- +; Macros +!macro CheckForDotNET2 + ; Check .NET version + StrCpy $InstallDotNET2 "No" + Call GetDotNETVersion2 + Pop $0 + StrCpy $DotNetVersion2 $0 + + ${If} $0 == "not found" + StrCpy $InstallDotNET2 "Yes" + MessageBox MB_OK|MB_ICONINFORMATION "Installer requires that the .NET Framework 2.0 is installed. The .NET Framework will be downloaded and installed automatically during installation." + Return + ${EndIf} + + StrCpy $0 $0 "" 1 # skip "v" + + ${VersionCompare} $0 "2.0" $1 + ${If} $1 == 2 + StrCpy $InstallDotNET2 "Yes" + MessageBox MB_OK|MB_ICONINFORMATION "Installer requires that the .NET Framework 2.0 is installed. The .NET Framework will be downloaded and installed automatically during installation." + Return + ${EndIf} +!macroend + +!macro InstallDotNET2 + ; Get .NET if required + ${If} $InstallDotNET2 == "Yes" + DetailPrint "Downloading .NET Framework v2.0..." 
+ ;SetDetailsView hide + NSISdl::download /TIMEOUT=30000 "${URL_DOTNET_1033}" "$INSTDIR\dotnetfx.exe" + Pop $1 + + ${If} $1 != "success" + DetailPrint "Download failed: $1" + Delete "$INSTDIR\dotnetfx.exe" + Abort "Installation Cancelled" + ${EndIf} + + DetailPrint "Installing .NET Framework v2.0..." + ExecWait '"$INSTDIR\dotnetfx.exe" /q:a /c:"install /passive"' $1 + ${If} $1 == 0 + DetailPrint ".NET Framework v2.0 successfully installed." + ${ElseIf} $1 == 3010 + MessageBox MB_OK ".NET Framework v2.0 has been installed and requires a reboot. Please restart the computer and run this installer again." + Abort ".NET Framework v2.0 requires reboot." + ${Else} + MessageBox MB_OK ".NET Framework v2.0 reports a failure during installation ($1). Please try to install .NET Framework v2.0 via Windows Update before running this installer again." + Abort ".NET Framework v2.0 installation failed ($1)." + ${EndIf} + Delete "$INSTDIR\dotnetfx.exe" + ${EndIf} +!macroend + !endif
\ No newline at end of file diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index e7c94ae6..c2a54432 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -3,7 +3,7 @@ vpn_openvpn_export.php Copyright (C) 2008 Shrew Soft Inc. - Copyright (C) 2010 Ermal Lu�i + Copyright (C) 2010 Ermal Luçi All rights reserved. Redistribution and use in source and binary forms, with or without @@ -80,7 +80,7 @@ foreach($a_server as $sindex => $server) { } } elseif (($server['mode'] == "server_tls") || (($server['mode'] == "server_tls_user") && ($server['authmode'] != "Local Database"))) { foreach($a_cert as $cindex => $cert) { - if ($cert['caref'] != $server['caref']) + if (($cert['caref'] != $server['caref']) || ($cert['refid'] == $server['certref'])) continue; $ras_cert_entry['cindex'] = $cindex; $ras_cert_entry['certname'] = $cert['descr']; @@ -140,7 +140,7 @@ if (!empty($act)) { $quoteservercn = $_GET['quoteservercn']; $usetoken = $_GET['usetoken']; - if ($usetoken && ($act == "confinline")) + if ($usetoken && (substr($act, 0, 10) == "confinline")) $input_errors[] = "You cannot use Microsoft Certificate Storage with an Inline configuration."; if ($usetoken && (($act == "conf_yealink_t28") || ($act == "conf_yealink_t38g") || ($act == "conf_yealink_t38g2") || ($act == "conf_snom"))) $input_errors[] = "You cannot use Microsoft Certificate Storage with a Yealink or SNOM configuration."; @@ -159,6 +159,7 @@ if (!empty($act)) { $input_errors[] = "You need to specify a port for the proxy ip."; } else $proxy['port'] = $_GET['proxy_port']; + $proxy['proxy_type'] = $_GET['proxy_type']; $proxy['proxy_authtype'] = $_GET['proxy_authtype']; if ($_GET['proxy_authtype'] != "none") { if (empty($_GET['proxy_user'])) { 
@@ -172,7 +173,7 @@ if (!empty($act)) { } } - $exp_name = openvpn_client_export_prefix($srvid, $usrid); + $exp_name = openvpn_client_export_prefix($srvid, $usrid, $crtid); if(substr($act, 0, 4) == "conf") { switch ($act) { @@ -200,6 +201,14 @@ if (!empty($act)) { $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "inline"; break; + case "confinlinedroid": + $exp_name = urlencode($exp_name."-android-config.ovpn"); + $expformat = "inlinedroid"; + break; + case "confinlineios": + $exp_name = urlencode($exp_name."-ios-config.ovpn"); + $expformat = "inlineios"; + break; default: $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "baseconf"; @@ -222,7 +231,7 @@ if (!empty($act)) { } if (empty($input_errors)) { - if (($act == "conf") || ($act == "confinline")) { + if (($act == "conf") || (substr($act, 0, 10) == "confinline")) { $exp_size = strlen($exp_path); } else { $exp_size = filesize($exp_path); @@ -232,7 +241,7 @@ if (!empty($act)) { header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); - if (($act == "conf") || ($act == "confinline")) { + if (($act == "conf") || (substr($act, 0, 10) == "confinline")) { echo $exp_path; } else { readfile($exp_path); @@ -248,9 +257,9 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<script language="JavaScript"> - var viscosityAvailable = false; -<!-- +<script type="text/javascript"> +//<![CDATA[ +var viscosityAvailable = false; var servers = new Array(); <?php foreach ($ras_server as $sindex => $server): ?> 
@@ -337,6 +346,8 @@ function download_begin(act, i, j) { if (document.getElementById("useproxypass").value != 'none') useproxypass = 1; + var proxytype = document.getElementById("useproxytype").value; + var proxyauth = document.getElementById("useproxypass").value; var proxyuser = document.getElementById("proxyuser").value; var proxypass = document.getElementById("proxypass").value; @@ -375,6 +386,7 @@ function download_begin(act, i, j) { if (usepass) dlurl += "&password=" + escape(pass); if (useproxy) { + dlurl += "&proxy_type=" + escape(proxytype); dlurl += "&proxy_addr=" + escape(proxyaddr); dlurl += "&proxy_port=" + escape(proxyport); dlurl += "&proxy_authtype=" + escape(proxyauth); 
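Review bot: The new `dlurl += "&proxy_type=" + escape(proxytype);` uses escape(), which is deprecated and leaves `+`, `/` and `@` unencoded; encodeURIComponent() is the right encoder for a query value, `dlurl += "&proxy_type=" + encodeURIComponent(proxytype);`. The surrounding lines use escape() as well, so converting them in the same pass would keep download_begin() consistent. download_begin() starts outside this hunk.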
@@ -408,20 +420,28 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = users[i][3]; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ", -1)'>Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ", -1)'>Inline Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\"," + i + ", -1)'>Configuration archive</a>"; - cell2.innerHTML += "<br/>Windows Installers:<br/>"; + cell2.innerHTML = "- Standard Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\"," + i + ", -1)'>Archive<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf\"," + i + ", -1)'>Config Only<\/a>"; + cell2.innerHTML += "<br\/>- Inline Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlinedroid\"," + i + ", -1)'>Android<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>2.2</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlineios\"," + i + ", -1)'>OpenVPN Connect (iOS/Android)<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ", -1)'>2.3-x86 (Beta)</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ", -1)'>Others<\/a>"; + cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>2.2<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ", -1)'>2.3-x86<\/a>"; // cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64 
(Beta)</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle</a>"; +// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; + cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle<\/a>"; } for (j=0; j < certs.length; j++) { var row = table.insertRow(table.rows.length); 
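Review bot: The label for the `conf` link is `Config Only` in this hunk but `File Only` in the `@@ -437,30` and `@@ -473,20` hunks, which build the same menu for the certificate and no-certificate rows. The three copies should agree, and since the same run of `innerHTML +=` lines is now repeated three times with only the `download_begin` arguments differing, a small helper that takes the user/cert indices and returns the markup would keep them from drifting again. server_changed starts and ends outside this hunk.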
@@ -437,30 +457,38 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = certs[j][1]; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\", -1," + j + ")'>Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\", -1," + j + ")'>Inline Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\", -1," + j + ")'>Configuration archive</a>"; - cell2.innerHTML += "<br/>Windows Installers:<br/>"; + cell2.innerHTML = "- Standard Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\", -1," + j + ")'>Archive<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf\", -1," + j + ")'>File Only<\/a>"; + cell2.innerHTML += "<br\/>- Inline Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlinedroid\", -1," + j + ")'>Android<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>2.2</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlineios\", -1," + j + ")'>OpenVPN Connect (iOS/Android)<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\", -1," + j + ")'>2.3-x86 (Beta)</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\", -1," + j + ")'>Others<\/a>"; + cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>2.2<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\", -1," + j + ")'>2.3-x86<\/a>"; // cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64 
(Beta)</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle</a>"; +// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; + cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle<\/a>"; if (servers[index][2] == "server_tls") { - cell2.innerHTML += "<br/>Yealink SIP Handsets: <br/>"; + cell2.innerHTML += "<br\/>- Yealink SIP Handsets: <br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t28\", -1," + j + ")'>T28</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t28\", -1," + j + ")'>T28<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t38g\", -1," + j + ")'>T38G (1)</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t38g\", -1," + j + ")'>T38G (1)<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t38g2\", -1," + j + ")'>T38G (2)</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"conf_snom\", -1," + j + ")'>SNOM SIP Handset</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf_yealink_t38g2\", -1," + j + ")'>T38G (2)<\/a>"; + cell2.innerHTML += "<br\/>"; + cell2.innerHTML += "- <a href='javascript:download_begin(\"conf_snom\", -1," + j + ")'>SNOM SIP Handset<\/a>"; } } if (servers[index][2] == 'server_user') { 
@@ -473,20 +501,28 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = "none"; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Inline Configuration</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\"," + i + ")'>Configuration archive</a>"; - cell2.innerHTML += "<br/>Windows Installers:<br/>"; + cell2.innerHTML = "- Standard Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confzip\"," + i + ")'>Archive<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"conf\"," + i + ")'>File Only<\/a>"; + cell2.innerHTML += "<br\/>- Inline Configurations:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlinedroid\"," + i + ")'>Android<\a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>2.2</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinlineios\"," + i + ")'>OpenVPN Connect (iOS/Android)<\/a>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ")'>2.3-x86 (Beta)</a>"; + cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Others<\/a>"; + cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>2.2<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ")'>2.3-x86<\/a>"; // cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64 (Beta)</a>"; - cell2.innerHTML += "<br/>"; - cell2.innerHTML 
+= "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; +// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; + cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle<\/a>"; } } @@ -510,13 +546,13 @@ function usepass_changed() { function useproxy_changed(obj) { if ((obj.id == "useproxy" && obj.checked) || - $(obj.id + 'pass').value != 'none') { + (obj.id == "useproxypass" && (obj.value != 'none'))) { $(obj.id + '_opts').show(); } else { $(obj.id + '_opts').hide(); } } -//--> +//]]> </script> <?php if ($input_errors) @@ -524,7 +560,7 @@ function useproxy_changed(obj) { if ($savemsg) print_info_box($savemsg); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="openvpn export"> <tr> <td> <?php @@ -542,11 +578,11 @@ function useproxy_changed(obj) { <tr> <td id="mainarea"> <div class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area"> <tr> <td width="22%" valign="top" class="vncellreq">Remote Access Server</td> <td width="78%" class="vtable"> - <select name="server" id="server" class="formselect" onChange="server_changed()"> + <select name="server" id="server" class="formselect" onchange="server_changed()"> <?php foreach($ras_server as & $server): ?> <option value="<?=$server['sindex'];?>"><?=$server['name'];?></option> <?php endforeach; ?> 
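Review bot: The Android link in the `@@ -473,20` hunk closes with `<\a>` instead of `<\/a>` — `"<a href='javascript:download_begin(\"confinlinedroid\"," + i + ")'>Android<\a>"` — so the characters `<\a>` are most likely rendered as text after the link and the anchor stays open until the next `<a>`. The other two copies of this menu in the `@@ -408,20` and `@@ -437,30` hunks have it right. The fix is the one-character change to `Android<\/a>`. server_changed starts and ends outside this hunk.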
@@ -556,10 +592,10 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Host Name Resolution</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="name resolution"> <tr> <td> - <select name="useaddr" id="useaddr" class="formselect" onChange="useaddr_changed(this)"> + <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> @@ -567,11 +603,16 @@ function useproxy_changed(obj) { <option value="<?php echo $ddns["host"] ?>">DynDNS: <?php echo $ddns["host"] ?></option> <?php endforeach; ?> <?php endif; ?> + <?php if (is_array($config['dnsupdates']['dnsupdate'])): ?> + <?php foreach ($config['dnsupdates']['dnsupdate'] as $ddns): ?> + <option value="<?php echo $ddns["host"] ?>">DynDNS: <?php echo $ddns["host"] ?></option> + <?php endforeach; ?> + <?php endif; ?> <option value="other">Other</option> </select> <br /> - <div style="display:none;" name="HostName" id="HostName"> - <input name="useaddr_hostname" id="useaddr_hostname" /> + <div style="display:none;" id="HostName"> + <input name="useaddr_hostname" id="useaddr_hostname" size="40" /> <span class="vexpl"> Enter the hostname or IP address the client will use to connect to this server. </span> @@ -584,10 +625,10 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Quote Server CN</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="quote server cn"> <tr> <td> - <input name="quoteservercn" id="quoteservercn" type="checkbox" value="yes"> + <input name="quoteservercn" id="quoteservercn" type="checkbox" value="yes" /> </td> <td> <span class="vexpl"> 
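Review bot: The five lines added in the `@@ -567,11 +603,16` hunk echo `$ddns["host"]` into an attribute value and into element text without `htmlspecialchars()`, copying the unescaped pattern of the dyndns block above rather than correcting it. The value is read from the saved config rather than from the request, so the exposure is limited to what an administrator stored, but a host containing `"` or `<` still breaks the `<option>` markup; `<?php echo htmlspecialchars($ddns["host"]) ?>` in both places is the usual form. The label `DynDNS:` is also reused for the `dnsupdates` entries, so the two lists are indistinguishable in the dropdown — if these are the RFC 2136 update entries, a distinct prefix such as `RFC 2136:` would tell them apart.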
@@ -601,10 +642,10 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Certificate Export Options</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="export options"> <tr> <td> - <input name="usetoken" id="usetoken" type="checkbox" value="yes"> + <input name="usetoken" id="usetoken" type="checkbox" value="yes" /> </td> <td> <span class="vexpl"> @@ -613,10 +654,10 @@ function useproxy_changed(obj) { </td> </tr> </table> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="checkbox for password"> <tr> <td> - <input name="usepass" id="usepass" type="checkbox" value="yes" onClick="usepass_changed()"> + <input name="usepass" id="usepass" type="checkbox" value="yes" onclick="usepass_changed()" /> </td> <td> <span class="vexpl"> @@ -625,7 +666,7 @@ function useproxy_changed(obj) { </td> </tr> </table> - <table border="0" cellpadding="2" cellspacing="0" id="usepass_opts" style="display:none"> + <table border="0" cellpadding="2" cellspacing="0" id="usepass_opts" style="display:none" summary="password"> <tr> <td align="right"> <span class="vexpl"> 
@@ -650,57 +691,70 @@ function useproxy_changed(obj) { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Use HTTP Proxy</td> + <td width="22%" valign="top" class="vncell">Use Proxy</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="http proxy"> <tr> <td> - <input name="useproxy" id="useproxy" type="checkbox" value="yes" onClick="useproxy_changed(this)"> + <input name="useproxy" id="useproxy" type="checkbox" value="yes" onclick="useproxy_changed(this)" /> </td> <td> <span class="vexpl"> - Use HTTP proxy to communicate with the server. + Use proxy to communicate with the server. </span> </td> </tr> </table> - <table border="0" cellpadding="2" cellspacing="0" id="useproxy_opts" style="display:none"> + <table border="0" cellpadding="2" cellspacing="0" id="useproxy_opts" style="display:none" summary="user options"> <tr> - <td align="right" width='25%'> + <td align="right" width="25%"> + <span class="vexpl"> + Type : + </span> + </td> + <td> + <select name="useproxytype" id="useproxytype" class="formselect"> + <option value="http">HTTP</option> + <option value="socks">Socks</option> + </select> + </td> + </tr> + <tr> + <td align="right" width="25%"> <span class="vexpl"> IP Address : </span> </td> <td> - <input name="proxyaddr" id="proxyaddr" class="formfld unknown" size="20" value="" /> + <input name="proxyaddr" id="proxyaddr" class="formfld unknown" size="30" value="" /> </td> </tr> <tr> - <td align="right" width='25%'> + <td align="right" width="25%"> <span class="vexpl"> Port : </span> + </td> <td> <input name="proxyport" id="proxyport" class="formfld unknown" size="5" value="" /> </td> </tr> - <br /> <tr> <td width="25%"> - + <br /> </td> <td> - <select name="useproxypass" id="useproxypass" class="formselect" onChange="useproxy_changed(this)"> + <select name="useproxypass" id="useproxypass" class="formselect" onchange="useproxy_changed(this)"> <option 
value="none">none</option> <option value="basic">basic</option> <option value="ntlm">ntlm</option> </select> <span class="vexpl"> - Choose HTTP proxy authentication if any. + Choose proxy authentication if any. </span> <br /> - <table border="0" cellpadding="2" cellspacing="0" id="useproxypass_opts" style="display:none"> + <table border="0" cellpadding="2" cellspacing="0" id="useproxypass_opts" style="display:none" summary="name and password"> <tr> <td align="right" width="25%"> <span class="vexpl"> @@ -726,6 +780,7 @@ function useproxy_changed(obj) { <span class="vexpl"> Confirm : </span> + </td> <td> <input name="proxyconf" id="proxyconf" type="password" class="formfld pwd" size="20" value="" /> </td> @@ -739,16 +794,16 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Management Interface<br/>OpenVPNManager</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="openvpn manager"> <tr> <td> - <input name="openvpnmanager" id="openvpnmanager" type="checkbox" value="yes"> + <input name="openvpnmanager" id="openvpnmanager" type="checkbox" value="yes" /> </td> <td> <span class="vexpl"> This will change the generated .ovpn configuration to allow for usage of the management interface. And include the OpenVPNManager program in the "Windows Installers". With this OpenVPN can be used also by non-administrator users. - This is also usefull for Windows7/Vista systems where elevated permissions are needed to add routes to the system. + This is also useful for Windows Vista/7/8 systems where elevated permissions are needed to add routes to the system. </span> </td> </tr> 
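Review bot: The new `useproxytype` select in the `@@ -650,57 +691,70` hunk offers `socks` alongside the existing `useproxypass` choices `basic` and `ntlm`, but nothing in the form constrains the combination, so a user can pick a SOCKS proxy with NTLM authentication and get no feedback. If the export code maps these to OpenVPN's `http-proxy` and `socks-proxy` directives (that code is outside this diff), `ntlm` has no SOCKS equivalent, so the invalid pair should either be rejected server-side with an `$input_errors[]` entry or hidden client-side by `useproxy_changed`. The same select is added to vpn_openvpn_export_shared.php in the `@@ -335,57 +339,70` hunk. The `summary="user options"` on the options table is also misleading; `summary="proxy options"` describes it.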
@@ -761,7 +816,7 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Additional configuration options</td> <td width="78%" class="vtable"> - <textarea rows="6" cols="78" name="advancedoptions" id="advancedoptions"></textarea><br/> + <textarea rows="6" cols="68" name="advancedoptions" id="advancedoptions"></textarea><br/> <?=gettext("Enter any additional options you would like to add to the OpenVPN client export configuration here, separated by a line break or semicolon"); ?><br/> <?=gettext("EXAMPLE: remote-random"); ?>; </td> 
@@ -770,27 +825,43 @@ function useproxy_changed(obj) { <td colspan="2" valign="top" class="listtopic">Client Install Packages</td> </tr> </table> - <table width="100%" id="users" width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" id="users" border="0" cellpadding="0" cellspacing="0" summary="heading"> <tr> <td width="25%" class="listhdrr"><?=gettext("User");?></td> - <td width="50%" class="listhdrr"><?=gettext("Certificate Name");?></td> - <td width="25%" class="listhdrr"><?=gettext("Export");?></td> + <td width="35%" class="listhdrr"><?=gettext("Certificate Name");?></td> + <td width="40%" class="listhdrr"><?=gettext("Export");?></td> </tr> </table> - <table width="100%" width="100%" border="0" cellpadding="5" cellspacing="10"> + <table width="100%" border="0" cellpadding="0" cellspacing="5" summary="note"> <tr> <td align="right" valign="top" width="5%"><?= gettext("NOTE:") ?></td> <td><?= gettext("If you expect to see a certain client in the list but it is not there, it is usually due to a CA mismatch between the OpenVPN server instance and the client certificates found in the User Manager.") ?></td> </tr> + <tr> + <td colspan="2"><br/><strong><?= gettext("Links to OpenVPN clients for various platforms:") ?></strong></td> + </tr> + <tr> + <td> </td> + <td> + <a href="http://openvpn.net/index.php/open-source/downloads.html"><?= gettext("OpenVPN Community Client") ?></a> - <?=gettext("Binaries for Windows, Source for other platforms. 
Packaged above in the Windows Installers")?> + <br/><a href="https://play.google.com/store/apps/details?id=de.blinkt.openvpn"><?= gettext("OpenVPN For Android") ?></a> - <?=gettext("Recommended client for Android")?> + <br/><a href="http://www.featvpn.com/"><?= gettext("FEAT VPN For Android") ?></a> - <?=gettext("For older versions of Android")?> + <br/><?= gettext("OpenVPN Connect") ?>: <a href="https://play.google.com/store/apps/details?id=net.openvpn.openvpn"><?=gettext("Android (Google Play)")?></a> or <a href="https://itunes.apple.com/us/app/openvpn-connect/id590379981"><?=gettext("iOS (App Store)")?></a> - <?= gettext("Recommended client for iOS") ?> + <br/><a href="http://www.sparklabs.com/viscosity/"><?= gettext("Viscosity") ?></a> - <?= gettext("Recommended client for Mac OSX") ?> + <br/><a href="http://code.google.com/p/tunnelblick/"><?= gettext("Tunnelblick") ?></a> - <?= gettext("Free client for OSX") ?> + </td> + </tr> </table> </div> </td> </tr> </table> -<script language="JavaScript"> -<!-- +<script type="text/javascript"> +//<![CDATA[ server_changed(); -//--> +//]]> </script> -</body> + <?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/openvpn-client-export/vpn_openvpn_export_shared.php b/config/openvpn-client-export/vpn_openvpn_export_shared.php index d2a555e7..da77870a 100644 --- a/config/openvpn-client-export/vpn_openvpn_export_shared.php +++ b/config/openvpn-client-export/vpn_openvpn_export_shared.php @@ -3,7 +3,7 @@ vpn_openvpn_export.php Copyright (C) 2008 Shrew Soft Inc. - Copyright (C) 2010 Ermal Luçi + Copyright (C) 2010 Ermal Luçi All rights reserved. Redistribution and use in source and binary forms, with or without 
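Review bot: Four of the new client download links in the `@@ -770,27 +825,43` hunk point at plain `http://` URLs (openvpn.net, featvpn.com, sparklabs.com, code.google.com) while the two app-store links use `https://`. These are links to VPN client installers, so a clear-text link is exactly where an on-path party could substitute a download page; use `https://` for each site that serves it. The `gettext()` strings on the same lines are echoed without escaping, which matches the rest of the file, but the ` - ` separators mixed with `<br/>` make the list awkward to extend — a `<ul>` would read the same and be simpler to maintain.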
@@ -98,6 +98,7 @@ if(($act == "skconf") || ($act == "skzipconf")) { $input_errors[] = "You need to specify a port for the proxy ip."; } else $proxy['port'] = $_GET['proxy_port']; + $proxy['proxy_type'] = $_GET['proxy_type']; $proxy['proxy_authtype'] = $_GET['proxy_authtype']; if ($_GET['proxy_authtype'] != "none") { if (empty($_GET['proxy_user'])) { @@ -151,9 +152,9 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<script language="JavaScript"> - var viscosityAvailable = false; -<!-- +<script type="text/javascript"> +//<![CDATA[ +var viscosityAvailable = false; var servers = new Array(); <?php foreach ($ras_server as $sindex => $server): ?> @@ -193,6 +194,8 @@ function download_begin(act) { if (document.getElementById("useproxypass").value != 'none') useproxypass = 1; + var proxytype = document.getElementById("useproxytype").value; + var proxyauth = document.getElementById("useproxypass").value; var proxyuser = document.getElementById("proxyuser").value; var proxypass = document.getElementById("proxypass").value; @@ -218,6 +221,7 @@ function download_begin(act) { dlurl += "&srvid=" + servers[index][0]; dlurl += "&useaddr=" + useaddr; if (useproxy) { + dlurl += "&proxy_type=" + escape(proxytype); dlurl += "&proxy_addr=" + proxyaddr; dlurl += "&proxy_port=" + proxyport; dlurl += "&proxy_authtype=" + proxyauth; @@ -245,9 +249,9 @@ function server_changed() { cell0.className = "listlr"; cell0.innerHTML = "Other Shared Key OS Client"; cell1.className = "listr"; - cell1.innerHTML = "<a href='javascript:download_begin(\"skconf\")'>Configuration</a>"; - cell1.innerHTML += "<br/>"; - cell1.innerHTML += "<a href='javascript:download_begin(\"skzipconf\")'>Configuration archive</a>"; + cell1.innerHTML = "<a href='javascript:download_begin(\"skconf\")'>Configuration<\/a>"; + cell1.innerHTML += "<br\/>"; + cell1.innerHTML += "<a href='javascript:download_begin(\"skzipconf\")'>Configuration archive<\/a>"; } } 
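Review bot: `$proxy['proxy_type'] = $_GET['proxy_type'];` in the `@@ -98,6 +98,7` hunk copies the request value straight into the proxy settings, unlike the port check two lines above which validates before assigning. The only values the form offers are `http` and `socks`, so the assignment should be guarded the same way: `if (!in_array($_GET['proxy_type'], array("http", "socks"))) $input_errors[] = "Invalid proxy type.";` followed by `else $proxy['proxy_type'] = $_GET['proxy_type'];`. Where `$proxy['proxy_type']` is consumed is outside this diff, so whether a stray value reaches the generated configuration unchanged cannot be confirmed here. The enclosing `if(($act == "skconf") || ($act == "skzipconf"))` block starts before the hunk.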
@@ -263,13 +267,13 @@ function useaddr_changed(obj) { function useproxy_changed(obj) { if ((obj.id == "useproxy" && obj.checked) || - $(obj.id + 'pass').value != 'none') { + (obj.id == "useproxypass" && (obj.value != 'none'))) { $(obj.id + '_opts').show(); } else { $(obj.id + '_opts').hide(); } } -//--> +//]]> </script> <?php if ($input_errors) @@ -277,7 +281,7 @@ function useproxy_changed(obj) { if ($savemsg) print_info_box($savemsg); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="openvpn export shared"> <tr> <td> <?php @@ -295,11 +299,11 @@ function useproxy_changed(obj) { <tr> <td id="mainarea"> <div class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area"> <tr> <td width="22%" valign="top" class="vncellreq">Shared Key Server</td> <td width="78%" class="vtable"> - <select name="server" id="server" class="formselect" onChange="server_changed()"> + <select name="server" id="server" class="formselect" onchange="server_changed()"> <?php foreach($ras_server as & $server): ?> <option value="<?=$server['sindex'];?>"><?=$server['name'];?></option> <?php endforeach; ?> @@ -309,10 +313,10 @@ function useproxy_changed(obj) { <tr> <td width="22%" valign="top" class="vncell">Host Name Resolution</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="host name resolution"> <tr> <td> - <select name="useaddr" id="useaddr" class="formselect" onChange="useaddr_changed(this)"> + <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> 
@@ -323,8 +327,8 @@ function useproxy_changed(obj) { <option value="other">Other</option> </select> <br /> - <div style="display:none;" name="HostName" id="HostName"> - <input name="useaddr_hostname" id="useaddr_hostname" /> + <div style="display:none;" id="HostName"> + <input name="useaddr_hostname" id="useaddr_hostname" size="40" /> <span class="vexpl"> Enter the hostname or IP address the client will use to connect to this server. </span> 
@@ -335,57 +339,70 @@ function useproxy_changed(obj) { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Use HTTP Proxy</td> + <td width="22%" valign="top" class="vncell">Use Proxy</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0"> + <table border="0" cellpadding="2" cellspacing="0" summary="http proxy"> <tr> <td> - <input name="useproxy" id="useproxy" type="checkbox" value="yes" onClick="useproxy_changed(this)"> + <input name="useproxy" id="useproxy" type="checkbox" value="yes" onclick="useproxy_changed(this)" /> </td> <td> <span class="vexpl"> - Use HTTP proxy to communicate with the server. + Use proxy to communicate with the server. </span> </td> </tr> </table> - <table border="0" cellpadding="2" cellspacing="0" id="useproxy_opts" style="display:none"> + <table border="0" cellpadding="2" cellspacing="0" id="useproxy_opts" style="display:none" summary="user options"> <tr> - <td align="right" width='25%'> + <td align="right" width="25%"> + <span class="vexpl"> + Type : + </span> + </td> + <td> + <select name="useproxytype" id="useproxytype" class="formselect"> + <option value="http">HTTP</option> + <option value="socks">Socks</option> + </select> + </td> + </tr> + <tr> + <td align="right" width="25%"> <span class="vexpl"> IP Address : </span> </td> <td> - <input name="proxyaddr" id="proxyaddr" class="formfld unknown" size="20" value="" /> + <input name="proxyaddr" id="proxyaddr" class="formfld unknown" size="30" value="" /> </td> </tr> <tr> - <td align="right" width='25%'> + <td align="right" width="25%"> <span class="vexpl"> Port : </span> + </td> <td> <input name="proxyport" id="proxyport" class="formfld unknown" size="5" value="" /> </td> </tr> - <br /> <tr> <td width="25%"> - + <br /> </td> <td> - <select name="useproxypass" id="useproxypass" class="formselect" onChange="useproxy_changed(this)"> + <select name="useproxypass" id="useproxypass" class="formselect" onchange="useproxy_changed(this)"> <option 
value="none">none</option> <option value="basic">basic</option> <option value="ntlm">ntlm</option> </select> <span class="vexpl"> - Choose HTTP proxy authentication if any. + Choose proxy authentication if any. </span> <br /> - <table border="0" cellpadding="2" cellspacing="0" id="useproxypass_opts" style="display:none"> + <table border="0" cellpadding="2" cellspacing="0" id="useproxypass_opts" style="display:none" summary="name and password"> <tr> <td align="right" width="25%"> <span class="vexpl"> @@ -411,6 +428,7 @@ function useproxy_changed(obj) { <span class="vexpl"> Confirm : </span> + </td> <td> <input name="proxyconf" id="proxyconf" type="password" class="formfld pwd" size="20" value="" /> </td> 
@@ -428,26 +446,27 @@ function useproxy_changed(obj) { <td colspan="2" valign="top" class="listtopic">Client Configuration Packages</td> </tr> </table> - <table width="100%" id="clients" width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" id="clients" border="0" cellpadding="0" cellspacing="0" summary="heading"> <tr> <td width="25%" class="listhdrr"><?=gettext("Client Type");?></td> <td width="50%" class="listhdrr"><?=gettext("Export");?></td> </tr> </table> - <table width="100%" width="100%" border="0" cellpadding="5" cellspacing="10"> + <table width="100%" border="0" cellpadding="5" cellspacing="10" summary="note"> <tr> <td align="right" valign="top" width="5%"><?= gettext("NOTE:") ?></td> - <td><?= gettext("NOTE: These are shared key configurations for use in site-to-site tunnels with other routers. Shared key tunnels are not normally used for remote access connections to end users.") ?></td> + <td><?= gettext("These are shared key configurations for use in site-to-site tunnels with other routers. Shared key tunnels are not normally used for remote access connections to end users.") ?></td> </tr> </table> </div> </td> </tr> </table> -<script language="JavaScript"> -<!-- +<script type="text/javascript"> +//<![CDATA[ server_changed(); -//--> +//]]> </script> -</body> <?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_203.patch b/config/openvpn_tapfix_20x/openvpn_tapfix_203.patch new file mode 100644 index 00000000..897a1199 --- /dev/null +++ b/config/openvpn_tapfix_20x/openvpn_tapfix_203.patch 
@@ -0,0 +1,290 @@ +diff --git /etc/inc/openvpn.inc.orig /etc/inc/openvpn.inc +index 777b395..701a032 100644 +--- a/etc/inc/openvpn.inc ++++ b/etc/inc/openvpn.inc +@@ -394,19 +394,37 @@ function openvpn_reconfigure($mode, $settings) { + // If the CIDR is less than a /30, OpenVPN will complain if you try to + // use the server directive. It works for a single client without it. + // See ticket #1417 +- if ($cidr < 30) { ++ if (!empty($ip) && !empty($mask) && ($cidr < 30)) { + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + } + case 'p2p_shared_key': +- list($ip1, $ip2) = openvpn_get_interface_ip($ip, $mask); +- $conf .= "ifconfig $ip1 $ip2\n"; ++ if (!empty($ip) && !empty($mask)) { ++ list($ip1, $ip2) = openvpn_get_interface_ip($ip, $mask); ++ $conf .= "ifconfig $ip1 $ip2\n"; ++ } + break; + case 'server_tls': + case 'server_user': + case 'server_tls_user': +- $conf .= "server {$ip} {$mask}\n"; +- $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; ++ if (!empty($ip) && !empty($mask)) { ++ $conf .= "server {$ip} {$mask}\n"; ++ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; ++ } else { ++ if ($settings['serverbridge_dhcp']) { ++ if ((!empty($settings['serverbridge_interface'])) && (strcmp($settings['serverbridge_interface'], "none"))) { ++ $biface_ip=get_interface_ip($settings['serverbridge_interface']); ++ $biface_sm=gen_subnet_mask(get_interface_subnet($settings['serverbridge_interface'])); ++ if (is_ipaddr($biface_ip) && is_ipaddr($settings['serverbridge_dhcp_start']) && is_ipaddr($settings['serverbridge_dhcp_end'])) { ++ $conf .= "server-bridge {$biface_ip} {$biface_sm} {$settings['serverbridge_dhcp_start']} {$settings['serverbridge_dhcp_end']}\n"; ++ } else { ++ $conf .= "mode server\n"; ++ } ++ } else { ++ $conf .= "mode server\n"; ++ } ++ } ++ } + break; + } + +@@ -452,7 +452,9 @@ function openvpn_reconfigure($mode, $settings) { + case 'server_user': + $conf .= 
"client-cert-not-required\n"; + case 'server_tls_user': +- $conf .= "username-as-common-name\n"; ++ /* username-as-common-name is not compatible with server-bridge */ ++ if (stristr($conf, "server-bridge") === false) ++ $conf .= "username-as-common-name\n"; + if (!empty($settings['authmode'])) { + $authcfgs = explode(",", $settings['authmode']); + $sed = "\$authmodes=array("; + +diff --git /usr/local/www/vpn_openvpn_server.php.orig /usr/local/www/vpn_openvpn_server.php +index 0ef67a7..bd9f527 100644 +--- a/usr/local/www/vpn_openvpn_server.php ++++ b/usr/local/www/vpn_openvpn_server.php +@@ -147,6 +147,11 @@ if($_GET['act']=="edit"){ + $pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip']; + $pconfig['pool_enable'] = $a_server[$id]['pool_enable']; + ++ $pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp']; ++ $pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface']; ++ $pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start']; ++ $pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end']; ++ + $pconfig['dns_domain'] = $a_server[$id]['dns_domain']; + if ($pconfig['dns_domain']) + $pconfig['dns_domain_enable'] = true; +@@ -188,7 +193,6 @@ if($_GET['act']=="edit"){ + $pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']); + } + } +- + if ($_POST) { + + unset($input_errors); +@@ -284,9 +288,22 @@ if ($_POST) { + $reqdfieldsn = array(gettext('Shared key')); + } + +- $reqdfields[] = 'tunnel_network'; +- $reqdfieldsn[] = gettext('Tunnel network'); +- ++ if ($pconfig['dev_mode'] != "tap") { ++ $reqdfields[] = 'tunnel_network'; ++ $reqdfieldsn[] = gettext('Tunnel network'); ++ } else { ++ if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) ++ $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed."); ++ if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) ++ || (!$pconfig['serverbridge_dhcp_start'] && 
$pconfig['serverbridge_dhcp_end'])) ++ $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined."); ++ if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddr($pconfig['serverbridge_dhcp_start']))) ++ $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address."); ++ if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddr($pconfig['serverbridge_dhcp_end']))) ++ $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address."); ++ if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) ++ $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); ++ } + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { +@@ -341,6 +358,11 @@ if ($_POST) { + $server['dynamic_ip'] = $pconfig['dynamic_ip']; + $server['pool_enable'] = $pconfig['pool_enable']; + ++ $server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp']; ++ $server['serverbridge_interface'] = $pconfig['serverbridge_interface']; ++ $server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start']; ++ $server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end']; ++ + if ($pconfig['dns_domain_enable']) + $server['dns_domain'] = $pconfig['dns_domain']; + +@@ -559,6 +581,56 @@ function netbios_change() { + } + } + ++function tuntap_change() { ++ ++ mindex = document.iform.mode.selectedIndex; ++ mvalue = document.iform.mode.options[mindex].value; ++ ++ switch(mvalue) { ++ case "p2p_tls": ++ case "p2p_shared_key": ++ p2p = true; ++ break; ++ default: ++ p2p = false; ++ break; ++ } ++ ++ index = document.iform.dev_mode.selectedIndex; ++ value = document.iform.dev_mode.options[index].value; ++ switch(value) { ++ case "tun": ++ document.getElementById("ipv4_tunnel_network").className="vncellreq"; ++ document.getElementById("serverbridge_dhcp").style.display="none"; ++ 
document.getElementById("serverbridge_interface").style.display="none"; ++ document.getElementById("serverbridge_dhcp_start").style.display="none"; ++ document.getElementById("serverbridge_dhcp_end").style.display="none"; ++ break; ++ case "tap": ++ document.getElementById("ipv4_tunnel_network").className="vncell"; ++ if (!p2p) { ++ document.getElementById("serverbridge_dhcp").style.display=""; ++ document.getElementById("serverbridge_interface").style.display=""; ++ document.getElementById("serverbridge_dhcp_start").style.display=""; ++ document.getElementById("serverbridge_dhcp_end").style.display=""; ++ if (document.iform.serverbridge_dhcp.checked) { ++ document.iform.serverbridge_interface.disabled = false; ++ document.iform.serverbridge_dhcp_start.disabled = false; ++ document.iform.serverbridge_dhcp_end.disabled = false; ++ } else { ++ document.iform.serverbridge_interface.disabled = true; ++ document.iform.serverbridge_dhcp_start.disabled = true; ++ document.iform.serverbridge_dhcp_end.disabled = true; ++ } ++ } else { ++ document.iform.serverbridge_dhcp.disabled = true; ++ document.iform.serverbridge_interface.disabled = true; ++ document.iform.serverbridge_dhcp_start.disabled = true; ++ document.iform.serverbridge_dhcp_end.disabled = true; ++ } ++ break; ++ } ++} + //--> + </script> + <?php +@@ -619,7 +691,7 @@ if ($savemsg) + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server Mode");?></td> + <td width="78%" class="vtable"> +- <select name='mode' id='mode' class="formselect" onchange='mode_change()'> ++ <select name='mode' id='mode' class="formselect" onchange='mode_change(); tuntap_change()'> + <?php + foreach ($openvpn_server_modes as $name => $desc): + $selected = ""; +@@ -666,7 +738,7 @@ if ($savemsg) + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Device Mode"); ?></td> + <td width="78%" class="vtable"> +- <select name="dev_mode" class="formselect"> ++ <select name="dev_mode" class="formselect" 
onchange='tuntap_change()'> + <?php + foreach ($openvpn_dev_mode as $device): + $selected = ""; +@@ -976,7 +1048,7 @@ if ($savemsg) + <td colspan="2" valign="top" class="listtopic"><?=gettext("Tunnel Settings"); ?></td> + </tr> + <tr> +- <td width="22%" valign="top" class="vncellreq"><?=gettext("Tunnel Network"); ?></td> ++ <td width="22%" valign="top" class="vncellreq" id="ipv4_tunnel_network"><?=gettext("Tunnel Network"); ?></td> + <td width="78%" class="vtable"> + <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>"> + <br> +@@ -989,6 +1061,76 @@ if ($savemsg) + "to connecting clients. (see Address Pool)"); ?> + </td> + </tr> ++ <tr id="serverbridge_dhcp"> ++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge DHCP"); ?></td> ++ <td width="78%" class="vtable"> ++ <table border="0" cellpadding="2" cellspacing="0"> ++ <tr> ++ <td> ++ <?php set_checked($pconfig['serverbridge_dhcp'],$chk); ?> ++ <input name="serverbridge_dhcp" type="checkbox" value="yes" <?=$chk;?> onchange='tuntap_change()' /> ++ </td> ++ <td> ++ <span class="vexpl"> ++ <?=gettext("Allow clients on the bridge to obtain DHCP."); ?><br> ++ </span> ++ </td> ++ </tr> ++ </table> ++ </td> ++ </tr> ++ <tr id="serverbridge_interface"> ++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge Interface"); ?></td> ++ <td width="78%" class="vtable"> ++ <select name="serverbridge_interface" class="formselect"> ++ <?php ++ $serverbridge_interface['none'] = "none"; ++ $serverbridge_interface = array_merge($serverbridge_interface, get_configured_interface_with_descr()); ++ $carplist = get_configured_carp_interface_list(); ++ foreach ($carplist as $cif => $carpip) ++ $serverbridge_interface[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")"; ++ $aliaslist = get_configured_ip_aliases_list(); ++ foreach ($aliaslist as $aliasip => $aliasif) ++ $serverbridge_interface[$aliasif.'|'.$aliasip] = $aliasip." 
(".get_vip_descr($aliasip).")"; ++ foreach ($serverbridge_interface as $iface => $ifacename): ++ $selected = ""; ++ if ($iface == $pconfig['serverbridge_interface']) ++ $selected = "selected"; ++ ?> ++ <option value="<?=$iface;?>" <?=$selected;?>> ++ <?=htmlspecialchars($ifacename);?> ++ </option> ++ <?php endforeach; ?> ++ </select> <br> ++ <?=gettext("The interface to which this tap instance will be, " . ++ "bridged. This is not done automatically. You must assign this " . ++ "interface and create the bridge separately. " . ++ "This setting controls which existing IP address and subnet " . ++ "mask are used by OpenVPN for the bridge. Setting this to " . ++ "'none' will cause the Server Bridge DHCP settings below to be ignored."); ?> ++ </td> ++ </tr> ++ <tr id="serverbridge_dhcp_start"> ++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td> ++ <td width="78%" class="vtable"> ++ <input name="serverbridge_dhcp_start" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_start']);?>"> ++ <br> ++ <?=gettext("When using tap mode as multi-point server, " . ++ "you may optionally supply a DHCP range to use on the " . ++ "interface to which this tap instance is bridged. " . ++ "If these settings are left blank, DHCP will be passed " . ++ "through to the LAN, and the interface setting above " . 
++ "will be ignored."); ?> ++ </td> ++ </tr> ++ <tr id="serverbridge_dhcp_end"> ++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP End"); ?></td> ++ <td width="78%" class="vtable"> ++ <input name="serverbridge_dhcp_end" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_end']);?>"> ++ <br> ++ <?=gettext(""); ?> ++ </td> ++ </tr> + <tr id="gwredir_opts"> + <td width="22%" valign="top" class="vncell"><?=gettext("Redirect Gateway"); ?></td> + <td width="78%" class="vtable"> +@@ -1486,6 +1628,7 @@ dns_server_change(); + wins_server_change(); + ntp_server_change(); + netbios_change(); ++tuntap_change(); + //--> + </script> + </body> diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc index 197a5e25..8f574212 100644 --- a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc +++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc 
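Review bot: `serverbridge_interface` is copied from the form straight into the saved entry (`$server['serverbridge_interface'] = $pconfig['serverbridge_interface'];`) without being checked against the array the select is built from, and the patched `openvpn.inc` later hands it to `get_interface_ip()`; rejecting any value that is not a key of that array, before `do_input_validation()`, keeps arbitrary strings out of config.xml. The DHCP End row ends with `<?=gettext(""); ?>`, and gettext of the empty string returns the catalog header rather than an empty string once a translation is loaded, so that call should go. The range check `ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])` also runs when the fields are empty or already failed `is_ipaddr`, so it should be conditioned on both values having passed the checks above it.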
@@ -2,15 +2,22 @@ function openvpn_tapfix_20x_install() {
 global $g, $config;
-
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,5);
+ switch ($pfs_version) {
+ case "2.0.3":
+ $patch_file = "openvpn_tapfix_203.patch";
+ break;
+ default:
+ $patch_file = "openvpn_tapfix_20x.patch";
+ }
 // Test to make sure the patch is not already applied.
- $out = `patch -fslC --reverse -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ $out = `patch -fslC --reverse -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/{$patch_file} |& grep -ci reject`;
 if ($out == 0) {
 // If the patch has not already been applied, test to see if it will apply cleanly.
- $out = `patch -fsNlC -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ $out = `patch -fsNlC -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/{$patch_file} |& grep -ci reject`;
 if ($out == 0) {
 // The patch should apply cleanly, let 'er rip.
- mwexec("patch -fsNl -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch ");
+ mwexec("patch -fsNl -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/{$patch_file} ");
 }
 }
 }
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
index 35925ea8..ed4232bb 100644
--- a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
@@ -281,7 +281,7 @@ index 0ef67a7..bd9f527 100644 + </td> + </tr> + <tr id="serverbridge_dhcp_end"> -+ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td> ++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP End"); ?></td> + <td width="78%" class="vtable"> + <input name="serverbridge_dhcp_end" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_end']);?>"> + <br>
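Review bot: The `switch` picks `openvpn_tapfix_203.patch` only for the exact five-character prefix `2.0.3`; every other prefix, including anything from the 2.1 line, falls through to `openvpn_tapfix_20x.patch`, and when that patch does not apply (`$out` non-zero on the second probe) the install ends without a trace. An `else` on the inner `if`, `log_error("openvpn_tapfix_20x: {$patch_file} does not apply cleanly to pfSense {$pfs_version}");`, would make a silently skipped install visible in the system log. The `$out == 0` tests also pass when the backtick command itself fails and returns null, which is worth a comment since it is the path taken when `patch` is missing. The second hunk (label fix inside openvpn_tapfix_20x.patch) needs no review.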
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml index 17a59947..a9754610 100644 --- a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml +++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml @@ -46,7 +46,7 @@ <requirements>pfSense 2.0.x</requirements> <faq>None</faq> <name>OpenVPN tap Bridging Fix</name> - <version>0.1</version> + <version>0.4</version> <title>OpenVPN tap Bridging Fix</title> <include_file>/usr/local/pkg/openvpn_tapfix_20x.inc</include_file> <additional_files_needed> @@ -59,6 +59,11 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_203.patch</item> + </additional_files_needed> <custom_php_install_command> openvpn_tapfix_20x_install(); </custom_php_install_command> diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc index 58b93bb5..c40d742e 100755 --- a/config/pf-blocker/pfblocker.inc +++ b/config/pf-blocker/pfblocker.inc 
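Review bot: The new `<additional_files_needed>` block copies `<chmod>077</chmod>` from the entry above it; if the framework applies that value literally it denies the owner every permission while granting group and other full access, and a patch file only needs to be readable, so `<chmod>0644</chmod>` (the mode the phpsysinfo entry later in this diff uses) is the line to use. The patch is fetched over plain http and then applied to `/etc/inc` and `/usr/local/www` with no checksum, which is inherited from how the package framework installs everything rather than introduced here, but it is the reason the `.patch` file deserves the same scrutiny as the `.inc`.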
@@ -52,29 +52,6 @@ function cb_get_real_interface_address($iface) { return array($ip, long2ip(hexdec($netmask))); } -function pfblocker_Range2CIDR($ip_min, $ip_max) { - #function called without any args - if ($ip_min == "" || $ip_max == "") - return ""; - #function called with same ip in min and max - if ($ip_min == $ip_max) - return $ip_min. "/32"; - #convert ip to decimal numbers - $ip_min_long=ip2long($ip_min); - $ip_max_long=ip2long($ip_max); - #check long results - if ($ip_min_long == -1 || $ip_max_long == -1) - return ""; - #identify bits mask - $bits=(32 -strlen(decbin($ip_max_long - $ip_min_long))); - if ($bits < 0) - return ""; - #identify first ip on range network - $network=long2ip( $ip_min_long & ((1<<32)-(1<<(32-$bits))-1) ); - #print decbin($ip_min_long)."\n".$network."\n"; - return $network . "/". $bits; -} - function sync_package_pfblocker($cron="") { global $g,$config; @@ -290,10 +267,12 @@ function sync_package_pfblocker($cron="") { foreach ($url_list as $line){ # Network range 192.168.0.0-192.168.0.254 if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){ - $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); - if ($cidr != ""){ - ${$alias}.= $cidr."\n"; - $new_file.= $cidr."\n"; + $a_cidr = ip_range_to_subnet_array($matches[1],$matches[2]); + if (is_array($a_cidr)) { + foreach ($a_cidr as $cidr) { + ${$alias}.= $cidr."\n"; + $new_file.= $cidr."\n"; + } } } # CIDR format 192.168.0.0/16 diff --git a/config/pf-blocker/pfblocker_lists.xml b/config/pf-blocker/pfblocker_lists.xml index b9f92b9c..4bde4b49 100755 --- a/config/pf-blocker/pfblocker_lists.xml +++ b/config/pf-blocker/pfblocker_lists.xml 
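Review bot: The two captures passed to `ip_range_to_subnet_array($matches[1],$matches[2])` come from `\d+\.\d+\.\d+\.\d+`, which also matches octets above 255, and nothing in the new branch validates them before the result is appended to the alias and `$new_file`; `if (is_ipaddr($matches[1]) && is_ipaddr($matches[2]))` ahead of the call rejects malformed lines from a downloaded list instead of relying on the helper to cope. The `is_array($a_cidr)` guard covers a failed call, but if the helper returns an empty array for a reversed range (end below start) the line is dropped silently, and a `log_error()` for that case would help when a list is debugged. The removed `pfblocker_Range2CIDR()` in the first hunk is a pure deletion; `sync_package_pfblocker()` continues outside the second hunk.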
@@ -129,7 +129,7 @@ <description><![CDATA[Enter lists Alias Names.<br> Example: Badguys<br> Do not include pfBlocker name, it's done by package.<br> - <strong>International, special or space caracters will be ignored in firewall alias names.</strong><br>]]></description> + <strong>International, special or space characters will be ignored in firewall alias names.</strong><br>]]></description> <type>input</type> <size>20</size> </field> @@ -142,8 +142,8 @@ <field> <fielddescr><![CDATA[Lists]]></fielddescr> <fieldname>none</fieldname> - <description><![CDATA['Format' - Choose the file format that url will retrieve or local file format.<br> - 'Url or local file' - Add direct link to list (Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>, + <description><![CDATA['Format' - Choose the file format that URL will retrieve or local file format.<br> + 'URL or local file' - Add direct link to list (Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>, <a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>, <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a> )<br> <br><strong>Note: </strong><br> @@ -165,7 +165,7 @@ </options> </rowhelperfield> <rowhelperfield> - <fielddescr>Url or localfile</fielddescr> + <fielddescr>URL or localfile</fielddescr> <fieldname>url</fieldname> <type>input</type> <size>75</size> diff --git a/config/phpsysinfo/phpsysinfo.xml b/config/phpsysinfo/phpsysinfo.xml index 3cbe4a5b..116643a4 100644 --- a/config/phpsysinfo/phpsysinfo.xml +++ b/config/phpsysinfo/phpsysinfo.xml 
@@ -75,7 +75,7 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/phpsysinfo/bin/phpsysinfo-2.5.4.tar.gz</item> + <item>http://files.pfsense.org/packages/phpsysinfo-2.5.4.tar.gz</item> </additional_files_needed> <fields> <field> diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc index e64f8cca..193ec6c7 100644..100755 --- a/config/postfix/postfix.inc +++ b/config/postfix/postfix.inc @@ -3,14 +3,14 @@ postfix.inc part of the Postfix package for pfSense Copyright (C) 2010 Erik Fonnesbeck - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -34,6 +34,13 @@ require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("globals.inc"); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +else + define('POSTFIX_LOCALBASE','/usr/local'); + + $uname=posix_uname(); if ($uname['machine']=='amd64') ini_set('memory_limit', '250M'); @@ -57,7 +64,7 @@ function sync_relay_recipients($via_cron="cron"){ if ($config['installedpackages']['postfixrecipients']['config']) { $relay_recipients=""; $relay_ldap_recipients=""; - $ad_export="/usr/local/etc/postfix/adexport.pl"; + $ad_export= "/usr/local/bin/adexport.pl"; $postfix_enabled=$config['installedpackages']['postfix']['config'][0]['enable_postfix']; if (is_array($config['installedpackages']['postfixrecipients']['config'])) { $relay_ldap_recipients=""; 
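Review bot: `if ($pf_version > 2.0)` compares a three-character string prefix against a float, so a missing or unreadable `/etc/version` (`file_get_contents()` returning false) silently selects `/usr/local`, and the decision is taken as a side effect of including the file; `if (version_compare($pf_version, '2.1', '>='))` states the intent, and a `log_error()` when the version cannot be read would surface a wrong `POSTFIX_LOCALBASE` instead of producing it quietly. The `$ad_export` hunk after it only moves the helper path; the two hunks before it are a URL change and a copyright update.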
@@ -73,7 +80,7 @@ function sync_relay_recipients($via_cron="cron"){ #validate cront job if ($via_cron == "gui"){ #running via pfsense gui, not time for ldap fetch. - $ldap_recipients='/usr/local/etc/postfix/relay_ldap_recipients.txt'; + $ldap_recipients= POSTFIX_LOCALBASE. '/etc/postfix/relay_ldap_recipients.txt'; if (!file_exists($ldap_recipients)) system('/usr/bin/touch '. $ldap_recipients); $relay_ldap_recipients=file_get_contents($ldap_recipients); @@ -83,7 +90,7 @@ function sync_relay_recipients($via_cron="cron"){ $ldap_temp=array(); foreach ($postfix_recipients_config['row'] as $postfix_ldap) { print "extracting from ".$postfix_ldap['dc']."..."; - $filename="/usr/local/etc/postfix/relay_ldap_recipients.".$postfix_ldap['dc'].".txt"; + $filename=POSTFIX_LOCALBASE."/etc/postfix/relay_ldap_recipients.".$postfix_ldap['dc'].".txt"; exec($ad_export." ".$postfix_ldap['dc']." ".$postfix_ldap['cn']." ".$postfix_ldap['username']." ".$postfix_ldap['password'],$ldap_fetch,$status); if ($status == 0){ #write backup conf for ldap server 
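Review bot: The rewritten `$filename=POSTFIX_LOCALBASE."/etc/postfix/relay_ldap_recipients.".$postfix_ldap['dc'].".txt";` still builds a path from the configured `dc` value with no restriction on its characters, so a value containing `/` or `..` writes outside the postfix directory; `basename($postfix_ldap['dc'])`, or rejecting anything that does not look like a hostname before this point, keeps the file under `/etc/postfix`. The unchanged `exec($ad_export ...)` line beside it passes the same fields, including the password, into a shell string without `escapeshellarg()`, so validating `dc`, `cn` and `username` once would pay off in both places. `sync_relay_recipients()` starts and ends outside the hunk.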
@@ -115,20 +122,20 @@ function sync_relay_recipients($via_cron="cron"){ $relay_ldap_recipients.=($recipient != ""?preg_replace("/\s+/","",$recipient)." OK\n":""); #save ldap relay recipients - file_put_contents("/usr/local/etc/postfix/relay_ldap_recipients.txt",$relay_ldap_recipients, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/relay_ldap_recipients.txt",$relay_ldap_recipients, LOCK_EX); } } } #save all relay recipients, remove duplicates and reload postfix - $recipients_file="/usr/local/etc/postfix/relay_recipients"; + $recipients_file=POSTFIX_LOCALBASE."/etc/postfix/relay_recipients"; file_put_contents($recipients_file.".unsort",$relay_ldap_recipients."\n".$relay_recipients, LOCK_EX); exec('/usr/bin/sort -u '.$recipients_file.'.unsort > '.$recipients_file); unlink_if_exists($recipients_file.'.unsort'); - exec("/usr/local/sbin/postmap /usr/local/etc/postfix/relay_recipients"); + exec(POSTFIX_LOCALBASE."/sbin/postmap ".POSTFIX_LOCALBASE."/etc/postfix/relay_recipients"); mwexec("/usr/local/sbin/postfix reload"); } if($relay_recipients !="" || $relay_ldap_recipients!="") - return("relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients\n"); + return("relay_recipient_maps = hash:".POSTFIX_LOCALBASE."/etc/postfix/relay_recipients\n"); } function check_cron(){ @@ -137,7 +144,7 @@ function check_cron(){ $new_cron=array(); $cron_cmd_sqlite = ""; $cron_postfix_sqlite=""; - $cron_cmd="/usr/local/bin/php -q /usr/local/www/postfix_recipients.php"; + $cron_cmd= "/usr/local/bin/php -q /usr/local/www/postfix_recipients.php"; $postfix_enabled=$config['installedpackages']['postfix']['config'][0]['enable_postfix']; #check ldap update if (is_array($config['installedpackages']['postfixrecipients']['config'])) 
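Review bot: `mwexec("/usr/local/sbin/postfix reload");` keeps the hard-coded path while the `postmap` call on the line before it and the reload in `postfix_start()` later in this diff both use `POSTFIX_LOCALBASE`; on the PBI layout that constant selects, the reload may name a binary that is not at `/usr/local/sbin`. The line should read `mwexec(POSTFIX_LOCALBASE."/sbin/postfix reload");`. The `check_cron()` hunk that follows is whitespace only; `sync_relay_recipients()` starts outside this hunk.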
@@ -271,9 +278,10 @@ function check_cron(){ } -function sync_package_postfix() { +function sync_package_postfix($via_rpc="no") { global $config; + log_error("sync_package_postfix called with via_rpc={$via_rpc}"); # detect boot process if (is_array($_POST)){ if (preg_match("/\w+/",$_POST['__csrf_magic'])) @@ -282,7 +290,7 @@ function sync_package_postfix() { $boot_process="on"; } - if(is_process_running("master") && isset($boot_process)) + if(is_process_running("master") && isset($boot_process) && $via_rpc=="no") return; #check patch in /etc/inc/config. @@ -353,17 +361,23 @@ function sync_package_postfix() { $copyright=<<<ABOUT #Part of the Postfix package for pfSense #Copyright (C) 2010 Erik Fonnesbeck -#Copyright (C) 2011 Marcello Coutinho +#Copyright (C) 2011-2013 Marcello Coutinho #All rights reserved. #DO NOT EDIT THIS FILE ABOUT; +$pf_dir=POSTFIX_LOCALBASE; $postfix_main=<<<EOF #main.cf\ {$copyright} -mynetworks = /usr/local/etc/postfix/mynetwork_table +mynetworks = {$pf_dir}/etc/postfix/mynetwork_table mynetworks_style = host +access_map_reject_code= 554 +access_map_defer_code = 451 +unverified_recipient_reject_code = 550 +unknown_client_reject_code = 550 +unknown_hostname_reject_code = 550 EOF; #Header Maps 
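Review bot: `$via_rpc` is a string flag compared with `==` here and again in the `@@ -282` and `@@ -704` hunks, and under PHP's loose comparison `true == "no"` and `true == "yes"` both hold, so a caller passing a boolean takes whichever branch is tested first; using `===` in the three comparisons, or a `bool $via_rpc = false` parameter tested with `!$via_rpc` / `$via_rpc`, removes the ambiguity. The new `log_error("sync_package_postfix called with via_rpc={$via_rpc}")` fires on every sync including boot; if it is debugging output it should say so or be removed. `sync_package_postfix()` continues outside the hunk.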
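Review bot: The new `unverified_recipient_reject_code = 550`, `unknown_client_reject_code = 550` and `unknown_hostname_reject_code = 550` lines turn conditions Postfix answers with 450 by default into permanent rejections, so an intermittent DNS failure during `reject_unknown_client_hostname` or a verification probe that fails because the relay destination is briefly unreachable bounces mail instead of deferring it. Postfix keeps these at 450 precisely because they depend on DNS and probe results; a comment in the heredoc explaining why 550 was chosen, or leaving them at the defaults until the deployment has proven reliable, is the safer choice. The same concern applies to `reject_unverified_recipient` added in the `@@ -477` hunk later in this diff, and the enclosing function continues outside this hunk.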
@@ -373,22 +387,26 @@ EOF; } #Header Maps if ($config['installedpackages']['postfixacl']['config'][0]['header_maps']){ - $postfix_main .= "header_checks = pcre:/usr/local/etc/postfix/header_check\n"; + $postfix_main .= "header_checks = pcre:".POSTFIX_LOCALBASE."/etc/postfix/header_check\n"; $postfix_main .= "header_size_limit = 1024000\n"; $header_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['header_maps']); } + #Helo Maps + if ($config['installedpackages']['postfixacl']['config'][0]['helo_maps']){ + $helo_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['helo_maps']); + } #Sender access if ($config['installedpackages']['postfixacl']['config'][0]['sender_access']){ $sender_access = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['sender_access']); } #MIME Maps if ($config['installedpackages']['postfixacl']['config'][0]['mime_maps']){ - $postfix_main .= "mime_header_checks = pcre:/usr/local/etc/postfix/mime_check\n"; + $postfix_main .= "mime_header_checks = pcre:".POSTFIX_LOCALBASE."/etc/postfix/mime_check\n"; $mime_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['mime_maps']); } #Body Maps if ($config['installedpackages']['postfixacl']['config'][0]['body_maps']){ - $postfix_main .= "body_checks = pcre:/usr/local/etc/postfix/body_check\n"; + $postfix_main .= "body_checks = pcre:".POSTFIX_LOCALBASE."/etc/postfix/body_check\n"; $body_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['body_maps']); } #Client CIDR @@ -406,7 +424,7 @@ EOF; } $postfix_main .= px_text_area_decode($postfix_config['maincf'])."\n". "relay_domains ={$relay_domains}\n" . - "transport_maps = hash:/usr/local/etc/postfix/transport\n" . + "transport_maps = hash:".POSTFIX_LOCALBASE."/etc/postfix/transport\n" . "local_recipient_maps =\n" . $all_relay_recipients. "mydestination =\n" . 
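Review bot: `$helo_check` is assigned only inside `if ($config['installedpackages']['postfixacl']['config'][0]['helo_maps'])`, but the write-out hunk later in this diff unconditionally runs `file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/helo_check", $helo_check, LOCK_EX);`, so with no HELO map configured it writes an undefined variable (an empty file plus a notice). Initialising `$helo_check = "";` before the `#Helo Maps` block, as a sibling of the other `*_check` tables, makes the empty-table case explicit. The `@@ -406` hunk after it is a path change only; `sync_package_postfix()` continues outside both hunks.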
@@ -444,7 +462,16 @@ EOF; break; } } - $reject_unknown_helo_hostname=($antispam['reject_unknown_helo_hostname']?"reject_unknown_helo_hostname":""); + if ($antispam['reject_unknown_helo_hostname']){ + $reject_unknown_helo_hostname = <<<EOF +smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check, + reject_unknown_helo_hostname, + reject_invalid_helo_hostname, + reject_non_fqdn_helo_hostname, + permit + +EOF; + } if ($antispam['header_check'] == "strong") { $postfix_main .= <<<EOF @@ -456,7 +483,7 @@ smtpd_delay_reject = yes # Don't talk to mail systems that don't know their own hostname. smtpd_helo_required = yes -smtpd_helo_restrictions ={$reject_unknown_helo_hostname} +{$reject_unknown_helo_hostname} smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, @@ -467,8 +494,8 @@ smtpd_sender_restrictions = reject_non_fqdn_sender, # Allow connections from specified local clients and strong check everybody else. smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, - check_client_access pcre:/usr/local/etc/postfix/cal_pcre, - check_client_access cidr:/usr/local/etc/postfix/cal_cidr, + check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre, + check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr, reject_unknown_client_hostname, reject_unauth_pipelining, reject_multi_recipient_bounce, 
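Review bot: The rewrite drops the old ternary's empty branch, so when the `reject_unknown_helo_hostname` option is off `$reject_unknown_helo_hostname` is never assigned and the heredocs in the next two hunks interpolate an undefined variable; keeping `$reject_unknown_helo_hostname = "";` before the new `if` preserves the previous behaviour explicitly. Because the heredoc now emits the whole `smtpd_helo_restrictions` line, the `check_helo_access pcre:{$pf_dir}/etc/postfix/helo_check` table is consulted only when that option is on, which may not be what a user who filled in HELO maps expects; if the two are meant to be independent, the `check_helo_access` entry belongs outside the conditional. The `@@ -456` and `@@ -467` hunks only substitute paths, and the enclosing function continues outside the hunk.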
@@ -477,14 +504,14 @@ smtpd_client_restrictions = permit_mynetworks, smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, - check_client_access pcre:/usr/local/etc/postfix/cal_pcre, - check_client_access cidr:/usr/local/etc/postfix/cal_cidr, - check_sender_access hash:/usr/local/etc/postfix/sender_access, - reject_invalid_helo_hostname, + check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre, + check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr, + check_sender_access hash:{$pf_dir}/etc/postfix/sender_access, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_multi_recipient_bounce, + reject_unverified_recipient, SPFSPFSPFRBLRBLRBL EOF; @@ -497,7 +524,7 @@ smtpd_delay_reject = yes # Don't talk to mail systems that don't know their own hostname. smtpd_helo_required = yes -smtpd_helo_restrictions = {$reject_unknown_helo_hostname} +{$reject_unknown_helo_hostname} smtpd_sender_restrictions = reject_unknown_sender_domain, RBLRBLRBL 
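Review bot: `reject_invalid_helo_hostname` is removed from the strong profile's `smtpd_recipient_restrictions` and only re-added inside the conditional `smtpd_helo_restrictions` heredoc from the `@@ -444` hunk, so with the `reject_unknown_helo_hostname` option off the strong profile stops rejecting syntactically invalid HELO names, which it did before this change. Either leave `reject_invalid_helo_hostname,` in this list or emit the HELO heredoc unconditionally with only `reject_unknown_helo_hostname` gated on the option. The `@@ -497` hunk below it mirrors the heredoc substitution for the other profile, and the enclosing function continues outside both hunks.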
@@ -505,18 +532,18 @@ smtpd_sender_restrictions = reject_unknown_sender_domain, # Allow connections from specified local clients and rbl check everybody else if rbl check are set. smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, - check_sender_access hash:/usr/local/etc/postfix/sender_access, - check_client_access pcre:/usr/local/etc/postfix/cal_pcre, - check_client_access cidr:/usr/local/etc/postfix/cal_cidr + check_sender_access hash:{$pf_dir}/etc/postfix/sender_access, + check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre, + check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr RBLRBLRBL # Whitelisting: local clients may specify any destination domain. #, smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, - check_sender_access hash:/usr/local/etc/postfix/sender_access, - check_client_access pcre:/usr/local/etc/postfix/cal_pcre, - check_client_access cidr:/usr/local/etc/postfix/cal_cidr, + check_sender_access hash:{$pf_dir}/etc/postfix/sender_access, + check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre, + check_client_access cidr:{$pf_dir}/etc/postfix/cal_cidr, SPFSPFSPFRBLRBLRBL EOF; @@ -578,7 +605,7 @@ switch ($antispam['zombie_blocker']) $postfix_main.="postscreen_greet_action = ".$antispam['zombie_blocker']."\n"; } - $postfix_main.="postscreen_access_list = permit_mynetworks,\n\t\t\tcidr:/usr/local/etc/postfix/cal_cidr\n"; + $postfix_main.="postscreen_access_list = permit_mynetworks,\n\t\t\tcidr:".POSTFIX_LOCALBASE."/etc/postfix/cal_cidr\n"; $postfix_main.="postscreen_dnsbl_action= ".$antispam['zombie_blocker']."\n"; $postfix_main.="postscreen_blacklist_action= ".$antispam['zombie_blocker']."\n"; 
@@ -626,7 +653,7 @@ MASTEREOF;
 foreach (explode(",", $ifaces) as $i => $iface) {
 $real_ifaces[] = px_get_real_interface_address($iface);
 if($real_ifaces[$i][0]) {
- $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 smtpd\n\t-o user=postfix\n";
+ $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - - smtpd\n";
 }
 }
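Review bot: The master.cf entry changes from `n - n - 1 smtpd` with `-o user=postfix` to `n - n - - smtpd`, which raises the per-interface listener's maxproc from 1 to `default_process_limit` and drops the explicit user override; both may be intended, but nothing records why, and the first one changes how many concurrent sessions a listener accepts. A one-line comment on the `+` line, e.g. `// maxproc left at the Postfix default so each listener can serve concurrent sessions`, would keep the next reader from restoring the `1`. The enclosing function starts and ends outside the hunk.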
@@ -670,20 +697,21 @@ MASTEREOF2; conf_mount_rw(); log_error("Writing out configuration"); - file_put_contents("/usr/local/etc/postfix/main.cf", $postfix_main, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/master.cf", $postfix_master, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/transport", $transport, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/sender_access", $sender_access, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/cal_cidr", $cal_cidr, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/cal_pcre", $cal_pcre, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/header_check", $header_check, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/mime_check", $mime_check, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/body_check", $body_check, LOCK_EX); - file_put_contents("/usr/local/etc/postfix/mynetwork_table", $mynetworks, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/main.cf", $postfix_main, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/master.cf", $postfix_master, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/transport", $transport, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/sender_access", $sender_access, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/cal_cidr", $cal_cidr, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/cal_pcre", $cal_pcre, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/header_check", $header_check, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/helo_check", $helo_check, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/mime_check", $mime_check, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/body_check", $body_check, LOCK_EX); + file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/mynetwork_table", $mynetworks, LOCK_EX); $FILES=array("transport","sender_access"); foreach ($FILES as $file) { - mwexec("/usr/local/sbin/postmap 
/usr/local/etc/postfix/".$file); + mwexec(POSTFIX_LOCALBASE."/sbin/postmap ".POSTFIX_LOCALBASE."/etc/postfix/".$file); } #check postix dirs @@ -704,12 +732,13 @@ MASTEREOF2; postfix_start(); #Do not sync during boot - if(!isset($boot_process)) + if(!isset($boot_process) || $via_rpc=="yes") postfix_sync_on_changes(); } function postfix_start(){ global $config; + $pf_dir=POSTFIX_LOCALBASE; $start=<<<EOF sysctl kern.ipc.nmbclusters=65536 @@ -717,20 +746,18 @@ function postfix_start(){ sysctl kern.maxfiles=131072 sysctl kern.maxfilesperproc=104856 sysctl kern.threads.max_threads_per_proc=4096 - /usr/local/sbin/postfix start + {$pf_dir}/sbin/postfix start EOF; - $stop = "/usr/local/sbin/postfix stop\n"; + $stop = POSTFIX_LOCALBASE."/sbin/postfix stop\n"; log_error("Writing rc_file"); write_rcfile(array("file" => "postfix.sh", "start" => $start, "stop" => $stop)); - conf_mount_ro(); - sleep(1); - if ($config['installedpackages']['postfix']['config'][0]['enable_postfix']){ + if (is_array($config['installedpackages']['postfix']) && $config['installedpackages']['postfix']['config'][0]['enable_postfix']){ log_error("Reloading/starting postfix"); system('/bin/chmod +x /usr/local/etc/rc.d/postfix.sh'); - mwexec_bg("/usr/local/sbin/postfix reload || /usr/local/etc/rc.d/postfix.sh start"); + mwexec_bg(POSTFIX_LOCALBASE."/sbin/postfix reload || /usr/local/etc/rc.d/postfix.sh start"); log_error("Postfix setup completed"); } else{ @@ -738,6 +765,8 @@ EOF; mwexec("/usr/local/etc/rc.d/postfix.sh stop"); system('/bin/chmod -x /usr/local/etc/rc.d/postfix.sh'); } + + conf_mount_ro(); } function postfix_validate_input($post, &$input_errors) { 
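Review bot: `if(!isset($boot_process) || $via_rpc=="yes")` in sync_package_postfix (its signature is outside the hunk) now runs postfix_sync_on_changes whenever the call arrives over XMLRPC, which is exactly the call postfix_do_xmlrpc_sync issues on the peer with `sync_package_postfix('yes')`; if the peer also has sync configured back towards this host, the two nodes will keep pushing configuration at each other. The usual guard has the opposite sense, `if (!isset($boot_process) && $via_rpc != "yes")`, so that a configuration received from a peer is applied locally but not re-propagated. If forwarding through the peer is intended, a comment saying so would stop the next reader from "fixing" it.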
@@ -773,7 +802,8 @@ function postfix_php_install_command() {
 function postfix_php_deinstall_command() {
 global $config;
 #disable service
- $config['installedpackages']['postfix']['config'][0]['enable_postfix']="";
+ if (is_array($config['installedpackages']['postfix']))
+ $config['installedpackages']['postfix']['config'][0]['enable_postfix']="";
 write_config();
 sync_package_postfix();
 conf_mount_rw();
@@ -783,33 +813,75 @@ function postfix_php_deinstall_command() { /* Uses XMLRPC to synchronize the changes to a remote node */ function postfix_sync_on_changes() { - global $config, $g; - $synconchanges = $config['installedpackages']['postfixsync']['config'][0]['synconchanges']; - $syncondbchanges= $config['installedpackages']['postfixsync']['config'][0]['rsync']; - if(!$synconchanges && !$syncondbchanges) - return; - log_error("[postfix] postfix_xmlrpc_sync.php is starting."); - foreach ($config['installedpackages']['postfixsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - $sync_type = $sh['sync_type']; - if($password && $sync_to_ip) - postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type); + global $config, $g; + if (is_array($config['installedpackages']['postfixsync']['config'])){ + $postfix_sync=$config['installedpackages']['postfixsync']['config'][0]; + $synctimeout = $postfix_sync['synctimeout']; + $synconchanges = $postfix_sync['synconchanges']; + switch ($synconchanges){ + case "manual": + if (is_array($postfix_sync[row])){ + $rs=$postfix_sync[row]; + } + else{ + log_error("[postfix] xmlrpc sync is enabled but there is no hosts to push postfix config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + $rs[0]['enabless']=true; + $rs[0]['sync_type']="xmlrpc"; + if (! 
is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[postfix] xmlrpc sync is enabled but there is no system backup hosts to push postfix config."); + return; + } + } + else{ + log_error("[postfix] xmlrpc sync is enabled but there is no system backup hosts to push postfix config."); + return; + } + break; + default: + return; + break; } - } - log_error("[postfix] postfix_xmlrpc_sync.php is ending."); + if (is_array($rs)){ + log_error("[postfix] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($sh['password'] && $sh['ipaddress'] && $sh['enabless']) + postfix_do_xmlrpc_sync($sh['ipaddress'], $username, $sh['password'],$sh['sync_type'],$synctimeout); + } + log_error("[postfix] xmlrpc sync is ending."); + } + } } + /* Do the actual XMLRPC sync */ -function postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { +function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout) { global $config, $g; + if(!$username) + $username="admin"; + if(!$password) return; if(!$sync_to_ip) return; + + if(!$synctimeout) + $synctimeout=120; $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { 
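Review bot: `is_array($postfix_sync[row])` and `$rs=$postfix_sync[row]` in the manual case use the bare word `row`, which PHP resolves as an undefined constant (a notice plus the string 'row' on older releases, a fatal Error on PHP 8); quote the key: `if (is_array($postfix_sync['row'])) { $rs = $postfix_sync['row']; }`. The `break;` after `return;` in the default branch is unreachable and can go. The fallback `if(!$synctimeout) $synctimeout=120;` in postfix_do_xmlrpc_sync disagrees both with the 250 seconds the code used before and with the `<default_value>250</default_value>` of the new synctimeout field, so configurations saved before that field existed will silently sync with a shorter timeout; align it to 250 or document why 120. Both enclosing functions continue beyond the hunk.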
@@ -851,18 +923,18 @@ function postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $sync_timeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "Postfix Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Postfix Settings Sync", ""); @@ -873,7 +945,7 @@ function postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { /* tell postfix to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/postfix.inc');\n"; - $execcmd .= "sync_package_postfix();"; + $execcmd .= "sync_package_postfix('yes');"; /* assemble xmlrpc payload */ $params = array( 
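Review bot: The updated comment `/* send our XMLRPC message and timeout after $sync_timeout seconds */` names a variable that does not exist; the argument passed is `$synctimeout`, so it should read `/* send our XMLRPC message and time out after $synctimeout seconds */` (the same send/retry pattern is repeated in the @@ -884 hunk). The retry after a faultCode reuses the full timeout, so a slow peer can now hold the GUI for up to twice the configured value; a short sentence in that comment would make the worst case explicit.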
@@ -884,15 +956,15 @@ function postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { log_error("postfix XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "postfix Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "postfix Settings Sync", ""); diff --git a/config/postfix/postfix.php b/config/postfix/postfix.php index ff42918c..a11af2dd 100644 --- a/config/postfix/postfix.php +++ b/config/postfix/postfix.php @@ -2,14 +2,14 @@ /* postfix.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> + Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on varnish_view_config. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 51ddf601..25f7a81d 100644 --- a/config/postfix/postfix.xml 
+++ b/config/postfix/postfix.xml @@ -10,7 +10,7 @@ postfix.xml part of the Postfix package for pfSense Copyright (C) 2010 Erik Fonnesbeck - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ @@ -19,7 +19,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -142,7 +142,7 @@ </additional_files_needed> <additional_files_needed> <item>http://www.pfsense.org/packages/config/postfix/adexport.pl</item> - <prefix>/usr/local/etc/postfix/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> </additional_files_needed> <tabs> diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml index efc72721..4eeda7a4 100644 --- a/config/postfix/postfix_acl.xml +++ b/config/postfix/postfix_acl.xml @@ -5,11 +5,11 @@ <copyright> <![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ========================================================================== */post /* postfix.xml part of the Postfix package for pfSense - Copyright (C) 2010 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ 
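Review bot: The changed banner line in postfix_acl.xml, `+/* ========================================================================== */post`, has a stray `post` appended — almost certainly an editing slip, since the matching closing banner a few lines later is unchanged. Restore it to `/* ========================================================================== */`. It sits inside the copyright CDATA so nothing executes it, but it ships with the package.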
@@ -17,10 +17,10 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright + 2. Redistributions in binary form MUST reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. @@ -115,6 +115,20 @@ <encoding>base64</encoding> </field> <field> + <fielddescr>Helo</fielddescr> + <fieldname>helo_maps</fieldname> + <description><![CDATA[<strong>PCRE filters</strong><a href=http://www.postfix.org/pcre_table.5.html> that are applied to initial message helo info. Hint:<br> + /^tmpstr.*/ REJECT<br> + /^myserver.local/ REJECT external server with local domain info<br> + /^trusted_network.local/ DUNNO trusted remote misconfigured server<br> + See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions for more help]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + <field> <fielddescr>Sender</fielddescr> <fieldname>sender_access</fieldname> <description><![CDATA[<strong>HASH filters</strong> that implements whitelisting and blacklisting of full or partial email addresses and domains as specified in the MAIL FROM field :<br> diff --git a/config/postfix/postfix_queue.php b/config/postfix/postfix_queue.php index 914ad88e..76bed31f 100755 --- a/config/postfix/postfix_queue.php +++ b/config/postfix/postfix_queue.php 
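Review bot: The new helo_maps description opens `<a href=http://www.postfix.org/pcre_table.5.html>` with an unquoted attribute and never closes the anchor, so the hint text after it renders as link text up to whatever `</a>` the page next contains. Write it as `<strong>PCRE filters</strong> (<a href="http://www.postfix.org/pcre_table.5.html">pcre_table(5)</a>) that are applied to the HELO/EHLO hostname the client presents.` and keep the remaining examples as they are. "initial message helo info" is also imprecise, since the table is consulted through smtpd_helo_restrictions before any message data is seen.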
@@ -2,14 +2,14 @@ /* postfix_view_config.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> + Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on varnish_view_config. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -33,11 +33,17 @@ require("guiconfig.inc"); $uname=posix_uname(); if ($uname['machine']=='amd64') ini_set('memory_limit', '250M'); - + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +else + define('POSTFIX_LOCALBASE','/usr/local'); + function get_cmd(){ if ($_REQUEST['cmd'] =='mailq'){ #exec("/usr/local/bin/mailq" . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." /var/log/maillog", $lists); - exec("/usr/local/bin/mailq", $mailq); + exec(POSTFIX_LOCALBASE."/bin/mailq", $mailq); print '<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">'; print '<tr><td colspan="6" valign="top" class="listtopic">'.gettext($_REQUEST['cmd']." Results").'</td></tr>'; print '<tr><td class="listlr"><strong>SID</strong></td>'; 
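Review bot: The `/etc/version` probe and `define('POSTFIX_LOCALBASE', ...)` added to postfix_queue.php is a verbatim copy of the one added to postfix_view_config.php in its @@ -29 hunk (and presumably of the one in postfix.inc, which is outside this view); three copies of the same parsing will drift. Move it into postfix.inc and require that file, or at least guard each copy with `if (!defined('POSTFIX_LOCALBASE'))` so a later include of postfix.inc does not raise a "Constant already defined" notice. `$pf_version > 2.0` compares a three-character string with a float and only works while versions stay single-digit; `version_compare($pf_version, '2.1', '>=')` states the intent.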
@@ -67,9 +73,9 @@ function get_cmd(){ } if ($_REQUEST['cmd'] =='qshape'){ if ($_REQUEST['qshape']!="") - exec("/usr/local/bin/qshape -".preg_replace("/\W/","",$_REQUEST['type'])." ". preg_replace("/\W/","",$_REQUEST['qshape']), $qshape); + exec(POSTFIX_LOCALBASE."/bin/qshape -".preg_replace("/\W/","",$_REQUEST['type'])." ". preg_replace("/\W/","",$_REQUEST['qshape']), $qshape); else - exec("/usr/local/bin/qshape", $qshape); + exec(POSTFIX_LOCALBASE."/bin/qshape", $qshape); print '<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">'; print '<tr><td colspan="12" valign="top" class="listtopic">'.gettext($_REQUEST['cmd']." Results").'</td></tr>'; $td='<td valign="top" class="listlr">'; diff --git a/config/postfix/postfix_recipients.php b/config/postfix/postfix_recipients.php index 0deb2f79..8d7db416 100644 --- a/config/postfix/postfix_recipients.php +++ b/config/postfix/postfix_recipients.php @@ -1,4 +1,4 @@ -<?php
-require_once ('/usr/local/pkg/postfix.inc');
-sync_relay_recipients("cron");
+<?php +require_once ('/usr/local/pkg/postfix.inc'); +sync_relay_recipients("cron"); ?>
\ No newline at end of file diff --git a/config/postfix/postfix_search.php b/config/postfix/postfix_search.php index 2b831f72..a1cf6b3f 100755 --- a/config/postfix/postfix_search.php +++ b/config/postfix/postfix_search.php @@ -2,14 +2,14 @@ /* postfix_search.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> + Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on varnish_view_config. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright diff --git a/config/postfix/postfix_sync.xml b/config/postfix/postfix_sync.xml index 08a62d87..88617fbf 100644 --- a/config/postfix/postfix_sync.xml +++ b/config/postfix/postfix_sync.xml @@ -9,7 +9,7 @@ /* postfix_sync.xml part of the Postfix package for pfSense - Copyright (C) 2010 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -20,7 +20,7 @@ 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright + 2. Redistributions in binary form MUST reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
@@ -100,23 +100,46 @@ <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync Postfix configuration changes</fielddescr> + <fielddescr>Sync method</fielddescr> <fieldname>synconchanges</fieldname> - <description><![CDATA[pfSense will automatically sync changes to the hosts defined below.<br><br> - Remote server options are:<br> - <strong>XMLRPC Sync</strong> - Forward postfix settings to other pfsense boxes. Remote password required<br> - <strong>Share Database To</strong> - Allow other pfsense boxes to fetch maillog data via xml. Remote password NOT required.<br> - <strong>Fetch Database From</strong> - Merge logs from other pfsense boxes to this local database. Remote password required.<br> - <strong>Disabled</strong> - Ignore this host while sync.<br><br> - While sharing databases, you must setup 'Share Database To' in one box and 'Fetch Database From' on other box.]]></description> - <type>checkbox</type> + <description>Automatically sync postfix configuration changes.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr><![CDATA[Remote 
Server]]></fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> <rowhelper> <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>enabless</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> <fielddescr>Sync Type </fielddescr> <fieldname>sync_type</fieldname> <type>select</type> @@ -126,18 +149,22 @@ <option><name>Fetch Database From</name><value>fetch</value></option> <option><name>Disabled</name><value>disabled</value></option> </options> - <description><![CDATA[<strong>Default: Strong</strong><br> - Enable sender, client, recipients and rfc verification.<br>]]></description> </rowhelperfield> - <rowhelperfield> - <fielddescr>IP Address</fielddescr> + <fielddescr>Remote Server IP</fielddescr> <fieldname>ipaddress</fieldname> <description>IP Address of remote server</description> <type>input</type> <size>10</size> </rowhelperfield> <rowhelperfield> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>Username for remote server.</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <description>Password for remote server.</description> 
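Review bot: `synconchanges` changes from a checkbox to a select with values auto/manual/disabled, but nothing maps the value a checked checkbox stored (typically `on`) to one of them; in postfix_sync_on_changes (the @@ -783 hunk of postfix.inc) that legacy value reaches `default: return;`, so hosts that had sync enabled before this upgrade stop syncing silently until someone re-saves the page. Either accept it in that switch (`case "on": case "manual":`) or add a one-off migration in the package's resync/install command. A sentence in the field description telling upgraders to re-save their sync settings would also help.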
@@ -148,9 +175,15 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> <type>input</type> - <size>25</size> + <size>27</size> </rowhelperfield> </rowhelper> + <description><![CDATA[<br>Sync types Description:<br><br> + <strong>XMLRPC Sync</strong> - Forward postfix settings to other pfsense boxes. Remote password required<br> + <strong>Share Database To</strong> - Allow other pfsense boxes to fetch maillog data via xml. Remote password NOT required.<br> + <strong>Fetch Database From</strong> - Merge logs from other pfsense boxes to this local database. Remote password required.<br> + <strong>Disabled</strong> - Ignore this host while sync.<br><br> + While sharing databases works only when you select 'Sync to host(s) defined below' on sync method and you must setup 'Share Database To' in source box and 'Fetch Database From' on destination box.]]></description> </field> </fields> <custom_php_install_command> diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php index 2c0b973e..5e1f6271 100644 --- a/config/postfix/postfix_view_config.php +++ b/config/postfix/postfix_view_config.php @@ -2,14 +2,14 @@ /* postfix_view_config.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> + Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on varnish_view_config. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright 
@@ -29,15 +29,21 @@ */ require("guiconfig.inc"); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m")); +else + define('POSTFIX_LOCALBASE','/usr/local'); + function get_file($file){ - $files['main']="/usr/local/etc/postfix/main.cf"; - $files['master']="/usr/local/etc/postfix/master.cf"; - $files['recipients']="/usr/local/etc/postfix/relay_recipients"; - $files['header']="/usr/local/etc/postfix/header_check"; - $files['mime']="/usr/local/etc/postfix/mime_check"; - $files['body']="/usr/local/etc/postfix/body_check"; - $files['cidr']="/usr/local/etc/postfix/cal_cidr"; - $files['pcre']="/usr/local/etc/postfix/cal_pcre"; + $files['main']=POSTFIX_LOCALBASE."/etc/postfix/main.cf"; + $files['master']=POSTFIX_LOCALBASE."/etc/postfix/master.cf"; + $files['recipients']=POSTFIX_LOCALBASE."/etc/postfix/relay_recipients"; + $files['header']=POSTFIX_LOCALBASE."/etc/postfix/header_check"; + $files['mime']=POSTFIX_LOCALBASE."/etc/postfix/mime_check"; + $files['body']=POSTFIX_LOCALBASE."/etc/postfix/body_check"; + $files['cidr']=POSTFIX_LOCALBASE."/etc/postfix/cal_cidr"; + $files['pcre']=POSTFIX_LOCALBASE."/etc/postfix/cal_pcre"; if ($files[$file]!="" && file_exists($files[$file])){ print '<textarea rows="50" cols="100%">'; diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index 598d3c00..aabd27a8 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc 
@@ -243,6 +243,20 @@ function quagga_ospfd_install_conf() { fwrite($fd, $zebraconffile); fclose($fd); + $carp_ip_status_check = ""; + if (is_ipaddr($ospfd_conf['carpstatusip'])) { + $carpcheckinterface = trim(find_carp_interface($ospfd_conf['carpstatusip'])); + $carp_ip_status_check = <<<EOF + +CARP_STATUS=`/sbin/ifconfig {$carpcheckinterface} | /usr/bin/grep carp: | /usr/bin/awk '{print \$2;}'` +if [ \${CARP_STATUS} != "MASTER" ]; then + exit; +fi + +EOF; + } + + // Create rc.d file $rc_file_stop = <<<EOF if [ -e /var/run/quagga/zebra.pid ]; then @@ -274,6 +288,7 @@ fi killall -9 zebra 2>/dev/null killall -9 ospfd 2>/dev/null sleep 1 +{$carp_ip_status_check} /usr/local/sbin/zebra -d -f {$quagga_config_base}/zebra.conf /usr/local/sbin/ospfd -d -f {$quagga_config_base}/ospfd.conf EOF; @@ -290,7 +305,24 @@ EOF; exec("chmod u+rw,go-rw {$quagga_config_base}/zebra.conf"); // Kick off newly created rc.d script - exec("/usr/local/etc/rc.d/quagga.sh restart"); + if (is_ipaddr($ospfd_conf['carpstatusip'])) { + $status = quagga_get_carp_status_by_ip($ospfd_conf['carpstatusip']); + switch (strtoupper($status)) { + // Stop the service if the VIP is in BACKUP or INIT state. + case "BACKUP": + case "INIT": + exec("/usr/local/etc/rc.d/quagga.sh stop"); + break; + // Start the service if the VIP is MASTER state. + case "MASTER": + // Assume it's up if the status can't be determined. + default: + exec("/usr/local/etc/rc.d/quagga.sh restart"); + break; + } + } else { + exec("/usr/local/etc/rc.d/quagga.sh restart"); + } // Back to RO mount for NanoBSD and friends conf_mount_ro(); 
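Review bot: In the generated rc script, `if [ \${CARP_STATUS} != "MASTER" ]; then` expands unquoted, so when the ifconfig/grep/awk pipeline yields nothing (no `carp:` line, or an empty interface because find_carp_interface returned nothing) the test becomes `[ != "MASTER" ]`, a syntax error that evaluates false — the script then starts zebra/ospfd on a node whose CARP state it could not read, i.e. the guard fails open. Quote the expansion, `if [ "\${CARP_STATUS}" != "MASTER" ]; then`, so an empty status exits the same way BACKUP does. The PHP side in the @@ -290 hunk makes the same fail-open choice explicitly (`default:` restarts when the status is unknown); if that is intended for both places, say so in one comment, otherwise treat unknown as not-MASTER in both.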
@@ -345,4 +377,18 @@ function quagga_ospfd_put_raw_config($conffile) { } } +function quagga_get_carp_status_by_ip($ipaddr) { + $iface = trim(find_carp_interface($ipaddr)); + if ($iface) { + $status = get_carp_interface_status($iface); + // If there is no status for that interface, return null. + if (!$status) + $status = null; + } else { + // If there is no VIP by that IP, return null. + $status = null; + } + return $status; +} + ?> diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index d1e96efa..a03f9e3c 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ <packagegui> <name>quagga_ospfd</name> - <version>0.5</version> + <version>0.5.4</version> <title>Services: Quagga OSPFd</title> <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect> @@ -176,6 +176,13 @@ </rowhelperfield> </rowhelper> </field> + <field> + <fielddescr>CARP Status IP</fielddescr> + <fieldname>carpstatusip</fieldname> + <description>IP address used to determine the CARP status. When the VIP is in BACKUP status, quagga will not be started. <br/>NOTE: Requires changes to /etc/rc.carpmaster to start quagga and /etc/rc.carpbackup to stop quagga or it will not be fully effective.</description> + <type>input</type> + <size>25</size> + </field> </fields> <custom_php_resync_config_command> quagga_ospfd_install_conf(); diff --git a/config/quagga_ospfd/status_ospfd.php b/config/quagga_ospfd/status_ospfd.php index 438347ff..dc6c6aea 100644 --- a/config/quagga_ospfd/status_ospfd.php +++ b/config/quagga_ospfd/status_ospfd.php 
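Review bot: quagga_get_carp_status_by_ip has no docblock, and its contract matters because the caller in quagga_ospfd_install_conf treats a null return as "start the daemons anyway". Add above it: `/* Return the CARP status string (MASTER/BACKUP/INIT) of the VIP with address $ipaddr, or null when no VIP has that address or its status cannot be read; callers currently fail open on null. */`. The body can also lose the `if (!$status) $status = null;` detour: `return get_carp_interface_status($iface) ?: null;` inside the if and `return null;` otherwise.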
@@ -68,13 +68,11 @@ function doCmdT($title, $command) { $execOutput = ""; $execStatus = ""; - exec ($command . " 2>&1", $execOutput, $execStatus); - for ($i = 0; isset($execOutput[$i]); $i++) { - if ($i > 0) { - echo "\n"; - } - echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES); + $fd = popen("{$command} 2>&1", "r"); + while (($line = fgets($fd)) !== FALSE) { + echo htmlspecialchars($line, ENT_NOQUOTES); } + pclose($fd); echo "</pre></tr>\n"; echo "</table>\n"; } diff --git a/config/routed/routed.inc b/config/routed/routed.inc index 59967e8c..f7ace8a5 100644 --- a/config/routed/routed.inc +++ b/config/routed/routed.inc 
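Review bot: `popen("{$command} 2>&1", "r")` can return false (fork failure or a command the shell cannot start), and the new loop then calls `fgets(false)`, which warns on every iteration on PHP 5/7 and throws a TypeError on PHP 8, whereas the old exec() path simply produced no output. Guard it: `if ($fd === false) { echo htmlspecialchars("unable to run {$command}", ENT_NOQUOTES); } else { /* loop */ pclose($fd); }`. The enclosing doCmdT starts outside the hunk; the output now also keeps each line's trailing newline instead of joining with `\n`, which is equivalent except for one extra newline before `</pre>`.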
@@ -32,43 +32,42 @@ function setup_routed() { global $config; $gw = ""; + if (!is_array($config['installedpackages']['routed'])) + return; + if (!is_array($config['installedpackages']['routed']['config'])) + return; if (isset($config['installedpackages']['routed']['config'][0]['enable']) && - $config['installedpackages']['routed']['config'][0]['enable'] == "on") { - /* if user selected individual interfaces */ - $ifdescrs = array ("wan", "lan"); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { - if(isset($config['interfaces']['opt' . $j]['enable'])) - $ifdescrs['opt' . $j] = "opt" . $j; - } - - $ifarr = explode(",", $config['installedpackages']['routed']['config'][0]['iface_array']); - if (count($ifarr) != 0) { - foreach($ifdescrs as $ifdescr => $ifname) { - if (in_array($ifname, $ifarr)) { - $gw .= setup_etc_gateways($ifname, 'enable'); - } else { - $gw .= setup_etc_gateways($ifname, 'disable'); + $config['installedpackages']['routed']['config'][0]['enable'] == "on") { + /* if user selected individual interfaces */ + $ifarr = array_flip(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])); + $allifs = get_interface_arr(); + if (!empty($ifarr)) { + foreach($allifs as $ifname) { + $friendly_ifname = convert_real_interface_to_friendly_interface_name($ifname); + if (array_key_exists($friendly_ifname, $ifarr)) + $gw .= setup_etc_gateways($ifname, 'enable'); + else + $gw .= setup_etc_gateways($ifname, 'disable'); } - } - } else { - /* setup for all interfaces */ - $gw = setup_etc_gateways(); - } - $fd = fopen("/etc/gateways", "w"); - fwrite($fd, $gw); - fclose($fd); + } else + /* setup for all interfaces */ + $gw = setup_etc_gateways(); + conf_mount_rw(); + file_put_contents("/etc/gateways", $gw); + conf_mount_ro(); restart_routed(); - } else { + } else stop_routed(); - } } function setup_etc_gateways($iface="", $mode="") { global $config; + $ret = ""; if ($iface != "") { - 
$realif=convert_friendly_interface_to_real_interface_name(strtoupper($iface)); - $ret = "if={$realif} "; + $realif=convert_friendly_interface_to_real_interface_name($iface); + if (!empty($realif)) + $ret = "if={$realif} "; } switch($mode) { @@ -79,10 +78,18 @@ function setup_etc_gateways($iface="", $mode="") { if ($passwd != "") { $ret .= "passwd={$passwd} "; } + $add_no_ag = $config['installedpackages']['routed']['config'][0]['enable_no_ag']; + $add_no_super_ag = $config['installedpackages']['routed']['config'][0]['enable_no_super_ag']; + if($add_no_ag == "on") { + $ret .= "no_ag "; + } + if($add_no_super_ag == "on") { + $ret .= "no_super_ag "; + } } break; case "disable": - $ret .= "no_rip "; + $ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv"; break; default: @@ -95,11 +102,11 @@ function setup_etc_gateways($iface="", $mode="") { } function start_routed() { - mwexec("/sbin/routed"); + mwexec_bg("/sbin/routed"); } function stop_routed() { - mwexec("killall routed"); + killbyname("routed"); } function restart_routed() { diff --git a/config/routed/routed.xml b/config/routed/routed.xml index d7767a5b..b722a28d 100644 --- a/config/routed/routed.xml +++ b/config/routed/routed.xml 
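Review bot: setup_routed now iterates `get_interface_arr()` and converts each entry with `convert_real_interface_to_friendly_interface_name($ifname)`, so `$ifname` is a real device name, yet that is what is passed to `setup_etc_gateways($ifname, ...)`, where the same value is fed to `convert_friendly_interface_to_real_interface_name($iface)`; unless that helper passes real names through unchanged, `$realif` comes back empty, the new `if (!empty($realif))` guard swallows it, and every stanza is written without its `if=` prefix. Pass `$friendly_ifname` instead, or skip the second conversion. Separately, `array_flip(explode(",", ...))` on an empty iface_array yields `['' => 0]`, so `!empty($ifarr)` is always true and the "setup for all interfaces" branch is unreachable — the old `count($ifarr) != 0` had the same flaw; `array_filter(explode(",", ...))` before the flip fixes it.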
@@ -1,55 +1,44 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. + <copyright> + /* $Id$ */ + /* + part of pfSense (http://www.pfsense.org/) - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Copyright (C) 2006 Bill Marquette - bill.marquette@gmail.com. + All rights reserved. - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ + </copyright> <name>routed</name> <version>1.1</version> <title>Services: RIP</title> - <aftersaveredirect>pkg_edit.php?xml=routed.xml&id=0</aftersaveredirect> - <include_file>routed.inc</include_file> + <include_file>/usr/local/pkg/routed.inc</include_file> + + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/routed/routed.inc</item> + </additional_files_needed> + <!-- Menu is where this packages menu will appear --> <menu> <name>RIP</name> @@ -61,15 +50,12 @@ <tab> <text>ROUTED Settings</text> <url>/pkg_edit.php?xml=routed.xml</url> - <active/> + <active/> </tab> </tabs> <!-- configpath gets expanded out automatically and config items will be stored in that location --> <configpath>['installedpackages']['routed']['config']</configpath> - <additional_files_needed> - <item>http://www.pfsense.org/packages/config/routed/routed.inc</item> - </additional_files_needed> <!-- fields gets invoked when the user adds or edits a item. the following items will be parsed and rendered for the user as a gui with input, and selectboxes. --> <fields> 
@@ -78,29 +64,29 @@ <fieldname>enable</fieldname> <description>Enables the Routing Information Protocol daemon</description> <type>checkbox</type> - <enablefields>iface_array,ripversion,passwd</enablefields> + <enablefields>iface_array[],ripversion,passwd,enable_no_ag,enable_no_super_ag</enablefields> </field> <field> <fielddescr>Interfaces</fielddescr> <fieldname>iface_array</fieldname> - <description>Select the interfaces that RIP will bind to. You can use the CTRL or COMMAND key to select multiple interfaces.</description> - <type>interfaces_selection</type> - <size>3</size> - <required /> <value>lan</value> <multiple>true</multiple> + <size>3</size> + <type>interfaces_selection</type> + <description>Select the interfaces that RIP will bind to. You can use the CTRL or COMMAND key to select multiple interfaces.</description> + <required /> </field> <field> <fielddescr>RIP Version</fielddescr> <fieldname>ripversion</fieldname> <type>select</type> - <required /> <default_value>2</default_value> <options> <option><name>RIP Version 1</name><value>1</value></option> <option><name>RIP Version 2</name><value>2</value></option> </options> <typehint>Select which RIP version the daemon will listen/advertise using.</typehint> + <required /> </field> <field> <fielddescr>RIPv2 password</fielddescr> 
@@ -110,14 +96,27 @@ </description> <type>input</type> </field> + <field> + <fielddescr>no_ag</fielddescr> + <fieldname>enable_no_ag</fieldname> + <description>turns off aggregation of subnets in RIPv1 and RIPv2 responses.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>no_super_ag</fielddescr> + <fieldname>enable_no_super_ag</fieldname> + <description>turns off aggregation of networks into supernets in RIPv2 responses.</description> + <type>checkbox</type> + </field> </fields> - <custom_php_command_before_form> - </custom_php_command_before_form> + <aftersaveredirect>pkg_edit.php?xml=routed.xml&id=0</aftersaveredirect> + <custom_php_command_before_form> + </custom_php_command_before_form> <custom_delete_php_command> </custom_delete_php_command> <custom_php_resync_config_command> conf_mount_rw(); - setup_routed(); + setup_routed(); conf_mount_ro(); </custom_php_resync_config_command> <custom_php_install_command> diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 5d0a91a5..32cca7ed 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc 
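Review bot: The re-added `<aftersaveredirect>pkg_edit.php?xml=routed.xml&id=0</aftersaveredirect>` carries a bare `&` in element content, which a strict XML parser rejects; the commit only moves the line, but it is the moment to write it as `pkg_edit.php?xml=routed.xml&amp;id=0`. The descriptions of the two new checkboxes begin in lowercase ("turns off aggregation …") unlike the other field descriptions in this file; capitalising them keeps the form consistent.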
@@ -434,31 +434,63 @@ function sarg_validate_input($post, &$input_errors) { } } - /* Uses XMLRPC to synchronize the changes to a remote node */ function sarg_sync_on_changes() { global $config, $g; - - log_error("[sarg] sarg_xmlrpc_sync.php is starting."); - $synconchanges = $config['installedpackages']['sargsync']['config'][0]['synconchanges']; - if(!$synconchanges) - return; - foreach ($config['installedpackages']['sargsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if($sh['username']) - $username = $sh['username']; - else - $username = 'admin'; - if($password && $sync_to_ip) - sarg_do_xmlrpc_sync($sync_to_ip, $username, $password); + if (is_array($config['installedpackages']['sargsync']['config'])){ + $sarg_sync=$config['installedpackages']['sargsync']['config'][0]; + $synconchanges = $sarg_sync['synconchanges']; + $synctimeout = $sarg_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($sarg_sync[row])){ + $rs=$sarg_sync[row]; + } + else{ + log_error("[sarg] xmlrpc sync is enabled but there is no hosts to push on sarg config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + if ($system_carp['synchronizetoip'] =="" || $system_carp['username']==""){ + log_error("[sarg] xmlrpc sync is enabled but there is no system backup hosts to push sarg config."); + return; + } + + } + else{ + log_error("[sarg] xmlrpc sync is enabled but there is no system backup hosts to push sarg config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[sarg] xmlrpc sync is starting."); + foreach($rs as 
$sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + sarg_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[sarg] xmlrpc sync is ending."); } - } - log_error("[sarg] sarg_xmlrpc_sync.php is ending."); + } } + /* Do the actual XMLRPC sync */ -function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password) { +function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { global $config, $g; if(!$username) @@ -469,7 +501,10 @@ function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password) { if(!$sync_to_ip) return; - + + if(!$synctimeout) + $synctimeout="150"; + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; @@ -504,15 +539,15 @@ function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password) { $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting sarg XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "sarg Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting sarg XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "sarg Settings Sync", ""); 
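Review bot: `$sarg_sync[row]` in the `manual` case uses the bare word `row` as an array key; PHP reads it as an undefined constant (a notice, and a fatal error on PHP 8) and it only works because the name falls back to the string "row". Quote it: `if (is_array($sarg_sync['row'])) { $rs = $sarg_sync['row']; }`. The `default:` branch returns silently, so a `synconchanges` value that is neither `auto` nor `manual` leaves no trace in the log; a `log_error` there would make a misconfigured sync visible. The `break;` after that `return;` is unreachable and can go.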
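Review bot: The fallback `$synctimeout="150"` disagrees with the `250` that the removed hard-coded `$cli->send($msg, "250")` used and that sarg_sync.xml declares as the field's default_value, so a config saved before the field existed now gets a shorter timeout than before. The value is passed unchanged to `$cli->send` here and in the hunks at +539 and +569, so validate it as well as defaulting it: `if (!is_numeric($synctimeout) || $synctimeout <= 0) $synctimeout = "250";`.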
@@ -534,14 +569,14 @@ function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password) { $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting sarg XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "sarg Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting sarg XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "sarg Settings Sync", ""); diff --git a/config/sarg/sarg_sync.xml b/config/sarg/sarg_sync.xml index 6c81b3f8..6cff7b6d 100755 --- a/config/sarg/sarg_sync.xml +++ b/config/sarg/sarg_sync.xml 
@@ -84,8 +84,30 @@ <field> <fielddescr>Automatically sync sarg configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for sarg.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d930c08b..f1f5ad9b 100644..100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
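Review bot: `synconchanges` changes from a checkbox, whose saved value is `on`, to a select whose values are `auto`, `manual` and `disabled`; an upgraded install still holds `on`, which matches no case in the new switch in sarg_sync_on_changes and falls to its silent `default: return;`, so syncing stops without any log line. Either treat the legacy value as `auto` in the PHP (`case "on": case "auto":`) or state in the description that the setting must be re-saved after upgrade. The option label `250 seconds(Default)` also wants a space before the parenthesis.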
@@ -33,18 +33,52 @@ require_once("pfsense-utils.inc"); require_once("config.inc"); require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("pkg-utils.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); +// Snort GUI needs some extra PHP memory space to manipulate large rules arrays +ini_set("memory_limit", "192M"); + +// Explicitly declare this as global so it works through function call includes +global $rebuild_rules; + /* package version */ -$snort_version = "2.9.2.3"; -$pfSense_snort_version = "2.5.2"; +$snort_version = "2.9.4.6"; +$pfSense_snort_version = "2.5.9"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; -$snort_rules_file = "snortrules-snapshot-2923.tar.gz"; -$emerging_threats_version = "2.9.3"; -define("SNORTDIR", "/usr/local/etc/snort"); + +// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) { + exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray); + $snort_pbidir = "{$pbidirarray[0]}"; + /* In case this is an initial Snort install and pbi_info() above returned null, set a sane default value */ + if (empty($snort_pbidir)) + $snort_pbidir = "/usr/pbi/snort-" . 
php_uname("m"); + define("SNORTDIR", "{$snort_pbidir}/etc/snort"); + define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort"); +} +else { + define("SNORTDIR", "/usr/local/etc/snort"); + define("SNORTLIBDIR", "/usr/local/lib/snort"); +} + +/* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); +define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); +define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); +define("ET_VERSION", "2.9.0"); +define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); +define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); +define("FLOWBITS_FILENAME", "flowbit-required.rules"); +define("ENFORCING_RULES_FILENAME", "snort.rules"); +define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); + +/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ +$rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -67,19 +101,6 @@ function snort_get_blocked_ips() { return $blocked_ips_array; } -function snort_get_rule_part($source, $beginning, $ending, $start_pos) { - - $beginning_pos = strpos($source, $beginning, $start_pos); - if (!$beginning_pos) - return false; - $middle_pos = $beginning_pos + strlen($beginning); - $source = substr($source, $middle_pos); - $ending_pos = strpos($source, $ending, 0); - if (!$ending_pos) - return false; - return substr($source, 0, $ending_pos); -} - function snort_generate_id() { global $config; 
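Review bot: The `exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | …")` pipeline runs at include time, so every page or script that requires snort.inc spawns a shell pipeline before doing anything; computing the prefix once and caching it, or looking it up only when SNORTDIR is first needed, avoids that cost. `$snort_version` is a literal today, so the interpolation is safe, but if it ever comes from config or user input it must be wrapped in `escapeshellarg()`; a comment saying so next to the exec protects the next editor. `$pbidirarray[0]` is read before the `empty($snort_pbidir)` check, so an empty exec result still raises an undefined-index notice; `$snort_pbidir = isset($pbidirarray[0]) ? $pbidirarray[0] : "";` covers it.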
@@ -96,6 +117,88 @@ function snort_generate_id() { return $snort_uuid; } +function snort_load_suppress_sigs($snortcfg, $track_by=false) { + + global $config; + + /**********************************************************/ + /* This function loads the GEN_ID and SIG_ID for all the */ + /* suppressed alert entries from the Suppression List of */ + /* the passed Snort interface. The results are returned */ + /* in an array with GEN_ID and SIG_ID as the primary */ + /* keys. Any "track by_src" or "track by_dst" entries */ + /* in the Suppression List are tacked on as additional */ + /* keys in the array along with the IP address in either */ + /* IPv4 or IPv6 format when $track_by is passed as true. */ + /* */ + /* Sample returned array: */ + /* $suppress[1][2069] = "suppress" */ + /* $suppress[1][2070]['by_src']['10.1.1.5'] = "suppress" */ + /* $suppress[1][2070]['by_dst']['10.1.1.6'] = "suppress" */ + /* */ + /**********************************************************/ + + $suppress = array(); + + if (!is_array($config['installedpackages']['snortglobal'])) + return; + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + return; + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return; + $a_suppress = $config['installedpackages']['snortglobal']['suppress']['item']; + + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $snortcfg['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = str_replace("\r", "", base64_decode($alist['suppresspassthru'])); + $tmp = explode("\n", $tmplist); + foreach ($tmp as $line) { + // Skip any blank lines + if (trim($line, " \n") == "") + continue; + // Skip any comment lines + if (preg_match('/^\s*#/', $line)) + continue; + /* See if entry suppresses GID:SID for all hosts */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)\s*$/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + if (!empty($genid) && 
!empty($sigid)) + $suppress[$genid][$sigid] = "suppress"; + } + + /* Get "track by IP" entries if requested */ + if ($track_by) { + /* See if entry suppresses only by SRC or DST IPv4 address */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + $whichip = trim($matches[3]); + $ip = $matches[4]; + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } + /* See if entry suppresses only by SRC or DST IPv6 address */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*([0-9a-f\.:]+)\s*$/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + $whichip = trim($matches[3]); + $ip = trim($matches[4]); + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } + } + } + unset($tmp); + } + break; + } + } + unset($alist); + return $suppress; +} + /* func builds custom white lists */ function snort_find_list($find_name, $type = 'whitelist') { global $config; 
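Review bot: The three early `return;` statements in snort_load_suppress_sigs return null although the header comment documents an array result, so a caller that iterates or indexes the result when no suppress list is configured gets warnings; returning the already-initialised array keeps the contract: `return $suppress;` in all three places. The suppress regexes start with `\s*suppress` rather than `^\s*suppress`, so a line such as `foo suppress gen_id 1, sig_id 2` is accepted as a suppression; anchoring with `^`, as the comment check above already does, keeps the parser strict. The IPv6 pattern `[0-9a-f\.:]+` also matches a dotted IPv4 address, so IPv4 entries are stored twice under the same key — harmless today, but an `elseif` makes the intent clear.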
@@ -114,100 +217,146 @@ function snort_find_list($find_name, $type = 'whitelist') { return array(); } -/* func builds custom whitelests */ +/* func builds custom whitelists and the HOME_NET variable */ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { - global $config, $g; - /* Add loopback to whitelist (ftphelper) */ - $home_net = "127.0.0.1 "; + /***********************************************************/ + /* The default is to build a HOME_NET variable unless */ + /* '$whitelist' is set to 'true' when calling. */ + /***********************************************************/ + + global $config, $g, $aliastable, $filterdns; + $home_net = array(); if ($listname == 'default' || empty($listname)) { - $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; + $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } else { - $whitelist = snort_find_list($listname); - if (empty($whitelist)) - return $whitelist; - $wanip = $whitelist['wanips']; - $wangw = $whitelist['wangateips']; - $wandns = $whitelist['wandnsips']; - $vips = $whitelist['vips']; - $vpns = $whitelist['vpnips']; - if (!empty($whitelist['address']) && is_alias($whitelist['address'])) { - $home_net .= trim(filter_expand_alias($whitelist['address'])); - $home_net .= " "; + $list = snort_find_list($listname); + if (empty($list)) + return $list; + $localnet = $list['localnets']; + $wanip = $list['wanips']; + $wangw = $list['wangateips']; + $wandns = $list['wandnsips']; + $vips = $list['vips']; + $vpns = $list['vpnips']; + if (!empty($list['address']) && is_alias($list['address'])) { + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } } - /* build an interface array list */ - if (function_exists('get_configured_interface_list')) - $int_array = get_configured_interface_list(); + /* Always add loopback to HOME_NET and whitelist (ftphelper) */ + if (!in_array("127.0.0.1", $home_net)) + $home_net[] = 
"127.0.0.1"; + + /********************************************************************/ + /* Always put the interface running Snort in HOME_NET and whitelist */ + /* unless it's the WAN. WAN options are handled further down. */ + /* If the user specifically chose not to include LOCAL_NETS in the */ + /* WHITELIST, then do not include the Snort interface subnet in the */ + /* WHITELIST. We do include the actual LAN interface IP for Snort, */ + /* though, to prevent locking out the firewall itself. */ + /********************************************************************/ + $snortip = get_interface_ip($snortcfg['interface']); + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + if (is_ipaddr($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnet($snortcfg['interface']); + $ip = gen_subnet($snortip, $sn) . "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } else { - $int_array = array('lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) - if(isset($config['interfaces']['opt' . $j]['enable'])) - $int_array[] = "opt{$j}"; - } - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - foreach ($int_array as $int) { - /* calculate interface subnet information */ - if (function_exists('get_interface_ip')) { + if (is_ipaddr($snortip)) { + if (!in_array($snortip, $home_net)) + $home_net[] = $snortip; + } + } + + /* Handle IPv6 if available (2.1 and higher) */ + if (function_exists('get_interface_ipv6')) { + $snortip = get_interface_ipv6($snortcfg['interface']); + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + if (is_ipaddrv6($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnetv6($snortcfg['interface']); + $ip = gen_subnetv6($snortip, $sn). 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } + else { + if (is_ipaddrv6($snortip)) { + if (!in_array($snortip, $home_net)) + $home_net[] = $snortip; + } + } + } + + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + /*************************************************************************/ + /* Iterate through the interface list and write out whitelist items and */ + /* also compile a HOME_NET list of all the local interfaces for snort. */ + /* Skip the WAN interface as we do not typically want that whole subnet */ + /* whitelisted (just the i/f IP itself which was handled earlier). */ + /*************************************************************************/ + $int_array = get_configured_interface_list(); + foreach ($int_array as $int) { + if ($int == "wan") + continue; $subnet = get_interface_ip($int); if (is_ipaddr($subnet)) { - if ($whitelist == false) { - $sn = get_interface_subnet($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; + $sn = get_interface_subnet($int); + $ip = gen_subnet($subnet, $sn) . "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; } if (function_exists("get_interface_ipv6")) { + if ($int == "wan") + continue; $subnet = get_interface_ipv6($int); if (is_ipaddrv6($subnet)) { - if ($whitelist == false) { - $sn = get_interface_subnetv6($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; + $sn = get_interface_subnetv6($int); + $ip = gen_subnetv6($subnet, $sn). 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; } } - } else { - $ifcfg = $config['interfaces'][$int]; - switch ($ifcfg['ipaddr']) { - case "pppoe": - case "pptp": - case "l2tp": - if (function_exists('get_interface_ip')) - $subnet = get_interface_ip($int); - else - $subnet = find_interface_ip("ng0"); + } + } - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - case "dhcp": - $subnet = find_interface_ip(snort_get_real_interface($int)); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - default: - if (is_ipaddr($ifcfg['ipaddr'])) { - $home_net .= "{$ifcfg['ipaddr']} "; - } - break; + if ($wanip == 'yes') { + $ip = get_interface_ip("wan"); + if (is_ipaddr($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + if (function_exists("get_interface_ipv6")) { + $ip = get_interface_ipv6("wan"); + if (is_ipaddrv6($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; } } } if ($wangw == 'yes') { + /* Grab the default gateway if set */ + $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'"); + if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net)) + $home_net[] = $default_gw; + + /* Get any other interface gateway and put in $HOME_NET if not there already */ $gw = get_interface_gateway($snortcfg['interface']); - if (is_ipaddr($gw)) - $home_net .= "{$gw} "; + if (is_ipaddr($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; if (function_exists("get_interface_gatewayv6")) { $gw = get_interface_gatewayv6($snortcfg['interface']); - if (is_ipaddrv6($gw)) - $home_net .= "{$gw} "; + if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; } } 
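Review bot: The `$whitelist` flag no longer changes what is collected: the removed code added bare interface IPs when building a whitelist and subnets only for HOME_NET, whereas the new interface loop, the Snort-interface block above it and the VIP hunk at +374 always add `gen_subnet(...) . "/{$sn}"`. If this whitelist feeds the pass list used by blocking, whole local subnets are now exempt from blocking instead of the firewall's own addresses, which widens the never-block set; please confirm this is intended and say so in the function header comment, which still only describes the HOME_NET default. The `if ($int == "wan") continue;` inside the `get_interface_ipv6` block is unreachable because the same test already ran at the top of the loop. The tail of snort_build_list lies outside the hunk.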
@@ -215,8 +364,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { - if ($dns) - $home_net .= "{$dns} "; + if ($dns && !in_array($dns, $home_net)) + $home_net[] = $dns; } } @@ -225,10 +374,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { if ($vip['subnet'] && $vip['mode'] != 'proxyarp') { - if ($whitelist == false) - $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} "; - else - $home_net .= "{$vip['subnet']} "; + if (!in_array("{$vip['subnet']}/{$vip['subnet_bits']}", $home_net)) + $home_net[] = "{$vip['subnet']}/{$vip['subnet_bits']}"; } } } @@ -236,19 +383,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if ($vpns == 'yes') { - if ($config['version'] <= 6) // chk what pfsense version were on - $vpns_list = get_vpns_list(); - else - $vpns_list = filter_get_vpns_list(); - - if (!empty($vpns_list)) - $home_net .= "{$vpns_list} "; + $vpns_list = filter_get_vpns_list(); + if (!empty($vpns_list)) { + /* Convert the returned space-delimited string to an array */ + /* and then add each VPN address to our HOME_NET array. */ + $vpns = explode(" ", $vpns_list); + foreach ($vpns as $vpn) + $home_net[] = trim($vpn); + unset($vpns, $vpns_list); + } } - $home_net = trim($home_net); - $validator = explode(" ", $home_net); $valresult = array(); - foreach ($validator as $vald) { + foreach ($home_net as $vald) { if (empty($vald)) continue; $vald = trim($vald); 
@@ -256,6 +403,11 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $valresult[$vald] = $vald; } + /* Release memory no longer required */ + unset($home_net); + + /* Sort the list and return it */ + natsort($valresult); return $valresult; } @@ -274,8 +426,8 @@ function snort_barnyard_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); - @unlink("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } } @@ -284,13 +436,11 @@ function snort_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); - exec("/bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } snort_barnyard_stop($snortcfg, $if_real); - - log_error("Interface Rule STOP for {$snortcfg['descr']}({$if_real})..."); } function snort_barnyard_start($snortcfg, $if_real) { 
@@ -300,9 +450,10 @@ function snort_barnyard_start($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; /* define snortbarnyardlog_chk */ - if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) + if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) { + log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); - + } } function snort_start($snortcfg, $if_real) { 
@@ -311,14 +462,42 @@ function snort_start($snortcfg, $if_real) { $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; - if ($snortcfg['enable'] == 'on') + if ($snortcfg['enable'] == 'on') { + log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + } else return; snort_barnyard_start($snortcfg, $if_real); +} + +/**************************************************************/ +/* This function sends the passed SIGNAL to the Snort */ +/* instance on the passed interface to cause Snort to reload */ +/* and parse the running configuration without stopping */ +/* packet processing. It also executes the reload as a */ +/* background process and returns control immediately to the */ +/* caller. */ +/* */ +/* $signal = SIGHUP (default) parses and reloads config. */ +/* SIGURG updates Host Attribute Table. */ +/**************************************************************/ +function snort_reload_config($snortcfg, $signal="SIGHUP") { + global $config, $g; + + $snortdir = SNORTDIR; + $snort_uuid = $snortcfg['uuid']; + $if_real = snort_get_real_interface($snortcfg['interface']); - log_error("Interface Rule START for {$snortcfg['descr']}({$if_real})..."); + /******************************************************/ + /* Only send the SIGHUP if Snort is running and we */ + /* can find a valid PID for the process. 
*/ + /******************************************************/ + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + } } function snort_get_friendly_interface($interface) { @@ -373,8 +552,7 @@ function snort_get_real_interface($interface) { this code block is for deleteing logs while keeping the newest file, snort is linked to these files while running, do not take the easy way out by touch and rm, snort will lose sync and not log. - - */ +*/ function snort_post_delete_logs($snort_uuid = 0) { global $config, $g; @@ -406,9 +584,14 @@ function snort_post_delete_logs($snort_uuid = 0) { } function snort_postinstall() { - global $config, $g; + global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + $rcdir = RCFILEPREFIX; + + /* Set flag for post-install in progress */ + $g['snort_postinstall'] = true; /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); 
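Review bot: `snort_reload_config()` splices its `$signal` parameter directly into `/bin/pkill -{$signal} -F ...`, so any caller passing something other than the two documented signals changes the command that is executed. Since the header comment names exactly SIGHUP and SIGURG, reject anything else before the exec: `if (!in_array($signal, array("SIGHUP", "SIGURG"), true)) return;`. In snort_start the new `} else return;` after the braced block is easy to misread; a guard `if ($snortcfg['enable'] != 'on') return;` at the top of the function would remove the dangling else. snort_start's body begins before the hunk.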
@@ -419,31 +602,57 @@ function snort_postinstall() {
 @rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
 @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
 @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
- @unlink("{$snortdir}/sid");
- @unlink("/usr/local/etc/rc.d/snort");
- @unlink("/usr/local/etc/rc.d/barnyard2");
- /* remove example files */
- if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
- exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
+ /* fix up the preprocessor rules filenames from a PBI package install */
+ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+ foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+ }
- if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
- exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+ /* Remove any previously installed scripts since we rebuild them */
+ @unlink("{$snortdir}/sid");
+ @unlink("{$rcdir}/snort.sh");
+ @unlink("{$rcdir}/barnyard2");
- /*
- mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true);
- mwexec("/usr/sbin/chown -R snort:snort {$snortdir}", true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
- mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
- */
+ /* remove example library files */
+ $files = glob("{$snortlibdir}/dynamicrules/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
+ $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
 /* remake saved settings */
 if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
 update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding files..."));
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ log_error(gettext("[Snort] Downloading and updating configured rule types..."));
+ update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
+ if ($pkg_interface <> "console")
+ $snort_gui_include = true;
+ @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = true;
 sync_snort_package_config();
- update_output_window(gettext("Finnished Rebuilding files..."));
+ $rebuild_rules = false;
+ update_output_window(gettext("Finished rebuilding files..."));
+ log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
+
+ /* Only try to start Snort if not in reboot */
+ if (!$g['booting']) {
+ update_status(gettext("Starting Snort using rebuilt configuration..."));
+ update_output_window(gettext("Please wait... while Snort is started..."));
+ log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
+ update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+ start_service("snort");
+ }
 }
+
+ /* Done with post-install, so clear flag */
+ unset($g['snort_postinstall']);
+ log_error(gettext("[Snort] Package post-installation tasks completed..."));
 }
 function snort_Getdirsize($node) {
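Review bot: In the `!$g['booting']` block the message `Snort has been started using the rebuilt configuration...` is written before `start_service("snort")` runs, so the console reports success before the start is even attempted; move that `update_output_window()` call after `start_service("snort");`. The `@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php")` hides an include failure, so a missing or broken updater script silently leaves the rebuild running on whatever rule files are already on disk — check the result, e.g. `if (@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php") === false) log_error(gettext("[Snort] Rule update script could not be loaded..."));`. `glob()` returns false on error, so the two `foreach ($files as $f)` loops should iterate over `(array)glob(...)` to avoid a warning on an unreadable directory. snort_postinstall begins in the preceding hunk.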
@@ -577,17 +786,20 @@ function snort_rm_blocked_install_cron($should_install) {
 }
 switch($should_install) {
 case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rm_blocked_min";
- $cron_item['hour'] = "$snort_rm_blocked_hr";
- $cron_item['mday'] = "$snort_rm_blocked_mday";
- $cron_item['month'] = "$snort_rm_blocked_month";
- $cron_item['wday'] = "$snort_rm_blocked_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rm_blocked_min";
+ $cron_item['hour'] = "$snort_rm_blocked_hr";
+ $cron_item['mday'] = "$snort_rm_blocked_mday";
+ $cron_item['month'] = "$snort_rm_blocked_month";
+ $cron_item['wday'] = "$snort_rm_blocked_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+
+ /* Add cron job if not already installed, else just update the existing one */
+ if (!$is_installed)
 $config['cron']['item'][] = $cron_item;
- }
+ elseif ($is_installed)
+ $config['cron']['item'][$x] = $cron_item;
 break;
 case false:
 if ($is_installed == true)
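Review bot: `elseif ($is_installed)` directly after `if (!$is_installed)` can only ever be true, so a plain `else` states the intent more honestly. The update branch writes `$config['cron']['item'][$x] = $cron_item;`, which is only correct if the search loop above the hunk leaves `$x` pointing at the matched entry (breaks before `$x++`); if it does not, the new item overwrites the entry after the match, so this is worth confirming. The search loop and the removal path under `case false:` lie outside the hunk.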
@@ -613,61 +825,83 @@ function snort_rules_up_install_cron($should_install) {
 $x++;
 }
 $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
+
+ /* See if a customized start time has been set for rule file updates */
+ if (!empty($config['installedpackages']['snortglobal']['rule_update_starttime']))
+ $snort_rules_upd_time = $config['installedpackages']['snortglobal']['rule_update_starttime'];
+ else
+ $snort_rules_upd_time = "00:03";
+
 if ($snort_rules_up_info_ck == "6h_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "*/6";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $hour = intval(substr($snort_rules_upd_time, 0, 2));
+ $snort_rules_up_hr = strval($hour);
+ for ($i=0; $i<3; $i++) {
+ $hour += 6;
+ if ($hour > 24)
+ $hour -= 24;
+ $snort_rules_up_hr .= "," . strval($hour);
+ }
 $snort_rules_up_mday = "*";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 if ($snort_rules_up_info_ck == "12h_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "*/12";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $hour = intval(substr($snort_rules_upd_time, 0, 2));
+ $snort_rules_up_hr = strval($hour) . ",";
+ $hour += 12;
+ if ($hour > 24)
+ $hour -= 24;
+ $snort_rules_up_hr .= strval($hour);
 $snort_rules_up_mday = "*";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 if ($snort_rules_up_info_ck == "1d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2));
 $snort_rules_up_mday = "*/1";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 if ($snort_rules_up_info_ck == "4d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2));
 $snort_rules_up_mday = "*/4";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 if ($snort_rules_up_info_ck == "7d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2));
 $snort_rules_up_mday = "*/7";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 if ($snort_rules_up_info_ck == "28d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
+ $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2));
+ $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2));
 $snort_rules_up_mday = "*/28";
 $snort_rules_up_month = "*";
 $snort_rules_up_wday = "*";
 }
 switch($should_install) {
 case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rules_up_min";
- $cron_item['hour'] = "$snort_rules_up_hr";
- $cron_item['mday'] = "$snort_rules_up_mday";
- $cron_item['month'] = "$snort_rules_up_month";
- $cron_item['wday'] = "$snort_rules_up_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rules_up_min";
+ $cron_item['hour'] = "$snort_rules_up_hr";
+ $cron_item['mday'] = "$snort_rules_up_mday";
+ $cron_item['month'] = "$snort_rules_up_month";
+ $cron_item['wday'] = "$snort_rules_up_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php";
+
+ /* Add cron job if not already installed, else just update the existing one */
+ if (!$is_installed)
 $config['cron']['item'][] = $cron_item;
- }
+ elseif ($is_installed)
+ $config['cron']['item'][$x] = $cron_item;
 break;
 case false:
 if($is_installed == true)
@@ -679,12 +913,16 @@ function snort_rules_up_install_cron($should_install) {
 /* Only run when all ifaces needed to sync. Expects filesystem rw */
 function sync_snort_package_config() {
 global $config, $g;
+ global $rebuild_rules;
+
+ $snortdir = SNORTDIR;
+ $rcdir = RCFILEPREFIX;
 conf_mount_rw();
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
+ /* do not start config build if rules is empty or there are no Snort settings */
+ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
+ @unlink("{$rcdir}/snort.sh");
 conf_mount_ro();
 return;
 }
@@ -693,10 +931,10 @@ function sync_snort_package_config() {
 foreach ($snortconf as $value) {
 $if_real = snort_get_real_interface($value['interface']);
- /* create snort configuration file */
+ /* create a snort.conf file for interface */
 snort_generate_conf($value);
- /* create barnyard2 configuration file */
+ /* create barnyard2.conf file for interface */
 if ($value['barnyard_enable'] == 'on')
 snort_create_barnyard2_conf($value, $if_real);
 }
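Review bot: The wrap-around check `if ($hour > 24) $hour -= 24;` in the `6h_up` and `12h_up` branches lets 24 through, which is not a valid cron hour: a start time of 18:03 with `6h_up` yields the hour field `18,24,6,12`. Use modulo instead, `$hour = ($hour + 6) % 24;` in the loop and `$hour = ($hour + 12) % 24;` in the 12h case. The `substr($snort_rules_upd_time, -2)` / `substr(..., 0, 2)` parsing assumes an `HH:MM` string and silently turns anything else into 0 via `intval()`, so `rule_update_starttime` presumably has to be validated where it is saved. The same `elseif ($is_installed)` redundancy noted on the previous hunk appears here too; the function's search loop starts before the hunk.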
@@ -715,16 +953,829 @@ function sync_snort_package_config() { snort_rules_up_install_cron($snortglob['autorulesupdate7'] != "never_up" ? true : false); configure_cron(); - + + /* Do not attempt package sync if reinstalling package or booting */ + if (!$g['snort_postinstall'] && !$g['booting']) + snort_sync_on_changes(); + conf_mount_ro(); } +function snort_build_sid_msg_map($rules_path, $sid_file) { + + /*************************************************************/ + /* This function reads all the rules file in the passed */ + /* $rules_path variable and produces a properly formatted */ + /* sid-msg.map file for use by Snort and/or barnyard2. */ + /*************************************************************/ + + $sidMap = array(); + $rule_files = array(); + + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* and don't write a sid_msg_map file. */ + if (is_string($rules_path)) { + if (is_dir($rules_path)) + $rule_files = glob($rules_path . "*.rules"); + elseif (is_file($rules_path)) + $rule_files = (array)$rules_path; + } + elseif (is_array($rules_path)) + $rule_files = $rules_path; + else + return; + + /* Read the rule files into an array, then iterate the list */ + foreach ($rule_files as $file) { + + /* Don't process files with "deleted" in the filename */ + if (stristr($file, "deleted")) + continue; + + /* Read the file into an array, skipping missing files. */ + if (!file_exists($file)) + continue; + + $rules_array = file($file, FILE_SKIP_EMPTY_LINES); + $record = ""; + $b_Multiline = false; + + /* Read and process each line from the rules in the */ + /* current file. */ + foreach ($rules_array as $rule) { + + /* Skip any non-rule lines unless we're in */ + /* multiline mode. 
*/ + if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + continue; + + /* Test for a multi-line rule, and reassemble the */ + /* pieces back into a single line. */ + if (preg_match('/\\\\s*[\n]$/m', $rule)) { + $rule = substr($rule, 0, strrpos($rule, '\\')); + $record .= $rule; + $b_Multiline = true; + continue; + } + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ + elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { + $record .= $rule; + $rule = $record; + } + $b_Multiline = false; + $record = ""; + + /* Parse the rule to find sid and any references. */ + $sid = ''; + $msg = ''; + $matches = ''; + $sidEntry = ''; + if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) + $msg = trim($matches[1]); + if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $sid = trim($matches[1]); + if (!empty($sid) && !empty($msg)) { + $sidEntry = $sid . ' || ' . $msg; + preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); + foreach ($matches[1] as $ref) + $sidEntry .= " || " . trim($ref); + $sidEntry .= "\n"; + $sidMap[$sid] = $sidEntry; + } + } + } + /* Sort the generated sid-msg map by sid */ + ksort($sidMap); + + /* Now print the result to the supplied file */ + @file_put_contents($sid_file, array_values($sidMap)); +} + +function snort_merge_reference_configs($cfg_in, $cfg_out) { + + /***********************************************************/ + /* This function takes a list of "reference.config" files */ + /* in the $cfg_in array and merges them into a single */ + /* file specified by $cfg_out. The merging is done so */ + /* no duplication of lines occurs in the output file. 
*/ + /***********************************************************/ + + $outMap = array(); + foreach ($cfg_in as $file) { + if (!file_exists($file)) + continue; + $in = file($file, FILE_SKIP_EMPTY_LINES); + foreach ($in as $line) { + /* Skip comment lines */ + if (preg_match('/^\s*#/', $line)) + continue; + if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) { + if (!empty($matches[2]) && !empty($matches[3])) { + $matches[2] = trim($matches[2]); + if (!array_key_exists($matches[2], $outMap)) + $outMap[$matches[2]] = trim($matches[3]); + } + } + } + } + /* Sort the new reference map. */ + uksort($outMap,'strnatcasecmp'); + + /**********************************************************/ + /* Do NOT write an empty references.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + + /* Format and write it to the supplied output file. */ + $format = "config reference: %-12s %s\n"; + foreach ($outMap as $key=>$value) + $outMap[$key] = sprintf($format, $key, $value); + @file_put_contents($cfg_out, array_values($outMap)); + return true; +} + +function snort_merge_classification_configs($cfg_in, $cfg_out) { + + /************************************************************/ + /* This function takes a list of "classification.config" */ + /* files in the $cfg_in array and merges them into a */ + /* single file specified by $cfg_out. The merging is done */ + /* so no duplication of lines occurs in the output file. 
*/ + /************************************************************/ + + $outMap = array(); + foreach ($cfg_in as $file) { + if (!file_exists($file)) + continue; + $in = file($file, FILE_SKIP_EMPTY_LINES); + foreach ($in as $line) { + if (preg_match('/(.*:)(\s*.*),(.*),(.*)/', $line, $matches)) { + /* Skip comment lines */ + if (preg_match('/^\s*#/', $line)) + continue; + if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) { + $matches[2] = trim($matches[2]); + if (!array_key_exists($matches[2], $outMap)) + $outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]); + } + } + } + } + /* Sort the new classification map. */ + uksort($outMap,'strnatcasecmp'); + + /**********************************************************/ + /* Do NOT write an empty classification.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + + /* Format and write it to the supplied output file. */ + $format = "config classification: %s,%s\n"; + foreach ($outMap as $key=>$value) + $outMap[$key] = sprintf($format, $key, $value); + @file_put_contents($cfg_out, array_values($outMap)); + return true; +} + +function snort_load_rules_map($rules_path) { + + /***************************************************************/ + /* This function loads and returns an array with all the rules */ + /* found in the *.rules files in the passed rules path. */ + /* */ + /* $rules_path can be: */ + /* a directory (assumed to contain *.rules files) */ + /* a filename (identifying a specific *.rules file) */ + /* an array of filenames (identifying *.rules files) */ + /***************************************************************/ + + $map_ref = array(); + $rule_files = array(); + + if (empty($rules_path)) + return $map_ref; + + /*************************************************************** + * Read all the rules into the map array. 
+ * The structure of the map array is: + * + * map[gid][sid]['rule']['category']['disabled']['flowbits'] + * + * where: + * gid = Generator ID from rule, or 1 if general text + * rule + * sid = Signature ID from rule + * rule = Complete rule text + * category = File name of file containing the rule + * disabled = 1 if rule is disabled (commented out), 0 if + * rule is enabled + * flowbits = Array of applicable flowbits if rule contains + * flowbits options + ***************************************************************/ + + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* an empty rules map array. */ + if (is_string($rules_path)) { + if (is_dir($rules_path)) + $rule_files = glob($rules_path . "*.rules"); + elseif (is_file($rules_path)) + $rule_files = (array)$rules_path; + } + elseif (is_array($rules_path)) + $rule_files = $rules_path; + else + return $map_ref; + + /* Read the rule files into an array, then iterate the list */ + /* to process the rules from the files one-by-one. */ + foreach ($rule_files as $file) { + + /* Don't process files with "deleted" in the filename. */ + if (stristr($file, "deleted")) + continue; + + /* Read the file contents into an array, skipping */ + /* missing files. */ + if (!file_exists($file)) + continue; + + $rules_array = file($file, FILE_SKIP_EMPTY_LINES); + $record = ""; + $b_Multiline = false; + + /* Read and process each line from the rules in the */ + /* current file into an array. */ + foreach ($rules_array as $rule) { + + /* Skip any lines that may be just spaces. */ + if (trim($rule, " \n") == "") + continue; + + /* Skip any non-rule lines unless we're in */ + /* multiline mode. */ + if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + continue; + + /* Test for a multi-line rule; loop and reassemble */ + /* the pieces back into a single line. 
*/ + if (preg_match('/\\\\s*[\n]$/m', $rule)) { + $rule = substr($rule, 0, strrpos($rule, '\\')); + $record .= $rule; + $b_Multiline = true; + continue; + } + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ + elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { + $record .= $rule; + $rule = $record; + } + + /* We have an actual single-line rule, or else a */ + /* re-assembled multiline rule that is now a */ + /* single-line rule, so store it in our rules map. */ + + /* Get and test the SID. If we don't find one, */ + /* ignore and skip this rule as it is invalid. */ + $sid = snort_get_sid($rule); + if (empty($sid)) { + $b_Multiline = false; + $record = ""; + continue; + } + + $gid = snort_get_gid($rule); + if (!is_array($map_ref[$gid])) + $map_ref[$gid] = array(); + if (!is_array($map_ref[$gid][$sid])) + $map_ref[$gid][$sid] = array(); + $map_ref[$gid][$sid]['rule'] = $rule; + $map_ref[$gid][$sid]['category'] = basename($file, ".rules"); + + if (preg_match('/^\s*\#+/', $rule)) + $map_ref[$gid][$sid]['disabled'] = 1; + else + $map_ref[$gid][$sid]['disabled'] = 0; + + /* Grab any associated flowbits from the rule. */ + $map_ref[$gid][$sid]['flowbits'] = snort_get_flowbits($rule); + + /* Reset our local flag and record variables */ + /* for the next rule in the set. */ + $b_Multiline = false; + $record = ""; + } + + /* Zero out our processing array and get the next file. */ + unset($rules_array); + } + return $map_ref; +} + +function snort_get_gid($rule) { + + /****************************************************************/ + /* If a gid is defined, then return it, else default to "1" for */ + /* general text rules match. 
*/ + /****************************************************************/ + + if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + return trim($matches[1]); + else + return "1"; +} + +function snort_get_sid($rule) { + + /***************************************************************/ + /* If a sid is defined, then return it, else default to an */ + /* empty value. */ + /***************************************************************/ + + if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + return trim($matches[1]); + else + return ""; +} + +function snort_get_msg($rule) { + + /**************************************************************/ + /* Return the MSG section of the passed rule as a string. */ + /**************************************************************/ + + $msg = ""; + if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) + $msg = trim($matches[1]); + return $msg; +} + +function snort_get_flowbits($rule) { + + /*************************************************************/ + /* This will pull out "flowbits:" options from the rule text */ + /* and return them in an array (minus the "flowbits:" part). */ + /*************************************************************/ + + $flowbits = array(); + + /* Grab any "flowbits:set, setx, unset, isset or toggle" options first. */ + /* Examine flowbits targets for logical operators to capture all targets */ + if (preg_match_all('/flowbits\b\s*:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { + $i = -1; + while (++$i < count($matches[1])) { + $action = trim($matches[1][$i]); + $target = preg_split('/[&|]/', $matches[2][$i]); + foreach ($target as $t) + $flowbits[] = "{$action}," . trim($t); + } + } + + /* Include the "flowbits:noalert or reset" options, if present. 
*/ + if (preg_match_all('/flowbits\b\s*:\s*(noalert|reset)\b/i', $rule, $matches)) { + $i = -1; + while (++$i < count($matches[1])) { + $flowbits[] = trim($matches[1][$i]); + } + } + + return $flowbits; +} + +function snort_get_checked_flowbits($rules_map) { + + /*************************************************************/ + /* This function checks all the currently enabled rules to */ + /* find any checked flowbits, and returns the checked */ + /* flowbit names in an array. */ + /*************************************************************/ + + $checked_flowbits = array(); + foreach ($rules_map as $rulem) { + if (!is_array($rulem)) + continue; + foreach ($rulem as $rulem2) { + if (!is_array($rulem2)) + continue; + if ($rulem2['disabled'] == 1) + continue; + if (empty($rulem2['flowbits'])) + continue; + if (!is_array($rulem2['flowbits'])) + continue; + foreach ($rulem2['flowbits'] as $flowbit) { + if (empty($flowbit)) + continue; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "isset" || $action == "isnotset") { + $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); + foreach ($target as $t) + if (!empty($t) && !isset($checked_flowbits[$t])) + $checked_flowbits[$t] = $action; + } + } + } + } + unset($rulem, $rulem2); + + return $checked_flowbits; +} + +function snort_get_set_flowbits($rules_map) { + + /*********************************************************/ + /* This function checks all the currently enabled rules */ + /* to find any set flowbits, and returns the flowbit */ + /* names in an array. 
*/ + /*********************************************************/ + + $set_flowbits = array(); + foreach ($rules_map as $rulem) { + if (!is_array($rulem)) + continue; + foreach ($rulem as $rulem2) { + if ($rulem2['disabled'] == 1) + continue; + if (empty($rulem2['flowbits'])) + continue; + if (!is_array($rulem2['flowbits'])) + continue; + foreach ($rulem2['flowbits'] as $flowbit) { + if (empty($flowbit)) + continue; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "set" || $action == "toggle" || $action == "setx") { + $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); + foreach ($target as $t) + if (!empty($t) && !isset($set_flowbits[$t])) + $set_flowbits[$t] = $action; + } + } + } + } + unset($rulem, $rulem2); + + return $set_flowbits; +} + +function snort_find_flowbit_required_rules($rules, $unchecked_flowbits) { + + /********************************************************/ + /* This function finds all rules that must be enabled */ + /* in order to satisfy the "checked flowbits" used by */ + /* the currently enabled rules. It returns the list */ + /* of required rules in an array. 
*/ + /********************************************************/ + + $required_flowbits_rules = array(); + foreach ($rules as $k1 => $rule) { + if (!is_array($rule)) + continue; + foreach ($rule as $k2 => $rule2) { + if (empty($rule2['flowbits'])) + continue; + if (!is_array($rule2['flowbits'])) + continue; + foreach ($rule2['flowbits'] as $flowbit) { + if (empty($flowbit)) + continue; + $action = substr($flowbit, 0, strpos($flowbit, ",")); + if (!strcasecmp(substr($action, 0, 3), "set")) { + $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); + if (!empty($tmp) && isset($unchecked_flowbits[$tmp])) { + if (!is_array($required_flowbits_rules[$k1])) + $required_flowbits_rules[$k1] = array(); + if (!is_array($required_flowbits_rules[$k1][$k2])) + $required_flowbits_rules[$k1][$k2] = array(); + $required_flowbits_rules[$k1][$k2]['category'] = $rule2['category']; + if ($rule2['disabled'] == 0) + /* If not disabled, just return the rule text "as is" */ + $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']); + else { + /* If rule is disabled, remove leading '#' to enable it */ + $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1)); + $required_flowbits_rules[$k1][$k2]['disabled'] = 0; + } + } + } + } + } + } + unset($rule, $rule2); + + return $required_flowbits_rules; +} + +function snort_resolve_flowbits($rules, $active_rules) { + + /******************************************************/ + /* This function auto-resolves flowbit requirements */ + /* by finding all checked flowbits in the currently */ + /* enabled rules, and then making sure all the "set" */ + /* flowbit rules for those "checked" flowbits are */ + /* enabled. For any that are not enabled, they are */ + /* copied to an array, enabled, and returned. */ + /* */ + /* $active_rules --> Rules Map array containing */ + /* the current rules for the */ + /* interface to resolve flowbit */ + /* dependencies for. 
*/ + /* */ + /* $rules --> Rules Map array containing */ + /* all the available rules. */ + /******************************************************/ + + $snortdir = SNORTDIR; + + /* Check $all_rules array to be sure it is filled. */ + if (empty($rules)) { + log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); + return array(); + } + + /* First, find all the "checked" and "set" flowbits. */ + $checked_flowbits = snort_get_checked_flowbits($active_rules); + $set_flowbits = snort_get_set_flowbits($active_rules); + + /* Next find any "checked" flowbits without matching */ + /* "set" flowbit rules in the enabled rule set. */ + $delta_flowbits = array_diff_key($checked_flowbits, $set_flowbits); + + /* Cleanup and release the memory we no longer need. */ + unset($checked_flowbits); + unset($set_flowbits); + + /* Now find all the needed "set flowbit" rules from */ + /* the master list of all rules. */ + $required_rules = snort_find_flowbit_required_rules($rules, $delta_flowbits); + + /* Cleanup and release memory we no longer need. */ + unset($delta_flowbits); + + return $required_rules; +} + +function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { + + /************************************************/ + /* This function takes an array of rules in the */ + /* rules_map format and writes them to the file */ + /* given. */ + /* */ + /* $flowbit_rules --> array of flowbit-required */ + /* rules. */ + /* */ + /* $rule_file --> filename to write the */ + /* flowbit-required rules */ + /* to. */ + /************************************************/ + + $flowbit_rules_file = FLOWBITS_FILENAME; + + /* See if we were passed a directory or full */ + /* filename to write the rules to, and adjust */ + /* the destination argument accordingly. 
*/ + if (is_dir($rule_file)) + $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}"; + + if (empty($flowbit_rules)) { + @file_put_contents($rule_file, ""); + return; + } + + $fp = fopen($rule_file, "w"); + if ($fp) { + @fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n"); + @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n"); + @fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n"); + @fwrite($fp, "# your chosen rules fire as intended.\n#\n"); + @fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n"); + @fwrite($fp, "# of the rule to the Suppression List for the interface.\n"); + foreach ($flowbit_rules as $k1 => $rule) { + foreach ($rule as $k2 => $rule2) { + @fwrite($fp, "\n# Category: {$rule2['category']}"); + @fwrite($fp, " GID:{$k1} SID:{$k2}\n"); + @fwrite($fp, $rule2['rule']); + } + } + fclose($fp); + } +} + +function snort_load_vrt_policy($policy, $all_rules=null) { + + /************************************************/ + /* This function returns an array of all rules */ + /* marked with the passed in $policy metadata. */ + /* */ + /* $policy --> desired VRT security policy */ + /* 1. connectivity */ + /* 2. balanced */ + /* 3. security */ + /* */ + /* $all_rules --> optional Rules Map array of */ + /* rules to scan for policy. */ + /* If not provided, then an */ + /* array will be created. */ + /************************************************/ + + $snortdir = SNORTDIR; + $vrt_policy_rules = array(); + + /* Load a map of all the VRT rules if we were */ + /* not passed a pre-loaded one to use. */ + if (is_null($all_rules)) { + /* Since only Snort VRT rules have IPS Policy metadata, */ + /* limit our search to just those files. 
*/ + $snort_vrt_files = glob("{$snortdir}/rules/snort_*.rules"); + $all_rules = snort_load_rules_map($snort_vrt_files); + } + + /* Now walk the rules list and find all those that are */ + /* defined as active for the chosen security policy. */ + foreach ($all_rules as $k1 => $arulem) { + foreach ($arulem as $k2 => $arulem2) { + if (strripos($arulem2['rule'], "policy {$policy}-ips") !== false) { + if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) { + if (!is_array($vrt_policy_rules[$k1])) + $vrt_policy_rules[$k1] = array(); + if (!is_array($vrt_policy_rules[$k1][$k2])) + $vrt_policy_rules[$k1][$k2] = array(); + $vrt_policy_rules[$k1][$k2] = $arulem2; + + /* Enable the policy rule if disabled */ + if ($arulem2['disabled'] == 1) { + $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1)); + $vrt_policy_rules[$k1][$k2]['disabled'] = 0; + } + } + } + } + } + + /* Release memory we no longer need. */ + unset($arulem, $arulem2); + + /* Return all the rules that match the policy. */ + return $vrt_policy_rules; +} + +function snort_write_enforcing_rules_file($rule_map, $rule_path) { + + /************************************************/ + /* This function takes a rules map array of */ + /* the rules chosen for the active rule set */ + /* and writes them out to the passed path. */ + /* */ + /* $rule_map --> Rules Map array of rules to */ + /* write to disk. */ + /* */ + /* $rule_path --> filename or directory where */ + /* rules file will be written. */ + /************************************************/ + + $rule_file = "/" . ENFORCING_RULES_FILENAME; + + /* See if we were passed a directory or full */ + /* filename to write the rules to, and adjust */ + /* the destination argument accordingly. */ + if (is_dir($rule_path)) + $rule_file = rtrim($rule_path, '/').$rule_file; + else + $rule_file = $rule_path; + + /* If the $rule_map array is empty, then exit. 
*/ + if (empty($rule_map)) { + file_put_contents($rule_file, ""); + return; + } + + $fp = fopen($rule_file, "w"); + if ($fp) { + @fwrite($fp, "# These rules are your current set of enforced rules for the protected\n"); + @fwrite($fp, "# interface. This list was compiled from the categories selected on the\n"); + @fwrite($fp, "# CATEGORIES tab of the Snort configuration for the interface and/or any\n"); + @fwrite($fp, "# chosen Snort VRT pre-defined IPS Policy.\n#\n"); + @fwrite($fp, "# Any enablesid or disablesid customizations you made have been applied\n"); + @fwrite($fp, "# to the rules in this file.\n\n"); + foreach ($rule_map as $rulem) { + foreach ($rulem as $rulem2) { + /* No reason to write disabled rules to enforcing file, so skip them. */ + if ($rulem2['disabled'] == 1) + continue; + @fwrite($fp, $rulem2['rule']); + } + } + fclose($fp); + } +} + +function snort_load_sid_mods($sids, $value) { + + /*****************************************/ + /* This function parses the string of */ + /* SID values in $sids and returns an */ + /* array with the SID as the key and */ + /* value. The SID values in $sids are */ + /* assumed to be delimited by "||". */ + /* */ + /* $sids ==> string of SID values from */ + /* saved config file. */ + /* */ + /* $value ==> type of mod (enable or */ + /* disable). Not currently */ + /* utilized, but maintained */ + /* so as not to break legacy */ + /* code elsewhere. 
*/ + /*****************************************/ + + $result = array(); + if (empty($sids) || empty($value)) + return $result; + $tmp = explode("||", $sids); + foreach ($tmp as $v) { + if (preg_match('/\s\d+/', $v, $match)) + $result[trim($match[0])] = trim($match[0]); + } + unset($tmp); + + return $result; +} + +function snort_modify_sids(&$rule_map, $snortcfg) { + + /*****************************************/ + /* This function modifies the rules in */ + /* the passed rules_map array based on */ + /* values in the enablesid/disablesid */ + /* configuration parameters. */ + /* */ + /* $rule_map = array of current rules */ + /* $snortcfg = config settings */ + /*****************************************/ + + if (!isset($snortcfg['rule_sid_on']) && !isset($snortcfg['rule_sid_off'])) + return; + + /* Load up our enablesid and disablesid */ + /* arrays with lists of modified SIDs */ + $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on'], "enablesid"); + $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off'], "disablesid"); + + /* Turn on any rules that need to be */ + /* forced "on" with enablesid mods. */ + if (!empty($enablesid)) { + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (in_array($k2, $enablesid) && $v['disabled'] == 1) { + $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#"); + $rule_map[$k1][$k2]['disabled'] = 0; + } + } + } + } + + /* Turn off any rules that need to be */ + /* forced "off" with disablesid mods. */ + if (!empty($disablesid)) { + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + $rule_map[$k1][$k2]['rule'] = "# " . 
$v['rule']; + $rule_map[$k1][$k2]['disabled'] = 1; + } + } + } + } + unset($enablesid, $disablesid); +} + /* Start of main config files */ /* open snort.sh for writing" */ function snort_create_rc() { global $config, $g; $snortdir = SNORTDIR; + $rcdir = RCFILEPREFIX; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; 
@@ -743,23 +1794,59 @@ function snort_create_rc() { $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - /bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid - fi - /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid - if [ $? = 0 ]; then - /bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a + pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` else - /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q + pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill $pid -a + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + fi + fi + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." 
+ /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q EOE; $stop_barnyard2 = <<<EOE if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` /bin/pkill -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a - /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + fi else - /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'` + if [ ! -z \$pid ]; then + /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi EOE; 
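Review bot: In the `$start_barnyard` heredoc the pattern-search branch redirects pgrep's stdout into the pid file, `pid=\`/bin/pgrep -xf '...' > {$g['varrun_path']}/barnyard2_...pid\``, so the command substitution captures nothing, `\$pid` stays empty, the `if [ ! -z \$pid ]` stop block is skipped and a second barnyard2 is launched beside the one pgrep just found. In the same block `/bin/pkill $pid -a` lacks the backslash the neighbouring lines use, so PHP interpolates an unset `$pid` at generation time, and pkill takes a name pattern rather than a PID anyway. I'd write `pid=\`/bin/pgrep -xf '...'\`` and `/bin/kill \$pid`, writing the pid file separately if it is still wanted, and quote the tests as `[ ! -z "\$pid" ]` because pgrep can return several PIDs. The quoting point applies equally to the `$stop_barnyard2` heredoc below it.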
@@ -771,19 +1858,18 @@ EOE; $start_snort_iface_start[] = <<<EOE ###### For Each Iface -#### Only try to restart if snort is running on Iface + # Start snort and barnyard2 if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then - /bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' > {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` + else + pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi - /bin/pgrep -nF {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid - if [ $? = 0 ]; then - /bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT START For {$value['descr']}({$snort_uuid}_{$if_real})..." + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid else - # Start snort and barnyard2 - /bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START For {$value['descr']}({$snort_uuid}_{$if_real})..." fi sleep 2 
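Review bot: `/bin/pkill -HUP \$pid` in the soft-restart branch passes a PID where pkill expects a process-name pattern, so it matches nothing (or an unrelated process whose name happens to contain those digits) and the running Snort is never told to reload; `/bin/kill -HUP \$pid` is what the branch intends. The `[ ! -z \$pid ]` test should be quoted as `[ ! -z "\$pid" ]` because `pgrep -xf` can return more than one PID. The `logger` lines also splice `{$value['descr']}` verbatim into a double-quoted shell string in a script run as root, so a description containing `"`, `$` or a backtick would break or inject into snort.sh; pass it through `escapeshellarg()` or strip those characters before interpolation.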
@@ -793,12 +1879,35 @@ EOE; $start_snort_iface_stop[] = <<<EOE - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP For {$value['descr']}({$snort_uuid}_{$if_real})..." if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then + pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." /bin/pkill -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a - /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid - else - /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/snort_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid + fi + else + pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi sleep 2 @@ -834,6 +1943,7 @@ case $1 in rc_stop ;; restart) + rc_stop rc_start ;; esac 
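Review bot: After the 30-second wait loop times out, the stop path just `break`s, deletes the pid file and moves on, so a Snort that ignores SIGTERM survives the stop; with the new `restart)` case now running `rc_stop` before `rc_start`, it would then be found running by the start block and only HUPed rather than restarted. I'd escalate after the loop, `if kill -0 "\$pid" 2>/dev/null; then /bin/kill -9 \$pid; fi`, and report the timeout through the same `logger` call. This wait loop is now pasted five times across the start/stop heredocs; a small shell function in the generated script (`wait_for_exit() { ... }`) would keep the timeout and escalation logic in one place.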
@@ -841,11 +1951,11 @@ esac EOD; /* write out snort.sh */ - if (!@file_put_contents("/usr/local/etc/rc.d/snort.sh", $snort_sh_text)) { - log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + if (!@file_put_contents("{$rcdir}/snort.sh", $snort_sh_text)) { + log_error("Could not open {$rcdir}/snort.sh for writing."); return; } - @chmod("/usr/local/etc/rc.d/snort.sh", 0755); + @chmod("{$rcdir}/snort.sh", 0755); } /* open barnyard2.conf for writing */ @@ -892,13 +2002,16 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) { config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map +config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$if_real} config decode_data_link config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo +# Show year in timestamps +config show_year + ## START user pass through ## {$snortbarnyardlog_config_pass_thru} 
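Review bot: `@chmod("{$rcdir}/snort.sh", 0755)` suppresses and ignores its result, so when the mode change fails the rc script is written but not executable and Snort quietly fails to start at boot, whereas the write failure just above is logged. I'd mirror the write check: `if (!@chmod("{$rcdir}/snort.sh", 0755)) log_error("Could not set permissions on {$rcdir}/snort.sh.");`. Writing the script in place with `file_put_contents` also means anything that races the write sees a truncated file; writing to `{$rcdir}/snort.sh.tmp` and `rename()`ing over the target avoids that.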
@@ -921,36 +2034,39 @@ EOD; } function snort_deinstall() { + global $config, $g; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; + $rcdir = RCFILEPREFIX; + $snort_rules_upd_log = RULES_UPD_LOGFILE; + + log_error(gettext("[Snort] Snort package uninstall in progress...")); - /* decrease bpf buffers back to 4096, from 20480 */ + /* Make sure all active Snort processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("snort")) + log_error(gettext("[Snort] Snort STOP for all interfaces...")); mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + + /* Make sure all active Barnyard2 processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("barnyard2")) + log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); mwexec('/usr/bin/killall barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); - mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - if (!function_exists("get_interface_ipv6")) { - /* create a few directories and ensure the sample files are in place */ - $snort_dirs = array( $snortdir, $snortlogdir, - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", - "dynamicengine" => "/usr/local/lib/snort/dynamicengine", - "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor" - ); - foreach ($snort_dirs as $dir) { - if (is_dir($dir)) - mwexec("/bin/rm -rf {$dir}", true); - } - } + /* Remove the snort user and group */ + mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness*/ + /* Remove snort cron entries Ugly code needs smoothness */ if (!function_exists('snort_deinstall_cron')) { function snort_deinstall_cron($crontask) { global $config, $g; 
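Review bot: `pw userdel snort; pw groupdel snort` now runs on every deinstall, including the GUI-only reinstall case that the function later distinguishes with the `/tmp/pkg_libs.tgz` / `/tmp/pkg_bins.tgz` test (visible in the next hunk), where `{$snortdir}` and the binaries are deliberately kept; the account the daemons presumably run as is removed on that path too, so a start before the reinstall recreates it would fail or run under a different uid. I'd move the account removal into the package-deletion branch alongside the `rm -rf` calls, `mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);`, and log it. Note also that `is_service_running("snort")` only gates the log line; the `killall`/`killall -9` pair runs regardless and matches any process named snort on the host, not just this package's instances. snort_deinstall continues past the end of the hunk.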
@@ -972,25 +2088,372 @@ function snort_deinstall() { } } + /* Remove all the Snort cron jobs. */ snort_deinstall_cron("snort2c"); snort_deinstall_cron("snort_check_for_rule_updates.php"); snort_deinstall_cron("snort_check_cron_misc.inc"); configure_cron(); + /**********************************************************/ + /* Test for existence of library backup tarballs in /tmp. */ + /* If these are present, then a package "delete" */ + /* operation is in progress and we need to wipe out the */ + /* configuration files. Otherwise we leave the binary- */ + /* side configuration intact since only a GUI files */ + /* deinstall and reinstall operation is in progress. */ + /* */ + /* XXX: hopefully a better method presents itself in */ + /* future versions of pfSense. */ + /**********************************************************/ + if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) { + log_error(gettext("[Snort] Package deletion requested... removing all files...")); + mwexec("/bin/rm -rf {$snortdir}"); + mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); + mwexec("/bin/rm -f {$rcdir}/snort.sh"); + mwexec("/bin/rm -rf /usr/local/pkg/snort"); + mwexec("/bin/rm -rf /usr/local/www/snort"); + mwexec("/bin/rm -rf /usr/local/etc/snort"); + } + /* Keep this as a last step */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { + log_error(gettext("Not saving settings... 
all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); + unset($config['installedpackages']['snortsync']); + @unlink("{$snort_rules_upd_log}"); + mwexec("/bin/rm -rf {$snortlogdir}"); + log_error(gettext("[Snort] The package has been removed from this system...")); + } +} + +function snort_prepare_rule_files($snortcfg, $snortcfgdir) { + + /***********************************************************/ + /* This function builds a new set of enforcing rules for */ + /* Snort and writes them to disk. */ + /* */ + /* $snortcfg --> pointer to applicable section of */ + /* config.xml containing settings for */ + /* the interface. */ + /* */ + /* $snortcfgdir --> pointer to physical directory on */ + /* disk where Snort configuration is */ + /* to be written. */ + /***********************************************************/ + + global $rebuild_rules; + + $snortdir = SNORTDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; + $no_rules_defined = true; + + /* If there is no reason to rebuild the rules, exit to save time. */ + if (!$rebuild_rules) + return; + + /* Log a message for rules rebuild in progress */ + log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ + if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { + $enabled_rules = array(); + $enabled_files = array(); + $all_rules = array(); + $no_rules_defined = false; + + /* Load up all the rules into a Rules Map array. */ + $all_rules = snort_load_rules_map("{$snortdir}/rules/"); + + /* Create an array with the filenames of the enabled */ + /* rule category files if we have any. 
*/ + if (!empty($snortcfg['rulesets'])) { + foreach (explode("||", $snortcfg['rulesets']) as $file){ + $category = basename($file, ".rules"); + if (!is_array($enabled_files[$category])) + $enabled_files[$category] = array(); + $enabled_files[$category] = $file; + } + + /****************************************************/ + /* Walk the ALL_RULES map array and copy the rules */ + /* matching our selected file categories to the */ + /* ENABLED_RULES map array. */ + /****************************************************/ + foreach ($all_rules as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (isset($enabled_files[$v['category']])) { + if (!is_array($enabled_rules[$k1])) + $enabled_rules[$k1] = array(); + if (!is_array($enabled_rules[$k1][$k2])) + $enabled_rules[$k1][$k2] = array(); + $enabled_rules[$k1][$k2]['rule'] = $v['rule']; + $enabled_rules[$k1][$k2]['category'] = $v['category']; + $enabled_rules[$k1][$k2]['disabled'] = $v['disabled']; + $enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits']; + } + } + } + + /* Release memory we no longer need. */ + unset($enabled_files, $rulem, $v); + } + + /* Check if a pre-defined Snort VRT policy is selected. If so, */ + /* add all the VRT policy rules to our enforcing rule set. */ + if (!empty($snortcfg['ips_policy'])) { + $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy'], $all_rules); + foreach ($policy_rules as $k1 => $policy) { + foreach ($policy as $k2 => $p) { + if (!is_array($enabled_rules[$k1])) + $enabled_rules[$k1] = array(); + if (!is_array($enabled_rules[$k1][$k2])) + $enabled_rules[$k1][$k2] = array(); + $enabled_rules[$k1][$k2]['rule'] = $p['rule']; + $enabled_rules[$k1][$k2]['category'] = $p['category']; + $enabled_rules[$k1][$k2]['disabled'] = $p['disabled']; + $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits']; + } + } + unset($policy_rules, $policy, $p); + } + + /* Process any enablesid or disablesid modifications for the selected rules. 
*/ + snort_modify_sids($enabled_rules, $snortcfg); + + /* Check for and disable any rules dependent upon disabled preprocessors if */ + /* this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $enabled_rules); + } + + /* Write the enforcing rules file to the Snort interface's "rules" directory. */ + snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); + + /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ + if ($snortcfg['autoflowbitrules'] == 'on') { + log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + $fbits = snort_resolve_flowbits($all_rules, $enabled_rules); + + /* Check for and disable any flowbit-required rules dependent upon */ + /* disabled preprocessors if this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . 
'...'); + snort_filter_preproc_rules($snortcfg, $fbits, true); + } + snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + unset($fbits); + } else + /* Just put an empty file to always have the file present */ + snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + } else { + snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); + snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + } + + if (!empty($snortcfg['customrules'])) { + @file_put_contents("{$snortcfgdir}/rules/custom.rules", base64_decode($snortcfg['customrules'])); + $no_rules_defined = false; + } + else + @file_put_contents("{$snortcfgdir}/rules/custom.rules", ""); + + /* Log a warning if the interface has no rules defined or enabled */ + if ($no_rules_defined) + log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + + /* Build a new sid-msg.map file from the enabled */ + /* rules and copy it to the interface directory. */ + log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); + snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); +} + +function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) { + + /**************************************************/ + /* This function checks the $active_rules array */ + /* for rule options dependent upon preprocessors. */ + /* Rules with rule options dependent upon any */ + /* non-enabled preprocessors are disabled to stop */ + /* start-up errors from unknown rule options. */ + /* */ + /* $snortcfg --> config parameters array for */ + /* the interface. */ + /* */ + /* $active_rules --> rules_map array of enabled */ + /* rules for the interface. 
*/ + /* */ + /* $persist_log --> flag indicating if new log */ + /* file should be created or */ + /* the existing one appended */ + /* to. */ + /* */ + /* NOTE: This feature must be enabled in the GUI */ + /* by the user. Use of this feature can */ + /* severely degrade Snort's ability to */ + /* detect threats by disabling potentially */ + /* crucial detection rules. */ + /**************************************************/ + + global $config; + + $snortlogdir = SNORTLOGDIR; + $disabled_count = 0; + $log_msg = array(); + + /* Check if no rules or if this option is disabled */ + if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on') + return; + + /*************************************************** + * Construct an array of rule options with their * + * associated preprocessors. * + * * + * IMPORTANT -- Keep this part of the code current * + * with changes to preprocessor rule options in * + * Snort VRT rules. * + * * + * * + * Format of array is: * + * "rule_option" => "dependent_preprocessor" * + * * + * Last Update: 04/05/2013 * + * * + * Added: http_inspect content modifiers and * + * various "service" metadata values. 
* + * * + ***************************************************/ + $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc", + "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor", + "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor", + "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2", + "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data", + "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc", + "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc", + "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc", + "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc", + "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc", + "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc", + "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc", + "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect", + "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect", + "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect", + "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect", + "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect", + "uricontent:" => "http_inspect", "urilen:" => "http_inspect", + "http_encode;" => "http_inspect", "service http" => "http_inspect", + "service imap" => "imap_preproc", "service pop2" => "pop_preproc", + "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor"); + + /*************************************************** + * Iterate the enabled rules, and check for rule * + * options that depend on disabled preprocessors. * + * Disable any of these preprocessor-dependent * + * rules we find. Once we find at least one * + * reason to disable the rule, stop further checks * + * and go to the next rule. 
* + ***************************************************/ + foreach ($active_rules as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + + /* If rule is already disabled, skip it. */ + if ($v['disabled'] == 1) + continue; + + foreach ($rule_opts_preprocs as $opt => $preproc) { + $pcre = "/\s*\b" . preg_quote($opt) . "/i"; + if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) { + $active_rules[$k1][$k2]['rule'] = "# " . $v['rule']; + $active_rules[$k1][$k2]['disabled'] = 1; + $disabled_count++; + + /* Accumulate auto-disabled rules for logging */ + $tmp = $active_rules[$k1][$k2]['category'] . ","; + $tmp .= "{$k1}:{$k2},{$preproc},{$opt}"; + $log_msg[] = $tmp; + break; + } + } + } + } + + /* Release memory we no longer need. */ + unset($rulem, $v, $preproc); + + /***************************************************************/ + /* If we are persisting the log from the last pass, then open */ + /* the log file in append mode. Otherwise open in overwrite */ + /* to clear the log in case we have zero disabled rules. */ + /* */ + /* Typically "persist log" mode is used on the second pass */ + /* when flowbit-required rules are being assessed after the */ + /* primary enforcing rules have been evaluated. */ + /***************************************************************/ + $iface = snort_get_friendly_interface($snortcfg['interface']); + $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; + if ($persist_log) + $fp = fopen($file, 'a'); + else + $fp = fopen($file, 'w'); + + /***************************************************/ + /* Log a warning if we auto-disabled any rules */ + /* just so the user is aware protection is less */ + /* than optimal with the preprocessors disabled. 
*/ + /***************************************************/ + if ($disabled_count > 0) { + log_error(gettext("[Snort] Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies.")); + natcasesort($log_msg); + if ($fp) { + /* Only write the header when not persisting the log */ + if (!$persist_log) { + @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n"); + @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n"); + @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n"); + @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n"); + @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n"); + @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n"); + @fwrite($fp, "# feature on the Preprocessors tab.\n#\n"); + @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n"); + @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#"); + @fwrite($fp, "\n# In the list below, the PREPROCESSOR column is the disabled preprocessor that\n"); + @fwrite($fp, "# triggered the auto-disable of the rule represented by GID:SID. The RULE OPTION\n"); + @fwrite($fp, "# column shows the specific rule option or content modifier contained within\n"); + @fwrite($fp, "# the rule text that requires the preprocessor be enabled in order to execute.\n#"); + @fwrite($fp, "\n# RULE CATEGORY GID:SID PREPROCESSOR RULE OPTION\n"); + } + foreach ($log_msg as $m) { + $tmp = explode(",", $m); + @fwrite($fp, sprintf("%-30s %-10s %-20s %s", $tmp[0], $tmp[1], $tmp[2], $tmp[3]) . 
"\n"); + } + } + log_error(gettext("[Snort] See '{$file}' for list of auto-disabled rules.")); + unset($log_msg); + } + if ($fp) + fclose($fp); } function snort_generate_conf($snortcfg) { - global $config, $g; + + global $config, $g, $rebuild_rules; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + $if_real = snort_get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -1013,8 +2476,8 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "{$snortcfgdir}/dynamicrules", - "dynamicengine" => "/usr/local/lib/snort/dynamicengine", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { 
@@ -1022,13 +2485,24 @@ function snort_generate_conf($snortcfg) { safe_mkdir($dir); } + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" ); foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } } /* define alertsystemlog */ @@ -1047,7 +2521,6 @@ function snort_generate_conf($snortcfg) { $pfkill = ""; if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; - /* No subnets to default addresses */ $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); /* write whitelist */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); 
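Review bot: The refresh condition in the `$snort_files` loop copies whenever the package copy is newer (`$ftime > filemtime("{$snortcfgdir}/{$file}")`), which is broader than what the boxed comment above it promises: a customized interface copy would still be overwritten by any later-dated file under `{$snortdir}`, e.g. after a package reinstall or upgrade (inferred, not visible here). If the intent is "only seed missing files", drop the mtime clause; if the intent really is "newer package copy wins", reword the comment to say so. The `@copy` result is also discarded, so a failed seed is silent — `if (!@copy(...)) log_error("[Snort] Could not seed {$file}");` would match the logging style used elsewhere in this function.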
@@ -1075,11 +2548,11 @@ function snort_generate_conf($snortcfg) { $ssh_port = "22"; $snort_ports = array( "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433", + "http_ports" => "80,901,3128,8080,9000", "oracle_ports" => "1521", "mssql_ports" => "1433", "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", + "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", @@ -1088,14 +2561,15 @@ function snort_generate_conf($snortcfg) { "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504" + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" ); $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } 
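Review bot: The three new `$snort_ports` keys (`DNP3_PORTS`, `MODBUS_PORTS`, `GTP_PORTS`) are upper-case while every other key is lower-case, and because the loop looks up overrides as `$snortcfg["def_{$alias}"]`, the GUI fields for these must be named `def_DNP3_PORTS` etc. or the override is silently ignored. Lower-case keys (`dnp3_ports`, `modbus_ports`, `gtp_ports`) would be consistent, since `strtoupper($alias)` already produces the upper-case portvar name. The alias-expanded value is also interpolated verbatim into `portvar`, so an alias that resolves to anything other than port numbers/ranges yields a config Snort rejects; a `preg_match('/^[\d,:]+$/', ...)` guard with a logged fallback to the built-in default would keep the sensor startable.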
@@ -1109,38 +2583,53 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - $def_flow_depth_type = '0'; - if (!empty($snortcfg['flow_depth'])) - $def_flow_depth_type = $snortcfg['flow_depth']; + /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ + $http_inspect_memcap = "150994944"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_memcap = $snortcfg['http_inspect_memcap']; + + /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ + $server_flow_depth = '300'; + if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) + $server_flow_depth = $snortcfg['server_flow_depth']; + $http_server_profile = "all"; + if (!empty($snortcfg['http_server_profile'])) + $http_server_profile = $snortcfg['http_server_profile']; + $client_flow_depth = '300'; + if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) + $client_flow_depth = $snortcfg['client_flow_depth']; + if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) + $noalert_http_inspect = "no_alerts"; + else + $noalert_http_inspect = ""; + $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; + $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; + $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; + if ($snortcfg['http_inspect_enable_xff'] == "on") + $http_inspect_server_opts .= " \\\n\tenable_xff"; + + /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ + if ($snortcfg['stream5_reassembly'] == "on") { + if ($snortcfg['http_inspect_log_uri'] == "on") + $http_inspect_server_opts .= " \\\n\tlog_uri"; + if ($snortcfg['http_inspect_log_hostname'] == "on") + $http_inspect_server_opts .= " \\\n\tlog_hostname"; + } $http_ports = str_replace(",", " ", 
$snort_ports['http_ports']); + /* def http_inspect */ $http_inspect = <<<EOD -# HTTP Inspect # -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 - -preprocessor http_inspect_server: server default \ - ports { {$http_ports} } \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth {$def_flow_depth_type} \ - apache_whitespace no \ - directory no \ - iis_backslash no \ - u_encode yes \ - extended_response_inspection \ - inspect_gzip \ - normalize_utf \ - normalize_javascript \ - unlimited_decompress \ - ascii no \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode no \ - iis_delimiter no \ - multi_slash no - +# HTTP Inspect # +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap} + +preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \ + ports { {$http_ports} } \ + http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ + server_flow_depth {$server_flow_depth} \ + client_flow_depth {$client_flow_depth} \ + {$http_inspect_server_opts} + EOD; /* def ftp_preprocessor */ 
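Review bot: The user-supplied values pulled in here (`http_inspect_memcap`, `server_flow_depth`, `client_flow_depth`, `http_server_profile`) are interpolated into the `http_inspect` heredoc with only an `!empty()` check, so a non-numeric or out-of-range GUI value produces a snort.conf that Snort refuses to load. The same pattern appears in the sfportscan block (`pscan_memcap`, `pscan_sense_level`) and in the frag3/stream5 blocks later in this function; an `is_numeric()` guard with fallback to the default, e.g. `if (is_numeric($snortcfg['http_inspect_memcap'])) $http_inspect_memcap = $snortcfg['http_inspect_memcap'];`, would keep a bad value from taking the sensor down. Separately, `$noalert_http_inspect` resolves to `no_alerts` when the setting is unset, so HTTP_INSPECT anomaly alerts are off by default; that is a detection-coverage decision worth a one-line comment at this spot, since the explanatory comment sits much further down in the function.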
@@ -1195,18 +2684,22 @@ EOD; $pop_preproc = <<<EOD preprocessor pop: \ ports { {$pop_ports} } \ - qp_decode_depth -1 \ + memcap 1310700 \ + qp_decode_depth 0 \ b64_decode_depth 0 \ - bitenc_decode_depth 100 + bitenc_decode_depth 0 + EOD; $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); $imap_preproc = <<<EOD preprocessor imap: \ ports { {$imap_ports} } \ - qp_decode_depth -1 \ + memcap 1310700 \ + qp_decode_depth 0 \ b64_decode_depth 0 \ - bitenc_decode_depth 100 + bitenc_decode_depth 0 + EOD; $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); @@ -1217,6 +2710,7 @@ preprocessor SMTP: \ ports { {$smtp_ports} } \ inspection_type stateful \ normalize cmds \ + ignore_tls_data \ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ 
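Review bot: Changing `qp_decode_depth`/`b64_decode_depth`/`bitenc_decode_depth` in the pop and imap preprocessors from `-1`/`100` to `0` is left undocumented although, per the Snort README for these preprocessors as I recall it, `-1` disables the decoder while `0` means unlimited depth, so this flips from "no decoding" to "decode everything, bounded only by the new `memcap 1310700`". That is a meaningful change in inspection coverage and memory use; a comment such as `# depth 0 = unlimited decoding, bounded by memcap` above each block would record the intent. If unlimited was not intended, a finite depth would be the safer default.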
@@ -1230,26 +2724,54 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - + xlink2state { enable } \ + log_mailfrom \ + log_rcptto \ + log_email_hdrs \ + email_hdrs_log_depth 1464 \ + log_filename \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + EOD; /* def sf_portscan */ + $sf_pscan_protocol = "all"; + if (!empty($snortcfg['pscan_protocol'])) + $sf_pscan_protocol = $snortcfg['pscan_protocol']; + $sf_pscan_type = "all"; + if (!empty($snortcfg['pscan_type'])) + $sf_pscan_type = $snortcfg['pscan_type']; + $sf_pscan_memcap = "10000000"; + if (!empty($snortcfg['pscan_memcap'])) + $sf_pscan_memcap = $snortcfg['pscan_memcap']; + $sf_pscan_sense_level = "medium"; + if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; + $sf_pscan_ignore_scanners = "\$HOME_NET"; + if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); + } + $sf_portscan = <<<EOD # sf Portscan # -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } +preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } EOD; $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']); /* def other_preprocs 
*/ $other_preprocs = <<<EOD + # Other preprocs # -preprocessor rpc_decode: {$sun_rpc_ports} +preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete # Back Orifice preprocessor bo @@ -1259,14 +2781,24 @@ EOD; /* def dce_rpc_2 */ $dce_rpc_2 = <<<EOD # DCE/RPC 2 # -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2: memcap 102400, events [co] preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] EOD; + $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_preproc = <<<EOD +# SIP preprocessor +preprocessor sip: ports { {$sip_ports} }, max_call_id_len 300, \ + max_from_len 100, max_to_len 200, max_via_len 1000, \ + max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ + max_content_len 1000 + +EOD; + $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD @@ -1277,6 +2809,34 @@ preprocessor dns: \ EOD; + /* def dnp3_preprocessor */ + $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']); + $dnp3_preproc = <<<EOD +# DNP3 preprocessor # +preprocessor dnp3: \ + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc + +EOD; + + /* def modbus_preprocessor */ + $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']); + $modbus_preproc = <<<EOD +# Modbus preprocessor # +preprocessor modbus: \ + ports { {$modbus_ports} } + +EOD; + + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: ports { {$gtp_ports} } + +EOD; + $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); $ssl_preproc = <<<EOD # Ignore SSL and Encryption # 
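Review bot: In the sfportscan block, when `pscan_ignore_scanners` names an alias whose expansion is empty, `$sf_pscan_ignore_scanners` becomes `''` and the heredoc emits `ignore_scanners {  }`, which Snort is unlikely to accept, while the `$HOME_NET` default is lost (what `filter_expand_alias` returns for an empty alias is not visible here). Keep the default unless the expansion is non-empty: `$expanded = preg_replace('/\s+/', ',', trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])));` followed by `if ($expanded !== '') $sf_pscan_ignore_scanners = $expanded;`. The other new `pscan_*` values are interpolated without type checks, as with the http_inspect settings earlier in this function.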
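Review bot: Removing `smb` and `cl` from the `dcerpc2` `events` list silences SMB and connectionless DCE/RPC preprocessor alerts, yet the same hunk adds `smb_invalid_shares ["C$", "D$", "ADMIN$"]`, a check whose alerts are SMB events and so, per Snort's dcerpc2 documentation as I recall it, would never fire with `smb` removed. If reducing noise is the goal, a comment such as `# events [co] only: SMB/CL anomaly alerts disabled to reduce false positives` should record the trade-off; otherwise `events [smb, co, cl]` should stay so the new share check is effective.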
@@ -1286,14 +2846,16 @@ EOD; $sensitive_data = "preprocessor sensitive_data:\n"; - /* stream5 queued settings */ - $def_max_queued_bytes_type = ''; - if (!empty($snortcfg['max_queued_bytes'])) - $def_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; - - $def_max_queued_segs_type = ''; - if (!empty($snortcfg['max_queued_segs'])) - $def_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; + /**************************************************************/ + /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ + /* The preprocessor is required by hundreds of Snort rules, */ + /* and without it Snort may not start and/or the number of */ + /* rules required to be disabled reduces Snort's capability. */ + /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ + /* unless a specific value has been set by the user. */ + /**************************************************************/ + if (empty($snortcfg['http_inspect'])) + $snortcfg['http_inspect'] = 'on'; /* define servers and ports snortdefservers */ $snort_servers = array ( @@ -1301,7 +2863,9 @@ EOD; "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", - "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); 
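Review bot: The new `if (empty($snortcfg['http_inspect'])) $snortcfg['http_inspect'] = 'on';` only changes the by-value local copy of `$snortcfg`, and the preprocessor loop later in this function already treats an empty setting as "on" for anything not in `$default_disabled_preprocs`, so for that loop the assignment appears redundant. If another reader of `$snortcfg['http_inspect']` further down depends on it (not visible here), a short comment naming that reader would justify keeping it. The boxed comment could then be trimmed to the two sentences that state the decision and where alert defaults are set.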
@@ -1317,25 +2881,34 @@ EOD; $snort_preproc_libs = array( "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", - "ssl_preproc" => "ssl_preproc" + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc" + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + ); + $default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on') { - /* NOTE: The $$ is not a bug. Its a advanced feature of php */ + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ if (!empty($snort_preproc_libs[$preproc])) { $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; if (!file_exists($snort_dirs['dynamicpreprocessor'] . 
"{$preproclib}.so")) { - if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) { - @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); $snort_preprocessors .= $$preproc; $snort_preprocessors .= "\n"; - } + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); } else { $snort_preprocessors .= $$preproc; $snort_preprocessors .= "\n"; 
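Review bot: The loop still dereferences `$$preproc` with no check that a variable of that name exists, and the default-on change (`|| empty($snortcfg[$preproc])`) means every name in `$snort_preproc` not listed in `$default_disabled_preprocs` is now emitted when unset; a misspelt entry in either array (the new `dnp3_preproc`/`modbus_preproc`/`gtp_preproc` names are typed in several places) would silently append an empty string or silently enable a preprocessor meant to be off. An `isset($$preproc)` guard with a `log_error` would surface that, and `in_array($preproc, $default_disabled_preprocs, true)` avoids loose comparison. The new `else log_error("Could not find the {$preproclib} file. ...")` is useful, but it lacks the `[Snort]` prefix the rest of this change uses.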
@@ -1353,61 +2926,146 @@ EOD; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on') { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else { + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } } else { $snort_misc_include_rules .= "config 
autogenerate_preprocessor_decoder_rules\n"; - log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } /* generate rule sections to load */ - $selected_rules_sections = ""; - $dynamic_rules_sections = ""; - if (!empty($snortcfg['rulesets'])) { - $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); - foreach($enabled_rulesets_array as $enabled_item) { - if (file_exists("{$snortdir}/rules/{$enabled_item}") && !file_exists("{$snortcfgdir}/rules/{$enabled_item}")) - @copy("{$snortdir}/rules/{$enabled_item}", "{$snortcfgdir}/rules/{$enabled_item}"); - if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { - $slib = substr($enabled_item, 6, -6); - if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}")) - @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); - if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && - file_exists("{$snortcfgdir}/rules/{$enabled_item}")) - $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; - } else if (file_exists("{$snortcfgdir}/rules/{$enabled_item}")) - $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; - } - } + /* The files are always configured so the update process is easier */ + $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - if (!empty($snortcfg['customrules'])) { - @file_put_contents("{$snortcfgdir}/rules/custom.rules", base64_decode($snortcfg['customrules'])); - $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - } else - @unlink("{$snortcfgdir}/rules/custom.rules"); + /* Create the actual rules files and save in the interface directory */ + 
snort_prepare_rule_files($snortcfg, $snortcfgdir); $cksumcheck = "all"; if ($snortcfg['cksumcheck'] == 'on') $cksumcheck = "none"; - /* build snort configuration file */ + /* Pull in user-configurable detection config options */ + $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; + if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; + if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; + if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + + /* Pull in user-configurable options for Frag3 preprocessor settings */ + $frag3_disabled = ""; + if ($snortcfg['frag3_detection'] == "off") + $frag3_disabled = ", disabled"; + $frag3_memcap = "memcap 4194304"; + if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}"; + $frag3_max_frags = "max_frags 8192"; + if (!empty($snortcfg['frag3_max_frags'])) + $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}"; + $frag3_overlap_limit = "overlap_limit 0"; + if (!empty($snortcfg['frag3_overlap_limit'])) + $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}"; + $frag3_min_frag_len = "min_fragment_length 0"; + if (!empty($snortcfg['frag3_min_frag_len'])) + $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}"; + $frag3_timeout = "timeout 60"; + if (!empty($snortcfg['frag3_timeout'])) + $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}"; + $frag3_policy = "policy bsd"; + if (!empty($snortcfg['frag3_policy'])) + $frag3_policy = "policy {$snortcfg['frag3_policy']}"; + + /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */ + $paf_max_pdu_config = "config paf_max: "; + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0") + $paf_max_pdu_config .= "0"; + else + $paf_max_pdu_config .= $snortcfg['max_paf']; + + 
/* Pull in user-configurable options for Stream5 preprocessor settings */ + $stream5_reassembly = ""; + if ($snortcfg['stream5_reassembly'] == "off") + $stream5_reassembly = "disabled,"; + $stream5_track_tcp = "yes"; + if ($snortcfg['stream5_track_tcp'] =="off") + $stream5_track_tcp = "no"; + $stream5_track_udp = "yes"; + if ($snortcfg['stream5_track_udp'] =="off") + $stream5_track_udp = "no"; + $stream5_track_icmp = "no"; + if ($snortcfg['stream5_track_icmp'] =="on") + $stream5_track_icmp = "yes"; + $stream5_require_3whs = ""; + if ($snortcfg['stream5_require_3whs'] == "on") + $stream5_require_3whs = ", require_3whs 0"; + $stream5_no_reassemble_async = ""; + if ($snortcfg['stream5_no_reassemble_async'] == "on") + $stream5_no_reassemble_async = ", dont_reassemble_async"; + $stream5_dont_store_lg_pkts = ""; + if ($snortcfg['stream5_dont_store_lg_pkts'] == "on") + $stream5_dont_store_lg_pkts = ", dont_store_large_packets"; + $stream5_max_queued_bytes_type = ""; + if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) + $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; + $stream5_max_queued_segs_type = ""; + if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) + $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; + $stream5_mem_cap = ""; + if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; + $stream5_overlap_limit = "overlap_limit 0"; + if (!empty($snortcfg['stream5_overlap_limit'])) + $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}"; + $stream5_policy = "policy bsd"; + if (!empty($snortcfg['stream5_policy'])) + $stream5_policy = "policy {$snortcfg['stream5_policy']}"; + $stream5_tcp_timeout = "timeout 30"; + if (!empty($snortcfg['stream5_tcp_timeout'])) + $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}"; + $stream5_udp_timeout = 
"timeout 30"; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}"; + $stream5_icmp_timeout = "timeout 30"; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; + + /* Check for and configure Host Attribute Table if enabled */ + $host_attrib_config = ""; + if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; + } + + /* Finally, build the Snort configuration file */ $snort_conf_text = <<<EOD # snort configuration file @@ -1427,6 +3085,9 @@ var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Server Ports # {$portvardef} +# Configure quiet startup mode # +config quiet + # Configure the snort decoder # config checksum_mode: {$cksumcheck} config disable_decode_alerts 
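Review bot: In the Host Attribute Table block, the result of `file_put_contents("{$snortcfgdir}/host_attributes", ...)` is discarded while the `attribute_table filename` directive is emitted unconditionally, so a failed write (unwritable directory, full disk) leaves Snort pointing at a missing or stale table and unable to start; `base64_decode` is also called without its second argument `true`, so corrupted data decodes to garbage instead of being rejected. Guarding the directive on the write, `if (file_put_contents(...) !== false) {`, and calling `log_error` otherwise would match the style of this function. The enclosing `snort_generate_conf` starts and ends outside this hunk.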
@@ -1437,26 +3098,50 @@ config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops +# Enable the GTP decoder # +config enable_gtp + +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + # Configure the detection engine # -config detection: search-method {$snort_performance} max_queue_events 5 -config event_queue: max_queue 8 log 3 order_events content_length +config detection: {$cfg_detect_settings} +config event_queue: max_queue 8 log 5 order_events content_length + +# Configure to show year in timestamps +config show_year -#Configure dynamic loaded libraries +# Configure protocol aware flushing # +# For more information see README.stream5 # +{$paf_max_pdu_config} + +#Configure dynamically loaded libraries dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} dynamicengine directory {$snort_dirs['dynamicengine']} dynamicdetection directory {$snort_dirs['dynamicrules']} +# Inline packet normalization. 
For more information, see README.normalize +# Disabled since we do not use "inline" mode with pfSense +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 + # Flow and stream # -preprocessor frag3_global: max_frags 8192 -preprocessor frag3_engine: policy bsd detect_anomalies +preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled} +preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len} -preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes -preprocessor stream5_tcp: policy BSD, ports both all{$def_max_queued_bytes_type}{$def_max_queued_segs_type} -preprocessor stream5_udp: -preprocessor stream5_icmp: +preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap} +preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}$stream5_dont_store_lg_pkts +preprocessor stream5_udp: {$stream5_udp_timeout} +preprocessor stream5_icmp: {$stream5_icmp_timeout} {$snort_preprocessors} +{$host_attrib_config} + # Snort Output Logs # output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alertsystemlog_type} 
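Review bot: `config pcre_match_limit: 3500` and `config pcre_match_limit_recursion: 1500` are hard-coded with no comment, unlike the neighbouring settings that come from `$snortcfg`; as I recall from Snort's documentation a rule's `pcre` test is treated as a non-match once the limit is hit, so these bounds trade detection coverage for CPU and deserve either a one-line comment (e.g. `# Bound PCRE backtracking; a rule exceeding the limit does not match`) or a GUI tunable like the other values. On the `stream5_tcp` line, `$stream5_dont_store_lg_pkts` is the only interpolation without braces; `{$stream5_dont_store_lg_pkts}` would match the rest of the heredoc.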
@@ -1484,6 +3169,225 @@ EOD; } fwrite($conf, $snort_conf_text); fclose($conf); + unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); + unset($home_net, $external_net, $vardef, $portvardef); +} + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function snort_sync_on_changes() { + global $config, $g; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $g['snort_postinstall']) + return; + + if (is_array($config['installedpackages']['snortsync']['config'])){ + $snort_sync=$config['installedpackages']['snortsync']['config'][0]; + $synconchanges = $snort_sync['varsynconchanges']; + $synctimeout = $snort_sync['varsynctimeout']; + $syncdownloadrules = $snort_sync['vardownloadrules']; + switch ($synconchanges){ + case "manual": + if (is_array($snort_sync[row])){ + $rs=$snort_sync[row]; + } + else{ + log_error("[snort] xmlrpc sync is enabled but there are no hosts configured as replication targets."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncusername']=$system_carp['username']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncsnortstart']="no"; + if ($system_carp['synchronizetoip'] ==""){ + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + } + else{ + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[snort] Snort pkg xmlrpc sync is starting."); + foreach($rs as $sh){ + 
if ($sh['varsyncsnortstart']) + $syncstartsnort = $sh['varsyncsnortstart']; + else + $syncstartsnort = "OFF"; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + if($sh['varsyncusername']) + $username = $sh['varsyncusername']; + else + $username = 'admin'; + if($password && $sync_to_ip) + snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort); + } + log_error("[snort] Snort pkg xmlrpc sync completed."); + } + } +} + +/* Do the actual XMLRPC sync */ +function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) { + global $config, $g; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $g['snort_postinstall']) + return; + + if(!$username || !$password || !$sync_to_ip) { + log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync"); + return; + } + + /* Test key variables and set defaults if empty */ + if(!$synctimeout) + $synctimeout=150; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['snortglobal'] = $config['installedpackages']['snortglobal']; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("[snort] Beginning Snort pkg configuration XMLRPC sync to {$url}:{$port}."); + $method = 
'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}."); + } + + $downloadrulescmd = ""; + if ($syncdownloadrules == "yes") { + $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n"; + $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n"; + } + $snortstart = ""; + if ($syncstartsnort == "ON") { + $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Checking Snort status...\"));\n"; + $snortstart .= "if (!is_process_running(\"snort\")) {\n"; + $snortstart .= "log_error(gettext(\"[snort] XMLRPC pkg sync: Snort not running. Sending a start command...\"));\n"; + $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n"; + $snortstart .= "else {log_error(gettext(\"[snort] XMLRPC pkg sync: Snort is running...\"));\n}\n"; + } + + /* Build a series of commands as a PHP file for the secondary host to execute to load the new settings. 
*/ + $snort_sync_cmd = <<<EOD + <?php + require_once("/usr/local/pkg/snort/snort.inc"); + require_once("service-utils.inc"); + global \$g, \$rebuild_rules, \$snort_gui_include, \$pkg_interface; + \$orig_pkg_interface = \$pkg_interface; + \$g["snort_postinstall"] = true; + \$g["snort_sync_in_progress"] = true; + \$snort_gui_include = false; + \$pkg_interface = "console"; + {$downloadrulescmd} + unset(\$g["snort_postinstall"]); + log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host settings...")); + \$rebuild_rules = true; + sync_snort_package_config(); + \$rebuild_rules = false; + {$snortstart} + log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); + \$pkg_interface = \$orig_pkg_interface; + unset(\$g["snort_sync_in_progress"]); + return true; + ?> + +EOD; + + /* First, have the target host write the commands to a PHP file in the /tmp directory */ + $execcmd = "file_put_contents('/tmp/snort_sync_cmds.php', '{$snort_sync_cmd}');"; + + /* assemble xmlrpc payload */ + $method = 'pfsense.exec_php'; + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[snort] Snort XMLRPC sending reload configuration cmd set as a file to {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + } + + /* Now assemble a command to execute the previously sent PHP file in the background */ + $execcmd = "exec(\"/usr/local/bin/php -f '/tmp/snort_sync_cmds.php' > /dev/null 2>&1 &\");"; + $params2 = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + log_error("[snort] Snort XMLRPC sending {$url}:{$port} cmd to execute configuration reload."); + $msg2 = new XML_RPC_Message($method, $params2); + $resp = $cli->send($msg2, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + } } ?> diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 07603176..ed731f74 100644..100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.2.3</version> - <title>Services:2.9.2.3 pkg v. 2.5.1</title> + <version>2.9.4.6</version> + <title>Services:2.9.4.6 pkg v. 2.5.9</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> 
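Review bot: The final `pfsense.exec_php` call, which makes the target run `/tmp/snort_sync_cmds.php`, is sent even when the preceding file-write step reported a communications error or a fault, so the target can execute a stale or partial command file left by an earlier sync; add `return;` after the `file_notice(...)` in both failure branches of the file-write step (and arguably after a failed `merge_installedpackages_section_xmlrpc` as well, since running the reload without the merged settings is pointless). Because the command file lives at a fixed, predictable path in `/tmp` and is executed in a separate round trip, a per-sync name (for example built from `uniqid()`) used in both commands would narrow the window in which something else on the target could replace it. Separately, `$snort_sync[row]` in `snort_sync_on_changes()` uses a bare constant where `$snort_sync['row']` is intended; it only works because PHP falls back to the string with a notice. The password and config travel over whatever scheme the local webGUI is configured with, so with an `http` webGUI they cross the wire in clear; that mirrors existing pfSense sync code but deserves a comment at the `$synchronizetoip` assignment.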
@@ -74,6 +74,11 @@ <item>http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> @@ -163,6 +168,26 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_list_view.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_flowbits.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> @@ -177,3 +202,4 @@ snort_deinstall(); </custom_php_deinstall_command> </packagegui> + diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index e6ebefeb..c296f81b 100644..100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php 
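Review bot: The new `additional_files_needed` entries for `snort_sync.xml`, `snort_log_view.php`, `snort_list_view.php`, `snort_rules_flowbits.php` and `snort_edit_hat_data.php` fetch code over plain `http://` with no digest, so the installer cannot detect a tampered download; this copies the existing entries, but if the package installer accepts `https://` URLs the new entries should use it. The `<chmod>077</chmod>` value is also copied from the existing entries; read literally it grants no permissions to the owner and rwx to group and world, which is presumably not what is intended for GUI PHP files, so confirm how the package code interprets this field before propagating it further.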
@@ -38,6 +38,91 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$supplist = array(); + +function snort_is_alert_globally_suppressed($list, $gid, $sid) { + + /************************************************/ + /* Checks the passed $gid:$sid to see if it has */ + /* been globally suppressed. If true, then any */ + /* "track by_src" or "track by_dst" options are */ + /* disabled since they are overridden by the */ + /* global suppression of the $gid:$sid. */ + /************************************************/ + + /* If entry has a child array, then it's by src or dst ip. */ + /* So if there is a child array or the keys are not set, */ + /* then this gid:sid is not globally suppressed. */ + if (is_array($list[$gid][$sid])) + return false; + elseif (!isset($list[$gid][$sid])) + return false; + else + return true; +} + +function snort_add_supplist_entry($suppress) { + + /************************************************/ + /* Adds the passed entry to the Suppress List */ + /* for the active interface. If a Suppress */ + /* List is defined for the interface, it is */ + /* used. If no list is defined, a new default */ + /* list is created using the interface name. 
*/ + /* */ + /* On Entry: */ + /* $suppress --> suppression entry text */ + /* */ + /* Returns: */ + /* TRUE if successful or FALSE on failure */ + /************************************************/ + + global $config, $a_instance, $instanceid; + + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + + $found_list = false; + + /* If no Suppress List is set for the interface, then create one with the interface name */ + if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; + $s_list['uuid'] = uniqid(); + $s_list['descr'] = "Auto-generated list for Alert suppression"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; + $found_list = true; + } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { + $found_list = true; + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + } + } + } + + /* If we created a new list or updated an existing one, save the change, */ + /* tell Snort to load it, and return true; otherwise return false. 
*/ + if ($found_list) { + write_config(); + sync_snort_package_config(); + snort_reload_config($a_instance[$instanceid]); + return true; + } + else + return false; +} if ($_GET['instance']) $instanceid = $_GET['instance']; @@ -80,8 +165,10 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_POST['todelete']; else if($_GET['todelete']) $ip = $_GET['todelete']; - if (is_ipaddr($ip)) + if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; + } } if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { 
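Review bot: In `snort_add_supplist_entry()`, when the interface's Suppress List exists but its `suppresspassthru` is empty, `$found_list` is set yet the `!empty(...)` guard skips appending `$suppress`, so the function writes the config, reloads Snort and returns TRUE without having added the entry. Replace the guarded block with `$tmplist = base64_decode($alist['suppresspassthru']); $tmplist = ($tmplist === '' ? $suppress : $tmplist . "\n{$suppress}"); $alist['suppresspassthru'] = base64_encode($tmplist);`. The function also persists `$suppress` verbatim into a file Snort parses, so it relies on callers having removed line breaks from it; a header comment stating that precondition would help, since both callers build the text from `$_GET['descr']`.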
@@ -89,34 +176,38 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; else $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; - if (!is_array($config['installedpackages']['snortglobal']['suppress'])) - $config['installedpackages']['snortglobal']['suppress'] = array(); - if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) - $config['installedpackages']['snortglobal']['suppress']['item'] = array(); - $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; - if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { - $s_list = array(); - $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; - $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto generted list for suppress"; - $s_list['suppresspassthru'] = base64_encode($suppress); - $a_suppress[] = $s_list; - $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; - } else { - foreach ($a_suppress as $a_id => $alist) { - if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { - if (!empty($alist['suppresspassthru'])) { - $tmplist = base64_decode($alist['suppresspassthru']); - $tmplist .= "\n{$suppress}"; - $alist['suppresspassthru'] = base64_encode($tmplist); - $a_suppress[$a_id] = $alist; - } - } - } + /* Add the new entry to the Suppress List */ + if (snort_add_supplist_entry($suppress)) + $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; + else + $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); +} + +if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + 
if ($_GET['act'] == "addsuppress_srcip") + $method = "by_src"; + else + $method = "by_dst"; + + /* Check for valid IP addresses, exit if not valid */ + if (is_ipaddr($_GET['ip']) || is_ipaddrv6($_GET['ip'])) { + if (empty($_GET['descr'])) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; + else + $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; } - write_config(); - sync_snort_package_config(); + else { + header("Location: /snort/snort_alerts.php?instance={$instanceid}"); + exit; + } + + /* Add the new entry to the Suppress List */ + if (snort_add_supplist_entry($suppress)) + $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."; + else + /* We did not find the defined list, so notify the user with an error */ + $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } if ($_GET['action'] == "clear" || $_POST['delete']) { @@ -157,6 +248,9 @@ if ($_POST['download']) { exit; } +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_instance[$instanceid], true); + $pgtitle = "Services: Snort: Snort Alerts"; include_once("head.inc"); @@ -177,6 +271,9 @@ if ($pconfig['arefresh'] == 'on') if ($input_errors) { print_input_errors($input_errors); // TODO: add checks } + if ($savemsg) { + print_info_box($savemsg); + } ?> <form action="/snort/snort_alerts.php" method="post" id="formalert"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> 
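Review bot: The new `addsuppress_srcip`/`addsuppress_dstip` branch copies `$_GET['descr']` straight into the `#` comment line of the suppress entry, so a CR or LF in that parameter ends the comment and injects arbitrary extra directives into the Suppress List that Snort loads (the existing `addsuppress` branch above has the same problem). Normalise it once before building the string, e.g. `$descr = trim(preg_replace('/[\r\n]+/', ' ', $_GET['descr']));`, and use `{$descr}` in both branches. `is_numeric()` also admits forms such as `1e3` or ` 7` for `sidid` and `gen_id`; `ctype_digit()` matches what Snort expects. The `$input_errors[]` message interpolates the list name into the `gettext()` argument, which defeats translation lookup; pass the format string to `gettext()` and substitute with `sprintf()`.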
@@ -190,20 +287,20 @@ if ($pconfig['arefresh'] == 'on') $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> <tr> - <td> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> <tr> - <td width="22%" class="listtopic"><?php printf(gettext('Last %s Alert Entries.'),$anentries); ?></td> - <td width="78%" class="listtopic"><?php echo gettext('Latest Alert Entries Are Listed First.'); ?></td> + <td colspan="2" class="listtopic"><?php echo gettext("Alert Log View Settings"); ?></td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext('Instance to inspect'); ?></td> <td width="78%" class="vtable"> - <br/> <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()"> + <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()"> <?php foreach ($a_instance as $id => $instance) { $selected = ""; 
@@ -212,14 +309,14 @@ if ($pconfig['arefresh'] == 'on') echo "<option value='{$id}' {$selected}> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; } ?> - </select><br/> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> + </select> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> </td> <tr> <td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext('All ' . - 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> - <input name="delete" type="button" class="formbtn" value="Clear" + <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' . + 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> + <input name="delete" type="submit" class="formbtns" value="Clear" onclick="return confirm('Do you really want to remove all instance logs?')"></a> <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> </td> 
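Review bot: Changing the Clear control to `type="submit"` while it stays wrapped in `<a href="/snort/snort_alerts.php?action=clear&instance=...">` means one click both submits the form (handled by the `$_POST['delete']` branch) and follows the link (handled by `$_GET['action'] == "clear"`), and which one wins depends on the browser; since the page already handles `$_POST['delete']`, drop the surrounding anchor. Deleting all instance logs via a plain GET link is also reachable without any form token, so keeping it on the POST path is the safer choice; whether pfSense's framework adds CSRF protection to that POST is outside this hunk.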
@@ -227,32 +324,47 @@ if ($pconfig['arefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtn" value="Save"> + <input name="save" type="submit" class="formbtns" value="Save"> <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - <?php printf(gettext('Enter the number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <?php printf(gettext('Enter number of log entries to view. 
%sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> - <td colspan="2" ><br/><br/></td> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?> + <?php echo gettext("(Most recent entries are listed first)"); ?></td> </tr> <tr> - <td width="100%" colspan="2" class='vtable'> - <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> - <thead> - <th class='listhdr' width='10%' axis="date"><?php echo gettext("Date"); ?></th> - <th class='listhdrr' width='5%' axis="number"><?php echo gettext("PRI"); ?></th> - <th class='listhdrr' width='3%' axis="string"><?php echo gettext("PROTO"); ?></th> - <th class='listhdrr' width='7%' axis="string"><?php echo gettext("CLASS"); ?></th> - <th class='listhdrr' width='15%' axis="string"><?php echo gettext("SRC"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("SRCPORT"); ?></th> - <th class='listhdrr' width='15%' axis="string"><?php echo gettext("DST"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("DSTPORT"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("SID"); ?></th> - <th class='listhdrr' width='20%' axis="string"><?php echo gettext("DESCRIPTION"); ?></th> - </thead> + <td width="100%" colspan="2"> + <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="9%" align="center" axis="date"> + <col width="45" align="center" axis="number"> + <col width="65" align="center" axis="string"> + <col width="10%" axis="string"> + <col width="13%" align="center" axis="string"> + <col width="8%" align="center" axis="string"> + <col width="13%" align="center" axis="string"> + <col width="8%" align="center" axis="string"> + <col width="9%" align="center" axis="number"> + <col axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" 
axis="date"><?php echo gettext("DATE"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("PRI"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("PROTO"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("CLASS"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SRC"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SPORT"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DST"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DPORT"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th> + </tr> + </thead> <tbody> <?php @@ -269,8 +381,10 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { if(count($fields) < 11) continue; + /* Time */ + $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8); /* Date */ - $alert_date = substr($fields[0], 0, -8); + $alert_date = substr($fields[0], 0, strpos($fields[0], '-')); /* Description */ $alert_descr = $fields[4]; $alert_descr_url = urlencode($fields[4]); 
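Review bot: The new date/time split assumes `$fields[0]` always contains a `-`; if it does not, `strpos()` returns FALSE, `$alert_date` becomes empty and `$alert_time` silently starts at offset 1 instead of the row being skipped. Guard it with `$dash = strpos($fields[0], '-'); if ($dash === false) continue;` and use `$dash` in both `substr()` calls. The fixed `-8` length deserves a comment naming the suffix it strips; with a `HH:MM:SS.uuuuuu` time (15 characters) it looks like it would drop the last digit of the seconds, so confirm against a real alert line.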
@@ -280,41 +394,68 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_proto = $fields[5]; /* IP SRC */ $alert_ip_src = $fields[6]; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_src = str_replace(":", ":​", $alert_ip_src); + if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && + !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { + $alert_ip_src .= "<br/><a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("Add this gen_id:sig_id track by_src IP to Suppress List") . "'></a>"; + } + elseif (isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { + $alert_ip_src .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("This gen_id:sig_id track by_src IP already in Suppress List") . "'/>"; + } if (isset($tmpblocked[$fields[6]])) { - $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> - <img title=\"" . gettext("Remove from blocked ips") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_src .= " <a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . 
"\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; } /* IP SRC Port */ $alert_src_p = $fields[7]; /* IP Destination */ $alert_ip_dst = $fields[8]; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); + if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && + !isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { + $alert_ip_dst .= "<br/><a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("Add this gen_id:sig_id track by_dst IP to Suppress List") . "'></a>"; + } + elseif (isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { + $alert_ip_dst .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("This gen_id:sig_id track by_dst IP already in Suppress List") . "'/>"; + } if (isset($tmpblocked[$fields[8]])) { - $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> - <img title=\"" . gettext("Remove from blocked ips") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_dst .= " <a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . 
"\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; } /* IP DST Port */ $alert_dst_p = $fields[9]; /* SID */ - $alert_sid_str = "{$fields[1]}:{$fields[2]}:{$fields[3]}"; + $alert_sid_str = "{$fields[1]}:{$fields[2]}"; + if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2])) { + $sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'>"; + $sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $sidsupplink .= "title='" . gettext("Add this gen_id:sig_id to Suppress List") . "'></a>"; + } + else { + $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $sidsupplink .= "title='" . gettext("This gen_id:sig_id already in Suppress List") . "'/>"; + } $alert_class = $fields[11]; echo "<tr> - <td class='listr' width='10%'>{$alert_date}</td> - <td class='listr' width='5%' >{$alert_priority}</td> - <td class='listr' width='3%'>{$alert_proto}</td> - <td class='listr' width='7%' >{$alert_class}</td> - <td class='listr' width='15%'>{$alert_ip_src}</td> - <td class='listr' width='5%'>{$alert_src_p}</td> - <td class='listr' width='15%'>{$alert_ip_dst}</td> - <td class='listr' width='5%'>{$alert_dst_p}</td> - <td class='listr' width='5%' > - {$alert_sid_str} - <a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'> - <img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' - width='10' height='10' border='0' - title='" . gettext("click to add to suppress list") . 
"'></a> - </td> - <td class='listr' width='20%'>{$alert_descr}</td> + <td class='listr' align='center'>{$alert_date}<br/>{$alert_time}</td> + <td class='listr' align='center'>{$alert_priority}</td> + <td class='listr' align='center'>{$alert_proto}</td> + <td class='listr' style=\"word-wrap:break-word;\">{$alert_class}</td> + <td class='listr' align='center'>{$alert_ip_src}</td> + <td class='listr' align='center'>{$alert_src_p}</td> + <td class='listr' align='center'>{$alert_ip_dst}</td> + <td class='listr' align='center'>{$alert_dst_p}</td> + <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}</td> + <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> </tr>\n"; $counter++; @@ -329,11 +470,13 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { </td> </tr> </table> +</div> </td></tr> </table> </form> <?php include("fend.inc"); ?> + </body> </html> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index ccbe3c26..a5c1ffec 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -32,7 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) @@ -87,6 +87,9 @@ if ($_POST) { } write_config(); + + /* No need to rebuild rules if just toggling Barnyard2 on or off */ + $rebuild_rules = false; sync_snort_package_config(); /* after click go to this page */ @@ -105,16 +108,11 @@ $pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit"; include_once("head.inc"); ?> -<body - link="#0000CC" vlink="#0000CC" alink="#0000CC"> - +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include_once("fbegin.inc"); -?> <script language="JavaScript"> <!-- 
@@ -147,20 +145,32 @@ function enable_change(enable_change) { <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td>'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . 
gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> </td></tr> <tr> - <td class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Barnyard2 " . "Settings"); ?></td> 
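Review bot: The per-interface tab URLs built here interpolate `{$id}` unencoded, and `$id` is read straight from `$_GET['id']` (context line in this file's first hunk); whether display_top_tabs() escapes the href it is handed is outside this diff, so as written a crafted id could end up inside an attribute on this admin page. If, as the `?id=N` links suggest, the id is only ever a numeric index, normalising it where it is read, `$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;` (and the same cast on the `$_POST['id']` branch just below it), removes the question for every page that copies this tab block. The form and page markup this tab block sits in start before and end after the hunk.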
@@ -169,19 +179,19 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"> <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> - <strong><?php echo gettext("Enable Barnyard2"); ?></strong><br> + <strong><?php echo gettext("Enable Barnyard2"); ?></strong><br/> <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Mysql Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a Mysql Database"); ?></td> - <td width="78%" class="vtable"><input name="barnyard_mysql" - type="text" class="formfld" id="barnyard_mysql" size="100" - value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> + <td width="78%" class="vtable"><input name="barnyard_mysql" + type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85" + value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/> <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " . - "dbname=snort user=snort host=localhost password=xyz"); ?><br> + "dbname=snort user=snort host=localhost password=xyz"); ?><br/> <?php echo gettext("Example: output database: log, mysql, dbname=snort user=snort " . "host=localhost password=xyz"); ?></span></td> </tr> 
@@ -189,11 +199,11 @@ function enable_change(enable_change) { <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"<?php echo gettext("Advanced configuration " . + <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration " . "pass through"); ?></td> - <td width="78%" class="vtable"><textarea name="barnconfigpassthru" - cols="60" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> - <br> + <td width="78%" class="vtable"><textarea name="barnconfigpassthru" style="width:95%;" + cols="65" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> + <br/> <?php echo gettext("Arguments here will be automatically inserted into the running " . "barnyard2 configuration."); ?></td> </tr> @@ -205,12 +215,14 @@ function enable_change(enable_change) { </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <br> - <?php echo gettext("Please save your settings befor you click start."); ?> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span></span> + <br/> + <?php echo gettext("Please save your settings before you click start."); ?> </td> </tr> </table> - + </div> + </td> + </tr> </table> </form> <script language="JavaScript"> diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index def5dd22..56edfbc5 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php 
@@ -134,62 +134,72 @@ if ($pconfig['brefresh'] == 'on') <?php if ($savemsg) print_info_box($savemsg); ?> <form action="/snort/snort_blocked.php" method="post"> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); - $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); - $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); - $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - display_top_tabs($tab_array); -?> -</td></tr> - <tr> - <td> - <table id="maintable" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + ?> + </td> +</tr> +<tr> + <td><div id="mainarea"> + <table id="maintable" 
class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" colspan="0" class="listtopic"><?php printf(gettext("Last %s " . - "Blocked."), $bnentries); ?></td> - <td width="78%" class="listtopic"><?php echo gettext("This page lists hosts that have " . - "been blocked by Snort."); ?> <?=$blocked_msg_txt;?></td> + <td colspan="2" class="listtopic"><?php echo gettext("Blocked Hosts Log View Settings"); ?></td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext("Save or Remove Hosts"); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext("All " . - "blocked hosts will be saved."); ?> <input name="remove" type="submit" - class="formbtn" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> - <?php echo gettext("all hosts will be removed."); ?></form> + <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext("All " . 
+ "blocked hosts will be saved."); ?> <input name="remove" type="submit" + class="formbtns" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> + <?php echo gettext("all hosts will be removed."); ?> </td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext("Auto Refresh and Log View"); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtn" value="Save"> <?php echo gettext("Refresh"); ?> <input + <input name="save" type="submit" class="formbtns" value="Save"> <?php echo gettext("Refresh"); ?> <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> - <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input + <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " . "number of blocked entries to view. 
%sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> - <tr> - <td colspan="2"> - <table id="sortabletable1" class="sortable" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">#</td> - <td width="15%" class="listhdrr"><?php echo gettext("IP"); ?></td> - <td width="70%" class="listhdrr"><?php echo gettext("Alert Description"); ?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Remove"); ?></td> - </tr> - <?php + <tr> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Hosts Blocked by Snort"), $bnentries); ?></td> + </tr> + <tr> + <td colspan="2"> + <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="2" cellspacing="0"> + <colgroup> + <col width="5%" align="center" axis="number"> + <col width="15%" align="center" axis="string"> + <col width="70%" align="left" axis="string"> + <col width="10%" align="center"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="number">#</th> + <th class="listhdrr" axis="string"><?php echo gettext("IP"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Alert Description"); ?></th> + <th class="listhdrr"><?php echo gettext("Remove"); ?></th> + </tr> + </thead> + <tbody> + <?php /* set the arrays */ $blocked_ips_array = array(); if (is_array($blocked_ips)) { 
@@ -232,37 +242,52 @@ if ($pconfig['brefresh'] == 'on') $src_ip_list[$blocked_ip] = array("N\A\n"); } - /* buil final list, preg_match, buld html */ + /* build final list, preg_match, build html */ $counter = 0; foreach($src_ip_list as $blocked_ip => $blocked_msg) { - $blocked_desc = "<br/>" . implode("<br/>", $blocked_msg); + $blocked_desc = implode("<br/>", $blocked_msg); if($counter > $bnentries) break; else $counter++; - /* use one echo to do the magic*/ - echo "<tr> - <td width='5%' > {$counter}</td> - <td width='15%' > {$blocked_ip}</td> - <td width='70%' > {$blocked_desc}</td> - <td width='5%' align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> - <img title=\"" . gettext("Delete") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - </tr>\n"; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $tmp_ip = str_replace(":", ":​", $blocked_ip); + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td> + <td valign=\"middle\" class=\"listr\">{$tmp_ip}</td> + <td valign=\"middle\" class=\"listr\">{$blocked_desc}</td> + <td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> + <img title=\"" . gettext("Delete host from Blocked Table") . 
"\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + </tr>\n"; } - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; - } else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - + } ?> - </table> - </td> - </tr> -</table> - </td> - </tr> + </tbody> + </table> + </td> + </tr> + <tr> + <td colspan="2" class="vexpl" align="center"> + <?php if (!empty($blocked_ips_array)) { + if ($counter > 1) + echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); + else + echo "{$counter}" . gettext(" host IP address is currently being blocked."); + } + else { + echo gettext("There are currently no hosts being blocked by Snort."); + } + ?> + </td> + </tr> + </table> + </div> + </td> +</tr> </table> </form> <?php diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 61479a15..c40d6ff4 100644..100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
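Review bot: The new table rows echo `{$tmp_ip}` and `{$blocked_desc}` into the HTML without htmlspecialchars(); `$blocked_desc` is an implode of the `$blocked_msg` strings gathered from the alert log above this hunk, and nothing in the hunk shows them being escaped, so any alert text an attacker can influence would be rendered as markup on this admin page. Escaping before the join, `$blocked_desc = implode("<br/>", array_map('htmlspecialchars', $blocked_msg));`, and escaping `$blocked_ip` before the zero-width-space str_replace (so the inserted entity is not double-encoded) keeps the layout trick intact. Separately, the per-host delete link is still a plain GET (`snort_blocked.php?todelete=…`) that removes an entry from the block table, which a crafted link or an image prefetch can trigger; a POST form with the package's usual CSRF protection would be the safer shape. The code that builds `$src_ip_list` is outside this hunk, so whether the messages were escaped when collected cannot be confirmed from here.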
@@ -31,58 +31,204 @@ require_once("functions.inc"); require_once("service-utils.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); +require_once "/usr/local/pkg/snort/snort.inc"; + +global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; + + +if (!defined("VRT_DNLD_FILENAME")) + define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); +if (!defined("VRT_DNLD_URL")) + define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); +if (!defined("ET_VERSION")) + define("ET_VERSION", "2.9.0"); +if (!defined("ET_DNLD_FILENAME")) + define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("GPLV2_DNLD_FILENAME")) + define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); +if (!defined("GPLV2_DNLD_URL")) + define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); +if (!defined("FLOWBITS_FILENAME")) + define("FLOWBITS_FILENAME", "flowbit-required.rules"); +if (!defined("ENFORCING_RULES_FILENAME")) + define("ENFORCING_RULES_FILENAME", "snort.rules"); +if (!defined("RULES_UPD_LOGFILE")) + define("RULES_UPD_LOGFILE", SNORTLOGDIR . 
"/snort_rules_update.log"); -global $snort_gui_include; $snortdir = SNORTDIR; - -if (!isset($snort_gui_include)) +$snortlibdir = SNORTLIBDIR; +$snortlogdir = SNORTLOGDIR; +$snort_rules_upd_log = RULES_UPD_LOGFILE; + +/* Save the state of $pkg_interface so we can restore it */ +$pkg_interface_orig = $pkg_interface; +if ($snort_gui_include) + $pkg_interface = ""; +else $pkg_interface = "console"; -$tmpfname = "{$snortdir}/tmp/snort_rules_up"; -$snort_filename_md5 = "{$snort_rules_file}.md5"; -$snort_filename = "{$snort_rules_file}"; -$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; -$emergingthreats_filename = "emerging.rules.tar.gz"; - /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; +$et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; -/* Start of code */ -conf_mount_rw(); +/* Working directory for downloaded rules tarballs */ +$tmpfname = "{$snortdir}/tmp/snort_rules_up"; + +/* Snort VRT rules filenames and URL */ +$snort_filename = VRT_DNLD_FILENAME; +$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +$snort_rule_url = VRT_DNLD_URL; + +/* Emerging Threats rules filenames and URL */ +$emergingthreats_filename = ET_DNLD_FILENAME; +$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; +$emerging_threats_version = ET_VERSION; + +/* Snort GPLv2 Community Rules filenames and URL */ +$snort_community_rules_filename = GPLV2_DNLD_FILENAME; +$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . 
".md5"; +$snort_community_rules_url = GPLV2_DNLD_URL; + +/* Custom function for rules file download via URL */ +function snort_download_file_url($url, $file_out) { + + /************************************************/ + /* This function downloads the file specified */ + /* by $url using the CURL library functions and */ + /* saves the content to the file specified by */ + /* $file. */ + /* */ + /* It provides logging of returned CURL errors. */ + /************************************************/ + + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; + + /* Array of message strings for HTTP Response Codes */ + $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", + 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", + 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", + 401 => "Unauthorized", 402 => "Payment Required", 403 => "Forbidden", + 404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required", + 408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error", + 501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable", + 504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" ); + + $last_curl_error = ""; + + $fout = fopen($file_out, "wb"); + if ($fout) { + $ch = curl_init($url); + if (!$ch) + return false; + curl_setopt($ch, CURLOPT_FILE, $fout); + + /* NOTE: required to suppress errors from XMLRPC due to progress bar output */ + if ($g['snort_sync_in_progress']) + curl_setopt($ch, CURLOPT_HEADER, false); + else { + curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header'); + curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'read_body'); + } -if (!is_dir($tmpfname)) - exec("/bin/mkdir -p {$tmpfname}"); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); + curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); + /* Don't 
verify SSL peers since we don't have the certificates to do so. */ + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); + curl_setopt($ch, CURLOPT_TIMEOUT, 0); + $counter = 0; + $rc = true; + /* Try up to 4 times to download the file before giving up */ + while ($counter < 4) { + $counter++; + $rc = curl_exec($ch); + if ($rc === true) + break; + log_error(gettext("[Snort] Rules download error: " . curl_error($ch))); + log_error(gettext("[Snort] Will retry in 15 seconds...")); + sleep(15); + } + if ($rc === false) + $last_curl_error = curl_error($ch); + $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); + if (isset($http_resp_msg[$http_code])) + $last_curl_error = $http_resp_msg[$http_code]; + curl_close($ch); + fclose($fout); + /* If we had to try more than once, log it */ + if ($counter > 1) + log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ...")); + return ($http_code == 200) ? true : $http_code; + } + else { + $last_curl_error = gettext("Failed to create file " . 
$file_out); + log_error(gettext("[Snort] Failed to create file {$file_out} ...")); + return false; + } +} -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","150M"); +/* Start of code */ +conf_mount_rw(); /* remove old $tmpfname files */ if (is_dir("{$tmpfname}")) exec("/bin/rm -r {$tmpfname}"); -/* Make shure snortdir exits */ +/* Make sure required snortdirs exsist */ exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p {$snortdir}/preproc_rules"); exec("/bin/mkdir -p {$tmpfname}"); -exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules"); +exec("/bin/mkdir -p {$snortlibdir}/dynamicrules"); +exec("/bin/mkdir -p {$snortlogdir}"); + +/* See if we need to automatically clear the Update Log based on 1024K size limit */ +if (file_exists($snort_rules_upd_log)) { + if (1048576 < filesize($snort_rules_upd_log)) + exec("/bin/rm -r {$snort_rules_upd_log}"); +} + +/* Log start time for this rules update */ +error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); +$last_curl_error = ""; /* download md5 sig from snort.org */ if ($snortdownload == 'on') { - update_status(gettext("Downloading snort.org md5 file...")); - $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); - @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); - if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - log_error("Please wait... You may only check for New Rules every 15 minutes..."); - update_output_window(gettext("Rules are released every month from snort.org. 
You may download the Rules at any time.")); + if ($pkg_interface <> "console") + update_status(gettext("Downloading Snort VRT md5 file...")); + error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}"); + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading snort.org md5.")); + error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); + } + else { + error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log); + if ($rc == 403) { + $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n"); + $snort_err_msg .= gettext("\tFree Registered User accounts may download Snort VRT Rules once every 15 minutes.\n"); + $snort_err_msg .= gettext("\tPaid Subscriber accounts have no download limits.\n"); + } + else + $snort_err_msg = gettext("Server returned error code '{$rc}'."); + if ($pkg_interface <> "console") { + update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ...")); + update_output_window(gettext("Snort VRT rules will not be updated.\n{$snort_err_msg}")); + } + log_error(gettext("[Snort] Snort VRT md5 download failed...")); + log_error(gettext("[Snort] Server returned error code '{$rc}'...")); + error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; - } else - update_status(gettext("Done downloading snort.org md5")); + } } /* Check if were up to date snort.org */ 
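Review bot: `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false)` in snort_download_file_url() turns the HTTPS download of the rule tarball into an unauthenticated transfer, and because the `.md5` file is fetched through the same function over the same unverified channel (the `snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", …)` call further down this hunk), the checksum comparison only detects corruption, not substitution by a man-in-the-middle who serves a tarball together with a matching MD5. Enabling peer and host verification (pointing CURLOPT_CAINFO at the CA bundle the system ships if curl has no compiled-in one) and restricting CURLOPT_REDIR_PROTOCOLS to http/https closes that, since CURLOPT_FOLLOWLOCATION is enabled. Two smaller points in the same function: a failed `curl_exec()` leaves partial bytes in `$fout` and the retry appends to them because the stream is never truncated between attempts, and the `$oinkid` the callers interpolate into the request path should go through `rawurlencode()` as in `"{$snort_rule_url}{$snort_filename_md5}/" . rawurlencode($oinkid) . "/"`. The CA bundle path used below is the one FreeBSD's ca_root_nss port installs; whether it exists on the target system is not visible here and needs confirming.
```php
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    /* Only follow redirects to http/https, never to file:// or other schemes */
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    // … unchanged: user agent …
    /* Verify the server: the .md5 travels over this same channel, so without
     * verification the checksum only catches corruption, not substitution. */
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, "/usr/local/share/certs/ca-root-nss.crt"); /* TODO confirm bundle path on the target system */
    // … unchanged: timeouts, $counter/$rc initialisation …
    while ($counter < 4) {
        // … unchanged: $counter++ …
        /* Drop any partial body left by a failed attempt so the retry does not append to it */
        ftruncate($fout, 0);
        rewind($fout);
        // … unchanged: curl_exec, error logging and 15-second sleep …
    }
```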
@@ -91,8 +237,10 @@ if ($snortdownload == 'on') { $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); if ($md5_check_new == $md5_check_old) { - update_status(gettext("Snort rules are up to date...")); - log_error("Snort rules are up to date..."); + if ($pkg_interface <> "console") + update_status(gettext("Snort VRT rules are up to date...")); + log_error(gettext("[Snort] Snort VRT rules are up to date...")); + error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } } 
@@ -100,75 +248,246 @@ if ($snortdownload == 'on') { /* download snortrules file */ if ($snortdownload == 'on') { - update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); - log_error("There is a new set of Snort.org rules posted. Downloading..."); - download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); - update_status(gettext("Done downloading rules file.")); - if (300000 > filesize("{$tmpfname}/$snort_filename")){ - update_output_window(gettext("Snort rules file downloaded failed...")); - log_error("Snort rules file downloaded failed..."); + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}"); + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading Snort VRT rules file.")); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); + if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ + if ($pkg_interface <> "console") + update_output_window(gettext("Snort VRT rules file MD5 checksum failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); + error_log(gettext("\tSnort VRT rules file download failed. 
Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortdownload = 'off'; + } + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("Snort VRT rules file download failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'...")); + error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } } +/* download md5 sig from Snort GPLv2 Community Rules */ +if ($snortcommunityrules == 'on') { + if ($pkg_interface <> "console") + update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); + error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); + error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); + if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { + /* Check if were up to date Snort GPLv2 Community Rules */ + $snort_comm_md5_check_new = 
file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); + $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); + if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("Snort GPLv2 Community Rules are up to date...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); + error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + } + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } +} + +/* download Snort GPLv2 Community rules file */ +if ($snortcommunityrules == "on") { + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); + + /* Test for a valid rules file download. Turn off Snort Community update if download failed. 
*/ + if ($rc === true) { + if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ + if ($pkg_interface <> "console") + update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); + error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + else { + if ($pkg_interface <> "console") + update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); + log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); + error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); + } + } + else { + if ($pkg_interface <> "console") { + update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules...")); + update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); + } + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\tSnort GPLv2 Community Rules download failed. 
Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } +} + +/* Untar Snort GPLv2 Community rules to tmp */ +if ($snortcommunityrules == 'on') { + safe_mkdir("{$snortdir}/tmp/community"); + if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + update_output_window(gettext("Installing Snort GPLv2 Community Rules...")); + } + error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); + + $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}"); + } + /* base etc files for Snort GPLv2 Community rules */ + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + } + /* Copy snort community md5 sig to snort dir */ + if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); + } + if ($pkg_interface <> "console") { + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); + } + error_log(gettext("\tInstallation of Snort GPLv2 Community Rules 
completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/community"); + } +} + /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { - update_status(gettext("Downloading emergingthreats md5 file...")); - $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5"); - /* XXX: error checking */ - @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); - update_status(gettext("Done downloading emergingthreats md5")); - - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) { - /* Check if were up to date emergingthreats.net */ - $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Emerging threat rules are up to date...")); - log_error("Emerging threat rules are up to date..."); - $emergingthreats = 'off'; + if ($pkg_interface <> "console") + update_status(gettext("Downloading EmergingThreats md5 file...")); + error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log); + /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. 
*/ + if ($vrt_enabled == "on") + $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); + else + $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading EmergingThreats md5")); + error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { + /* Check if were up to date emergingthreats.net */ + $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + if ($emerg_md5_check_new == $emerg_md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("Emerging Threats rules are up to date...")); + log_error(gettext("[Snort] Emerging Threat rules are up to date...")); + error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } } } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\tEmergingThreats md5 file download failed. 
Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } } /* download emergingthreats rules file */ if ($emergingthreats == "on") { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - log_error("There is a new set of Emergingthreats rules posted. Downloading..."); - download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); - update_status(gettext('Done downloading Emergingthreats rules file.')); - log_error("Emergingthreats rules file update downloaded succsesfully"); + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + + /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ + if ($vrt_enabled == "on") + $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); + else + $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); + + /* Test for a valid rules file download. Turn off ET update if download failed. 
*/ + if ($rc === true) { + if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ + if ($pkg_interface <> "console") + update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); + log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); + error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + else { + if ($pkg_interface <> "console") + update_status(gettext('Done downloading EmergingThreats rules file.')); + log_error("[Snort] EmergingThreats rules file update downloaded successfully"); + error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + } + } + else { + if ($pkg_interface <> "console") { + update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); + update_output_window(gettext("EmergingThreats rules file download failed...")); + } + log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\tEmergingThreats rules file download failed. 
Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } } -/* XXX: need to be verified */ -/* Compair md5 sig to file sig */ -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// return; -// } -//} - -/* Normalize rulesets */ -$sedcmd = "s/^#alert/# alert/g\n"; -$sedcmd .= "s/^##alert/# alert/g\n"; -$sedcmd .= "s/^#[ \\t#]*alert/# alert/g\n"; -$sedcmd .= "s/^##\\talert/# alert/g\n"; -$sedcmd .= "s/^\\talert/alert/g\n"; -$sedcmd .= "s/^[ \\t]*alert/alert/g\n"; -@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd); - /* Untar emergingthreats rules to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); + if ($pkg_interface <> "console") { + update_status(gettext("Extracting EmergingThreats.org rules...")); + update_output_window(gettext("Installing EmergingThreats rules...")); + } + error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); 
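Review bot: The MD5 comparison added for the VRT, Community and ET archives (`trim(file_get_contents(...md5)) != trim(md5_file(...))`) is a transfer-integrity check, not an authenticity check: the `.md5` sidecar is fetched from the same origin as the archive, over plain HTTP in the ET case (`http://rules.emergingthreats.net/...`), so whatever can alter one download can alter the other, and a comment such as `/* The .md5 sidecar comes from the same unauthenticated source as the archive: this detects corrupt or truncated downloads only, not a substituted file. */` above each comparison would keep a later reader from reading it as a signature check. The failure branches also call `md5_file()` and `file_get_contents()` three times each on the same file for logging; computing `$file_md5` and `$expected_md5` once before the comparison is cheaper and guarantees the logged values are the ones that were compared. The Community extraction block runs `exec("rm -r {$snortdir}/tmp/community");` with an unqualified `rm`, unlike the `/usr/bin/tar` call beside it; `exec("/bin/rm -r {$snortdir}/tmp/community");` keeps the PATH-independent convention (the same applies to the new `rm -r` for the ET tmp directory in the hunk ending at L2070). Concatenating into the `gettext()` argument, e.g. `log_error(gettext("[Snort] Failed File MD5: " . md5_file(...)))`, defeats catalog lookup because the key is built at runtime; `log_error(gettext("[Snort] Failed File MD5: ") . md5_file(...))` keeps the literal translatable.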
@@ -176,40 +495,48 @@ if ($emergingthreats == 'on') { $newfile = basename($file); @copy($file, "{$snortdir}/rules/{$newfile}"); } - /* IP lists */ - $files = glob("{$snortdir}/tmp/emerging/rules/*.txt"); + /* IP lists for Emerging Threats rules */ + $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); @copy($file, "{$snortdir}/rules/{$newfile}"); } - if ($snortdownload == 'off') { - foreach (array("classification.config", "reference.config", "sid-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) - @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/{$file}"); - } + /* base etc files for Emerging Threats rules */ + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) + @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}"); } - /* make shure default rules are in the right format */ - exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules"); - /* Copy emergingthreats md5 sig to snort dir */ - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5"); + if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); + } + if ($pkg_interface <> "console") { + update_status(gettext("Extraction of EmergingThreats.org rules completed...")); + update_output_window(gettext("Installation of EmergingThreats rules completed...")); } + error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, 
$snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/emerging"); } } /* Untar snort rules file individually to help people with low system specs */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { - if ($pfsense_stable == 'yes') - $freebsd_version_so = 'FreeBSD-7-2'; - else - $freebsd_version_so = 'FreeBSD-8-1'; - - update_status(gettext("Extracting Snort.org rules...")); - /* extract snort.org rules and add prefix to all snort.org files*/ + /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ + /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ + $freebsd_version_so = 'FreeBSD-8-1'; + if (substr(php_uname("r"), 0, 1) == '9') + $freebsd_version_so = 'FreeBSD-9-0'; + + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT rules...")); + update_output_window(gettext("Installing Sourcefire VRT rules...")); + } + error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); + /* extract snort.org rules and add prefix to all snort.org files */ safe_mkdir("{$snortdir}/tmp/snortrules"); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/"); $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); 
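Review bot: The FreeBSD release test `if (substr(php_uname("r"), 0, 1) == '9')` keys on the first character of the release string, so any two-digit major (10.x and later) silently falls back to the `FreeBSD-8-1` precompiled SO rules, which are unlikely to match the running kernel, with no message in the update log. `if ((int) php_uname("r") >= 9)` matches the stated intent in the comment ("test for FreeBSD 9.x") and does not regress on a two-digit major; logging the chosen `$freebsd_version_so` together with `php_uname("r")` in the existing `error_log(... "Using Snort VRT precompiled SO rules for ..." ...)` line would make a mismatch visible. The `if ($snortdownload == 'on')` block that holds this test continues past the end of the hunk.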
@@ -224,187 +551,223 @@ if ($snortdownload == 'on') { @copy($file, "{$snortdir}/rules/{$newfile}"); } exec("rm -r {$snortdir}/tmp/snortrules"); - /* extract so rules */ - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); + update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); + } + exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); + error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); $snort_arch = php_uname("m"); $nosorules = false; if ($snort_arch == 'i386'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); - } else if ($snort_arch == 'amd64') { - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/"); + } elseif ($snort_arch == 'amd64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/"); } else $nosorules = true; exec("rm -r {$snortdir}/tmp/so_rules"); - if ($nosorules == false) { - /* extract 
so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/"); + /* extract so stub rules, rename and copy to the rules folder. */ + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT Shared Objects rules...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); - - /* extract base etc files */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); - foreach (array("classification.config", "reference.config", "gen-msg.map", "sid-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/etc/{$file}")) - @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/{$file}"); - } - exec("rm -r {$snortdir}/tmp/etc"); - - /* Untar snort signatures */ - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Signatures...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + } + /* extract base etc files */ + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT config and map files...")); + update_output_window(gettext("Copying config and map files...")); + } + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/etc/{$file}")) + @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}"); + } + exec("rm -r {$snortdir}/tmp/etc"); + /* Untar snort signatures */ + $signature_info_chk = 
$config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort VRT Signatures...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + if ($pkg_interface <> "console") update_status(gettext("Done extracting Signatures.")); - if (is_dir("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); + if (is_dir("{$snortdir}/doc/signatures")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT signatures...")); + exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); + if ($pkg_interface <> "console") update_status(gettext("Done copying signatures.")); - } - } - - foreach (glob("/usr/local/lib/snort/dynamicrules/*example*") as $file) - @unlink($file); - - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/"); - - /* make shure default rules are in the right format */ - exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules"); - - if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5"); } } + /* Extract the Snort preprocessor rules */ + if ($pkg_interface <> "console") + update_output_window(gettext("Extracting preprocessor rules files...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); + + if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); + } + if ($pkg_interface <> "console") { + update_status(gettext("Extraction of Snort VRT rules 
completed...")); + update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); + } + error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); } } -/* remove old $tmpfname files */ -if (is_dir("{$snortdir}/tmp")) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r {$snortdir}/tmp"); -} - function snort_apply_customizations($snortcfg, $if_real) { - global $config, $g, $snortdir; - - if (empty($snortcfg['rulesets'])) - return; - else { - update_status(gettext("Your set of configured rules are being copied...")); - log_error("Your set of configured rules are being copied..."); - $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); - foreach($enabled_rulesets_array as $enabled_item) { - @copy("{$snortdir}/rules/{$enabled_item}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$enabled_item}"); - if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { - $slib = substr($enabled_item, 6, -6); - if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}")) - @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/dynamicrules/{$slib}"); - - } - } - @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); - @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); - if (is_dir("{$snortdir}/generators")) - exec("/bin/cp -r {$snortdir}/generators {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); - @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); - @copy("{$snortdir}/sid", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid"); - @copy("{$snortdir}/sid-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid-msg.map"); - @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); - } + global 
$vrt_enabled; + $snortdir = SNORTDIR; - if (!empty($snortcfg['rule_sid_on']) || !empty($snortcfg['rule_sid_off'])) { - if (!empty($snortcfg['rule_sid_on'])) { - $enabled_sid_on_array = explode("||", trim($snortcfg['rule_sid_on'])); - $enabled_sids = array_flip($enabled_sid_on_array); + /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */ + if ($vrt_enabled == 'on') { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules"); + foreach ($preproc_files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); + /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */ + if ($snortcfg['protect_preproc_rules'] <> 'on') + @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); } + } + else { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + } - if (!empty($snortcfg['rule_sid_off'])) { - $enabled_sid_off_array = explode("||", trim($snortcfg['rule_sid_off'])); - $disabled_sids = array_flip($enabled_sid_off_array); - } + snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); - $files = glob("{$snortdir}/snort_{$snortcfg}_{$if_real}/rules/*.rules"); - foreach ($files as $file) { - $splitcontents = file($file); - $changed = false; - foreach ( $splitcontents as $counter => $value ) { - $sid = snort_get_rule_part($value, 'sid:', ';', 0); - if (!is_numeric($sid)) - continue; - if (isset($enabled_sids["enablesid {$sid}"])) { - if (substr($value, 0, 5) == "alert") - /* Rule is already enabled */ - continue; - if (substr($value, 0, 7) == "# alert") { - /* Rule is disabled, change */ - $splitcontents[$counter] = substr($value, 2); - $changed = true; - } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") { - /* Rule is 
already enabled */ - continue; - } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") { - /* Rule is disabled, change */ - $splitcontents[$counter - 1] = substr($value, 2); - $changed = true; - } - } else if (isset($disabled_sids["disablesid {$sid}"])) { - if (substr($value, 0, 7) == "# alert") - /* Rule is already disabled */ - continue; - if (substr($value, 0, 5) == "alert") { - /* Rule is enabled, change */ - $splitcontents[$counter] = "# {$value}"; - $changed = true; - } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") { - /* Rule is already disabled */ - continue; - } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") { - /* Rule is enabled, change */ - $splitcontents[$counter - 1] = "# {$value}"; - $changed = true; - } - - } - } - if ($changed == true) - @file_put_contents($file, implode("\n", $splitcontents)); - } - } + /* Copy the master config and map files to the interface directory */ + @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); + @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); + @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); + @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); } -if ($snortdownload == 'on' || $emergingthreats == 'on') { - /* You are Not Up to date, always stop snort when updating rules for low end machines */; - - /* Start the proccess for every interface rule */ +if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { + + if ($pkg_interface <> "console") + update_status(gettext('Copying new config and map files...')); + error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); + + /* Determine which config and map file set to use for the master copy. 
*/ + /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ + if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + } + elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/VRT_{$file}")) + @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}"); + } + } + elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { + /* Both VRT and ET rules are enabled, so build combined */ + /* reference.config and classification.config files. */ + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + /* Use the unicode.map and gen-msg.map files from VRT rules. */ + if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) + @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map"); + if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) + @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map"); + } + + /* Start the rules rebuild proccess for each configured interface */ if (is_array($config['installedpackages']['snortglobal']['rule'])) { + + /* Set the flag to force rule rebuilds since we downloaded new rules, */ + /* except when in post-install mode. Post-install does its own rebuild. 
*/ + if ($g['snort_postinstall']) + $rebuild_rules = false; + else + $rebuild_rules = true; + + /* Create configuration for each active Snort interface */ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = snort_get_real_interface($value['interface']); - - /* make oinkmaster.conf for each interface rule */ + $tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . " ..."; + if ($pkg_interface <> "console"){ + update_status(gettext($tmp)); + update_output_window(gettext("Please wait while Snort interface files are being updated...")); + } snort_apply_customizations($value, $if_real); + + /* Log a message in Update Log if protecting customized preprocessor rules. */ + $tmp = "\t" . $tmp . "\n"; + if ($value['protect_preproc_rules'] == 'on') { + $tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for "); + $tmp .= snort_get_friendly_interface($value['interface']) . "...\n"; + } + error_log($tmp, 3, $snort_rules_upd_log); + } + } + else { + if ($pkg_interface <> "console") { + update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); + update_output_window(gettext("No interfaces currently have Snort configured and enabled on them...")); } + error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log); } - exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart"); - sleep(10); - if (!is_process_running("snort")) - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - log_error("Snort has restarted with your new set of rules..."); + /* Clear the rebuild rules flag. 
*/ + $rebuild_rules = false; + /* remove old $tmpfname files */ + if (is_dir("{$snortdir}/tmp")) { + if ($pkg_interface <> "console") + update_status(gettext("Cleaning up after rules extraction...")); + exec("/bin/rm -r {$snortdir}/tmp"); + } + + /* Restart snort if already running and we are not rebooting to pick up the new rules. */ + if (is_process_running("snort") && !$g['booting']) { + if ($pkg_interface <> "console") { + update_status(gettext('Restarting Snort to activate the new set of rules...')); + update_output_window(gettext("Please wait ... restarting Snort will take some time...")); + } + error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); + restart_service("snort"); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort has restarted with your new set of rules...")); + log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); + error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log); + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("The rules update task is complete...")); + } } -update_status(gettext("The Rules update finished...")); +if ($pkg_interface <> "console") + update_status(gettext("The Rules update has finished...")); +log_error(gettext("[Snort] The Rules update has finished.")); +error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log); conf_mount_ro(); +/* Restore the state of $pkg_interface */ +$pkg_interface = $pkg_interface_orig; + ?> diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 20917d00..371bbecd 100644..100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php 
@@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) @@ -55,7 +55,9 @@ $snort_servers = array ( "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", -"sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", +"sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", +"dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", +"enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); 
@@ -70,16 +72,16 @@ $snort_ports = array( "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", -"sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", +"sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", -"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", +"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386", "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", -"DCERPC_BRIGHTSTORE" => "6503,6504" +"DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502" ); $pconfig = $a_nat[$id]; @@ -124,7 +126,9 @@ if ($_POST) { write_config(); - sync_snort_package_config(); + /* Update the snort conf file for this interface. */ + $rebuild_rules = false; + snort_generate_conf($a_nat[$id]); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
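Review bot: The new `sip_ports` default `5060,5061` drops the `5060:5090` signalling range and the `16384:32768` RTP range that the `sip_proxy_ports` entry two lines above still carries, so the two SIP variables now disagree about which ports the rules inspect, and any rule referencing `$SIP_PORTS` silently loses that coverage on a fresh install. If the narrowing is intentional, `sip_proxy_ports` should probably be narrowed the same way or the divergence explained inline, e.g. `/* sip_ports covers SIP signalling only; sip_proxy_ports keeps the RTP range for proxy rules */`. `ssh_ports` is seeded from `$ssh_port`, which is assigned outside this hunk, so its default depends on code not visible here.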
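Review bot: `snort_generate_conf($a_nat[$id])` is now called with whatever `$id` arrived in the request; the only handling visible in this file is the bare assignment from `$_GET['id']`/`$_POST['id']` in the first hunk, so a non-numeric or out-of-range id reaches `write_config()` and the generator with a null entry. Guard the save path, e.g. `if (!is_numeric($id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }`, as the toggle handlers in snort_interfaces.php already do with `is_numeric($id)`. The enclosing `if ($_POST)` block starts outside the hunk.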
@@ -162,20 +166,32 @@ if ($savemsg) <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td class="tabnavtbl">'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext(" Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . 
gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> </td></tr> <tr> - <td class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers"); ?></td> </tr> @@ -228,6 +244,7 @@ if ($savemsg) </td> </tr> </table> +</div> </td></tr> </table> </form> diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index bbbf689c..562a6b36 100644..100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -34,6 +34,8 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +global $g; + $pgtitle = "Services: Snort: Update Rules"; include("head.inc"); ?> 
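Review bot: The rebuilt per-interface tabs still interpolate the raw request value `$id` into every href (`"/snort/snort_interfaces_edit.php?id={$id}"` and its five siblings), and nothing visible in this file validates or escapes it before `display_top_tabs()` emits the links, so a crafted `id` is reflected into the page markup. Validating once near the top with `is_numeric($id)` (or passing `htmlspecialchars($id)` into each URL) closes that. `$if_friendly`, used to build `$menu_iface`, is not assigned in any visible hunk; presumably it is set in unchanged code above, which is worth confirming for every entry path.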
@@ -44,34 +46,43 @@ include("head.inc"); <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <form action="/snort/snort_download_updates.php" method="GET"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td ><!-- progress bar --> - <table id="progholder" width='320' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> + +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td align="center"><div id="boxarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td> - <img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' - width='280' height='23' name='progressbar' id='progressbar' alt='' /> + <td class="tabcont" align="center"> + <table width="420" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td style="background:url('../themes/<?= $g['theme']; ?>/images/misc/bar_left.gif')" height="15" width="5"></td> + <td style="background:url('../themes/<?= $g['theme']; ?>/images/misc/bar_gray.gif')" height="15" width="410"> + <table id="progholder" width='410' cellpadding='0' cellspacing='0'> + <tr> + <td align="left"><img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/bar_blue.gif' + width='0' height='15' name='progressbar' id='progressbar' alt='' /></td + </tr> + </table></td> + <td style="background:url('../themes/<?= $g['theme']; ?>/images/misc/bar_right.gif')" height="15" width="5"></td> + </tr> + </table> </td> </tr> - </table> - <br /> - <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> - <?=gettext("Initializing...");?> - </textarea> - <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> - </textarea> - </td> - </tr> + <tr> + <td class="tabcont" align="center"> + <!-- status box --> + <textarea cols="85" 
rows="1" name="status" id="status" wrap="soft"><?=gettext("Initializing..."); ?>.</textarea> + <!-- command output box --> + <textarea cols="85" rows="12" name="output" id="output" wrap="soft"></textarea> + </td> + </tr> + <tr> + <td class="tabcont" align="center" valign="middle"><input type="submit" name="return" id="return" Value="Return"></td> + </tr> </table> - </div> - </td> -</tr> - <tr><td><input type="submit" name="return" id="return" Value="Return"></td></tr> + </div> + </td> + </tr> </table> </form> <?php include("fend.inc");?> diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 4c4202a8..1f87fbbc 100644..100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -36,15 +36,20 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; - +/* Define some locally required variables from Snort constants */ $snortdir = SNORTDIR; +$snort_rules_upd_log = RULES_UPD_LOGFILE; +$log = $snort_rules_upd_log; +$snort_rules_file = VRT_DNLD_FILENAME; +$emergingthreats_filename = ET_DNLD_FILENAME; +$snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; 
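Review bot: The progress-bar cell is closed with `</td` instead of `</td>` on the line `... name='progressbar' id='progressbar' alt='' /></td`, so the new markup is malformed and browsers have to error-recover across the nested tables; it should be `... id='progressbar' alt='' /></td>`. The image starts at `width='0'` and is presumably grown by the status script behind `update_status()`/`update_output_window()`, which lives outside this file, so it is worth confirming that script still targets the `progressbar` id and the new `410`-pixel holder width.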
@@ -52,13 +57,28 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) $snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5"); $emergingt_net_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/emerging.rules.tar.gz.md5")) - $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/emerging.rules.tar.gz.md5"); +if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5")) + $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5"); + +$snort_community_sig_chk_local = 'N/A'; +if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) + $snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5"); + +/* Check for postback to see if we should clear the update log file. */ +if (isset($_POST['clear'])) { + if (file_exists("{$snort_rules_upd_log}")) + mwexec("/bin/rm -f {$snort_rules_upd_log}"); +} + +if (isset($_POST['update'])) { + header("Location: /snort/snort_download_rules.php"); + exit; +} /* check for logfile */ -$update_logfile_chk = 'no'; -if (file_exists("{$snortdir}/snort_update.log")) - $update_logfile_chk = 'yes'; +$snort_rules_upd_logfile_chk = 'no'; +if (file_exists("{$snort_rules_upd_log}")) + $snort_rules_upd_logfile_chk = 'yes'; $pgtitle = "Services: Snort: Updates"; include_once("head.inc"); 
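Review bot: The new `clear` handler spawns a shell to delete one file, `mwexec("/bin/rm -f {$snort_rules_upd_log}")`, where `@unlink($snort_rules_upd_log);` does the same without a process or shell; the path is a constant from `RULES_UPD_LOGFILE`, so the concern is the needless exec rather than injection. The `update` branch redirects and exits, but the `clear` branch falls through and renders the page from the POST itself, so a browser refresh re-submits and clears again; redirecting back to `snort_download_updates.php` after the delete avoids that. Whether these POSTs get CSRF protection depends on `$nocsrf`, which is not visible in this hunk.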
@@ -68,6 +88,27 @@ include_once("head.inc"); <?php include("fbegin.inc"); ?> <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<script language="javascript" type="text/javascript"> +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +</script> + +<form action="snort_download_updates.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
@@ -79,60 +120,58 @@ include_once("head.inc"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> <tr> <td> - <div id="mainarea3"> - <table id="maintable4" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> + <div id="mainarea"> + <table id="maintable4" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr align="center"> <td> <br/> - <table id="download_rules" height="32px" width="725px" border="0" - cellpadding="5px" cellspacing="0"> + <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> <td id="download_rules_td" style="background-color: #eeeeee"> <div height="32" width="725px" style="background-color: #eeeeee"> - - <font color="#777777" size="1.5px"> <p style="text-align: left; margin-left: 225px;"> - <b><?php echo gettext("INSTALLED SIGNATURE RULESET"); ?></b></font><br> - <br> - <font color="#FF850A" size="1px"><b>SNORT.ORG >>></b></font> - <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET >>></b></font> - <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br> + <font color="#777777" size="2.5px"> + <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> + <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> + <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> + <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> + <font size="1px" color="#000000"> <? 
echo $emergingt_net_sig_chk_local; ?></font><br/> + <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> + <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> </p> </div> </td> </tr> </table> <br/> - <table id="download_rules" height="32px" width="725px" border="0" - cellpadding="5px" cellspacing="0"> + <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> <td id="download_rules_td" style='background-color: #eeeeee'> <div height="32" width="725px" style='background-color: #eeeeee'> - <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("UPDATE YOUR RULES"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("UPDATE YOUR RULESET"); ?></b></font><br/> <br/> <?php if ($snortdownload != 'on' && $emergingthreats != 'on') { echo ' - <button disabled="disabled"><span class="download">' . gettext("Update Rules") . ' </span></button><br/> + <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> - <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. "Global Settings Tab"') . '</font><br>'; + <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. ') . + gettext('Visit the ') . '<a href="snort_interfaces_global.php">Global Settings Tab</a>' . gettext(' to select rule types.') . '</font><br/>'; echo '</p>' . "\n"; } else { echo ' - <a href="/snort/snort_download_rules.php"><button ><span class="download">' . gettext("Update Rules") . ' </span></button></a><br/>' . "\n"; + <input type="submit" value="' . gettext("Update Rules") . 
'" name="update" id="Submit" class="formbtn" /><br/>' . "\n"; } @@ -143,26 +182,24 @@ include_once("head.inc"); </tr> </table> <br/> - <table id="download_rules" height="32px" width="725px" border="0" - cellpadding="5px" cellspacing="0"> + <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> <td id="download_rules_td" style='background-color: #eeeeee'> <div height="32" width="725px" style='background-color: #eeeeee'> - <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br/> <br> - <?php - if ($update_logfile_chk == 'yes') { + if ($snort_rules_upd_logfile_chk == 'yes') { echo " - <button href='/snort/snort_rules_edit.php?openruleset={$snortdir}/snort_update.log'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button class=\"formbtn\" onclick=\"wopen('snort_log_view.php?logfile={$log}', 'LogViewer', 800, 600)\"><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>"; + echo " <input type=\"submit\" value=\"Clear Log\" name=\"clear\" id=\"Submit\" class=\"formbtn\" />\n"; }else{ echo " - <button disabled='disabled' href='/snort/snort_rules_edit.php?openruleset={$snortdir}/snort_update.log'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button disabled='disabled'><span class='pwhitetxt'>" . gettext("View Log") . "</span></button> " . gettext("Log is empty.") . "\n"; } - + echo '<br><br>' . gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded."); ?> <br/> </p> 
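Review bot: The button-disable test `if ($snortdownload != 'on' && $emergingthreats != 'on')` was not extended for the GPLv2 community ruleset this commit adds (`$snortcommunityrules` is read earlier in the file and the update script treats `$snortcommunityrules == 'on'` as a download source), so a user who enables only the community rules gets a disabled Update Rules button and the "No rule types have been selected" warning. It should read `if ($snortdownload != 'on' && $emergingthreats != 'on' && $snortcommunityrules != 'on') {`. Separately, the three signature strings come from `.md5` files fetched from the rule vendors and are echoed raw (`<? echo $snort_org_sig_chk_local; ?>` and siblings); wrapping them in `htmlspecialchars()` keeps a tampered download from injecting markup into the admin page.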
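Review bot: The View Log button opens `snort_log_view.php?logfile={$log}`, handing a server-side file path to the viewer in the query string; that is only safe if `snort_log_view.php` (not in this diff) restricts the value to the Snort log location rather than opening whatever path it receives, so that check is worth confirming. `$log` is also dropped into an `onclick` JavaScript string inside a double-quoted HTML attribute unescaped; it is a constant today, but `rawurlencode($log)` in the URL keeps the construction intact if the path ever gains quotes or spaces. The Clear Log submit reuses `id="Submit"`, the same id the Update Rules button above carries, so the page now has duplicate element ids.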
@@ -173,15 +210,14 @@ include_once("head.inc"); <br/> - <table id="download_rules" height="32px" width="725px" border="0" - cellpadding="5px" cellspacing="0"> + <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> <td id="download_rules_td" style='background-color: #eeeeee'> - <div height="32" width="725px" style='background-color: #eeeeee'> - <font color='#FF850A' size='1px'><b><?php echo gettext("NOTE:"); ?></b></font><font size='1px' - color='#000000'> <?php echo gettext("Snort.org and Emergingthreats.net " . - "will go down from time to time. Please be patient."); ?> - </font> + <div height="32" width="725px" style='background-color: #eeeeee'><span class="vexpl"> + <span class="red"><b><?php echo gettext("NOTE:"); ?></b></span> + <a href="http://www.snort.org/" target="_blank"><?php echo gettext("Snort.org") . "</a>" . + gettext(" and ") . "<a href=\"http://www.emergingthreats.net/\" target=\"_blank\">" . gettext("EmergingThreats.net") . "</a>" . + gettext(" will go down from time to time. Please be patient."); ?></span> </div> </td> </tr> @@ -191,16 +227,12 @@ include_once("head.inc"); </tr> </table> </div> - - - - - <br> </td> </tr> </table> -<!-- end of final table --></div> +<!-- end of final table --> +</form> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php new file mode 100644 index 00000000..f0562046 --- /dev/null +++ b/config/snort/snort_edit_hat_data.php 
@@ -0,0 +1,126 @@ +<?php +/* + * snort_edit_hat_data.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g, $rebuild_rules;
+
+$snortdir = SNORTDIR;
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!empty($a_nat[$id]['host_attribute_data']))
+ $pconfig['host_attribute_data'] = base64_decode($a_nat[$id]['host_attribute_data']);
+else
+ $pconfig['host_attribute_data'] = "";
+
+if ($_POST['clear']) {
+ unset($a_nat[$id]['host_attribute_data']);
+ write_config();
+ $rebuild_rules = false;
+ snort_generate_conf($a_nat[$id]);
+ header("Location: /snort/snort_edit_hat_data.php?id={$id}");
+ exit;
+}
+
+if ($_POST['host_attribute_data']) {
+ $a_nat[$id]['host_attribute_data'] = base64_encode($_POST['host_attribute_data']);
+ write_config();
+ $rebuild_rules = false;
+ snort_generate_conf($a_nat[$id]);
+ header("Location: /snort/snort_preprocessors.php?id={$id}");
+ exit;
+}
+
+
+$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
+$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data";
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . 
'</p>';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +<form action="snort_edit_hat_data.php" method="post" name="iform" id="iform"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td valign="middle" class="listtopic"><?php echo gettext("Edit Host Attribute Table Data"); ?></td> + </tr> + <tr> + <td> + <input type='hidden' name='id' value='<?=$id;?>'> + <textarea wrap="off" cols="80" rows="35" name="host_attribute_data" id="host_attribute_data" style="width:99%; height:100%;"><?=$pconfig['host_attribute_data'];?></textarea></td> + </tr> + <tr> + <td> + <input name="Submit" type="submit" class="formbtn" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save Host Attribute data"); ?>"/> + <input type="button" class="formbtn" value=" <?php echo gettext("Return"); ?>" onclick="parent.location='snort_preprocessors.php?id=<?=$id;?>'" title="<?php echo gettext("Return to Preprocessors tab"); ?>"/> + <input name="clear" type="submit" class="formbtn" id="clear" value="<?php echo gettext("Clear"); ?>" onclick="return confirm('<?php echo gettext("This will erase all Host Attribute data for the interface. Are you sure?"); ?>')" title="<?php echo gettext("Deletes all Host Attribute data"); ?>"/> + </td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 1e155e82..84273167 100644..100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -32,9 +32,10 @@ $nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $snortdir = SNORTDIR; +$rcdir = RCFILEPREFIX; $id = $_GET['id']; if (isset($_POST['id'])) 
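Review bot: The stored Host Attribute Table text is echoed straight back into the editor, `<textarea ...><?=$pconfig['host_attribute_data'];?></textarea>`, and the request id goes unescaped into an attribute and an inline script, `value='<?=$id;?>'` and `onclick="parent.location='snort_preprocessors.php?id=<?=$id;?>'"`; a value containing `</textarea>` or a quote breaks out of the element. Use `<?=htmlspecialchars($pconfig['host_attribute_data']);?>` and `htmlspecialchars($id)` at those three spots, and tighten the entry check from `is_null($id)` to `!is_numeric($id) || !isset($a_nat[$id])`, since with the current check an unknown id creates a fresh `$a_nat[$id]` entry on save. The save path also accepts any text without checking it parses as XML; a `simplexml_load_string()` test before `write_config()` would reject a table that presumably makes Snort refuse its config, though what `snort_generate_conf()` does with the data is not visible here.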
@@ -57,19 +58,38 @@ if (isset($_POST['del_x'])) { exec("/bin/rm -r /var/log/snort/snort_{$if_real}{$snort_uuid}"); exec("/bin/rm -r {$snortdir}/snort_{$snort_uuid}_{$if_real}"); + // If interface had auto-generated Suppress List, then + // delete that along with the interface + $autolist = "{$a_nat[$rulei]['interface']}" . "suppress"; + if (is_array($config['installedpackages']['snortglobal']['suppress']) && + is_array($config['installedpackages']['snortglobal']['suppress']['item'])) { + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + foreach ($a_suppress as $k => $i) { + if ($i['name'] == $autolist) { + unset($config['installedpackages']['snortglobal']['suppress']['item'][$k]); + break; + } + } + } + + // Finally delete the interface's config entry entirely unset($a_nat[$rulei]); } conf_mount_ro(); + /* If all the Snort interfaces are removed, then unset the config array. */ + if (empty($a_nat)) + unset($a_nat); + write_config(); sleep(2); - /* if there are no ifaces do not create snort.sh */ + /* if there are no ifaces remaining do not create snort.sh */ if (!empty($config['installedpackages']['snortglobal']['rule'])) snort_create_rc(); else { conf_mount_rw(); - @unlink('/usr/local/etc/rc.d/snort.sh'); + @unlink("{$rcdir}/snort.sh"); conf_mount_ro(); } @@ -93,11 +113,11 @@ if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { $if_friendly = snort_get_friendly_interface($snortcfg['interface']); if (snort_is_running($snortcfg['uuid'], $if_real, 'barnyard2') == 'no') { - log_error("Toggle(barnyard starting) for {$if_friendly}({$snortcfg['descr']}}..."); + log_error("Toggle (barnyard starting) for {$if_friendly}({$snortcfg['descr']})..."); sync_snort_package_config(); snort_barnyard_start($snortcfg, $if_real); } else { - log_error("Toggle(barnyard stopping) for {$if_friendly}({$snortcfg['descr']}}..."); + log_error("Toggle (barnyard stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_barnyard_stop($snortcfg, $if_real); } 
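Review bot: `unset($a_nat)` under the comment "unset the config array" only drops the local variable; if `$a_nat` is a reference into `$config['installedpackages']['snortglobal']['rule']` (as it is in the sibling snort_edit_hat_data.php in this same commit), the config array stays behind as an empty array, which is why the following `!empty(...)` test has to look at `$config` directly. Use `unset($config['installedpackages']['snortglobal']['rule']);` if removing the key is the intent, or drop the two lines and their comment. The auto-suppress cleanup matches `$a_nat[$rulei]['interface'] . "suppress"` and stops at the first hit, fine as long as at most one auto-generated list per interface can exist; the enclosing `if (isset($_POST['del_x']))` loop starts outside the hunk.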
@@ -113,7 +133,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { $if_friendly = snort_get_friendly_interface($snortcfg['interface']); if (snort_is_running($snortcfg['uuid'], $if_real) == 'yes') { - log_error("Toggle(snort stopping) for {$if_friendly}({$snortcfg['descr']})..."); + log_error("Toggle (snort stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_stop($snortcfg, $if_real); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -122,8 +142,12 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); } else { - log_error("Toggle(snort starting) for {$if_friendly}({$snortcfg['descr']})..."); + log_error("Toggle (snort starting) for {$if_friendly}({$snortcfg['descr']})..."); + + /* set flag to rebuild interface rules before starting Snort */ + $rebuild_rules = true; sync_snort_package_config(); + $rebuild_rules = false; snort_start($snortcfg, $if_real); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
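Review bot: The start branch now wraps `sync_snort_package_config()` in `$rebuild_rules = true; ... $rebuild_rules = false;`, but the whole handler is still driven by `$_GET['act'] == 'toggle'` with `$nocsrf = true;` set at the top of this file (visible in the first hunk), so starting or stopping the IDS on an interface is reachable by a plain cross-site GET against a logged-in admin. Converting the toggle links to a POST form and dropping `$nocsrf` is the proper fix; at minimum the stop path should not be a GET. A one-line comment on why the stop branch does not need the rebuild flag would also help the next reader.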
@@ -174,26 +198,28 @@ if ($pfsense_stable == 'yes') ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); - $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); - $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); - $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); - $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - display_top_tabs($tab_array); -?> -</td></tr> <tr> <td> - <div id="mainarea2"> - <table class="tabcont" width="100%" border="0" cellpadding="0" - cellspacing="0"> + <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + ?> + </td> +</tr> +<tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr id="frheader"> - <td width="5%" class="list"> </td> + <td width="3%" class="list"> </td> <td width="10%" 
class="listhdrr"><?php echo gettext("If"); ?></td> <td width="13%" class="listhdrr"><?php echo gettext("Snort"); ?></td> <td width="10%" class="listhdrr"><?php echo gettext("Performance"); ?></td> 
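Review bot: The eight-entry `$tab_array` built here is duplicated verbatim in snort_interfaces_edit.php later in this commit (same labels, same URLs, only the active flag differs), so the two will drift the next time a tab is added. A small helper in snort.inc, e.g. `snort_top_tabs($active)` returning the array with the matching entry set to `true`, would keep both pages in sync; the call site here would become `display_top_tabs(snort_top_tabs("Snort Interfaces"));`. This is a style point only; the rendered output is unchanged.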
@@ -201,44 +227,86 @@ if ($pfsense_stable == 'yes') <td width="12%" class="listhdrr"><?php echo gettext("Barnyard2"); ?></td> <td width="30%" class="listhdr"><?php echo gettext("Description"); ?></td> <td width="3%" class="list"> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="17"></td> - <td><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0"></a></td> + <td></td> + <td align="center" valign="middle"><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext('Add Snort interface mapping');?>"></a></td> </tr> </table> </td> </tr> -<?php $nnats = $i = 0; foreach ($a_nat as $natent): ?> -<tr valign="top" id="fr<?=$nnats;?>"> -<?php + <?php $nnats = $i = 0; -/* convert fake interfaces to real and check if iface is up */ -/* There has to be a smarter way to do this */ - $if_real = snort_get_real_interface($natent['interface']); - $snort_uuid = $natent['uuid']; - if (snort_is_running($snort_uuid, $if_real) == 'no') - $iconfn = 'pass'; - else - $iconfn = 'block'; - if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no') - $biconfn = 'pass'; - else - $biconfn = 'block'; + // Turn on buffering to speed up rendering + ini_set('output_buffering','true'); - ?> - <td class="listt"> - <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td> - <td class="listr" + // Start buffering to fix display lag issues in IE9 and IE10 + ob_start(null, 0); + + /* If no interfaces are defined, then turn off the "no rules" warning */ + $no_rules_footnote = false; + if ($id_gen == 0) + $no_rules = false; + else + $no_rules = true; + + foreach ($a_nat as $natent): ?> + <tr 
valign="top" id="fr<?=$nnats;?>"> + <?php + + /* convert fake interfaces to real and check if iface is up */ + /* There has to be a smarter way to do this */ + $if_real = snort_get_real_interface($natent['interface']); + $natend_friendly= snort_get_friendly_interface($natent['interface']); + $snort_uuid = $natent['uuid']; + if (snort_is_running($snort_uuid, $if_real) == 'no'){ + $iconfn = 'block'; + $iconfn_msg1 = 'Snort is not running on '; + $iconfn_msg2 = '. Click to start.'; + } + else{ + $iconfn = 'pass'; + $iconfn_msg1 = 'Snort is running on '; + $iconfn_msg2 = '. Click to stop.'; + } + if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no'){ + $biconfn = 'block'; + $biconfn_msg1 = 'Barnyard2 is not running on '; + $biconfn_msg2 = '. Click to start.'; + } + else{ + $biconfn = 'pass'; + $biconfn_msg1 = 'Barnyard2 is running on '; + $biconfn_msg2 = '. Click to stop.'; + } + + /* See if interface has any rules defined and set boolean flag */ + $no_rules = true; + if (isset($natent['customrules']) && !empty($natent['customrules'])) + $no_rules = false; + if (isset($natent['rulesets']) && !empty($natent['rulesets'])) + $no_rules = false; + if (isset($natent['ips_policy']) && !empty($natent['ips_policy'])) + $no_rules = false; + /* Do not display the "no rules" warning if interface disabled */ + if ($natent['enable'] == "off") + $no_rules = false; + if ($no_rules) + $no_rules_footnote = true; + ?> + <td class="listt"> + <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"> + </td> + <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php - echo snort_get_friendly_interface($natent['interface']); + echo $natend_friendly; ?> - </td> - <td class="listr" + </td> + <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php 
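Review bot: `echo $natend_friendly;` writes the interface's friendly name into the table cell without escaping, while `$natent['descr']` two columns later is passed through `htmlspecialchars()`; the same unescaped value is also concatenated into single-quoted `title='...'` attributes in the two following hunks (`@@ -248,12 +316,13 @@` and `@@ -286,94 +357,140 @@`). The value comes from the firewall's interface configuration rather than a request parameter, so the exposure is limited to an administrator-controlled string, but escaping consistently is cheap: `echo htmlspecialchars($natend_friendly);` here and `htmlspecialchars(..., ENT_QUOTES)` inside the title attributes. Separately, `ini_set('output_buffering','true');` is a no-op — `output_buffering` is a PHP_INI_PERDIR setting and cannot be changed at runtime — and the `ob_start(null, 0);` below it is what actually buffers, so the `ini_set` line can be dropped. The pre-loop `$no_rules = false/true` assignment is also dead, since the loop body unconditionally resets `$no_rules = true;` on every iteration and nothing reads it when `$a_nat` is empty.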
@@ -248,12 +316,13 @@ if ($pfsense_stable == 'yes') echo "<a href='?act=toggle&id={$i}'> <img src='../themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif' width='13' height='13' border='0' - title='" . gettext('click to toggle start/stop snort') . "'></a>"; + title='" . gettext($iconfn_msg1.$natend_friendly.$iconfn_msg2) . "'></a>"; + echo ($no_rules) ? " <img src=\"../themes/{$g['theme']}/images/icons/icon_frmfld_imp.png\" width=\"15\" height=\"15\" border=\"0\">" : ""; } else echo strtoupper("disabled"); ?> - </td> - <td class="listr" + </td> + <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php @@ -263,8 +332,9 @@ if ($pfsense_stable == 'yes') }else{ $check_performance = "lowmem"; } - ?> <?=strtoupper($check_performance);?></td> - <td class="listr" + ?> <?=strtoupper($check_performance);?> + </td> + <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php @@ -275,8 +345,9 @@ if ($pfsense_stable == 'yes') } else { $check_blockoffenders = disabled; } - ?> <?=strtoupper($check_blockoffenders);?></td> - <td class="listr" + ?> <?=strtoupper($check_blockoffenders);?> + </td> + <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php 
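Review bot: `gettext($iconfn_msg1.$natend_friendly.$iconfn_msg2)` passes a runtime-assembled string to gettext, so no catalog entry can ever match it and the fragments `'Snort is not running on '` / `'. Click to start.'` assigned in the previous hunk are never translated either; the same pattern appears in `@@ -286,94 +357,140 @@` for the Barnyard2 icon. Translate the fixed parts and interpolate the name afterwards, e.g. `title='" . sprintf(gettext('Snort is not running on %s. Click to start.'), htmlspecialchars($natend_friendly, ENT_QUOTES)) . "'`, which also escapes the single quote that would otherwise break the attribute. The `echo ($no_rules) ? ...` line is fine but would read better as a plain `if`, matching the `else echo strtoupper("disabled");` style right below it.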
@@ -286,94 +357,140 @@ if ($pfsense_stable == 'yes') echo "<a href='?act=bartoggle&id={$i}'> <img src='../themes/{$g['theme']}/images/icons/icon_{$biconfn}.gif' width='13' height='13' border='0' - title='" . gettext('click to toggle start/stop barnyard') . "'></a>"; + title='" . gettext($biconfn_msg1.$natend_friendly.$biconfn_msg2) . "'></a>"; } else echo strtoupper("disabled"); ?> - </td> - <td class="listbg" + </td> + <td class="listbg" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <font color="#ffffff"> <?=htmlspecialchars($natent['descr']);?> - </td> - <td valign="middle" class="list" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext('edit rule'); ?>"></a></td> - </tr> - </table> - - </tr> - <?php $i++; $nnats++; endforeach; ?> - <tr> - <td class="list" colspan="8"></td> - <td class="list" valign="middle" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> + <font color="#ffffff"> <?=htmlspecialchars($natent['descr']);?> </font> + </td> + <td valign="middle" class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="0"> + <tr> + <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?php echo gettext('Edit Snort interface mapping'); ?>"></a> + </td> + </tr> + </table> + </td> + </tr> + <?php $i++; $nnats++; endforeach; ob_end_flush(); ?> + <tr> + <td class="list"></td> + <td class="list" colspan="6"> + <?php if ($no_rules_footnote): ?><br><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_frmfld_imp.png" width="15" height="15" border="0"> + <span class="red">   <?php echo gettext("WARNING: Marked interface currently has no rules defined for Snort"); ?></span> + <?php else: ?> + <?php endif; ?> + </td> + 
<td class="list" valign="middle" nowrap> + <table border="0" cellspacing="0" cellpadding="0"> <tr> <td><?php if ($nnats == 0): ?><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" - width="17" height="17" title="<?php echo gettext("delete selected rules"); ?>" border="0"><?php else: ?><input - name="del" type="image" - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" title="<?php echo gettext("delete selected mappings"); ?>" - onclick="return confirm('Do you really want to delete the selected Snort Rule?')"><?php endif; ?></td> + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" + width="17" height="17" " border="0"> + <?php else: ?> + <input name="del" type="image" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" title="<?php echo gettext("Delete selected Snort interface mapping(s)"); ?>" + onclick="return intf_del()"> + <?php endif; ?></td> </tr> </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> - -<br> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <div id="mainarea4"> - <table class="tabcont" width="100%" border="0" cellpadding="0" - cellspacing="0"> - <tr id="frheader"> - <td width="100%"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext('This is the <strong>Snort Menu</strong> where you can see an over ' . - 'view of all your interface settings. <br> ' . - 'Please edit the <strong>Global Settings</strong> tab before adding ' . 
- 'an interface.'); ?> <br> - <br> - <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <br> - <strong><?php echo gettext("New settings will not take effect until interface restart."); ?></strong> - <br> - <br> - <strong>Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0" title="<?php echo gettext("Add Icon"); ?>"> icon to add a - interface.<strong> Click</strong> - on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" - width="13" height="13" border="0" title="<?php echo gettext("Start Icon"); ?>"> icon to <strong>start</strong> - snort and barnyard2. <br> - <strong>Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext("Edit Icon"); ?>"> icon to edit a - interface and settings.<strong> Click</strong> - on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" - width="13" height="13" border="0" title="<?php echo gettext("Stop Icon"); ?>"> icon to <strong>stop</strong> - snort and barnyard2. <br> - <strong> Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" border="0" title="<?php echo gettext("Delete Icon"); ?>"> icon to - delete a interface and settings.</td> - </tr> - </table> - </div> - - </tr> + </td> + </tr> + <tr> + <td colspan="8"> </td> + </tr> + <tr> + <td> </td> + <td colspan="6"> + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="0"> + <tr> + <td colspan="3" class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> + <?php echo gettext("This is the ") . "<strong>" . gettext("Snort Menu ") . + "</strong>" . gettext("where you can see an overview of all your interface settings."); + if (empty($a_nat)) { + echo gettext("Please visit the ") . "<strong>" . gettext("Global Settings") . 
+ "</strong>" . gettext(" tab before adding an interface."); + }?> + </td> + </tr> + <tr> + <td colspan="3" class="vexpl"><br> + </td> + </tr> + <tr> + <td colspan="3" class="vexpl"><span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span><br> + <strong><?php echo gettext("New settings will not take effect until interface restart."); ?></strong> + </td> + </tr> + <tr> + <td colspan="3" class="vexpl"><br> + </td> + </tr> + <tr> + <td class="vexpl"><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext("Add Icon"); ?>"> icon to add + an interface. + </td> + <td width="3%" class="vexpl"> + </td> + <td class="vexpl"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" + width="13" height="13" border="0" title="<?php echo gettext("Running"); ?>"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="13" height="13" border="0" title="<?php echo gettext("Not Running"); ?>"> icons will show current + snort and barnyard2 status. + </td> + </tr> + <tr> + <td class="vexpl"><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?php echo gettext("Edit Icon"); ?>"> icon to edit + an interface and settings. + <td width="3%"> + </td> + <td class="vexpl"><strong>Click</strong> on the status icons to <strong>toggle</strong> snort and barnyard2 status. + </td> + </tr> + <tr> + <td colspan="3" class="vexpl"><strong> Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" border="0" title="<?php echo gettext("Delete Icon"); ?>"> icon to + delete an interface and settings. 
+ </td> + </tr> + </table> + </td> + <td> </td> + </tr> + </table> + </div> </td> +</tr> </table> </form> + +<script type="text/javascript"> + +function intf_del() { + var isSelected = false; + var inputs = document.iform.elements; + for (var i = 0; i < inputs.length; i++) { + if (inputs[i].type == "checkbox") { + if (inputs[i].checked) + isSelected = true; + } + } + if (isSelected) + return confirm('Do you really want to delete the selected Snort mapping?'); + else + alert("There is no Snort mapping selected for deletion. Click the checkbox beside the Snort mapping(s) you wish to delete."); +} + +</script> + <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index f47a055e..bbd4338c 100644..100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); 
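Review bot: `intf_del()` falls off the end after the `alert(...)` when no checkbox is selected, so the `onclick="return intf_del()"` handler returns `undefined`, which does not cancel the image-button submit — the form is posted with `del` set and no `rule[]` entries, and the user sees the alert and then a page reload anyway. Add `return false;` after the alert. The disabled delete icon in the same hunk carries a stray quote, `width="17" height="17" " border="0">`, left over from the removed `title` attribute; it should be `width="17" height="17" border="0">`. The Sync tab and the rest of the page layout changes in this hunk look fine.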
@@ -50,12 +50,28 @@ if (is_null($id)) { } $pconfig = array(); -if (empty($snortglob['rule'][$id]['uuid'])) +if (empty($snortglob['rule'][$id]['uuid'])) { + /* Adding new interface, so flag rules to build. */ $pconfig['uuid'] = snort_generate_id(); -else + $rebuild_rules = true; +} +else { $pconfig['uuid'] = $a_rule[$id]['uuid']; + $pconfig['descr'] = $a_rule[$id]['descr']; + $rebuild_rules = false; +} $snort_uuid = $pconfig['uuid']; +// Get the physical configured interfaces on the firewall +if (function_exists('get_configured_interface_with_descr')) + $interfaces = get_configured_interface_with_descr(); +else { + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; +} + +// See if interface is already configured, and use its values if (isset($id) && $a_rule[$id]) { /* old options */ $pconfig = $a_rule[$id]; 
@@ -63,28 +79,32 @@ if (isset($id) && $a_rule[$id]) { $pconfig['configpassthru'] = base64_decode($pconfig['configpassthru']); if (empty($pconfig['uuid'])) $pconfig['uuid'] = $snort_uuid; - if (!$pconfig['interface']) - $pconfig['interface'] = "wan"; +} +// Must be a new interface, so try to pick next available physical interface to use +elseif (isset($id) && !isset($a_rule[$id])) { + $ifaces = get_configured_interface_list(); + $ifrules = array(); + foreach($a_rule as $r) + $ifrules[] = $r['interface']; + foreach ($ifaces as $i) { + if (!in_array($i, $ifrules)) { + $pconfig['interface'] = $i; + break; + } + } + if (count($ifrules) == count($ifaces)) { + $input_errors[] = "No more available interfaces to configure for Snort!"; + $interfaces = array(); + $pconfig = array(); + } } if (isset($_GET['dup'])) unset($id); if ($_POST["Submit"]) { - if ($_POST['descr'] == '' && $pconfig['descr'] == '') { - $input_errors[] = "Please enter a description for your reference."; - } - if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; -/* - foreach ($a_rule as $natent) { - if (isset($id) && ($a_rule[$id]) && ($a_rule[$id] === $natent)) - continue; - if ($natent['interface'] == $_POST['interface']) - $input_errors[] = "This interface is already configured for another instance"; - } -*/ /* if no errors write to conf */ if (!$input_errors) { 
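Review bot: The "no more interfaces" test `if (count($ifrules) == count($ifaces))` measures the wrong thing: `$ifrules` is a list of every configured rule's interface, so a rule that points at an interface no longer present in `get_configured_interface_list()` makes the counts equal while a free interface exists, and conversely a shorter `$ifrules` skips the error even though the loop may have assigned nothing. Test the loop's outcome directly: `if (empty($pconfig['interface'])) {`. The membership check should be `in_array($i, $ifrules, true)`, and the hard-coded `"No more available interfaces to configure for Snort!"` should go through `gettext()` like the other user-facing strings in this file. The enclosing `if (isset($id) && $a_rule[$id])` chain begins outside the hunk.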
@@ -92,7 +112,19 @@ if ($_POST["Submit"]) { $natent['interface'] = $_POST['interface']; $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else unset($natent['descr']); + + /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */ + $snort_reload = false; + if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) + $snort_reload = true; + if ($_POST['externallistname'] && ($_POST['externallistname'] <> $natent['externallistname'])) + $snort_reload = true; + if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) + $snort_reload = true; + if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname'])) + $snort_reload = true; + + if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']); /* if post = on use on off or rewrite the conf */ if ($_POST['blockoffenders7'] == "on") $natent['blockoffenders7'] = 'on'; else $natent['blockoffenders7'] = 'off'; 
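Review bot: The `$snort_reload` detection compares each POSTed list name against `$natent[...]`, but `$natent` is being populated from `$_POST` in the lines just above (`$natent['interface'] = $_POST['interface'];`); unless it was seeded from `$a_rule[$id]` before this hunk (not visible here), the keys are unset on the first comparison and every non-empty POST value registers as a change, so a reload is signalled on every save. Compare against the stored entry instead, e.g. `$old = isset($id) ? $a_rule[$id] : array();` and `if ($_POST['homelistname'] <> $old['homelistname'])`, and drop the leading `$_POST['x'] &&` guard so that clearing a list back to default also triggers the reload. The new fallback `strtoupper($natent['interface'])` for an empty description is reasonable; the earlier "Please enter a description" validation it replaces was removed in the previous hunk. The enclosing `if ($_POST["Submit"])` block continues outside the hunk.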
@@ -105,6 +137,9 @@ if ($_POST["Submit"]) { if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']); if ($_POST['cksumcheck']) $natent['cksumcheck'] = 'on'; else $natent['cksumcheck'] = 'off'; + if ($_POST['fpm_split_any_any'] == "on") { $natent['fpm_split_any_any'] = 'on'; }else{ $natent['fpm_split_any_any'] = 'off'; } + if ($_POST['fpm_search_optimize'] == "on") { $natent['fpm_search_optimize'] = 'on'; }else{ $natent['fpm_search_optimize'] = 'off'; } + if ($_POST['fpm_no_stream_inserts'] == "on") { $natent['fpm_no_stream_inserts'] = 'on'; }else{ $natent['fpm_no_stream_inserts'] = 'off'; } $if_real = snort_get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id]) { @@ -118,11 +153,28 @@ if ($_POST["Submit"]) { } else $a_rule[] = $natent; + /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') snort_stop($natent, $if_real); + + /* Save configuration changes */ write_config(); + + /* Most changes don't require a rules rebuild, so default to "off" */ + $rebuild_rules = false; + + /* Update snort.conf and snort.sh files for this interface */ sync_snort_package_config(); + /*******************************************************/ + /* Signal Snort to reload configuration if we changed */ + /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */ + /* list values. The function only signals a running */ + /* Snort instance to safely reload these parameters. */ + /*******************************************************/ + if ($snort_reload == true) + snort_reload_config($natent, "SIGHUP"); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); 
@@ -143,29 +195,6 @@ include_once("head.inc"); <?php include("fbegin.inc"); ?> -<script language="JavaScript"> -<!-- - -function enable_blockoffenders() { - var endis = !(document.iform.blockoffenders7.checked); - document.iform.blockoffenderskill.disabled=endis; - document.iform.blockoffendersip.disabled=endis; -} - -function enable_change(enable_change) { - endis = !(document.iform.enable.checked || enable_change); - // make shure a default answer is called if this is envoked. - endis2 = (document.iform.enable); - document.iform.performance.disabled = endis; - document.iform.blockoffenders7.disabled = endis; - document.iform.alertsystemlog.disabled = endis; - document.iform.externallistname.disabled = endis; - document.iform.homelistname.disabled = endis; - document.iform.suppresslistname.disabled = endis; - document.iform.configpassthru.disabled = endis; -} -//--> -</script> <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <?php 
@@ -181,21 +210,33 @@ function enable_change(enable_change) { <form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td class="tabnavtbl"> +<tr><td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), true, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td class="tabnavtbl">'; + $tab_array = array(); + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array[] = array($menu_iface . 
gettext("Settings"), true, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> </td></tr> -<tr><td class="tabcont"> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> +<tr><td><div id="mainarea"> +<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> </tr> 
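Review bot: `$menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");` reads `$if_friendly`, which nothing in the visible part of snort_interfaces_edit.php assigns, so unless it is set before this hunk the tab labels will always fall back to "Iface " (and emit an undefined-variable notice). The value is available from the current entry, as the interfaces page already does: `$if_friendly = snort_get_friendly_interface($pconfig['interface']);` before building the second tab row. For consistency with the rest of the file the expression should also be spaced as `$menu_iface = ($if_friendly ? substr($if_friendly, 0, 5) . " " : "Iface ");`, and since the first tab row here is identical to the one in snort_interfaces.php, the two are candidates for a shared helper.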
@@ -215,112 +256,41 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Interface"); ?></td> <td width="78%" class="vtable"> - <select name="interface" class="formselect"> + <select name="interface" class="formselect" tabindex="0"> <?php - if (function_exists('get_configured_interface_with_descr')) - $interfaces = get_configured_interface_with_descr(); - else { - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { - $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; - } - } foreach ($interfaces as $iface => $ifacename): ?> <option value="<?=$iface;?>" - <?php if ($iface == $pconfig['interface']) echo "selected"; ?>><?=htmlspecialchars($ifacename);?> + <?php if ($iface == $pconfig['interface']) echo " selected"; ?>><?=htmlspecialchars($ifacename);?> </option> - <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Choose which interface this rule applies to."); ?><br/> - <b><?php echo gettext("Hint:"); ?> </b><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/><br/></td> + <?php endforeach; ?> + </select> + <span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td> <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld" id="descr" size="40" - value="<?=htmlspecialchars($pconfig['descr']);?>"> <br/> - <span class="vexpl"><?php echo gettext("You may enter a description here for your " . 
- "reference (not parsed)."); ?></span><br/><br/></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Performance"); ?></td> - <td width="78%" class="vtable"> - <select name="performance" class="formselect" id="performance"> - <?php - $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); - foreach ($interfaces2 as $iface2 => $ifacename2): ?> - <option value="<?=$iface2;?>" - <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> - <?=htmlspecialchars($ifacename2);?></option> - <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Lowmem and ac-bnfa are recommended for low end " . - "systems, Ac: high memory, best performance, ac-std: moderate " . - "memory,high performance, acs: small memory, moderateperformance, " . - "ac-banded: small memory,moderate performance, ac-sparsebands: small " . - "memory, high performance."); ?> - </span><br/></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose the networks " . - "snort should inspect and whitelist."); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Home net"); ?></td> - <td width="78%" class="vtable"> - <select name="homelistname" class="formselect" id="homelistname"> - <?php - echo "<option value='default' >default</option>"; - /* find whitelist names and filter by type */ - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - $ilistname = $value['name']; - if ($ilistname == $pconfig['homelistname']) - echo "<option value='$ilistname' selected>"; - else - echo "<option value='$ilistname'>"; - echo htmlspecialchars($ilistname) . '</option>'; - } - } - ?> - </select><br/> - <span class="vexpl"><?php echo gettext("Choose the home net you will like this rule to " . 
- "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default home " . - "net adds only local networks."); ?><br> - <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users add a list of " . - "friendly ips that the firewall cant see."); ?><br/></td> + class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> + <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> </tr> +<tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> +</tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("External net"); ?></td> - <td width="78%" class="vtable"> - <select name="externallistname" class="formselect" id="externallistname"> - <?php - echo "<option value='default' >default</option>"; - /* find whitelist names and filter by type */ - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - $ilistname = $value['name']; - if ($ilistname == $pconfig['externallistname']) - echo "<option value='$ilistname' selected>"; - else - echo "<option value='$ilistname'>"; - echo htmlspecialchars($ilistname) . '</option>'; - } - } - ?> - </select><br/> - <span class="vexpl"><?php echo gettext("Choose the external net you will like this rule " . - "to use."); ?> </span> <br/><span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " . - "external net, networks that are not home net."); ?><br/> - <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users should leave this " . - "setting at default."); ?><br/></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " . 
+ "System logs"); ?></td> + <td width="78%" class="vtable"><input name="alertsystemlog" + type="checkbox" value="on" + <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> + onClick="enable_change(false)"> + <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Block offenders"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> - onClick="enable_blockoffenders()"><br> + onClick="enable_blockoffenders()"> <?php echo gettext("Checking this option will automatically block hosts that generate a " . "Snort alert."); ?></td> </tr> @@ -328,11 +298,11 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> - <br/<?php echo gettext("Should firewall states be killed for the blocked ip"); ?>> + <?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Which ip to block"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td> <td width="78%" class="vtable"> <select name="blockoffendersip" class="formselect" id="blockoffendersip"> <?php 
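Review bot: The new "Send alerts to main System logs" checkbox carries `onClick="enable_change(false)"`, and the Block offenders checkbox keeps `onClick="enable_blockoffenders()"`, but the `@@ -143,29 +195,6 @@` hunk earlier in this file deletes both JavaScript functions; unless they are re-added further down the page (outside this chunk), clicking either box throws a ReferenceError and the dependent fields are never toggled. Either restore the two functions near the bottom of the page where the other script now lives or drop the `onClick` attributes along with them. The `echo " selected"` change in the interface `<select>` is a correct fix for the missing space before the attribute. The form's `<tr>` rows here are inside a table that opens and closes outside the hunk.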
@@ -344,34 +314,172 @@ function enable_change(enable_change) { echo htmlspecialchars($btype) . '</option>'; } ?> + </select> + <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?> + </td> + </tr> +<tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Detection Performance Settings"); ?></td> +</tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Search Method"); ?></td> + <td width="78%" class="vtable"> + <select name="performance" class="formselect" id="performance"> + <?php + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'ac-split' => 'AC-SPLIT', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', + 'ac-nq' => 'AC-NQ', 'ac-bnfa-nq' => 'AC-BNFA-NQ', 'lowmem-nq' => 'LOWMEM-NQ', 'ac-banded' => 'AC-BANDED', + 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + foreach ($interfaces2 as $iface2 => $ifacename2): ?> + <option value="<?=$iface2;?>" + <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename2);?></option> + <?php endforeach; ?> + </select> + <?php echo gettext("Choose a fast pattern matcher algorithm. ") . "<strong>" . gettext("Default") . + "</strong>" . gettext(" is ") . "<strong>" . gettext("AC-BNFA") . "</strong>"; ?>.<br/><br/> + <span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " . + "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " . + "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," . + " AC-STD: moderate memory, high performance, ACS: small memory, moderate performance, " . 
+ "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small memory, high performance."); ?> + </span><br/></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Split ANY-ANY"); ?></td> + <td width="78%" class="vtable"> + <input name="fpm_split_any_any" id="fpm_split_any_any" type="checkbox" value="on" <?php if ($pconfig['fpm_split_any_any'] == "on") echo "checked"; ?>> + <?php echo gettext("Enable splitting of ANY-ANY port group.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + <br/><?php echo gettext("This setting is a memory/performance trade-off. It reduces memory footprint by not " . + "putting the ANY-ANY port group into every port group, but instead splits these rules off into a single port group. " . + "But doing so may require two port group evaluations per packet - one for the specific port group and one for the ANY-ANY " . + "port group, thus potentially reducing performance."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Search Optimize"); ?></td> + <td width="78%" class="vtable"> + <input name="fpm_search_optimize" id="fpm_search_optimize" type="checkbox" value="on" <?php if ($pconfig['fpm_search_optimize'] == "on" || empty($pconfig['fpm_search_optimize'])) echo "checked"; ?>> + <?php echo gettext("Enable search optimization.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> + <br/><?php echo gettext("This setting optimizes fast pattern memory when used with search-methods AC or AC-SPLIT " . + "by dynamically determining the size of a state based on the total number of states. When used with AC-BNFA, " . 
+ "some fail-state resolution will be attempted, potentially increasing performance."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Stream Inserts"); ?></td> + <td width="78%" class="vtable"> + <input name="fpm_no_stream_inserts" id="fpm_no_stream_inserts" type="checkbox" value="on" <? if ($pconfig['fpm_no_stream_inserts'] == "on") echo "checked"; ?>> + <?php echo gettext("Do not evaluate stream inserted packets against the detection engine.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + <br/><?php echo gettext("This is a potential performance improvement based on the idea the stream rebuilt packet " . + "will contain the payload in the inserted one, so the stream inserted packet does not need to be evaluated."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Checksum Check Disable"); ?></td> + <td width="78%" class="vtable"> + <input name="cksumcheck" id="cksumcheck" type="checkbox" value="on" <?php if ($pconfig['cksumcheck'] == "on") echo "checked"; ?>> + <?php echo gettext("Disable checksum checking within Snort to improve performance."); ?> + <br><span class="red"><?php echo gettext("Hint: ") . "</span>" . + gettext("Most of this is already done at the firewall/filter level, so it is usually safe to check this box."); ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose the networks " . 
+ "Snort should inspect and whitelist."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Home Net"); ?></td> + <td width="78%" class="vtable"> + + <select name="homelistname" class="formselect" id="homelistname"> + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + $ilistname = $value['name']; + if ($ilistname == $pconfig['homelistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } + } + ?> </select> - <br/><?php echo gettext("Which ip extracted from the packet you want to block"); ?> + <input type="button" class="formbtns" value="View List" + onclick="viewList('<?=$id;?>','homelistname','homenet')" id="btnHomeNet" + title="<?php echo gettext("Click to view currently selected Home Net contents"); ?>"/> + <br/> + <span class="vexpl"><?php echo gettext("Choose the Home Net you want this interface to use."); ?></span> + <br/><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default Home " . + "Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Create an Alias to hold a list of " . 
+ "friendly IPs that the firewall cannot see or to customize the default Home Net."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("External Net"); ?></td> + <td width="78%" class="vtable"> + <select name="externallistname" class="formselect" id="externallistname"> + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + $ilistname = $value['name']; + if ($ilistname == $pconfig['externallistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } + } + ?> + </select> + <span class="vexpl"><?php echo gettext("Choose the External Net you want this interface " . + "to use."); ?></span> <br/><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " . + "External Net is networks that are not Home Net."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users should leave this " . + "setting at default. Create an Alias for custom External Net settings."); ?><br/> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Whitelist"); ?></td> <td width="78%" class="vtable"> <select name="whitelistname" class="formselect" id="whitelistname"> - <?php - /* find whitelist names and filter by type, make sure to track by uuid */ - echo "<option value='default' >default</option>\n"; - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - if ($value['name'] == $pconfig['whitelistname']) - echo "<option value='{$value['name']}' selected>"; - else - echo "<option value='{$value['name']}'>"; - echo htmlspecialchars($value['name']) . 
'</option>'; + <?php + /* find whitelist names and filter by type, make sure to track by uuid */ + echo "<option value='default' >default</option>\n"; + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + if ($value['name'] == $pconfig['whitelistname']) + echo "<option value='{$value['name']}' selected>"; + else + echo "<option value='{$value['name']}'>"; + echo htmlspecialchars($value['name']) . '</option>'; + } } - } - ?> - </select><br> - <span class="vexpl"><?php echo gettext("Choose the whitelist you will like this rule to " . - "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("Default " . - "whitelist adds only local networks."); ?><br/> - <span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("This option will only be used when block offenders is on."); ?> + ?> + </select> + <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','whitelistname','whitelist')" + id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/> + <br/> + <span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " . + "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . + "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?> </td> </tr> +<tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering " . + "file if desired."); ?></td> +</tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Suppression and filtering"); ?></td> <td width="78%" class="vtable"> 
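Review bot: The `fpm_no_stream_inserts` checkbox in this hunk opens its PHP with a short tag, `<? if ($pconfig['fpm_no_stream_inserts'] == "on") echo "checked"; ?>`, while every neighbouring control uses `<?php`; with `short_open_tag` off the condition is emitted to the browser as literal text and the box is never rendered checked. The hunk also re-adds the Home Net, External Net and Whitelist selects with `echo "<option value='$ilistname' selected>"`, escaping only the visible label, so a list name containing a quote or `>` breaks out of the attribute; escape once and reuse it: `$esc = htmlspecialchars($ilistname); echo "<option value='{$esc}'" . ($ilistname == $pconfig['homelistname'] ? " selected" : "") . ">{$esc}</option>";`. The same treatment applies to `$id` in the new View List buttons, `onclick="viewList('<?=htmlspecialchars($id);?>','homelistname','homenet')"`. These controls sit inside a form whose start and end are outside the hunk.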
@@ -390,60 +498,100 @@ function enable_change(enable_change) { } } ?> - </select><br> + </select> + <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','suppresslistname', 'suppress')" + id="btnSuppressList" title="<?php echo gettext("Click to view currently selected Suppression List contents"); ?>"/> + <br/> <span class="vexpl"><?php echo gettext("Choose the suppression or filtering file you " . - "will like this rule to use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("Default " . - "option disables suppression and filtering."); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Checksum checking"); ?></td> - <td width="78%" class="vtable"> - <input name="cksumcheck" id="cksumcheck" type="checkbox" value="on" <?php if ($pconfig['cksumcheck'] == "on") echo "checked"; ?>> - <br/<?php echo gettext("If ticked checksum checking on snort will be disabled to improve performance."); ?>> - <br/<?php echo gettext("Most of this is already done on the firewall/filter level"); ?>> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " . - "lSystem logs"); ?></td> - <td width="78%" class="vtable"><input name="alertsystemlog" - type="checkbox" value="on" - <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> + "want this interface to use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note: ") . "</span>" . + gettext("Default option disables suppression and filtering."); ?> + </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Arguments here will " . 
- "be automatically inserted into the snort configuration."); ?></td> + "be automatically inserted into the Snort configuration."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration pass through"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration pass-through"); ?></td> <td width="78%" class="vtable"> - <textarea wrap="off" name="configpassthru" cols="65" rows="12" id="configpassthru"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> - + <textarea style="width:98%; height:100%;" wrap="off" name="configpassthru" cols="60" rows="8" id="configpassthru"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> </td> </tr> <tr> <td width="22%" valign="top"></td> - <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"> + <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + gettext("Click to save settings and exit"); ?>"/> + <input name="id" type="hidden" value="<?=$id;?>"/> </td> </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/> - <br> - <?php echo gettext("Please save your settings before you click start."); ?> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span></span>" . 
+ gettext("Please save your settings before you attempt to start Snort."); ?> </td> </tr> </table> +</div> </td></tr> </table> </form> <script language="JavaScript"> <!-- -enable_change(false); -enable_blockoffenders(); +function enable_blockoffenders() { + var endis = !(document.iform.blockoffenders7.checked); + document.iform.blockoffenderskill.disabled=endis; + document.iform.blockoffendersip.disabled=endis; + document.iform.whitelistname.disabled=endis; + document.iform.btnWhitelist.disabled=endis; +} + +function enable_change(enable_change) { + endis = !(document.iform.enable.checked || enable_change); + // make sure a default answer is called if this is invoked. + endis2 = (document.iform.enable); + document.iform.performance.disabled = endis; + document.iform.blockoffenders7.disabled = endis; + document.iform.blockoffendersip.disabled=endis; + document.iform.blockoffenderskill.disabled=endis; + document.iform.alertsystemlog.disabled = endis; + document.iform.externallistname.disabled = endis; + document.iform.cksumcheck.disabled = endis; + document.iform.homelistname.disabled = endis; + document.iform.whitelistname.disabled=endis; + document.iform.suppresslistname.disabled = endis; + document.iform.configpassthru.disabled = endis; + document.iform.btnHomeNet.disabled=endis; + document.iform.btnWhitelist.disabled=endis; + document.iform.btnSuppressList.disabled=endis; +} + +function wopen(url, name, w, h) { + // Fudge factors for window decoration space. + // In my tests these work well on all platforms & browsers. 
+ w += 32; + h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +function getSelectedValue(elemID) { + var ctrl = document.getElementById(elemID); + return ctrl.options[ctrl.selectedIndex].value; +} + +function viewList(id, elemID, elemType) { + if (typeof elemType == "undefined") { + elemType = "whitelist"; + } + var url = "snort_list_view.php?id=" + id + "&wlist="; + url = url + getSelectedValue(elemID) + "&type=" + elemType; + wopen(url, 'WhitelistViewer', 640, 480); +} //--> </script> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index eb371119..d28ec2b4 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php 
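Review bot: `viewList` builds the popup URL by string concatenation, so a list name containing `&`, `#` or a space (and the `id` passed in from the page) corrupts the query string; encode each component: `var url = "snort_list_view.php?id=" + encodeURIComponent(id) + "&wlist=" + encodeURIComponent(getSelectedValue(elemID)) + "&type=" + encodeURIComponent(elemType);`. In `enable_change`, `endis` and `endis2` are assigned without `var` and therefore become implicit globals, and `endis2` is never read after being set to `document.iform.enable`; declare `var endis = ...;` and drop `endis2`. The script block is complete within the hunk, but the `enable_change` name shadows its own parameter `enable_change`, which reads oddly even though it works.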
@@ -49,16 +49,29 @@ $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; +$pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime']; $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; +$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules']; + +if (empty($pconfig['snortloglimit'])) + $pconfig['snortloglimit'] = 'on'; +if (empty($pconfig['rule_update_starttime'])) + $pconfig['rule_update_starttime'] = '00:03'; + +if ($_POST['rule_update_starttime']) { + if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) + $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; +} /* if no errors move foward */ if (!$input_errors) { - if ($_POST["Submit"]) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; 
@@ -71,15 +84,23 @@ if (!$input_errors) { $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; } $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; + + /* Check and adjust format of Rule Update Starttime string to add colon and leading zero if necessary */ + $pos = strpos($_POST['rule_update_starttime'], ":"); + if ($pos === false) { + $tmp = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT); + $_POST['rule_update_starttime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2); + } + $config['installedpackages']['snortglobal']['rule_update_starttime'] = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT); $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; $retval = 0; - write_config(); - /* create whitelist and homenet file then sync files */ sync_snort_package_config(); + write_config(); + /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -112,7 +133,7 @@ if ($input_errors) <form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td class="tabnavtbl"> +<tr><td> <?php $tab_array = array(); $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); 
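Review bot: The newly stored `rm_blocked` value, like `autorulesupdate7` and `snortdownload` beside it, is copied from `$_POST` into `$config` without being checked against the keys the select offers, so any string a client submits ends up in the saved configuration; validate alongside the start-time check, e.g. `if (!empty($_POST['rm_blocked']) && !array_key_exists($_POST['rm_blocked'], $ALLOWED_RM_BLOCKED /* the array that renders the select */)) $input_errors[] = gettext("Invalid value for Remove blocked hosts.");`. The hunk also drops the `if ($_POST["Submit"])` guard around the save block; unless an enclosing `if ($_POST)` outside the hunk still gates it, the assignments from `$_POST` and the `write_config()` that follows would now run on a plain GET and overwrite the saved settings with empty values. The new error string is also the only message here not wrapped in `gettext()`, unlike the labels rendered further down the file.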
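Review bot: The final normalisation `str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT)` pads to four characters, but a value that already contains a colon is five characters when complete, so `9:30` is stored as `9:30` while `930` is stored as `09:30`; pad to 5 so both forms yield `HH:MM`: `$config['installedpackages']['snortglobal']['rule_update_starttime'] = str_pad($_POST['rule_update_starttime'], 5, "0", STR_PAD_LEFT);`. The normalisation also runs when the field is absent or empty, which the validation above skips via `if ($_POST['rule_update_starttime'])`, and an empty string becomes `"0000"` → `"00:00"` rather than the `00:03` default; since the later hunks (the Update Start Time input at L2134–L2137 and `enable_change_rules_upd` at L2138) render that input `disabled` when the interval is NEVER, and disabled controls are not submitted, every save with NEVER selected silently resets the start time. Guard with `if (!empty($_POST['rule_update_starttime'])) { ... }` and otherwise keep the existing value or the default.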
@@ -122,71 +143,91 @@ if ($input_errors) $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> <tr> - <td class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " . "Type Of Rules You Wish To Download"); ?></td> </tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Install Snort.org rules"); ?></td> +<tr> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td> <td width="78%" class="vtable"> - <table cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="off" -<?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?>> - <?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></td> + <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" + <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> + <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> </tr> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="on" - <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>> <?php echo gettext("Install " . 
- "Basic Rules or Premium rules"); ?> <br> - <a - href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a " . - "Basic Rule Account"); ?></a><br> - <a - href="http://www.snort.org/vrt/buy-a-subscription" - target="_blank"><?php echo gettext("Sign Up for Sourcefire VRT Certified Premium " . - "Rules. This Is Highly Recommended"); ?></a></td> - </tr> + <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> + <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> <tr> <td> </td> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> + <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="optsect_t2"><?php echo gettext("Oinkmaster code"); ?></td> + <td colspan="2"> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> - <td class="vncell" valign="top"><?php echo gettext("Code"); ?></td> - <td class="vtable"><input name="oinkmastercode" type="text" + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?></strong></span></td> + <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" - value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> - <?php echo gettext("Obtain a snort.org Oinkmaster code and paste here."); ?></td> - + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" + <?php 
if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> + </tr> </table> - </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmergingthreats%s " . + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . "rules"), '<strong>' , '</strong>'); ?></td> - <td width="78%" class="vtable"><input name="emergingthreats" - type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Emerging Threats is an open source community that produces fastest " . - "moving and diverse Snort Rules."); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> + <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . + "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> + <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td> + </tr> + </table></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " . 
+ "rules"), '<strong>' , '</strong>'); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> + <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . + "moving and diverse Snort Rules."); ?></span></td> + </tr> + </table> + </td> +</tr> + +<tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Update rules " . - "automatically"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Update Interval"); ?></td> <td width="78%" class="vtable"> - <select name="autorulesupdate7" class="formselect" id="autorulesupdate7"> + <select name="autorulesupdate7" class="formselect" id="autorulesupdate7" onchange="enable_change_rules_upd()"> <?php $interfaces3 = array('never_up' => gettext('NEVER'), '6h_up' => gettext('6 HOURS'), '12h_up' => gettext('12 HOURS'), '1d_up' => gettext('1 DAY'), '4d_up' => gettext('4 DAYS'), '7d_up' => gettext('7 DAYS'), '28d_up' => gettext('28 DAYS')); foreach ($interfaces3 as $iface3 => $ifacename3): ?> 
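Review bot: The Oinkmaster code input is now rendered `disabled` when `snortdownload` is not `on`; disabled controls are not included in the form submission, so saving the page with VRT rules switched off sends no `oinkmastercode` and the save code earlier in the file (`$config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];`) clears a code the user may want to keep. Either keep the field enabled and only visually de-emphasise it, or preserve the stored value when the key is absent: `if (isset($_POST['oinkmastercode'])) $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];`. The new Snort Community checkbox reads `$config[...]['snortcommunityrules']` directly even though `$pconfig['snortcommunityrules']` is populated for exactly this purpose, so a failed validation redisplays the saved value rather than what was submitted. Minor: `if($pconfig['snortdownload']<>'on')` should use `!=` like the rest of the file, and the subscription link still points at a plain `http://` URL.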
@@ -194,55 +235,55 @@ if ($input_errors) <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the update times for rules."); ?><br> - <?php echo gettext("Hint: in most cases, every 12 hours is a good choice."); ?></span></td> + </select><span class="vexpl"> <?php echo gettext("Please select the interval for rule updates. Choosing ") . + "<strong>" . gettext("NEVER") . "</strong>" . gettext(" disables auto-updates."); ?><br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Hint: ") . "</strong></span>" . gettext("in most cases, every 12 hours is a good choice."); ?></span></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td> + <td width="78%" class="vtable"><input type="text" class="formfld" name="rule_update_starttime" id="rule_update_starttime" size="4" + maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl"> + <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" . + gettext("Default") . " </strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/> + <?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " . + "start time of 00:03 and choosing 12 Hours for the interval, the rules will update at 00:03 and 12:03 each day."); ?></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> </tr> - <tr> <?php $snortlogCurrentDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') / 1024); ?> <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Directory Size " . 
"Limit"); ?><br/> <br/> <br/> - <span class="red"><strong><?php echo gettext("Note"); ?></span>:</strong><br> - <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>MB</strong></td> + <span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/> + <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?> MB</strong></td> <td width="78%" class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td colspan="2"><input name="snortloglimit" type="radio" - id="snortloglimit" value="on" -<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>> - <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</td> - </tr> - <tr> - <td colspan="2"><input name="snortloglimit" type="radio" - id="snortloglimit" value="off" -<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <strong><?php echo gettext("Disable"); ?></strong> - <?php echo gettext("directory size limit"); ?><br> - <br> - <span class="red"><strong><?php echo gettext("Warning"); ?></span>:</strong> <?php echo gettext("Nanobsd " . 
- "should use no more than 10MB of space."); ?></td> - </tr> - <tr> - <td> </td> - </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vncell3"><?php echo gettext("Size in"); ?> <strong>MB</strong></td> - <td class="vtable"><input name="snortloglimitsize" type="text" - class="formfld" id="snortloglimitsize" size="7" - value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> - <?php echo gettext("Default is"); ?> <strong>20%</strong> <?php echo gettext("of available space."); ?></td> - - </table> - + <table cellpadding="0" cellspacing="0"> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="on" + <?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>><span class="vexpl"> + <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td> + </tr> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off" + <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong> + <?php echo gettext("directory size limit"); ?></span><br> + <br> + <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " . + "should use no more than 10MB of space."); ?></td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td> + <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td> + </tr> + </table> + </td> </tr> - <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " . 
"every"); ?></td> @@ -255,10 +296,9 @@ if ($input_errors) <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the amount of time you would like " . - "hosts to be blocked for."); ?><br> - <?php echo gettext("Hint: in most cases, 1 hour is a good choice."); ?></span></td> + </select> + <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/> + <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " . @@ -266,8 +306,7 @@ if ($input_errors) <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Settings will not be removed during deinstall."); ?></td> + > <?php echo gettext("Settings will not be removed during deinstall."); ?></td> </tr> <tr> <td width="22%" valign="top"> 
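Review bot: The new Update Start Time input echoes `value="<?=$pconfig['rule_update_starttime'];?>"` without escaping, whereas `snortloglimitsize` two rows below uses `htmlspecialchars`; the value comes from the saved configuration rather than the request, but it should still be `value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>"` so a hand-edited config cannot break the attribute. This hunk also deletes the `<tr>` that opened the Log Directory Size Limit row and the one that opened the Remove blocked hosts row while leaving their closing `</tr>` tags in place, so the `<td>` elements now follow `</tr>` directly; unless a `<tr>` is supplied by a line not shown, those two rows should get their opening tags back. The table these rows belong to starts and ends outside the hunk.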
@@ -279,13 +318,36 @@ if ($input_errors) <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br> </strong></span> <?php echo gettext("Changing any settings on this page will affect all " . - "interfaces. Please, double check if your oink code is correct and " . - "the type of snort.org account you hold."); ?></span></td> + "interfaces. Double check that your oink code is correct, and verify the " . + "type of Snort.org account you hold."); ?></span></td> </tr> </table> +</div><br/> </td></tr> </table> </form> <?php include("fend.inc"); ?> + +<script language="JavaScript"> +<!-- +function enable_snort_vrt(btn) { + if (btn == 'off') { + document.iform.oinkmastercode.disabled = "true"; + } + if (btn == 'on') { + document.iform.oinkmastercode.disabled = ""; + } +} + +function enable_change_rules_upd() { + if (document.iform.autorulesupdate7.selectedIndex == 0) + document.iform.rule_update_starttime.disabled="true"; + else + document.iform.rule_update_starttime.disabled=""; +} + +//--> +</script> + </body> </html> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 93d3f2dc..780a6e92 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php 
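Review bot: The new enable_snort_vrt() and enable_change_rules_upd() set the `disabled` property to the strings `"true"` and `""`, which only works because of string truthiness; assigning the boolean directly reads clearer and removes the two if branches: `document.iform.oinkmastercode.disabled = (btn == 'off');` and `document.iform.rule_update_starttime.disabled = (document.iform.autorulesupdate7.selectedIndex == 0);`. Note that the original enable_snort_vrt() silently does nothing for a value other than 'on' or 'off', which the boolean form would change, so confirm no caller passes a third value. The `language="JavaScript"` attribute on the script tag is deprecated; `type="text/javascript"` is the replacement.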
@@ -79,12 +79,13 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> </td> </tr> -<tr><td class="tabcont"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td><div id="mainarea"> +<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="30%" class="listhdrr"><?php echo gettext("File Name"); ?></td> <td width="60%" class="listhdr"><?php echo gettext("Description"); ?></td> @@ -97,7 +98,7 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} <?=htmlspecialchars($list['name']);?></td> <td class="listbg" ondblclick="document.location='snort_interfaces_suppress_edit.php?id=<?=$i;?>';"> - <font color="#FFFFFF"> <?=htmlspecialchars($list['descr']);?> + <font color="#FFFFFF"> <?=htmlspecialchars($list['descr']);?> </font> </td> <td valign="middle" nowrap class="list"> 
@@ -132,13 +133,14 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} </td> </tr> </table> +</div> </td></tr> <tr> - <td colspan="3" width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <p><span class="vexpl"><?php echo gettext("Here you can create event filtering and " . - "suppression for your snort package rules."); ?><br> - <?php echo gettext("Please note that you must restart a running rule so that changes can " . - "take effect."); ?></span></p></td> + <td colspan="3" width="100%"><br/><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> + <p><?php echo gettext("Here you can create event filtering and " . + "suppression for your snort package rules."); ?><br/><br/> + <?php echo gettext("Please note that you must restart a running Interface so that changes can " . + "take effect."); ?></p></span></td> </tr> </table> </form> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 782b9784..1eb16260 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -52,13 +52,12 @@ $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - /* returns true if $name is a valid name for a whitelist file name or ip */ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; 
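Review bot: The widened character class in is_validwhitelistname() still lets `.` and `/` through, so a name containing path separators or `..` segments is reported as valid even though the error text in the next hunk promises only a-z, A-Z, 0-9 and _. The `.` and `/` look intended for the "or ip" case named in the function comment, but this page validates a file name, so a file-name-only pattern, `if (!preg_match("/[^a-zA-Z0-9_]/", $name))`, or a separate rejection of `/` and `..` before the name is used as a file name, is needed. The same one-character change is made to the copy of this function in snort_interfaces_whitelist_edit.php later in this diff, and this note applies there too; keeping one shared implementation in snort.inc would avoid the two copies drifting.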
@@ -70,8 +69,10 @@ if (isset($id) && $a_suppress[$id]) { $pconfig['name'] = $a_suppress[$id]['name']; $pconfig['uuid'] = $a_suppress[$id]['uuid']; $pconfig['descr'] = $a_suppress[$id]['descr']; - if (!empty($a_suppress[$id]['suppresspassthru'])); + if (!empty($a_suppress[$id]['suppresspassthru'])) { $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); + $pconfig['suppresspassthru'] = str_replace("​", "", $pconfig['suppresspassthru']); + } if (empty($a_suppress[$id]['uuid'])) $pconfig['uuid'] = uniqid(); } @@ -88,7 +89,7 @@ if ($_POST['submit']) { $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + $input_errors[] = "Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."; /* check for name conflicts */ foreach ($a_suppress as $s_list) { @@ -107,8 +108,10 @@ if ($_POST['submit']) { $s_list['name'] = $_POST['name']; $s_list['uuid'] = uniqid(); $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - if ($_POST['suppresspassthru']) + if ($_POST['suppresspassthru']) { + $s_list['suppresspassthru'] = str_replace("​", "", $s_list['suppresspassthru']); $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); + } if (isset($id) && $a_suppress[$id]) $a_suppress[$id] = $s_list; 
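Review bot: The added `$s_list['suppresspassthru'] = str_replace("​", "", $s_list['suppresspassthru']);` runs before `$s_list['suppresspassthru']` is assigned on the following line, so it operates on an unset index and its result is then overwritten by `base64_encode($_POST['suppresspassthru'])`; the replace must target the POST value, e.g. `$s_list['suppresspassthru'] = base64_encode(str_replace("​", "", $_POST['suppresspassthru']));`. The needle renders as an empty string on this page; if it is meant to be a zero-width character it should be written as an explicit escape (for U+200B in UTF-8, `"\xE2\x80\x8B"`) with a comment, so the intent survives copy/paste and editor normalisation. The same needle is used in the load path earlier in this hunk and should come from one shared constant.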
@@ -141,70 +144,75 @@ if ($savemsg) ?> <form action="/snort/snort_interfaces_suppress_edit.php" name="iform" id="iform" method="post"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td class="tabcont"> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=/snort/snort_sync.xml"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr><td><div id="mainarea"> +<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" class="listtopic">Add the name and description of the file.</td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td> - <td width="78%" class="vtable"><input name="name" type="text" id="name" + <td width="78%" class="vtable"><input name="name" type="text" id="name" class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . 
- "characters a-z, A-Z and 0-9."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> - <?php echo gettext("No Spaces."); ?> </span></td> + "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> + <?php echo gettext("No Spaces or dashes."); ?> </span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> - <td width="78%" class="vtable"><input name="descr" type="text" + <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unkown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> <span class="vexpl"> <?php echo gettext("You may enter a description here for your " . "reference (not parsed)."); ?> </span></td> </tr> <tr> - <td colspan="2"> - <div style='background-color: #E0E0E0' id='redbox'> - <table width='100%'> - <tr> - <td width='8%'> </td> - <td width='70%'><font size="2" color='#FF850A'><b><?php echo gettext("NOTE:"); ?></b></font> - <font color='#000000'> <?php echo gettext("The threshold keyword " . + <td colspan="2" align="center" height="30px"> + <font size="2"><span class="red"><strong><?php echo gettext("NOTE:"); ?></strong></span></font> + <font color='#000000'> <?php echo gettext("The threshold keyword " . "is deprecated as of version 2.8.5. Use the event_filter keyword " . - "instead."); ?></font></td> - </tr> - </table> - </div> + "instead."); ?></font> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Apply suppression or " . - "filters to rules. Valid keywords are 'suppress', 'event_filter' and " . - "'rate_filter'."); ?></td> + "filters to rules. 
Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."); ?></td> </tr> <tr> <td colspan="2" valign="top" class="vncell"><b><?php echo gettext("Example 1;"); ?></b> - suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54<br> + suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54<br/> <b><?php echo gettext("Example 2;"); ?></b> event_filter gen_id 1, sig_id 1851, type limit, - track by_src, count 1, seconds 60<br> + track by_src, count 1, seconds 60<br/> <b><?php echo gettext("Example 3;"); ?></b> rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action log, timeout 10</td> </tr> <tr> - <td width="10%" class="vncell"> <?php echo gettext("Advanced pass through"); ?></td> - <td width="100%" class="vtable"><textarea wrap="off" - name="suppresspassthru" cols="90" rows="28" id="suppresspassthru" class="formpre"><?=htmlspecialchars($pconfig['suppresspassthru']);?></textarea> + <td colspan="2" class="vtable"><textarea wrap="off" style="width:100%; height:100%;" + name="suppresspassthru" cols="90" rows="26" id="suppresspassthru" class="formpre"><?=htmlspecialchars($pconfig['suppresspassthru']);?></textarea> </td> </tr> <tr> - <td width="22%"> </td> - <td width="78%"><input id="submit" name="submit" type="submit" - class="formbtn" value="Save" /> <input id="cancelbutton" - name="cancelbutton" type="button" class="formbtn" value="Cancel" - onclick="history.back()" /> <?php if (isset($id) && $a_suppress[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>" /> <?php endif; ?> + <td colspan="2"><input id="submit" name="submit" type="submit" + class="formbtn" value="Save" /> <input id="cancelbutton" + name="cancelbutton" type="button" class="formbtn" value="Cancel" + onclick="history.back();"/> <?php if (isset($id) && $a_suppress[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"/> <?php endif; ?> </td> </tr> </table> +</div> </td></tr> </table> </form> 
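Review bot: The Sync tab added in this hunk links to `/pkg_edit.php?xml=/snort/snort_sync.xml`, with a leading slash on the xml parameter, while the same tab added to snort_interfaces_suppress.php, snort_interfaces_whitelist.php and snort_interfaces_whitelist_edit.php in this diff uses `xml=snort/snort_sync.xml`; presumably only one of the two forms resolves, so align this one: `$tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");`. The eight-entry tab array is now duplicated verbatim across these pages; a helper in snort.inc that takes the active tab name would keep them from drifting further.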
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index f90cbe1f..ab22103e 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -85,13 +85,14 @@ if ($savemsg) print_info_box($savemsg); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> </td> </tr> <tr> - <td class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td width="20%" class="listhdrr">File Name</td> <td width="40%" class="listhdrr">Values</td> 
@@ -150,19 +151,25 @@ if ($savemsg) print_info_box($savemsg); </td> </tr> </table> + </div> </td> </tr> </table> <br> -<table width="100%" border="0" cellpadding="0" - cellspacing="0"> +<table width="100%" border="0" cellpadding="1" + cellspacing="1"> + <tr> <td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <p><span class="vexpl"><?php echo gettext("Here you can create whitelist files for your " . + <p><?php echo gettext("Here you can create whitelist files for your " . "snort package rules."); ?><br> <?php echo gettext("Please add all the ips or networks you want to protect against snort " . "block decisions."); ?><br> <?php echo gettext("Remember that the default whitelist only includes local networks."); ?><br> - <?php echo gettext("Be careful, it is very easy to get locked out of you system."); ?></span></p></td> + <?php echo gettext("Be careful, it is very easy to get locked out of your system."); ?></p></span></td> + </tr> + <tr> + <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td> + </tr> </table> </form> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 378530ba..fc157375 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -66,7 +66,7 @@ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; 
@@ -80,6 +80,7 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['detail'] = $a_whitelist[$id]['detail']; $pconfig['address'] = $a_whitelist[$id]['address']; $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['localnets'] = $a_whitelist[$id]['localnets']; $pconfig['wanips'] = $a_whitelist[$id]['wanips']; $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; @@ -102,7 +103,7 @@ if ($_POST['submit']) { $input_errors[] = gettext("Whitelist file names may not be named defaultwhitelist."); if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = gettext("Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."); + $input_errors[] = gettext("Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); /* check for name conflicts */ foreach ($a_whitelist as $w_list) { @@ -124,6 +125,7 @@ if ($_POST['submit']) { /* post user input */ $w_list['name'] = $_POST['name']; $w_list['uuid'] = $whitelist_uuid; + $w_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; 
@@ -168,8 +170,23 @@ if ($savemsg) </script> <form action="snort_interfaces_whitelist_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td class="tabcont"> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); +?> + </td> +</tr> +<tr><td><div id="mainarea"> +<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add the name and " . "description of the file."); ?></td> 
@@ -179,8 +196,8 @@ if ($savemsg) <td class="vtable"><input name="name" type="text" id="name" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . - "characters a-z, A-Z and 0-9."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> - <?php echo gettext("No Spaces."); ?> </span></td> + "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> + <?php echo gettext("No Spaces or dashes."); ?> </span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> 
@@ -190,24 +207,33 @@ if ($savemsg) "reference (not parsed)."); ?> </span></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add auto generated ips."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add auto-generated IP Addresses."); ?></td> + </tr> + + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Local Networks"); ?></td> + <td width="78%" class="vtable"><input name="localnets" type="checkbox" + id="localnets" size="40" value="yes" + <?php if($pconfig['localnets'] == 'yes'){ echo "checked";} if($pconfig['localnets'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> <?php echo gettext("Add firewall Local Networks to the list (excluding WAN)."); ?> </span></td> </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN IPs"); ?></td> <td width="78%" class="vtable"><input name="wanips" type="checkbox" id="wanips" size="40" value="yes" <?php if($pconfig['wanips'] == 'yes'){ echo "checked";} if($pconfig['wanips'] == ''){ echo "checked";} ?> /> - <span class="vexpl"> <?php echo gettext("Add WAN IPs to the list."); ?> </span></td> + <span class="vexpl"> <?php echo gettext("Add WAN interface IPs to the list."); ?> </span></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Wan Gateways"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN Gateways"); ?></td> <td width="78%" class="vtable"><input name="wangateips" type="checkbox" id="wangateips" size="40" value="yes" <?php if($pconfig['wangateips'] == 'yes'){ echo "checked";} if($pconfig['wangateips'] == ''){ echo "checked";} ?> /> <span class="vexpl"> <?php echo gettext("Add WAN Gateways to the list."); ?> </span></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Wan DNS servers"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN DNS servers"); ?></td> <td width="78%" class="vtable"><input 
name="wandnsips" type="checkbox" id="wandnsips" size="40" value="yes" <?php if($pconfig['wandnsips'] == 'yes'){ echo "checked";} if($pconfig['wandnsips'] == ''){ echo "checked";} ?> /> @@ -228,11 +254,11 @@ if ($savemsg) <span class="vexpl"> <?php echo gettext("Add VPN Addresses to the list."); ?> </span></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add your own custom ips."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add custom IP Addresses from configured Aliases."); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"> - <div id="addressnetworkport"><?php echo gettext("Alias of IP's"); ?></div> + <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> @@ -247,6 +273,7 @@ if ($savemsg) </td> </tr> </table> +</div> </td></tr> </table> </form> diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php new file mode 100644 index 00000000..856367ef --- /dev/null +++ b/config/snort/snort_list_view.php 
@@ -0,0 +1,107 @@ +<?php +/* + * snort_list_view.php + * + * Copyright (C) 2004, 2005 Scott Ullrich + * Copyright (C) 2011 Ermal Luci + * All rights reserved. + * + * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + * Copyright (C) 2006-2009 Volker Theile + * + * Adapted for Pfsense Snort package by Robert Zelaya + * Copyright (C) 2008-2009 Robert Zelaya + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $config; + +$contents = ''; + +$id = $_GET['id']; +$wlist = $_GET['wlist']; +$type = $_GET['type']; + +if (isset($id) && isset($wlist)) { + $a_rule = $config['installedpackages']['snortglobal']['rule'][$id]; + if ($type == "homenet") { + $list = snort_build_list($a_rule, $wlist); + $contents = implode("\n", $list); + } + elseif ($type == "whitelist") { + $list = snort_build_list($a_rule, $wlist, true); + $contents = implode("\n", $list); + } + elseif ($type == "suppress") { + $list = snort_find_list($wlist, $type); + $contents = str_replace("\r", "", base64_decode($list['suppresspassthru'])); + } + else + $contents = gettext("\n\nERROR -- Requested List Type entity is not valid!"); +} +else + $contents = gettext("\n\nERROR -- Supplied interface or List entity is not valid!"); + +$pgtitle = array(gettext("Snort"), gettext(ucfirst($type) . " Viewer")); +?> + +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php // include("fbegin.inc");?> + +<form action="snort_whitelist_view.php" method="post"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"> + <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> + <tr> + <td class="pgtitle" colspan="2">Snort: <?php echo gettext(ucfirst($type) . " Viewer"); ?></td> + </tr> + <tr> + <td align="left" width="20%"> + <input type="button" class="formbtn" value="Return" onclick="window.close()"> + </td> + <td align="right"> + <b><?php echo gettext(ucfirst($type) . ": ") . '</b> ' . $_GET['wlist']; ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="label"> + <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. 
--> + <textarea style="width:100%; height:100%;" readonly wrap="off" rows="25" cols="80" name="code2"><?=$contents;?></textarea> + </div> + </td> + </tr> + </table> + </td> +</tr> +</table> +</form> +<?php // include("fend.inc");?> +</body> +</html> diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php new file mode 100644 index 00000000..4fc8d990 --- /dev/null +++ b/config/snort/snort_log_view.php 
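Review bot: `$_GET['wlist']` is written into the title cell unescaped (`'</b> ' . $_GET['wlist']`), and `$type` reaches `$pgtitle` and the `pgtitle` cell through `gettext(ucfirst($type) . " Viewer")` unescaped as well, so a crafted link reflects arbitrary markup to whoever opens it; both need `htmlspecialchars()`, and `$type` should be checked against the three accepted values (`homenet`, `whitelist`, `suppress`) before it is used in output, not only in the branch chain. `$contents` is emitted as `<?=$contents;?>`, so a list containing `</textarea>` escapes the control; `<?=htmlspecialchars($contents);?>` fixes that. `$a_rule` is taken from `$config['installedpackages']['snortglobal']['rule'][$id]` with no check that the entry exists, so an unknown id hands a null rule to snort_build_list(). Unrelated to the above, the form action is `snort_whitelist_view.php` while the file is snort_list_view.php, presumably a leftover from an earlier name.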
@@ -0,0 +1,89 @@
+<?php
+/*
+ * snort_log_view.php
+ *
+ * Copyright (C) 2004, 2005 Scott Ullrich
+ * Copyright (C) 2011 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
+ * Copyright (C) 2006-2009 Volker Theile
+ *
+ * Adapted for Pfsense Snort package by Robert Zelaya
+ * Copyright (C) 2008-2009 Robert Zelaya
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+$contents = '';
+
+// Read the contents of the argument passed to us.
+// Is it a fully qualified path and file?
+if (file_exists($_GET['logfile']))
+ $contents = file_get_contents($_GET['logfile']);
+// It is not something we can display, so print an error.
+else
+ $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
+
+$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
+?>
+
+<?php include("head.inc");?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php // include("fbegin.inc");?>
+
+<form action="snort_log_view.php" method="post">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont">
+ <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee">
+ <tr>
+ <td class="pgtitle" colspan="2">Snort: Log File Viewer</td>
+ </tr>
+ <tr>
+ <td align="left" width="20%">
+ <input type="button" class="formbtn" value="Return" onclick="window.close()">
+ </td>
+ <td align="right">
+ <b><?php echo gettext("Log File: ") . '</b> ' . $_GET['logfile']; ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="label">
+ <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
+ <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=$contents;?></textarea>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </td>
+</tr>
+</table>
+</form>
+<?php // include("fend.inc");?>
+</body>
+</html>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index d59af640..3f88efaa 100644..100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
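Review bot: `$_GET['logfile']` goes unchanged into `file_exists()` and `file_get_contents()`, so this viewer returns any file the web server process can read rather than only Snort logs (and `file_exists()` is also true for directories), while the same value is echoed unescaped in the `<b>` cell and, via the `ERROR -- File:` message, into the textarea. The path should be resolved with `realpath()` and accepted only when it is a regular file under the Snort log directory (`SNORTLOGDIR`, which snort_preprocessors.php in this same diff reads after including snort.inc), and both the reflected value and `$contents` should pass through `htmlspecialchars()` at output. The rewritten selection block and the two output lines follow.
```php
$contents = '';

// Only serve a regular file that resolves to a path inside the Snort log
// directory; anything else (missing, a directory, or outside it) is an error.
$logdir = realpath(SNORTLOGDIR);
$logfile = isset($_GET['logfile']) ? realpath($_GET['logfile']) : false;
if ($logdir !== false && $logfile !== false && is_file($logfile)
    && strpos($logfile, $logdir . '/') === 0)
	$contents = file_get_contents($logfile);
else
	$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
// … unchanged: $pgtitle, head.inc include, page markup up to the title cell …
<b><?php echo gettext("Log File: ") . '</b> ' . htmlspecialchars($_GET['logfile']); ?>
<!-- … unchanged: surrounding cells … -->
<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=htmlspecialchars($contents);?></textarea>
```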
@@ -34,7 +34,13 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; +$snortlogdir = SNORTLOGDIR; + +if (!is_array($config['installedpackages']['snortglobal'])) { + $config['installedpackages']['snortglobal'] = array(); +} +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); 
@@ -53,37 +59,266 @@ $pconfig = array();
 if (isset($id) && $a_nat[$id]) {
 $pconfig = $a_nat[$id];
- /* new options */
+ /* Get current values from config for page form fields */
 $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
- $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
+ $pconfig['host_attribute_table'] = $a_nat[$id]['host_attribute_table'];
+ $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data'];
+ $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts'];
+ $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host'];
+ $pconfig['max_paf'] = $a_nat[$id]['max_paf'];
+ $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
+ $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
+ $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
+ $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly'];
+ $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs'];
+ $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp'];
+ $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp'];
+ $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp'];
 $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
 $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
+ $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit'];
+ $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy'];
+ $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap'];
+ $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout'];
+ $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout'];
+ $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout'];
+ $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async'];
+ $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts'];
 $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
+ $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap'];
+ $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff'];
+ $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri'];
+ $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname'];
+ $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect'];
 $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
 $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
 $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
 $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
+ $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol'];
+ $pconfig['pscan_type'] = $a_nat[$id]['pscan_type'];
+ $pconfig['pscan_sense_level'] = $a_nat[$id]['pscan_sense_level'];
+ $pconfig['pscan_memcap'] = $a_nat[$id]['pscan_memcap'];
+ $pconfig['pscan_ignore_scanners'] = $a_nat[$id]['pscan_ignore_scanners'];
 $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
 $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
 $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
 $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
 $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
 $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
+ $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc'];
+ $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
+ $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
+ $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
+ $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
+ $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
+ $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection'];
+ $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit'];
+ $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len'];
+ $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy'];
+ $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags'];
+ $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap'];
+ $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout'];
+
+ /* If not using the Snort VRT rules, then disable */
+ /* the Sensitive Data (sdf) preprocessor. */
+ if ($vrt_enabled == "off")
+ $pconfig['sensitive_data'] = "off";
+
+ /************************************************************/
+ /* To keep new users from shooting themselves in the foot */
+ /* enable the most common required preprocessors by default */
+ /* and set reasonable values for any options. */
+ /************************************************************/
+ if (empty($pconfig['max_attribute_hosts']))
+ $pconfig['max_attribute_hosts'] = '10000';
+ if (empty($pconfig['max_attribute_services_per_host']))
+ $pconfig['max_attribute_services_per_host'] = '10';
+ if (empty($pconfig['max_paf']))
+ $pconfig['max_paf'] = '16000';
+ if (empty($pconfig['ftp_preprocessor']))
+ $pconfig['ftp_preprocessor'] = 'on';
+ if (empty($pconfig['smtp_preprocessor']))
+ $pconfig['smtp_preprocessor'] = 'on';
+ if (empty($pconfig['dce_rpc_2']))
+ $pconfig['dce_rpc_2'] = 'on';
+ if (empty($pconfig['dns_preprocessor']))
+ $pconfig['dns_preprocessor'] = 'on';
+ if (empty($pconfig['ssl_preproc']))
+ $pconfig['ssl_preproc'] = 'on';
+ if (empty($pconfig['pop_preproc']))
+ $pconfig['pop_preproc'] = 'on';
+ if (empty($pconfig['imap_preproc']))
+ $pconfig['imap_preproc'] = 'on';
+ if (empty($pconfig['sip_preproc']))
+ $pconfig['sip_preproc'] = 'on';
+ if (empty($pconfig['other_preprocs']))
+ $pconfig['other_preprocs'] = 'on';
+ if (empty($pconfig['http_inspect_memcap']))
+ $pconfig['http_inspect_memcap'] = "150994944";
+ if (empty($pconfig['frag3_overlap_limit']))
+ $pconfig['frag3_overlap_limit'] = '0';
+ if (empty($pconfig['frag3_min_frag_len']))
+ $pconfig['frag3_min_frag_len'] = '0';
+ if (empty($pconfig['frag3_max_frags']))
+ $pconfig['frag3_max_frags'] = '8192';
+ if (empty($pconfig['frag3_policy']))
+ $pconfig['frag3_policy'] = 'bsd';
+ if (empty($pconfig['frag3_memcap']))
+ $pconfig['frag3_memcap'] = '4194304';
+ if (empty($pconfig['frag3_timeout']))
+ $pconfig['frag3_timeout'] = '60';
+ if (empty($pconfig['frag3_detection']))
+ $pconfig['frag3_detection'] = 'on';
+ if (empty($pconfig['stream5_reassembly']))
+ $pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_track_tcp']))
+ $pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_track_udp']))
+ $pconfig['stream5_track_udp'] = 'on';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_require_3whs']))
+ $pconfig['stream5_require_3whs'] = 'off';
+ if (empty($pconfig['stream5_overlap_limit']))
+ $pconfig['stream5_overlap_limit'] = '0';
+ if (empty($pconfig['stream5_tcp_timeout']))
+ $pconfig['stream5_tcp_timeout'] = '30';
+ if (empty($pconfig['stream5_udp_timeout']))
+ $pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_icmp_timeout']))
+ $pconfig['stream5_icmp_timeout'] = '30';
+ if (empty($pconfig['stream5_no_reassemble_async']))
+ $pconfig['stream5_no_reassemble_async'] = 'off';
+ if (empty($pconfig['stream5_dont_store_lg_pkts']))
+ $pconfig['stream5_dont_store_lg_pkts'] = 'off';
+ if (empty($pconfig['stream5_policy']))
+ $pconfig['stream5_policy'] = 'bsd';
+ if (empty($pconfig['pscan_protocol']))
+ $pconfig['pscan_protocol'] = 'all';
+ if (empty($pconfig['pscan_type']))
+ $pconfig['pscan_type'] = 'all';
+ if (empty($pconfig['pscan_memcap']))
+ $pconfig['pscan_memcap'] = '10000000';
+ if (empty($pconfig['pscan_sense_level']))
+ $pconfig['pscan_sense_level'] = 'medium';
 }
-if ($_POST) {
+/* Define the "disabled_preproc_rules.log" file for this interface */
+$iface = snort_get_friendly_interface($pconfig['interface']);
+$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+
+if ($_POST['ResetAll']) {
+
+ /* Reset all the preprocessor settings to defaults */
+ $pconfig['perform_stat'] = "off";
+ $pconfig['host_attribute_table'] = "off";
+ $pconfig['max_attribute_hosts'] = '10000';
+ $pconfig['max_attribute_services_per_host'] = '10';
+ $pconfig['max_paf'] = '16000';
+ $pconfig['server_flow_depth'] = "300";
+ $pconfig['http_server_profile'] = "all";
+ $pconfig['client_flow_depth'] = "300";
+ $pconfig['stream5_reassembly'] = "on";
+ $pconfig['stream5_require_3whs'] = "off";
+ $pconfig['stream5_track_tcp'] = "on";
+ $pconfig['stream5_track_udp'] = "on";
+ $pconfig['stream5_track_icmp'] = "off";
+ $pconfig['max_queued_bytes'] = "1048576";
+ $pconfig['max_queued_segs'] = "2621";
+ $pconfig['stream5_overlap_limit'] = "0";
+ $pconfig['stream5_policy'] = "bsd";
+ $pconfig['stream5_mem_cap'] = "8388608";
+ $pconfig['stream5_tcp_timeout'] = "30";
+ $pconfig['stream5_udp_timeout'] = "30";
+ $pconfig['stream5_icmp_timeout'] = "30";
+ $pconfig['stream5_no_reassemble_async'] = "off";
+ $pconfig['stream5_dont_store_lg_pkts'] = "off";
+ $pconfig['http_inspect'] = "on";
+ $pconfig['http_inspect_enable_xff'] = "off";
+ $pconfig['http_inspect_log_uri'] = "off";
+ $pconfig['http_inspect_log_hostname'] = "off";
+ $pconfig['noalert_http_inspect'] = "on";
+ $pconfig['http_inspect_memcap'] = "150994944";
+ $pconfig['other_preprocs'] = "on";
+ $pconfig['ftp_preprocessor'] = "on";
+ $pconfig['smtp_preprocessor'] = "on";
+ $pconfig['sf_portscan'] = "off";
+ $pconfig['pscan_protocol'] = "all";
+ $pconfig['pscan_type'] = "all";
+ $pconfig['pscan_sense_level'] = "medium";
+ $pconfig['pscan_ignore_scanners'] = "";
+ $pconfig['pscan_memcap'] = '10000000';
+ $pconfig['dce_rpc_2'] = "on";
+ $pconfig['dns_preprocessor'] = "on";
+ $pconfig['sensitive_data'] = "off";
+ $pconfig['ssl_preproc'] = "on";
+ $pconfig['pop_preproc'] = "on";
+ $pconfig['imap_preproc'] = "on";
+ $pconfig['sip_preproc'] = "on";
+ $pconfig['dnp3_preproc'] = "off";
+ $pconfig['modbus_preproc'] = "off";
+ $pconfig['gtp_preproc'] = "off";
+ $pconfig['preproc_auto_rule_disable'] = "off";
+ $pconfig['protect_preproc_rules'] = "off";
+ $pconfig['frag3_detection'] = "on";
+ $pconfig['frag3_overlap_limit'] = "0";
+ $pconfig['frag3_min_frag_len'] = "0";
+ $pconfig['frag3_policy'] = "bsd";
+ $pconfig['frag3_max_frags'] = "8192";
+ $pconfig['frag3_memcap'] = "4194304";
+ $pconfig['frag3_timeout'] = "60";
+
+ /* Log a message at the top of the page to inform the user */
+ $savemsg = "All preprocessor settings have been reset to the defaults.";
+}
+elseif ($_POST['Submit']) {
 $natent = array();
 $natent = $pconfig;
+ if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
+ $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option.";
+
 /* if no errors write to conf */
 if (!$input_errors) {
 /* post new options */
- if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
- if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
- if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
+ if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; }
+ if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; }
+ if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; }
+ if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; }
+ if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; }
+ if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; }
+ if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; }
+ if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; }
+ if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; }
+ if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; }
+ if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; }
+ if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; }
+ if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; }
+ if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; }
+ if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; }
+ if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; }
+ if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; }
+ if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; }
+ if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
+ if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; }
+ if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; }
+ if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; }
+ if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; }
+ if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; }
+ if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; }
+
+ if ($_POST['pscan_ignore_scanners'])
+ $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners'];
+ else
+ unset($natent['pscan_ignore_scanners']);
 $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
+ $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off';
 $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
+ $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off';
+ $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off';
+ $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off';
+ $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off';
 $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off';
 $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off';
 $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off';
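Review bot: The numeric settings copied from `$_POST` into `$natent` in the `Submit` branch (`max_attribute_hosts`, `max_paf`, `stream5_mem_cap`, the `stream5_*_timeout`, `frag3_*` and `pscan_memcap` fields among others) are only tested against `""` before being saved and handed to `snort_generate_conf($natent)`, so any non-numeric string ends up in the interface's snort.conf verbatim. That leaves Snort refusing to start after a typo, and because the values are emitted as config-file text a value containing a newline would become extra snort.conf directives, so both are worth rejecting at the form boundary next to the existing `is_alias()` check for `pscan_ignore_scanners`. The two flow-depth fields accept -1 in Snort, so they need a range check rather than pfSense's `is_numericint()`, and the select-backed fields (`stream5_policy`, `frag3_policy`, `pscan_protocol`, `pscan_type`, `pscan_sense_level`, `http_server_profile`) should be compared against the option lists the form offers, which are rendered outside this hunk. The enclosing `if (!$input_errors)` block continues past the end of the hunk.
```php
	if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
		$input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option.";

	/* These values are written into snort.conf as-is, so accept only whole numbers */
	$int_fields = array('max_attribute_hosts', 'max_attribute_services_per_host', 'max_paf',
		'http_inspect_memcap', 'stream5_overlap_limit', 'stream5_mem_cap', 'stream5_tcp_timeout',
		'stream5_udp_timeout', 'stream5_icmp_timeout', 'max_queued_bytes', 'max_queued_segs',
		'pscan_memcap', 'frag3_overlap_limit', 'frag3_min_frag_len', 'frag3_max_frags',
		'frag3_memcap', 'frag3_timeout');
	foreach ($int_fields as $field) {
		if ($_POST[$field] != "" && !is_numericint($_POST[$field]))
			$input_errors[] = sprintf(gettext("The value for %s must be a whole number."), $field);
	}
	/* server_flow_depth and client_flow_depth allow -1 (no inspection) through 65535 */
	foreach (array('server_flow_depth', 'client_flow_depth') as $field) {
		if ($_POST[$field] != "" && $_POST[$field] != "-1" &&
		    (!is_numericint($_POST[$field]) || $_POST[$field] > 65535))
			$input_errors[] = sprintf(gettext("The value for %s must be between -1 and 65535."), $field);
	}

	/* … unchanged: if (!$input_errors) { per-field copy into $natent with defaults … */
```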
@@ -94,6 +329,25 @@ if ($_POST) {
 $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
 $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
 $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
+ $natent['dnp3_preproc'] = $_POST['dnp3_preproc'] ? 'on' : 'off';
+ $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
+ $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
+ $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
+ $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
+ $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off';
+ $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
+ $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off';
+ $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off';
+ $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off';
+ $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off';
+ $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off';
+ $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off';
+ $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off';
+ $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off';
+
+ /* If 'preproc_auto_rule_disable' is off, then clear log file */
+ if ($natent['preproc_auto_rule_disable'] == 'off')
+ @unlink("{$disabled_rules_log}");
 if (isset($id) && $a_nat[$id])
 $a_nat[$id] = $natent;
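Review bot: `$natent['modbus_preproc']` is assigned twice in this hunk (the second and the fourth added lines are identical), which is harmless today but will hide a mistake the next time one copy is edited, so one of them should go. The `@unlink("{$disabled_rules_log}")` that follows silences every failure, including a permission problem on the log directory that would leave a stale disabled-rules log in place; `if (file_exists($disabled_rules_log)) unlink($disabled_rules_log);` keeps the common no-file case quiet without suppressing real errors.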
@@ -106,8 +360,23 @@ if ($_POST) {
 write_config();
- $if_real = snort_get_real_interface($pconfig['interface']);
- sync_snort_package_config();
+ /* Set flag to rebuild rules for this interface */
+ $rebuild_rules = true;
+
+ /*************************************************/
+ /* Update the snort.conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ snort_generate_conf($natent);
+ $rebuild_rules = false;
+
+ /*******************************************************/
+ /* Signal Snort to reload Host Attribute Table if one */
+ /* is configured and saved. */
+ /*******************************************************/
+ if ($natent['host_attribute_table'] == "on" &&
+ !empty($natent['host_attribute_data']))
+ snort_reload_config($natent, "SIGURG");
 /* after click go to this page */
 header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -119,12 +388,53 @@ if ($_POST) {
 exit;
 }
 }
+elseif ($_POST['btn_import']) {
+ if (is_uploaded_file($_FILES['host_attribute_file']['tmp_name'])) {
+ $data = file_get_contents($_FILES['host_attribute_file']['tmp_name']);
+ if ($data === false)
+ $input_errors[] = gettext("Error uploading file {$_FILES['host_attribute_file']}!");
+ else {
+ if (isset($id) && $a_nat[$id]) {
+ $a_nat[$id]['host_attribute_table'] = "on";
+ $a_nat[$id]['host_attribute_data'] = base64_encode($data);
+ $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data'];
+ $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts'];
+ $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host'];
+ write_config();
+ }
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: snort_preprocessors.php?id=$id");
+ exit;
+ }
+ }
+ else
+ $input_errors[] = gettext("No filename specified for import!");
+}
+elseif ($_POST['btn_edit_hat']) {
+ if (isset($id) && $a_nat[$id]) {
+ $a_nat[$id]['host_attribute_table'] = "on";
+ $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts'];
+ $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host'];
+ write_config();
+ header("Location: snort_edit_hat_data.php?id=$id");
+ exit;
+ }
+}
+
+/* If Host Attribute Table option is enabled, but */
+/* no Host Attribute data exists, flag an error. */
+if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_data']))
+ $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file.");
 $if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_real} Preprocessors and Flow";
+$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow";
 include_once("head.inc");
 ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()">
 <?php include("fbegin.inc"); ?>
 <?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
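Review bot: The error message in the `btn_import` branch interpolates `$_FILES['host_attribute_file']`, which is an array, so the user sees `Error uploading file Array!` (plus an array-to-string notice) and the interpolated string also defeats the gettext lookup; `$input_errors[] = sprintf(gettext("Error uploading file %s!"), htmlspecialchars($_FILES['host_attribute_file']['name']));` fixes both. The branch also stores the upload without looking at `$_FILES['host_attribute_file']['error']` or at the content before base64-encoding it into the config: the Snort host attribute table is an XML document, and a non-XML or truncated file saved here only surfaces later as a Snort start failure, so a well-formedness check (for example `simplexml_load_string($data) === false` with libxml errors captured) and a size limit ahead of `write_config()` would fail fast at the boundary. `is_uploaded_file()` on a missing `tmp_name` index also raises a notice when the button is pressed with no file chosen; testing `isset($_FILES['host_attribute_file']['tmp_name'])` first keeps the `No filename specified` path clean.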
@@ -142,88 +452,486 @@ include_once("head.inc"); ?> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> + <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td>'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . 
gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> </td></tr> -<tr><td class="tabcont"> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> +<tr><td><div id="mainarea"> +<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>> - </strong></span><br> - <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br> - <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> + <td colspan="2" align="left" valign="middle"> + <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?> + <?php echo gettext("Snort start failures unless dependent rules are also disabled."); ?> + <?php echo gettext("The Auto-Rule Disable feature can be used, but note the warning about compromising protection. " . 
+ "Defaults will be used where no user input is provided."); ?></td> + </tr> + <tr> + + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Performance Statistics"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Performance Stats"); ?></td> + <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on" + <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>> + <?php echo gettext("Collect Performance Statistics for this interface."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td> + <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on" + <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked "; + if ($vrt_enabled <> 'on') echo "disabled"; ?>> + <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " . + "you do not want them overwritten by automatic Snort VRT rule updates. " . + "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Hint: ") . "</strong></span>" . 
+ gettext("Most users should leave this unchecked."); ?></td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td> + <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on" + <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>> + <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. "); + echo gettext("Default is ") . '<strong>' . gettext("Not Checked"); ?></strong>.<br/> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> + <?php echo gettext("Enabling this option allows Snort to automatically disable any text rules " . + "containing rule options or content modifiers that are dependent upon the preprocessors " . + "you have not enabled. This may facilitate starting Snort without errors related to " . + "disabled preprocessors, but can substantially compromise the level of protection by " . 
+ "automatically disabling detection rules."); ?></td> + </tr> + <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?> + <tr> + <td width="3%"> </td> + <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/> + <?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td> + </tr> + <?php endif; ?> + </table> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> - <td width="78%" class="vtable"><input name="perform_stat" - type="checkbox" value="on" - <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Performance Statistics for this interface."); ?></td> + <td width="78%" class="vtable"><input name="host_attribute_table" + type="checkbox" value="on" id="host_attribute_table" onclick="host_attribute_table_enable_change();" + <?php if ($pconfig['host_attribute_table']=="on") echo "checked"; ?>> + <?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " . 
+ "Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td> + <td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/> + <input name="host_attribute_file" type="file" class="formfld unknown" value="on" id="host_attribute_file" size="40" + <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn" + <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>><br/> + <?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/> + <span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> + <?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank"> + <?php echo gettext("Snort Manual"); ?></a><?php echo gettext(" for details. " . + "An improperly formatted file may cause Snort to crash or fail to start. The combination of "); ?> + <a href="http://nmap.org/" target="_blank"><?php echo gettext("NMap"); ?></a><?php echo gettext(" and "); ?> + <a href="http://code.google.com/p/hogger/" target="_blank"><?php echo gettext("Hogger"); ?></a><?php echo gettext(" or "); ?> + <a href="http://gamelinux.github.io/prads/" target="_blank"><?php echo gettext("PRADS"); ?></a><?php echo gettext(" can be used to " . 
+ "scan networks and automatically generate a suitable Host Attribute Table file for import."); ?><br/><br/> + <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} else {echo gettext("Create");} ?>" + class="formbtn" + <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <?php if (!empty($pconfig['host_attribute_data'])) {echo gettext("Click to View or Edit the Host Attribute data.");} + else {echo gettext("Click to Create Host Attribute data manually.");} + if ($pconfig['host_attribute_table']=="on" && empty($pconfig['host_attribute_data'])){ + echo "<br/><br/><span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . + gettext("No Host Attribute Data loaded - import from a file or enter it manually."); + } ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Hosts"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="max_attribute_hosts" type="text" class="formfld" id="max_attribute_hosts" size="6" + value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>" + <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") . + "<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" . + gettext("524288") . "</strong>"; ?>.</td> + </tr> + </table> + <?php echo gettext("Sets a limit on the maximum number of hosts to read from the Attribute Table. If the number of hosts in " . + "the table exceeds this value, an error is logged and the remainder of the hosts are ignored. " . + "Default is ") . "<strong>" . gettext("10000") . 
"</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Services Per Host"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="max_attribute_services_per_host" type="text" class="formfld" id="max_attribute_services_per_host" size="6" + value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>" + <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") . + "<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" . + gettext("65535") . "</strong>"; ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the per host limit of services to read from the Attribute Table. For a given host, if the number of " . + "services read exceeds this value, an error is logged and the remainder of the services for that host are ignored. " . + "Default is ") . "<strong>" . gettext("10") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing Setting"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Protocol Aware Flushing Maximum PDU"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="max_paf" type="text" class="formfld" id="max_paf" size="6" + value="<?=htmlspecialchars($pconfig['max_paf']);?>"> + <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") . + "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" . + gettext("63780") . "</strong>"; ?>.</td> + </tr> + </table> + <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " . + "reassembled into one PDU per packet for each PDU. 
PDUs larger than the configured maximum will be split into multiple packets. " . + "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/> + </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect" - type="checkbox" value="on" - <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " . - "Normalize/Decode and detect HTTP traffic and protocol anomalies."); ?></td> + <td width="78%" class="vtable"><input name="http_inspect" + type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();" + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>> + <?php echo gettext("Use HTTP Inspect to " . + "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> + <strong><?php echo gettext("Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_enable_xff" + type="checkbox" value="on" id="http_inspect_enable_xff" + <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>> + <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . + "HTTP headers. 
Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_log_uri" + type="checkbox" value="on" id="http_inspect_log_uri" + <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>> + <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_log_hostname" + type="checkbox" value="on" id="http_inspect_log_hostname" + <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>> + <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="http_inspect_memcap" type="text" class="formfld" + id="http_inspect_memcap" size="6" + value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> + <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") . + "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" . + gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " . + "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . 
gettext(" (144 MB)."); ?> + <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . + gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/> + </td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="flow_depth" type="text" class="formfld" - id="flow_depth" size="5" - value="<?=htmlspecialchars($pconfig['flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . - "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " . + <td><input name="server_flow_depth" type="text" class="formfld" + id="server_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . + "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> </tr> </table> <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br> + "performance may increase by adjusting this value."); ?><br/> <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Default value is <strong>0</strong>"); ?><br> + "are specified in bytes. Recommended setting is maximum (65535). 
Default value is <strong>300</strong>"); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> + <td width="78%" class="vtable"> + <select name="http_server_profile" class="formselect" id="http_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . + "<strong>" . gettext("All") . "</strong>"; ?><br/> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . + gettext("double decoding vulnerability present in those versions."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="client_flow_depth" type="text" class="formfld" + id="client_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . + "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " . + "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> + </tr> + </table> + <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . + "performance may increase by adjusting this value."); ?><br/> + <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . + "are specified in bytes. Recommended setting is maximum (1460). 
Default value is <strong>300</strong>"); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> + <td width="78%" class="vtable"><input name="noalert_http_inspect" + type="checkbox" value="on" id="noalert_http_inspect" + <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> + onClick="enable_change(false);"> <?php echo gettext("Turn off alerts from HTTP Inspect " . + "preprocessor. This has no effect on HTTP rules. Default is "); ?> + <strong><?php echo gettext("Checked"); ?></strong>.</td> + </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();" + <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?> + onClick="enable_change(false)"> + <?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_memcap" type="text" class="formfld" + id="frag3_memcap" size="6" + value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> + <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td> + </tr> + </table> + <?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") . + "<strong>" . gettext("4MB") . 
"</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_max_frags" type="text" class="formfld" + id="frag3_max_frags" size="6" + value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> + <?php echo gettext("Maximum simultaneous fragments to track."); ?></td> + </tr> + </table> + <?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") . + "<strong>8192</strong>."; ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_overlap_limit" type="text" class="formfld" + id="frag3_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td> + </tr> + </table> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_min_frag_len" type="text" class="formfld" + id="frag3_min_frag_len" size="6" + value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td> + </tr> + </table> + <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") . + "<strong>0</strong>" . 
gettext(" (check is disabled)."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_timeout" type="text" class="formfld" + id="frag3_timeout" size="6" + value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>"> + <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td> + </tr> + </table> + <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . + "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> + <td width="78%" class="vtable"> + <select name="frag3_policy" class="formselect" id="frag3_policy"> + <?php + $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> + <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="stream5_reassembly" type="checkbox" value="on" onclick="stream5_enable_change();" + <?php if ($pconfig['stream5_reassembly']=="on") echo "checked"; ?>> + <?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. 
Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp" + <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble TCP sessions. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + <br/> + <input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp" + <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble UDP sessions. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + <br/> + <input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp" + <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble ICMP sessions. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> + <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" + <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>> + <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> + <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" + <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>> + <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . + "<strong>" . gettext("Not Checked") . 
"</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" + <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked"; ?>> + <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . + gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?></td> + </tr> + <tr> <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_queued_bytes" type="text" class="formfld" - id="max_queued_bytes" size="5" + <td><input name="max_queued_bytes" type="text" class="formfld" + id="max_queued_bytes" size="6" value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>"> <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " . "( default value is <strong>1048576</strong>, <strong>0</strong> " . - "means Maximum )"); ?></td> + "means Maximum )"); ?>.</td> </tr> </table> <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " . - "memory. Default value is <strong>1048576</strong>"); ?><br> + "memory. Default value is <strong>1048576</strong>"); ?>.<br/> </td> </tr> <tr> 
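Review bot: The "View" button in the Auto Rule Disable row echoes `$id` and `$disabled_rules_log` into an `onclick` attribute unescaped (`wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>', ...)`), while every other value this hunk prints into the markup goes through `htmlspecialchars`; if `$id` comes from the request without being cast to an integer (its assignment is outside the hunk), this is an injection point into the attribute/JS context, so it should read `id=<?=htmlspecialchars($id);?>&openruleset=<?=htmlspecialchars($disabled_rules_log);?>`. Separately, the Frag3 "Enable" checkbox carries two click handlers, `onclick="frag3_enable_change();"` and the leftover `onClick="enable_change(false)"`; browsers keep only the first occurrence of a duplicated attribute, so the stale second one should be removed rather than silently ignored, and the two `cellpadding="2" cellpadding="2"` tables presumably meant `cellspacing="2"` for the second attribute.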
@@ -231,126 +939,516 @@ include_once("head.inc"); <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_queued_segs" type="text" class="formfld" - id="max_queued_segs" size="5" + <td><input name="max_queued_segs" type="text" class="formfld" + id="max_queued_segs" size="6" value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>"> <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " . "( default value is <strong>2621</strong>, <strong>0</strong> means " . - "Maximum )"); ?></td> + "Maximum )"); ?>.</td> </tr> </table> <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " . - "in memory. Default value is <strong>2621</strong>"); ?><br> + "in memory. Default value is <strong>2621</strong>"); ?>.<br/> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_mem_cap" type="text" class="formfld" + id="stream5_mem_cap" size="6" + value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> + <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " . + "( default value is <strong>8388608</strong>) "); ?>.</td> + </tr> + </table> + <?php echo gettext("The memory cap in bytes for TCP packet storage " . + "in RAM. 
Default value is <strong>8388608</strong> (8 MB)"); ?>.<br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("RPC Decode and Back Orifice detector"); ?></td> - <td width="78%" class="vtable"><input name="other_preprocs" - type="checkbox" value="on" - <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network."); ?></td> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_overlap_limit" type="text" class="formfld" + id="stream5_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") . + "<strong>255</strong>."; ?></td> + </tr> + </table> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . 
gettext(" (unlimited)."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("FTP and Telnet Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="ftp_preprocessor" - type="checkbox" value="on" - <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies."); ?></td> + <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_tcp_timeout" type="text" class="formfld" + id="stream5_tcp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>"> + <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . + "<strong>30</strong>" . 
gettext(" seconds."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("SMTP Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="pop_preproc" - type="checkbox" value="on" - <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows."); ?></td> + <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_udp_timeout" type="text" class="formfld" + id="stream5_udp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> + <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . + "<strong>30</strong>" . 
gettext(" seconds."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("SMTP Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="imap_preproc" - type="checkbox" value="on" - <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows."); ?></td> + <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_icmp_timeout" type="text" class="formfld" + id="stream5_icmp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> + <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . + "<strong>30</strong>" . 
gettext(" seconds."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("SMTP Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="smtp_preprocessor" - type="checkbox" value="on" - <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows."); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?></td> + <td width="78%" class="vtable"> + <select name="stream5_policy" class="formselect" id="stream5_policy"> + <?php + $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', + 'Solaris', 'Vista', 'Windows', 'Win2003' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . 
"</strong>"; ?>.<br/> + <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("Portscan Detection"); ?></td> - <td width="78%" class="vtable"><input name="sf_portscan" - type="checkbox" value="on" - <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("DCE/RPC2 Detection"); ?></td> - <td width="78%" class="vtable"><input name="dce_rpc_2" - type="checkbox" value="on" - <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic."); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="sf_portscan" onclick="sf_portscan_enable_change();" + type="checkbox" value="on" id="sf_portscan" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>> + <?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") . + "<strong>" . gettext("Not Checked") . 
"</strong>"; ?>.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("DNS Detection"); ?></td> - <td width="78%" class="vtable"><input name="dns_preprocessor" - type="checkbox" value="on" - <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities."); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_protocol" class="formselect" id="pscan_protocol"> + <?php + $protos = array('all', 'tcp', 'udp', 'icmp', 'ip'); + foreach ($protos as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_protocol']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the Portscan protocol type to alert for (all, tcp, udp, icmp or ip). Default is ") . + "<strong>" . gettext("all") . 
"</strong>."; ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SSL Data"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td> <td width="78%" class="vtable"> - <input name="ssl_preproc" type="checkbox" value="on" - <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange"); ?> + <select name="pscan_type" class="formselect" id="pscan_type"> + <?php + $protos = array('all', 'portscan', 'portsweep', 'decoy_portscan', 'distributed_portscan'); + foreach ($protos as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_type']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the Portscan scan type to alert for. Default is ") . + "<strong>" . gettext("all") . 
"</strong>."; ?><br/> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td><?php echo gettext("PORTSCAN: one->one scan; one host scans multiple ports on another host."); ?></td> + </tr> + <tr> + <td><?php echo gettext("PORTSWEEP: one->many scan; one host scans a single port on multiple hosts."); ?></td> + </tr> + <tr> + <td><?php echo gettext("DECOY_PORTSCAN: one->one scan; attacker has spoofed source address inter-mixed with real scanning address."); ?></td> + </tr> + <tr> + <td><?php echo gettext("DISTRIBUTED_PORTSCAN: many->one scan; multiple hosts query one host for open services."); ?></td> + </tr> + <tr> + <td><?php echo gettext("ALL: alerts for all of the above scan types."); ?></td> + </tr> + </table> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> <td width="78%" class="vtable"> - <input name="sensitive_data" type="checkbox" value="on" - <?php if ($pconfig['sensitive_data']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Sensisitive data searches for CC or SS# in data"); ?> + <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> + <?php + $levels = array('low', 'medium', 'high'); + foreach ($levels as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>> + <?=gettext(ucfirst($val));?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the Portscan sensitivity level (Low, Medium, High). Default is ") . + "<strong>" . gettext("Medium") . "</strong>."; ?><br/> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td><?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> + <?php echo gettext("this setting should see few false positives. 
"); ?></td> + </tr> + <tr> + <td><?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> + <?php echo gettext("false positive on active hosts."); ?></td> + </tr> + <tr> + <td><?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> + <?php echo gettext("very sensitive to active hosts."); ?></td> + </tr> + </table> </td> </tr> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"></td> - </tr> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <br> - <?php echo gettext("Please save your settings before you click Start."); ?> </td> + <td><input name="pscan_memcap" type="text" class="formfld" + id="pscan_memcap" size="6" + value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") . + gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" . + gettext(" (10 MB)"); ?>.</td> </tr> + </table> + <?php echo gettext("The maximum number of bytes to allocate for portscan detection. The higher this number, ") . + gettext("the more nodes that can be tracked. Default is ") . + "<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> + <td width="78%" class="vtable"> + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . 
+ gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> + <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td> + <td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on" + <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable FTP and Telnet Normalizer"); ?></td> + <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" + <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td> + <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" + <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . 
"</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable IMAP Normalizer"); ?></td> + <td width="78%" class="vtable"><input name="imap_preproc" type="checkbox" value="on" + <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SMTP Normalizer"); ?></td> + <td width="78%" class="vtable"><input name="smtp_preprocessor" type="checkbox" value="on" + <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DCE/RPC2 Detection"); ?></td> + <td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on" + <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>> + <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td> + <td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on" + <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") . + "<strong>" . gettext("Checked") . 
"</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable GTP Detection"); ?></td> + <td width="78%" class="vtable"><input name="gtp_preproc" type="checkbox" value="on" + <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td> + <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" + <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>> + <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSL Data"); ?></td> + <td width="78%" class="vtable"> + <input name="ssl_preproc" type="checkbox" value="on" + <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") . + "<strong>" . gettext("Checked") . 
"</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Sensitive Data"); ?></td> + <td width="78%" class="vtable"> + <input name="sensitive_data" type="checkbox" value="on" + <?php if ($pconfig['sensitive_data'] == "on") + echo "checked"; + elseif ($vrt_enabled == "off") + echo "disabled"; + ?>> + <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?> + <br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessor Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td> + <td width="78%" class="vtable"> + <input name="modbus_preproc" type="checkbox" value="on" + <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("Modbus is a protocol used in SCADA networks. The default port is TCP 502.") . "<br/>" . + "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . + gettext("If your network does not contain Modbus-enabled devices, you can leave this preprocessor disabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNP3 Detection"); ?></td> + <td width="78%" class="vtable"> + <input name="dnp3_preproc" type="checkbox" value="on" + <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("DNP3 is a protocol used in SCADA networks. The default port is TCP 20000.") . "<br/>" . + "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . 
+ gettext("If your network does not contain DNP3-enabled devices, you can leave this preprocessor disabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + gettext("Save preprocessor settings"); ?>"> + <input name="id" type="hidden" value="<?=$id;?>"> + <input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo + gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" . + gettext("WARNING: This will reset ALL preprocessor settings to their defaults. Click OK to continue or CANCEL to quit.") . + "');\""; ?>></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: "); ?></strong></span></span> + <?php echo gettext("Please save your settings before you exit. Preprocessor changes will rebuild the rules file. This "); ?> + <?php echo gettext("may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td> + </tr> </table> +</div> </td></tr></table> </form> +<script type="text/javascript"> +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesports = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } else if ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesports .= ","; + $aliasesports .= "'" . $alias_name['name'] . 
"'"; + $portisfirst = 1; + } + } +?> + + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portsarray=new Array(<?php echo $aliasesports; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +function frag3_enable_change() { + if (!document.iform.frag3_detection.checked) { + var msg = "WARNING: Disabling the Frag3 preprocessor is not recommended!\n\n"; + msg = msg + "Snort may fail to start because of other dependent preprocessors or "; + msg = msg + "rule options. Are you sure you want to disable it?\n\n"; + msg = msg + "Click OK to disable Frag3, or CANCEL to quit."; + if (!confirm(msg)) { + document.iform.frag3_detection.checked=true; + } + } + var endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; +} + +function host_attribute_table_enable_change() { + var endis = !(document.iform.host_attribute_table.checked); + document.iform.host_attribute_file.disabled=endis; + document.iform.btn_import.disabled=endis; + document.iform.btn_edit_hat.disabled=endis; + document.iform.max_attribute_hosts.disabled=endis; + document.iform.max_attribute_services_per_host.disabled=endis; +} + +function http_inspect_enable_change() { + var endis = !(document.iform.http_inspect.checked); + document.iform.http_inspect_enable_xff.disabled=endis; + document.iform.server_flow_depth.disabled=endis; + document.iform.client_flow_depth.disabled=endis; + document.iform.http_server_profile.disabled=endis; + document.iform.http_inspect_memcap.disabled=endis; + document.iform.http_inspect_log_uri.disabled=endis; + 
document.iform.http_inspect_log_hostname.disabled=endis; +} + +function sf_portscan_enable_change() { + var endis = !(document.iform.sf_portscan.checked); + document.iform.pscan_protocol.disabled=endis; + document.iform.pscan_type.disabled=endis; + document.iform.pscan_memcap.disabled=endis; + document.iform.pscan_sense_level.disabled=endis; + document.iform.pscan_ignore_scanners.disabled=endis; +} + +function stream5_enable_change() { + if (!document.iform.stream5_reassembly.checked) { + var msg = "WARNING: Stream5 is a critical preprocessor, and disabling it is not recommended! "; + msg = msg + "The following preprocessors require Stream5 and will be automatically disabled if currently enabled:\n\n"; + msg = msg + " SMTP\t\tPOP\t\tSIP\n"; + msg = msg + " SENSITIVE_DATA\tSF_PORTSCAN\tDCE/RPC 2\n"; + msg = msg + " IMAP\t\tDNS\t\tSSL\n"; + msg = msg + " GTP\t\tDNP3\t\tMODBUS\n\n"; + msg = msg + "Snort may fail to start because of other preprocessors or rule options dependent on Stream5. "; + msg = msg + "Are you sure you want to disable it?\n\n"; + msg = msg + "Click OK to disable Stream5, or CANCEL to quit."; + if (!confirm(msg)) { + document.iform.stream5_reassembly.checked=true; + } + else { + alert("If Snort fails to start with Stream5 disabled, examine the system log for clues."); + document.iform.smtp_preprocessor.checked=false; + document.iform.dce_rpc_2.checked=false; + document.iform.sip_preproc.checked=false; + document.iform.sensitive_data.checked=false; + document.iform.imap_preproc.checked=false; + document.iform.pop_preproc.checked=false; + document.iform.ssl_preproc.checked=false; + document.iform.dns_preprocessor.checked=false; + document.iform.modbus_preproc.checked=false; + document.iform.dnp3_preproc.checked=false; + document.iform.sf_portscan.checked=false; + sf_portscan_enable_change(); + } + } + + var endis = !(document.iform.stream5_reassembly.checked); + document.iform.max_queued_bytes.disabled=endis; + 
document.iform.max_queued_segs.disabled=endis; + document.iform.stream5_mem_cap.disabled=endis; + document.iform.stream5_policy.disabled=endis; + document.iform.stream5_overlap_limit.disabled=endis; + document.iform.stream5_no_reassemble_async.disabled=endis; + document.iform.stream5_dont_store_lg_pkts.disabled=endis; + document.iform.stream5_tcp_timeout.disabled=endis; + document.iform.stream5_udp_timeout.disabled=endis; + document.iform.stream5_icmp_timeout.disabled=endis; +} + +function enable_change_all() { + http_inspect_enable_change(); + sf_portscan_enable_change(); + + // Enable/Disable Frag3 settings + var endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; + + // Enable/Disable Stream5 settings + endis = !(document.iform.stream5_reassembly.checked); + document.iform.max_queued_bytes.disabled=endis; + document.iform.max_queued_segs.disabled=endis; + document.iform.stream5_mem_cap.disabled=endis; + document.iform.stream5_policy.disabled=endis; + document.iform.stream5_overlap_limit.disabled=endis; + document.iform.stream5_no_reassemble_async.disabled=endis; + document.iform.stream5_dont_store_lg_pkts.disabled=endis; + document.iform.stream5_tcp_timeout.disabled=endis; + document.iform.stream5_udp_timeout.disabled=endis; + document.iform.stream5_icmp_timeout.disabled=endis; +} + +// Set initial state of form controls +enable_change_all(); + +</script> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c8a38ddb..7853b955 100644..100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php 
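Review bot: The Ignore Scanners input writes `$pconfig['pscan_ignore_scanners']` straight into its value attribute, while every other text field in this hunk goes through htmlspecialchars(); a stored value containing a double quote breaks out of the attribute. Change it to `value="<?=htmlspecialchars($pconfig['pscan_ignore_scanners']);?>"`. The same gap exists in the alias arrays emitted into the script block at the end of the hunk, where `$alias_name['name']` is wrapped in single quotes by hand and a quote inside a name would terminate the JavaScript string; building a plain PHP array of names and printing it with `json_encode()` removes both the quoting problem and the `$addrisfirst`/`$portisfirst` separator bookkeeping. Separately, enable_change_all() repeats the Frag3 and Stream5 disable lists that frag3_enable_change() and stream5_enable_change() already maintain, so the three copies will drift; splitting the confirm() prompting out of those two functions would let enable_change_all() call the shared disable logic instead.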
@@ -33,9 +33,10 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; +$rules_map = array(); if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); @@ -57,13 +58,49 @@ if (isset($id) && $a_rule[$id]) { $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); } -function load_rule_file($incoming_file) -{ - //read file into string, and get filesize - $contents = @file_get_contents($incoming_file); +function truncate($string, $length) { + + /******************************** + * This function truncates the * + * passed string to the length * + * specified adding ellipsis if * + * truncation was necessary. * + ********************************/ + if (strlen($string) > $length) + $string = substr($string, 0, ($length - 2)) . "..."; + return $string; +} - //split the contents of the string file into an array using the delimiter - return explode("\n", $contents); +function add_title_attribute($tag, $title) { + + /******************************** + * This function adds a "title" * + * attribute to the passed tag * + * and sets the value to the * + * value specified by "$title". * + ********************************/ + $result = ""; + if (empty($tag)) { + // If passed an empty element tag, then + // just create a <span> tag with title + $result = "<span title=\"" . $title . "\">"; + } + else { + // Find the ending ">" for the element tag + $pos = strpos($tag, ">"); + if ($pos !== false) { + // We found the ">" delimter, so add "title" + // attribute and close the element tag + $result = substr($tag, 0, $pos) . " title=\"" . $title . "\">"; + } + else { + // We did not find the ">" delimiter, so + // something is wrong, just return the + // tag "as-is" + $result = $tag; + } + } + return $result; } /* convert fake interfaces to real */ 
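Review bot: truncate() in the second hunk cuts the string at `$length - 2` and then appends three characters, so any truncated result is `$length + 1` bytes long, one more than requested; `$string = substr($string, 0, ($length - 3)) . "...";` keeps it within the limit. The check is byte-based as well, so a multibyte UTF-8 message can be cut mid-character; mb_strlen()/mb_substr() avoid that. In add_title_attribute(), $title is concatenated into a double-quoted attribute without escaping, and the callers are not visible in this hunk, so if rule text ever reaches it a quote in $title ends the attribute; escaping inside the function, `" title=\"" . htmlspecialchars($title) . "\">"`, closes that regardless of the caller. Note also that `strpos($tag, ">")` matches a `>` inside an attribute value of $tag, not only the tag's closing bracket.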
@@ -80,66 +117,211 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -$ruledir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules"; +if (empty($categories[0]) && ($currentruleset != "custom.rules")) { + if (!empty($a_rule[$id]['ips_policy'])) + $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + else + $currentruleset = "custom.rules"; +} + +/* One last sanity check -- if the rules directory is empty, default to loading custom rules */ +$tmp = glob("{$snortdir}/rules/*.rules"); +if (empty($tmp)) + $currentruleset = "custom.rules"; + +$ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { -if (!file_exists($rulefile)) { - $input_errors[] = "{$currentruleset} seems to be missing!!! Please go to the Category tab and save again the rule to regenerate it."; - $splitcontents = array(); -} else - //Load the rule file - $splitcontents = load_rule_file($rulefile); + // Read the current rules file into our rules map array. + // Test for the special case of an IPS Policy file. + if (substr($currentruleset, 0, 10) == "IPS Policy") + $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); + elseif (!file_exists($rulefile)) + $input_errors[] = gettext("{$currentruleset} seems to be missing!!! 
Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); + else + $rules_map = snort_load_rules_map($rulefile); } -if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($splitcontents)) { - - $lineid= $_GET['ids']; - - //copy rule contents from array into string - $tempstring = $splitcontents[$lineid]; - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - $findme = "# alert"; //find string for disabled alerts - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) { - //rule has been enabled - $tempstring = substr($tempstring, 2); - } else - $tempstring = "# ". $tempstring; - - //copy string into array for writing - $splitcontents[$lineid] = $tempstring; - - //write the new .rules file - @file_put_contents($rulefile, implode("\n", $splitcontents)); - - //write disable/enable sid to config.xml - $sid = snort_get_rule_part($tempstring, 'sid:', ";", 0); - if (is_numeric($sid)) { - // rule_sid_on registers - $sidon = explode("||", $a_rule[$id]['rule_sid_on']); - if (!empty($sidon)) - $sidon = @array_flip($sidon); - $sidoff = explode("||", $a_rule[$id]['rule_sid_off']); - if (!empty($sidoff)) - $sidoff = @array_flip($sidoff); - if ($disabled) { - unset($sidoff["disablesid {$sid}"]); - $sidon["enablesid {$sid}"] = count($sidon); - } else { - unset($sidon["enablesid {$sid}"]); - $sidoff["disablesid {$sid}"] = count($sidoff); +/* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */ +$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on'], "enablesid"); +$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off'], "disablesid"); + +if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { + + // Get the SID tag embedded in the clicked rule icon. 
+ $sid= $_GET['ids']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present; otherwise, add it to the + // appropriate list. + if (isset($enablesid[$sid])) { + unset($enablesid[$sid]); + if (!isset($disablesid[$sid])) + $disablesid[$sid] = "disablesid"; + } + elseif (isset($disablesid[$sid])) { + unset($disablesid[$sid]); + if (!isset($enablesid[$sid])) + $enablesid[$sid] = "enablesid"; + } + else { + if ($rules_map[1][$sid]['disabled'] == 1) + $enablesid[$sid] = "enablesid"; + else + $disablesid[$sid] = "disablesid"; + } + + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach ($enablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_on'] = $tmp; + else + unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; + foreach ($disablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_off'] = $tmp; + else + unset($a_rule[$id]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + $_GET['openruleset'] = $currentruleset; +// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); +// exit; + $anchor = "rule_{$sid}"; +} + +if ($_GET['act'] == "disable_all" && !empty($rules_map)) { + + // Mark all rules in the currently selected category "disabled". + foreach (array_keys($rules_map) as $k1) { + foreach (array_keys($rules_map[$k1]) as $k2) { + if (isset($enablesid[$k2])) + unset($enablesid[$k2]); + $disablesid[$k2] = "disablesid"; } - - $a_rule[$id]['rule_sid_on'] = implode("||", array_flip($sidon)); - $a_rule[$id]['rule_sid_off'] = implode("||", array_flip($sidoff)); - write_config(); } + // Write the updated enablesid and disablesid values to the config file. 
+ $tmp = ""; + foreach ($enablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_on'] = $tmp; + else + unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; + foreach ($disablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_off'] = $tmp; + else + unset($a_rule[$id]['rule_sid_off']); + write_config(); + $_GET['openruleset'] = $currentruleset; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} + +if ($_GET['act'] == "enable_all" && !empty($rules_map)) { + + // Mark all rules in the currently selected category "enabled". + foreach (array_keys($rules_map) as $k1) { + foreach (array_keys($rules_map[$k1]) as $k2) { + if (isset($disablesid[$k2])) + unset($disablesid[$k2]); + $enablesid[$k2] = "enablesid"; + } + } + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach ($enablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_on'] = $tmp; + else + unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; + foreach ($disablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_off'] = $tmp; + else + unset($a_rule[$id]['rule_sid_off']); + write_config(); + + $_GET['openruleset'] = $currentruleset; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} + +if ($_GET['act'] == "resetcategory" && !empty($rules_map)) { + + // Reset any modified SIDs in the current rule category to their defaults. + foreach (array_keys($rules_map) as $k1) { + foreach (array_keys($rules_map[$k1]) as $k2) { + if (isset($enablesid[$k2])) + unset($enablesid[$k2]); + if (isset($disablesid[$k2])) + unset($disablesid[$k2]); + } + } + + // Write the updated enablesid and disablesid values to the config file. 
+ $tmp = ""; + foreach ($enablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_on'] = $tmp; + else + unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; + foreach ($disablesid as $k => $v) { + $tmp .= "||{$v} {$k}"; + } + if (!empty($tmp)) + $a_rule[$id]['rule_sid_off'] = $tmp; + else + unset($a_rule[$id]['rule_sid_off']); + write_config(); + + $_GET['openruleset'] = $currentruleset; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} + +if ($_GET['act'] == "resetall" && !empty($rules_map)) { + + // Remove all modified SIDs from config.xml and save the changes. + unset($a_rule[$id]['rule_sid_on']); + unset($a_rule[$id]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + $_GET['openruleset'] = $currentruleset; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} + +if ($_POST['clear']) { + unset($a_rule[$id]['customrules']); + write_config(); + $rebuild_rules = true; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = false; header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } @@ -147,7 +329,9 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($splitcontents)) { if ($_POST['customrules']) { $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); write_config(); - sync_snort_package_config(); + $rebuild_rules = true; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = false; $output = ""; $retcode = ""; exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); 
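Review bot: The toggle handler takes `$sid = $_GET['ids']` with no validation and persists it into `rule_sid_on`/`rule_sid_off` as `enablesid {$sid}`, whereas the code this hunk removes checked `is_numeric($sid)` before writing; an arbitrary string now reaches config.xml and whatever snort.inc later builds from those entries. Guard the handler with `if ($_GET['act'] == "toggle" && is_numeric($_GET['ids']) && !empty($rules_map)) {` and ideally also require `isset($rules_map[1][$sid])`. The default branch reads only `$rules_map[1][$sid]['disabled']` while the display loop in the later hunk iterates every GID, so a rule under another GID is toggled from an undefined state. All five `act=` handlers change configuration on a plain GET link; if the package relies on pfSense's csrf-magic, which as far as I can tell guards POST only, a forged link can disable or reset every rule, so these should become POST actions or carry a token. The identical write-back block is repeated four times and would be cleaner as a small helper such as `snort_write_sid_mods(&$a_rule[$id], $enablesid, $disablesid)`.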
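Review bot: The custom rules are now committed and the interface's configuration regenerated (`write_config()` followed by `snort_generate_conf($a_rule[$id])`) before the `snort -T` check runs, so a rule with a syntax error is already persisted and deployed by the time the error is reported to the user. Validate first and only call `write_config()`/`snort_generate_conf()` when `$retcode` is zero, or at minimum restore the previous `customrules` value and regenerate again on failure. The `if ($_POST['customrules'])` chain this sits in continues into the next hunk.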
@@ -158,16 +342,36 @@ if ($_POST['customrules']) { for($i = $start; $i > $end; $i--) $error .= $output[$i]; $input_errors[] = "Custom rules have errors:\n {$error}"; - } else { + } + else { header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } -} else if ($_POST) { - unset($a_rule[$id]['customrules']); +} + +else if ($_POST['apply']) { + + /* Save new configuration */ write_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = false; + + /* Return to this same page */ header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } +else if ($_POST['cancel']) { + + /* Return to this same page */ + header("Location: /snort/snort_rules.php?id={$id}"); + exit; +} require_once("guiconfig.inc"); include_once("head.inc"); 
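Review bot: Submitting the custom-rules form with an emptied textarea now does nothing: `if ($_POST['customrules'])` is false for an empty string (or the literal `0`), and the new `apply`/`cancel` branches replace the removed `else if ($_POST)` fallback that used to clear `customrules` in exactly that case, so the user's deletion is silently dropped and the page simply re-renders. Add an explicit branch for the Save button, e.g. `else if (isset($_POST['Submit'])) { unset($a_rule[$id]['customrules']); write_config(); ... }` followed by the same rebuild and redirect as the apply path. The `apply` branch calls `write_config()` although nothing in `$config` is modified in that branch, which is harmless but deserves a comment saying it exists only to trigger the rebuild — unless something above the hunk changes `$a_rule`, which I cannot see from here.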
@@ -192,6 +396,297 @@ if ($savemsg) { ?> +<form action="/snort/snort_rules.php" method="post" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td class="tabnavtbl">'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . 
gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr><td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="4" cellspacing="0"> + <tr> + <td class="listtopic"><?php echo gettext("Available Rule Categories"); ?></td> + </tr> + + <tr> + <td class="vncell" height="30px"><strong><?php echo gettext("Category:"); ?></strong> <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> + <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> + <?php + $files = explode("||", $pconfig['rulesets']); + if ($a_rule[$id]['ips_policy_enable'] == 'on') + $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + natcasesort($files); + foreach ($files as $value) { + if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") + continue; + if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging") + continue; + if (empty($value)) + continue; + echo "<option value='?id={$id}&openruleset={$value}' "; + if ($value == $currentruleset) + echo "selected"; + echo ">{$value}</option>\n"; + } + ?> + </select> <?php echo gettext("Select the rule category to view"); ?> + </td> + </tr> + + <?php if ($currentruleset == 'custom.rules'): ?> + <tr> + <td class="listtopic"><?php echo gettext("Defined Custom Rules"); ?></td> + </tr> + <tr> + <td valign="top" class="vtable"> + <input type='hidden' name='openruleset' value='custom.rules'> + <input type='hidden' name='id' value='<?=$id;?>'> + <textarea wrap="soft" cols="90" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> + </td> + </tr> + <tr> + <td> + <input name="Submit" type="submit" class="formbtn" id="submit" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save custom rules"); ?>"/> + <input name="cancel" type="submit" class="formbtn" id="cancel" value="<?php echo gettext("Cancel"); ?>" title="<?php echo gettext("Cancel changes and 
return to last page"); ?>"/> + <input name="clear" type="submit" class="formbtn" id="clear" value="<?php echo gettext("Clear"); ?>" onclick="return confirm('<?php echo gettext("This will erase all custom rules for the interface. Are you sure?"); ?>')" title="<?php echo gettext("Deletes all custom rules"); ?>"/> + </td> + </tr> + <?php else: ?> + <tr> + <td class="listtopic"><?php echo gettext("Rule Signature ID (SID) Enable/Disable Overrides"); ?></td> + </tr> + <tr> + <td class="vncell"> + <table width="100%" align="center" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td rowspan="4" width="48%" valign="middle"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" + title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/> + <input type='hidden' name='id' value='<?=$id;?>'/> + <input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/><br/><br/> + <span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Snort must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . 
"'></a>"?> + <?php echo gettext("Remove Enable/Disable changes in the current Category"); ?></td> + </tr> + <tr> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetall'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'></a>"?> + <?php echo gettext("Remove all Enable/Disable changes in all Categories"); ?></td> + </tr> + <tr> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=disable_all'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to disable all rules in the selected category") . "'></a>"?> + <?php echo gettext("Disable all rules in the current Category"); ?></td> + </tr> + <tr> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=enable_all'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to enable all rules in the selected category") . 
"'></a>"?> + <?php echo gettext("Enable all rules in the current Category"); ?></td> + </tr> + </table> + </td> + </tr> + + <tr> + <td class="listtopic"><?php echo gettext("Selected Category's Rules"); ?></td> + </tr> + <tr> + <td> + <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="15" align="left" valign="middle"> + <col width="9%" align="center" axis="number"> + <col width="60" align="center" axis="string"> + <col width="14%" align="center" axis="string"> + <col width="11%" align="center" axis="string"> + <col width="14%" align="center" axis="string"> + <col width="11%" align="center" axis="string"> + <col axis="string"> + <col width="22" align="right" valign="middle"> + </colgroup> + <thead> + <tr> + <th class="list"> </th> + <th class="listhdrr"><?php echo gettext("SID"); ?></th> + <th class="listhdrr"><?php echo gettext("Proto"); ?></th> + <th class="listhdrr"><?php echo gettext("Source"); ?></th> + <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th class="listhdrr"><?php echo gettext("Destination"); ?></th> + <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th class="listhdrr"><?php echo gettext("Message"); ?></th> + <th class="list"><a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php + echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> + title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a></th> + </tr> + </thead> + <tbody> + + <?php + $counter = 0; + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = 
snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_reject_d.gif"; + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + } + elseif (isset($enablesid[$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. + $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + // Create custom <span> tags for the fields we truncate so we can + // have a "title" attribute for tooltips to show the full string. + $srcspan = add_title_attribute($textss, $rule_content[2]); + $srcprtspan = add_title_attribute($textss, $rule_content[3]); + $dstspan = add_title_attribute($textss, $rule_content[5]); + $dstprtspan = add_title_attribute($textss, $rule_content[6]); + + $protocol = $rule_content[1]; //protocol field + $source = truncate($rule_content[2], 14); //source field + $source_port = truncate($rule_content[3], 10); //source port field + $destination = truncate($rule_content[5], 14); //destination field + $destination_port = truncate($rule_content[6], 10); //destination port field + $message = snort_get_msg($v['rule']); + + echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss + <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> + <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" + width=\"11\" height=\"11\" border=\"0\" + title='" . gettext("Click to toggle enabled/disabled state") . 
"'></a> + $textse + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$sid}{$textse} + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$protocol}{$textse} + </td> + <td class=\"listlr\" align=\"center\"> + {$srcspan}{$source}</span> + </td> + <td class=\"listlr\" align=\"center\"> + {$srcprtspan}{$source_port}</span> + </td> + <td class=\"listlr\" align=\"center\"> + {$dstspan}{$destination}</span> + </td> + <td class=\"listlr\" align=\"center\"> + {$dstprtspan}{$destination_port}</span> + </td> + <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\"><font color=\"white\"> + {$textss}{$message}{$textse}</font> + </td>"; + ?> + <td align="right" valign="middle" nowrap class="listt"> + <a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> + </td> + </tr> + <?php + $counter++; + } + } + unset($rulem, $v); + ?> + </tbody> + </table> + </td> + </tr> + <tr> + <td> + <table width="100%" border="0" cellspacing="0" cellpadding="1"> + <tr> + <td class="vexpl" colspan="2" height="30" valign="middle"><?php echo gettext("Rule Count: {$counter}"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="11" height="11"></td> + <td><?php echo gettext("Rule default is Enabled"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule default is Disabled"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule changed to Enabled by user"); ?></td> 
+ </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject_d.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule changed to Disabled by user"); ?></td> + </tr> + </table> + </td> + </tr> + <?php endif;?> + </table> + </div> + </td> + </tr> +</table> +</form> +<?php include("fend.inc"); ?> + <script language="javascript" type="text/javascript"> function go() { 
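Review bot: Request-controlled and rule-file text is written into the page unescaped throughout this hunk: `$currentruleset` (which the earlier hunk shows being taken from the `openruleset` request parameter) lands in `value='<?=$currentruleset;?>'` and in every `href='?id={$id}&openruleset={$currentruleset}…'`, and the per-rule `$rule_content[...]`, `$sid` and `$message` values go into `title` attributes and cells by string interpolation. Since `$currentruleset` is only meaningful when it is `custom.rules` or one of `$files`, reject anything else before rendering (`if ($currentruleset != "custom.rules" && !in_array($currentruleset, $files, true)) $currentruleset = "custom.rules";`) and pass the rule fields through `htmlspecialchars()` when building each row. `$id` is interpolated into the same links and hidden inputs; if it is not already cast to an integer above the hunk, `(int)$id` at the top would close that path as well. The row is emitted as one large double-quoted `echo`, which makes the quoting hard to audit — a small row-rendering helper that escapes each field once would make the escaping obvious.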
@@ -200,219 +695,29 @@ function go() if (destination) location.href = destination; } -function popup(url) + +function wopen(url, name, w, h) { - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. + w += 32; + h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); } -</script> - -<form action="/snort/snort_rules.php" method="post" name="iform" id="iform"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); -?> -</td></tr> -<tr> - <td> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="3%" class="list"> </td> - <td class="listhdr" colspan="7"> - <br/>Category: - <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> - <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> - <?php - $files = 
explode("||", $pconfig['rulesets']); - foreach ($files as $value) { - if ($snortdownload != 'on' && strstr($value, "snort")) - continue; - if ($emergingdownload != 'on' && strstr($value, "emerging")) - continue; - echo "<option value='?id={$id}&openruleset={$value}' "; - if ($value === $currentruleset) - echo "selected"; - echo ">{$value}</option>\n"; - } - ?> - </select> - <br/> - </td> - <td width="5%" class="list"> </td> - </tr> -<?php if ($currentruleset == 'custom.rules' || empty($pconfig['rulesets'])): ?> - <tr> - <td width="3%" class="list"> </td> - <td valign="top" class="vtable"> - <input type='hidden' name='openruleset' value='custom.rules'> - <input type='hidden' name='id' value='<?=$id;?>'> - - <textarea wrap="on" cols="90" rows="50" name="customrules"><?=$pconfig['customrules'];?></textarea> - </td> - </tr> - <tr> - <td width="3%" class="list"> </td> - <td class="vtable"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> - </td> - </tr> -<?php else: ?> - <tr> - <td width="3%" class="list"> </td> - <td colspan="7" class="listhdr" > </td> - <td width="5%" class="list"> </td> - </tr> - <tr id="frheader"> - <td width="3%" class="list"> </td> - <td width="7%" class="listhdr"><?php echo gettext("SID"); ?></td> - <td width="4%" class="listhdrr"><?php echo gettext("Proto"); ?></td> - <td width="15%" class="listhdrr"><?php echo gettext("Source"); ?></td> - <td width="10%" class="listhdrr"><?php echo gettext("Port"); ?></td> - <td width="15%" class="listhdrr"><?php echo gettext("Destination"); ?></td> - <td width="10%" class="listhdrr"><?php echo gettext("Port"); ?></td> - <td width="30%" class="listhdrr"><?php echo gettext("Message"); ?></td> - <td width="5%" class="list"> </td> - </tr> -<?php - foreach ( $splitcontents as $counter => $value ) - { - $disabled = "False"; - $comments = "False"; - $findme = "# alert"; //find string for disabled alerts - $disabled_pos = 
strstr($value, $findme); - - $counter2 = 1; - $sid = snort_get_rule_part($value, 'sid:', ';', 0); - //check to see if the sid is numberical - if (!is_numeric($sid)) - continue; - - //if find alert is false, then rule is disabled - if ($disabled_pos !== false){ - $counter2 = $counter2+1; - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_block_d.gif"; - - $ischecked = ""; - } else { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - - $ischecked = "checked"; - } - $rule_content = explode(' ', $value); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = substr($rule_content[$counter2], 0, 20) . "...";//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - if (strstr($value, 'msg: "')) - $message = snort_get_rule_part($value, 'msg: "', '";', 0); - else if (strstr($value, 'msg:"')) - $message = snort_get_rule_part($value, 'msg:"', '";', 0); - - echo "<tr><td width='3%' class='listt'> $textss - <a href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$counter}'> - <img src='../themes/{$g['theme']}/images/icons/{$iconb}' - width='10' height='10' border='0' - title='" . gettext("click to toggle enabled/disabled status") . 
"'></a> - $textse - </td> - <td width='7%' class=\"listlr\"> - $textss $sid $textse - </td> - <td width='4%' class=\"listlr\"> - $textss $protocol $textse - </td> - <td width='15%' class=\"listlr\"> - $textss $source $textse - </td> - <td width='10%' class=\"listlr\"> - $textss $source_port $textse - </td> - <td width='15%' class=\"listlr\"> - $textss $destination $textse - </td> - <td width='10%' class=\"listlr\"> - $textss $destination_port $textse - </td> - <td width='30%' class=\"listbg\"><font color=\"white\"> - $textss $message $textse - </td>"; - ?> - <td width='5%' valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="javascript: void(0)" - onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" - title="<?php echo gettext("edit rule"); ?>" width="17" height="17" border="0"></a></td> - <!-- Codes by Quackit.com --> - </tr> - </table> - </td> - </tr> -<?php +<?php if (!empty($anchor)): ?> + // Scroll the last enabled/disabled SID into view + window.location.hash = "<?=$anchor; ?>"; + window.scrollBy(0,-60); - } -?> - - </table> - </td> -</tr> <?php endif;?> -<tr> - <td colspan="9"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td width="16"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" - width="11" height="11"></td> - <td><?php echo gettext("Rule Enabled"); ?></td> - </tr> - <tr> - <td><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" - width="11" height="11"></td> - <td nowrap><?php echo gettext("Rule Disabled"); ?></td> - </tr> - <tr> - <td colspan="10"> - <p><!--<strong><span class="red">Warning:<br/> </span></strong>Editing these r</p>--> - </td> - </tr> - </table> - </td> -</tr> -</table> -</td> -</tr> -</table> -</form> -<?php include("fend.inc"); ?> + +</script> </body> </html> 
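Review bot: `window.location.hash = "<?=$anchor; ?>";` interpolates `$anchor = "rule_{$sid}"` into a JavaScript string literal, and `$sid` is `$_GET['ids']` unvalidated in the toggle handler, so a crafted `ids` value can close the string and inject script into the page; emit it as `window.location.hash = <?=json_encode($anchor)?>;` (or restrict `$sid` to digits before it reaches `$anchor`). In `wopen()`, `window.open()` returns `null` when a popup blocker intervenes and the following `win.resizeTo(w, h)` then throws; guard with `if (win) { win.resizeTo(w, h); win.focus(); }`. The `go()` function this hunk is attached to starts outside the hunk.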
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index 809832ea..a1f45c07 100644..100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -37,6 +37,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +global $flowbit_rules_file; $snortdir = SNORTDIR; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { 
@@ -60,28 +61,59 @@ if (isset($id) && $a_rule[$id]) { $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; $file = $_GET['openruleset']; - -//read file into string, and get filesize also chk for empty files $contents = ''; -if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}")) - $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); +$wrap_flag = "off"; + +// Read the contents of the argument passed to us. +// It may be an IPS policy string, an individual SID, +// a standard rules file, or a complete file name. +// Test for the special case of an IPS Policy file. +if (substr($file, 0, 10) == "IPS Policy") { + $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); + if (isset($_GET['ids'])) { + $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "soft"; + } + else { + $contents = "# Snort IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n"; + foreach (array_keys($rules_map) as $k1) { + foreach (array_keys($rules_map[$k1]) as $k2) { + $contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n"; + $contents .= $rules_map[$k1][$k2]['rule'] . "\n"; + } + } + } + unset($rules_map); +} +// Is it a SID to load the rule text from? +elseif (isset($_GET['ids'])) { + $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); + $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "soft"; +} +// Is it our special flowbit rules file? +elseif ($file == $flowbit_rules_file) + $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); +// Is it a rules file in the ../rules/ directory? +elseif (file_exists("{$snortdir}/rules/{$file}")) + $contents = file_get_contents("{$snortdir}/rules/{$file}"); +// Is it a fully qualified path and file? 
+elseif (file_exists($file)) + $contents = file_get_contents($file); +// It is not something we can display, so exit. else { header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}"); exit; } -//split the contents of the string file into an array using the delimiter -$splitcontents = explode("\n", $contents); - -$pgtitle = array(gettext("Advanced"), gettext("File Editor")); - +$pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> <?php include("head.inc");?> <body link="#000000" vlink="#000000" alink="#000000"> - <?php if ($savemsg) print_info_box($savemsg); ?> -<?php include("fbegin.inc");?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php // include("fbegin.inc");?> <form action="snort_rules_edit.php" method="post"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -89,14 +121,20 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); <td class="tabcont"> <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> <tr> - <td> - <input type="button" class="formbtn" value="Cancel" onclick="window.close()"> + <td class="pgtitle" colspan="2">Snort: Rules Viewer</td> + </tr> + <tr> + <td width="20%"> + <input type="button" class="formbtn" value="Return" onclick="window.close()"> + </td> + <td align="right"> + <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> </td> </tr> <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea> + <td valign="top" class="label" colspan="2"> + <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea style="width:100%; height:100%;" wrap="<?=$wrap_flag?>" rows="33" cols="80" name="code2"><?=$contents;?></textarea> </div> </td> </tr> 
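Review bot: The final `elseif (file_exists($file)) $contents = file_get_contents($file);` turns the `openruleset` query parameter into an arbitrary-file read — any GUI user who can reach this page can display config.xml, `/etc/master.passwd` or anything else readable by the account the GUI runs as — and the `{$snortdir}/rules/{$file}` branch above it accepts `../` segments for the same effect. The same unvalidated name also feeds `snort_load_rules_map()` in the SID branch. Resolve the candidate with `realpath()` and require it to stay inside `$snortdir` before reading; the rewrite below replaces the last two `elseif` branches and keeps the redirect for anything else. `$id` in that redirect is likewise raw `$_GET` input, but that predates this hunk.
```php
// … unchanged: IPS Policy, SID and flowbit-file branches …
else {
	// 'openruleset' is attacker-controlled: resolve it and require the result to
	// stay inside the Snort tree so neither "../" nor an absolute path escapes.
	$base = realpath($snortdir);
	$candidate = realpath("{$snortdir}/rules/{$file}");
	if ($candidate === false)
		$candidate = realpath($file);
	if ($base !== false && $candidate !== false && is_file($candidate) &&
	    strpos($candidate, "{$base}/") === 0)
		$contents = file_get_contents($candidate);
	// It is not something we can display, so exit.
	else {
		header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}");
		exit;
	}
}
```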
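Review bot: `echo gettext("Rules File: ") . '</b> ' . $file;` writes the `openruleset` query parameter back into the page unescaped, which is reflected XSS in an administrative GUI (a crafted link runs script with the administrator's session); `<?=$contents;?>` inside the textarea has the same shape, since a rules file containing `</textarea>` breaks out of the element, although rule files are far less attacker-controlled than the URL. Escape both at output time: `echo gettext("Rules File: ") . '</b> ' . htmlspecialchars($file);` and `<textarea ...><?=htmlspecialchars($contents);?></textarea>`. `$wrap_flag` needs no escaping as it is only ever set from literals in this file.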
@@ -105,6 +143,6 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); </tr> </table> </form> -<?php include("fend.inc");?> +<?php // include("fend.inc");?> </body> </html> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php new file mode 100644 index 00000000..7a653af8 --- /dev/null +++ b/config/snort/snort_rules_flowbits.php 
@@ -0,0 +1,289 @@ +<?php +/* + * snort_rules_flowbits.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $rebuild_rules; + +$snortdir = SNORTDIR; +$flowbit_rules_file = FLOWBITS_FILENAME; +$rules_map = array(); +$supplist = array(); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$if_real = snort_get_real_interface($a_nat[$id]['interface']); +$snort_uuid = $a_nat[$id]['uuid']; + +/* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */ +if ($a_nat[$id]['autoflowbitrules'] == 'on') { + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && + filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { + $rules_map = snort_load_rules_map("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); + } + else + $savemsg = gettext("There are no flowbit-required rules necessary for the current enforcing rule set."); +} +else + $input_errors[] = gettext("Auto-Flowbit rule generation is disabled for this interface!"); + +if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + $descr = snort_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']); + if (empty($descr)) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + else + $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + 
$config['installedpackages']['snortglobal']['suppress']['item'] = array(); + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + $found_list = false; + + if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; + $s_list['uuid'] = uniqid(); + $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_nat[$id]['suppresslistname'] = $s_list['name']; + $found_list = true; + } else { + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_nat[$id]['suppresslistname']) { + $found_list = true; + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + } + } + } + if ($found_list) { + write_config(); + $rebuild_rules = false; + sync_snort_package_config(); + $savemsg = gettext("Wrote suppress rule for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' to the '{$a_nat[$id]['suppresslistname']}' Suppression List."); + } + else { + /* We did not find the defined list, so notify the user with an error */ + $input_errors[] = gettext("Suppress List '{$a_nat[$id]['suppresslistname']}' is defined for this interface, but it could not be found!"); + } +} + +function truncate($string, $length) { + + /******************************** + * This function truncates the * + * passed string to the length * + * specified adding ellipsis if * + * truncation was necessary. * + ********************************/ + if (strlen($string) > $length) + $string = substr($string, 0, ($length - 3)) . 
"..."; + return $string; +} + +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_nat[$id]); + +$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +<form action="snort_rules_flowbits.php" method="post" name="iform" id="iform"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td valign="middle" class="listtopic"><?php echo gettext("Auto-Generated Flowbit-Required Rules"); ?></td> + </tr> + <tr> + <td width="78%" class="vncell"> + <?php echo gettext("The rules listed below are required to be included in the rules set ") . + gettext("because they set flowbits that are checked and relied upon by rules in the enforcing rules set. ") . + gettext("If these dependent flowbits are not set, then some of your chosen rules may not fire. ") . + gettext("Enabling all the rules that set these dependent flowbits ensures your chosen rules fire as intended. ") . + gettext("Most flowbits rules contain the \"noalert\" keyword to prevent an alert from firing ") . + gettext("when the flowbit is detected. For those flowbit rules that do not contain the \"noalert\" option, click the ") . 
+ gettext("icon displayed beside the Signature ID (SID) to add the alert to the Suppression List if desired."); ?></td> + </tr> + <tr> + <td valign="middle" class="listtopic"><?php echo gettext("Flowbit-Required Rules for {$if_friendly}"); ?></td> + </tr> + <tr> + <td width="78%" class="vncell"> + <table width="100%" border="0" cellspacing="2" cellpadding="0"> + <tr> + <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> + <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> + <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + </tr> + <tr> + <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> + <td><span class="vexpl"><?php echo gettext("Alert has been Suppressed"); ?></span></td> + </tr> + <tr> + <td width="17px"> </td> + <td colspan="2" class="vexpl"><?php echo "<span class=\"red\"><strong>" . + gettext("Note: ") . "</strong></span>". gettext("the icon is only ") . 
+ gettext("displayed for flowbit rules without the \"noalert\" option."); ?></td> + </tr> + </table> + </td> + </tr> + <tr> + <td> + <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="11%" axis="number"> + <col width="10%" axis="string"> + <col width="14%" axis="string"> + <col width="14%" axis="string"> + <col width="20%" axis="string"> + <col axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Proto"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Source"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Destination"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Flowbits"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Message"); ?></th> + </tr> + <thead> + <tbody> + <?php + $count = 0; + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. 
+ $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + $protocol = $rule_content[1]; //protocol + $source = truncate($rule_content[2], 14); //source + $destination = truncate($rule_content[5], 14); //destination + $message = snort_get_msg($v['rule']); + $flowbits = implode("; ", snort_get_flowbits($v['rule'])); + if (strstr($flowbits, "noalert")) + $supplink = ""; + else { + if (!isset($supplist[$gid][$sid])) { + $supplink = "<a href=\"?id={$id}&act=addsuppress&sidid={$sid}&gen_id={$gid}\">"; + $supplink .= "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" "; + $supplink .= "width='12' height='12' border='0' title='"; + $supplink .= gettext("Click to add to Suppress List") . "'/></a>"; + } + else { + $supplink = "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus_d.gif\" "; + $supplink .= "width='12' height='12' border='0' title='"; + $supplink .= gettext("Alert has been suppressed") . "'/>"; + } + } + + // Use "echo" to write the table HTML row-by-row. + echo "<tr>" . + "<td class=\"listr\">{$sid} {$supplink}</td>" . + "<td class=\"listr\">{$protocol}</td>" . + "<td class=\"listr\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" . + "<td class=\"listr\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" . + "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$flowbits}</td>" . + "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . + "</tr>"; + $count++; + } + } + unset($rulem, $v); + ?> + </tbody> + </table> + </td> + </tr> + <?php if ($count > 20): ?> + <tr> + <td align="center" valign="middle"> + <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . 
"\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /> + </td> + </tr> + <?php endif; ?> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index cfaa7d18..7ec0edbd 100644..100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -32,9 +32,10 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $snortdir = SNORTDIR; +$flowbit_rules_file = FLOWBITS_FILENAME; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); 
@@ -49,79 +50,120 @@ if (is_null($id)) { exit; } -function snort_remove_rules($files, $snortdir, $snort_uuid, $if_real) { - - if (empty($files)) - return; - - conf_mount_rw(); - foreach ($files as $file) { - @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); - if (substr($file, -9) == ".so.rules") { - $slib = substr($file, 6, -6); - @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}"); - } - } - conf_mount_ro(); -} - -function snort_copy_rules($files, $snortdir, $snort_uuid, $if_real) { - - if (empty($files)) - return; - - conf_mount_rw(); - foreach ($files as $file) { - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}")) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); - if (substr($file, -9) == ".so.rules") { - $slib = substr($enabled_item, 6, -6); - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}")) - @copy("/usr/local/lib/snort/dynamicrules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}"); - } - } - conf_mount_ro(); -} - if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + $pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules']; + $pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable']; + $pconfig['ips_policy'] = $a_nat[$id]['ips_policy']; } $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; + +$no_emerging_files = false; +$no_snort_files = false; +$no_community_files = false; + +/* Test rule categories currently downloaded to $SNORTDIR/rules and set 
appropriate flags */ +$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (empty($test)) + $no_emerging_files = true; +$test = glob("{$snortdir}/rules/snort_*.rules"); +if (empty($test)) + $no_snort_files = true; +if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) + $no_community_files = true; + +if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) + $policy_select_disable = "disabled"; + +if ($a_nat[$id]['autoflowbitrules'] == 'on') { + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && + filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { + $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\""; + } + else + $btn_view_flowb_rules = " disabled"; +} +else + $btn_view_flowb_rules = " disabled"; + +// If a Snort VRT policy is enabled and selected, remove all Snort VRT +// rules from the configured rule sets to allow automatic selection. +if ($a_nat[$id]['ips_policy_enable'] == 'on') { + if (isset($a_nat[$id]['ips_policy'])) { + $disable_vrt_rules = "disabled"; + $enabled_sets = explode("||", $a_nat[$id]['rulesets']); + + foreach ($enabled_sets as $k => $v) { + if (substr($v, 0, 6) == "snort_") + unset($enabled_sets[$k]); + } + $a_nat[$id]['rulesets'] = implode("||", $enabled_sets); + } +} +else + $disable_vrt_rules = ""; /* alert file */ if ($_POST["Submit"]) { + + if ($_POST['ips_policy_enable'] == "on") { + $a_nat[$id]['ips_policy_enable'] = 'on'; + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { + $a_nat[$id]['ips_policy_enable'] = 'off'; + unset($a_nat[$id]['ips_policy']); + } + $enabled_items = ""; if (is_array($_POST['toenable'])) $enabled_items = implode("||", $_POST['toenable']); else $enabled_items = $_POST['toenable']; - $oenabled = explode("||", $a_nat[$id]['rulesets']); - $nenabled = explode("||", $enabled_items); - $tormv = array_diff($oenabled, $nenabled); - snort_remove_rules($tormv, 
$snortdir, $snort_uuid, $if_real); $a_nat[$id]['rulesets'] = $enabled_items; - snort_copy_rules(explode("||", $enabled_items), $snortdir, $snort_uuid, $if_real); + + if ($_POST['autoflowbits'] == "on") + $a_nat[$id]['autoflowbitrules'] = 'on'; + else { + $a_nat[$id]['autoflowbitrules'] = 'off'; + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}")) + @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); + } write_config(); - sync_snort_package_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_nat[$id]); + $rebuild_rules = false; header("Location: /snort/snort_rulesets.php?id=$id"); exit; } if ($_POST['unselectall']) { - if (!empty($pconfig['rulesets'])) - snort_remove_rules(explode("||", $pconfig['rulesets']), $snortdir, $snort_uuid, $if_real); - $a_nat[$id]['rulesets'] = ""; + if ($_POST['ips_policy_enable'] == "on") { + $a_nat[$id]['ips_policy_enable'] = 'on'; + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { + $a_nat[$id]['ips_policy_enable'] = 'off'; + unset($a_nat[$id]['ips_policy']); + } + write_config(); sync_snort_package_config(); 
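Review bot: `$a_nat[$id]['ips_policy'] = $_POST['ips_policy'];` in the Submit handler persists whatever policy name the client posted, and that string later selects which VRT policy `snort_load_vrt_policy()` loads (see the viewer in snort_rules_edit.php in this same change); it should be checked against the set the page offers before `write_config()`, e.g. `if (!in_array($_POST['ips_policy'], $ips_policies, true)) $input_errors[] = gettext("Invalid IPS policy selected.");` where `$ips_policies` holds exactly the `<option>` values of the select (the select is outside this hunk, so I cannot list them). The identical unvalidated assignment is repeated in the `unselectall` and `selectall` handlers further down. A second point: the block that strips `snort_*` entries from `$a_nat[$id]['rulesets']` when a policy is enabled runs on every request, including GET, and mutates the in-memory config before any handler decides whether to save; moving it under the `$_POST` handlers, or at least a comment stating that the change is only persisted by a later `write_config()`, would make that side effect explicit.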
@@ -131,17 +173,33 @@ if ($_POST['unselectall']) { if ($_POST['selectall']) { $rulesets = array(); + + if ($_POST['ips_policy_enable'] == "on") { + $a_nat[$id]['ips_policy_enable'] = 'on'; + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { + $a_nat[$id]['ips_policy_enable'] = 'off'; + unset($a_nat[$id]['ips_policy']); + } + if ($emergingdownload == 'on') { $files = glob("{$snortdir}/rules/emerging*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } - if ($snortdownload == 'on') { + if ($snortcommunitydownload == 'on') { + $files = glob("{$snortdir}/rules/*_community.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + + /* Include the Snort VRT rules only if enabled and no IPS policy is set */ + if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { $files = glob("{$snortdir}/rules/snort*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } - snort_copy_rules($rulesets, $snortdir, $snort_uuid, $if_real); $a_nat[$id]['rulesets'] = implode("||", $rulesets); @@ -153,6 +211,9 @@ if ($_POST['selectall']) { } $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); + +$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$pgtitle = "Snort: Interface {$if_friendly} Categories"; include_once("head.inc"); ?> @@ -160,12 +221,8 @@ include_once("head.inc"); <?php include("fbegin.inc"); -$if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Categories"; - -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> +if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} -<?php /* Display message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks 
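Review bot: The eight-line `ips_policy_enable`/`ips_policy` block added to `selectall` here is the third verbatim copy in this file (Submit and `unselectall` carry the other two), so any validation or default handling later added to one copy will silently diverge from the others. Factor it into a small helper, `function snort_apply_ips_policy_post(&$rule, $post) { ... }`, called from all three handlers. Less important: `selectall` globs `*_community.rules` while the emptiness check earlier in the file tests only `GPLv2_community.rules`; if other community files can exist, the flag and the glob disagree about what counts as downloaded.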
@@ -179,18 +236,30 @@ if ($savemsg) { <form action="snort_rulesets.php" method="post" name="iform" id="iform"> <input type="hidden" name="id" id="id" value="<?=$id;?>" /> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array); + echo '</td></tr>'; + echo '<tr><td class="tabnavtbl">'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . 
gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> </td></tr> <tr> @@ -199,13 +268,18 @@ if ($savemsg) { <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <?php $isrulesfolderempty = glob("{$snortdir}/rules/*.rules"); - $iscfgdirempty = glob("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/*.rules"); - if (empty($isrulesfolderempty) && empty($iscfgdirempty)): + $iscfgdirempty = array(); + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules")) + $iscfgdirempty = (array)("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules"); + if (empty($isrulesfolderempty)): ?> <tr> - <td> - <?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/> - <?php echo gettext("Please go to the updates page to download/fetch the rules configured."); ?> + <td class="vexpl"><br/> + <?php printf(gettext("# The rules directory is empty: %s%s/rules%s"), '<strong>',$snortdir,'</strong>'); ?> <br/><br/> + <?php echo gettext("Please go to the ") . '<a href="snort_download_updates.php"><strong>' . gettext("Updates") . + '</strong></a>' . gettext(" tab to download the rules configured on the ") . + '<a href="snort_interfaces_global.php"><strong>' . gettext("Global") . + '</strong></a>' . gettext(" tab."); ?> </td> </tr> <?php else: 
@@ -218,31 +292,146 @@ if ($savemsg) { ?> <tr> <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> - <td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/><br/></td> + <td colspan="6" class="listtopic"><?php echo gettext("Automatic flowbit resolution"); ?><br/></td> + </tr> + <tr> + <td colspan="6" valign="center" class="listn"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <tr> + <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> + <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" + <?php if ($a_nat[$id]['autoflowbitrules'] == "on" || empty($a_nat[$id]['autoflowbitrules'])) echo "checked"; ?>/> + <span class="vexpl"><?php echo gettext("If checked, Snort will auto-enable rules required for checked flowbits. "); + echo gettext("The Default is "); ?><strong><?php echo gettext("Checked."); ?></strong></span></td> + </tr> + <tr> + <td width="15%" class="vncell"> </td> + <td width="85%" class="vtable"> + <?php echo gettext("Snort will examine the enabled rules in your chosen " . + "rule categories for checked flowbits. Any rules that set these dependent flowbits will " . 
+ "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/></td> + </tr> + <tr> + <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> + <td width="85%"><input type="button" class="formbtns" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>'" <?php echo $btn_view_flowb_rules; ?>/> + <span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td> + </tr> + <tr> + <td width="15%"> </td> + <td width="85%"> + <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?> + <br/></td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy selection"); ?><br/></td> + </tr> + <tr> + <td colspan="6" valign="center" class="listn"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <tr> + <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> + <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> + <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/> <span class="vexpl"> + <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td> + </tr> + <tr> + <td width="15%" class="vncell"> </td> + <td width="85%" class="vtable"> + <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?> + <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . 
+ "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . + "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td> + </tr> + <tr> + <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> + <td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> > + <option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option> + <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> + <option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option> + </select> + <span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td> + </tr> + <tr> + <td width="15%"> </td> + <td width="85%"> + <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " . + "Balanced is a good starter policy. It is speedy, has good base coverage level, and covers " . + "most threats of the day. It includes all rules in Connectivity." . + "Security is a stringent policy. It contains everything in the first two " . 
+ "plus policy-type rules such as Flash in an Excel file."); ?><br/></td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="6" class="listtopic"><?php echo gettext("Select the rulesets Snort will load at startup"); ?><br/></td> </tr> <tr> - <td colspan="2" valign="center"><br/><input value="Save" type="submit" name="Submit" id="Submit" /><br/<br/></td> - <td colspan="2" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/<br/></td> - <td colspan="2" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/<br/></td> + <td colspan="6"> + <table width=90% align="center" border="0" cellpadding="2" cellspacing="0"> + <tr height="45px"> + <td valign="middle"><input value="Select All" class="formbtns" type="submit" name="selectall" id="selectall" title="<?php echo gettext("Add all to enforcing rules"); ?>"/></td> + <td valign="middle"><input value="Unselect All" class="formbtns" type="submit" name="unselectall" id="unselectall" title="<?php echo gettext("Remove all from enforcing rules"); ?>"/></td> + <td valign="middle"><input value=" Save " class="formbtns" type="submit" name="Submit" id="Submit" title="<?php echo gettext("Save changes to enforcing rules and rebuild"); ?>"/></td> + <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td> + </tr> + </table> </tr> - <tr> <td colspan="6"> </td> </tr> + <?php if ($no_community_files) + $msg_community = "NOTE: Snort Community Rules have not been downloaded. 
Perform a Rules Update to enable them."; + else + $msg_community = "Snort GPLv2 Community Rules (VRT certified)"; + ?> + <?php if ($snortcommunitydownload == 'on'): ?> <tr id="frheader"> - <?php if ($emergingdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats.');?></td> + <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> + <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td> + </tr> + <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td> + </tr> + <?php else: ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> + <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td> + </tr> + + <?php endif; ?> + <?php endif; ?> + + <?php if ($no_emerging_files) + $msg_emerging = "downloaded."; + else + $msg_emerging = "enabled."; + if ($no_snort_files) + $msg_snort = "downloaded."; + else + $msg_snort = "enabled."; + ?> + <tr id="frheader"> + <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> <?php else: ?> - <td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php 
echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> <?php endif; ?> - <?php if ($snortdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort');?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO');?></td> + <?php if ($snortdownload == 'on' && !$no_snort_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort Text Rules');?></td> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO Rules');?></td> <?php else: ?> - <td colspan="2" width="60%" class="listhdrr"><?php echo gettext("Snort rules have not been enabled"); ?></td> + <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules have not been {$msg_snort}"); ?></td> <?php endif; ?> </tr> <?php @@ -302,7 +491,9 @@ if ($savemsg) { $file = $snortrules[$j]; echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) + if (!empty($disable_vrt_rules)) + $CHECKED = $disable_vrt_rules; + elseif(in_array($file, $enabled_rulesets_array)) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; @@ -311,7 +502,7 @@ if ($savemsg) { echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n"; echo "</td>\n"; echo "<td class='listr' width='25%' >\n"; - if (empty($CHECKED)) + if (empty($CHECKED) || $CHECKED == "disabled") echo $file; else echo "<a href='snort_rules.php?id={$id}&openruleset=" . urlencode($file) . "'>{$file}</a>\n"; 
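Review bot: The IPS policy select never shows a saved Connectivity choice: the option's value is `connectivity` but the selected test compares `$pconfig['ips_policy'] == "connected"`, so that line should read `<option value="connectivity" <?php if ($pconfig['ips_policy'] == "connectivity") echo "selected"; ?>>`. The Resolve Flowbits checkbox is posted as `name="autoflowbits"` while its checked state is read from `$a_nat[$id]['autoflowbitrules']`; unless the POST handler (outside this hunk) maps one name to the other, the setting will not round-trip. The button table is closed with `</table> </tr>` and is missing the `</td>` that was opened by `<td colspan="6">`. `gettext("{$msg_community}")` hands a runtime-built string to gettext, which defeats message extraction; echo `$msg_community` directly and wrap the two literal strings in `gettext()` where they are assigned.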
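Review bot: When `$disable_vrt_rules` is set, `$CHECKED` takes that string and is emitted into the checkbox, so the VRT category boxes render disabled; browsers do not submit disabled inputs, so a Save while the IPS policy is enabled posts no `toenable[]` entries for these categories and the handler (outside this hunk) must preserve the stored selections rather than clear them. The comparison in the following hunk, `$CHECKED == "disabled"`, only works if `$disable_vrt_rules` is exactly that word with no leading space, unlike the `" checked=\"checked\""` value assigned on the next line; a separate flag such as `$vrt_locked` would be less fragile than overloading `$CHECKED` with two meanings. The same assignment is repeated in the SO-rules hunk (`@@ -322,7 +513,9`), whose link-rendering counterpart is not in this diff.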
@@ -322,7 +513,9 @@ if ($savemsg) { $file = $snortsorules[$j]; echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) + if (!empty($disable_vrt_rules)) + $CHECKED = $disable_vrt_rules; + elseif(in_array($file, $enabled_rulesets_array)) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; @@ -342,8 +535,12 @@ if ($savemsg) { </td> </tr> <tr> -<td colspan="6"> </td> +<td colspan="6" class="vexpl"> <br/></td> </tr> + <tr> + <td colspan="6" align="center" valign="middle"> + <input value="Save" type="submit" name="Submit" id="Submit" class="formbtn" title=" <?php echo gettext("Click to Save changes and rebuild rules"); ?>"/></td> + </tr> <?php endif; ?> </table> </div> @@ -354,5 +551,38 @@ if ($savemsg) { <?php include("fend.inc"); ?> + +<script language="javascript" type="text/javascript"> + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +function enable_change() +{ + var endis = !(document.iform.ips_policy_enable.checked); + document.iform.ips_policy.disabled=endis; + + for (var i = 0; i < document.iform.elements.length; i++) { + if (document.iform.elements[i].type == 'checkbox') { + var str = document.iform.elements[i].value; + if (str.substr(0,6) == "snort_") + document.iform.elements[i].disabled = !(endis); + } + } +} +</script> + </body> </html> diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml new file mode 100755 index 00000000..14a13321 --- /dev/null +++ b/config/snort/snort_sync.xml 
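Review bot: The added Save button reuses `name="Submit" id="Submit"`, which the button in the header table above already carries, so the page now has two elements with the same id; that is invalid HTML and makes `getElementById('Submit')` ambiguous. Give this one a distinct id, `<input value="Save" type="submit" name="Submit" id="SubmitBottom" class="formbtn" …`, keeping the shared `name` for the POST handler. The `title` attribute also begins with a literal space before the PHP tag, `title=" <?php …`.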
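Review bot: `wopen()` dereferences the result of `window.open()` without checking it, and that call returns `null` when a popup blocker intervenes, so `win.resizeTo(w, h)` throws; guard it with `if (win) { win.resizeTo(w, h); win.focus(); }`. Nothing in this hunk calls `wopen()`, so if no other code on the page uses it the function is dead weight. `enable_change()` only runs on click and the initial disabled state comes from the server-side `$disable_vrt_rules` / `$policy_select_disable`, which is fine but deserves a line such as `// initial state is rendered server-side; this only tracks later clicks`. `<script language="javascript"` is an obsolete attribute; `type="text/javascript"` alone is enough.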
@@ -0,0 +1,193 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* +snortsync.xml +part of pfSense (http://www.pfSense.com) +Copyright (C) 2013 Marcello Coutinho +based on pfblocker_sync.xml +All rights reserved. + +Based on m0n0wall (http://m0n0.ch/wall) +Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. +All rights reserved. +*/ +/* ========================================================================== */ +/* +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code MUST retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form MUST reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ========================================================================== */ +]]></copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>snortsync</name> + <version>1.0</version> + <title>Snort: XMLRPC Sync (EXPERIMENTAL)</title> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> + <tabs> + <tab> + <text>Snort Interfaces</text> + <url>/snort/snort_interfaces.php</url> + </tab> + <tab> + <text>Global Settings</text> + <url>/snort/snort_interfaces_global.php</url> + </tab> + <tab> + <text>Updates</text> + <url>/snort/snort_download_updates.php</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort/snort_alerts.php</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelists</text> + <url>/snort/snort_interfaces_whitelist.php</url> + </tab> + <tab> + <text>Suppress</text> + <url>/snort/snort_interfaces_suppress.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=snort/snort_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>Snort Package XMLRPC Sync Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Sync</fielddescr> + <fieldname>varsynconchanges</fieldname> + <description><![CDATA[All changes will be synced with apply config to the IPs listed below if this option is checked.<br/><br/> + <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. 
This will result in a loop!]]></description> + <type>select</type> + <required/> + <default_value>disabled</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>XMLRPC Timeout</fielddescr> + <fieldname>varsynctimeout</fieldname> + <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> + <type>input</type> + <default_value>150</default_value> + <size>5</size> + </field> + + <field> + <fielddescr>Refresh Rule Sets</fielddescr> + <fieldname>vardownloadrules</fieldname> + <description><![CDATA[Ask target hosts to refresh rule sets files on each sync operation.<br/><br/> + During each Snort package sync operation, ask the target remote host to check for + a new set of posted rule sets files and refresh the local copies if necessary. 
The default is + to refresh the files if newer versions have been posted.<br/><br/> + <b>Note: </b>The sync process will wait for the rules download and rebuild to finish on the target remote host before returning.]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Signal target host to refresh rules files</name><value>yes</value></option> + <option><name>Do NOT ask target host to refresh rules files</name><value>no</value></option> + </options> + </field> + + <field> + <fielddescr>Replication Targets</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>varsyncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Protocol</fielddescr> + <fieldname>varsyncprotocol</fieldname> + <description><![CDATA[Choose the protocol of the destination host. 
Probably <b>http</b> or <b>https</b>]]></description> + <type>select</type> + <default_value>HTTP</default_value> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>IP-Address</fielddescr> + <fieldname>varsyncipaddress</fieldname> + <description><![CDATA[IP Address of the destination host.]]></description> + <type>input</type> + <size>15</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Port</fielddescr> + <fieldname>varsyncport</fieldname> + <description><![CDATA[Choose the sync port of the destination host.]]></description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Admin Password</fielddescr> + <fieldname>varsyncpassword</fieldname> + <description><![CDATA[Password of the user "admin" on the destination host.]]></description> + <type>password</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Start Snort</fielddescr> + <fieldname>varsyncsnortstart</fieldname> + <description><![CDATA[Start Snort on target host if not already running.]]></description> + <type>checkbox</type> + <value>ON</value> + </rowhelperfield> + </rowhelper> + </field> + <field> + <name>WARNING: This feature is considered experimental and not recommended for production use</name> + <type>listtopic</type> + </field> + </fields> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + write_config();snort_sync_on_changes(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid/proxy_monitor.sh b/config/squid/proxy_monitor.sh index fa5a87bb..e69de29b 100644 --- a/config/squid/proxy_monitor.sh +++ b/config/squid/proxy_monitor.sh 
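Review bot: The Protocol row helper declares `<default_value>HTTP</default_value>` while its options carry the lower-case values `http` and `https`, so the default matches neither option and the select will not preselect anything; use `<default_value>https</default_value>`, which also avoids sending the target's admin password (`varsyncpassword`) over plain HTTP by default. The `<description>` and `<requirements>` elements still hold the template text "Describe your package here"; fill them in or drop them. `varsynctimeout` is described as seconds but is a free-text input with no validation visible here, and `snort_sync_on_changes()` in `custom_php_resync_config_command` is defined outside this diff.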
@@ -1,72 +0,0 @@ -#!/bin/sh -# $Id$ */ -# -# proxy_monitor.sh -# Copyright (C) 2006 Scott Ullrich -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. -# - -set -e - -LOOP_SLEEP=55 - -if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm -fi - -# Sleep 5 seconds on startup not to mangle with existing boot scripts. -sleep 5 - -# Squid monitor 1.2 -while [ /bin/true ]; do - if [ ! -f /var/run/squid_alarm ]; then - NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -lt 1 ]; then - # squid is down - echo "Squid has exited. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - echo "Attempting restart..." 
| logger -p daemon.info -i -t Squid_Alarm - /usr/local/etc/rc.d/squid.sh start - sleep 3 - echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - touch /var/run/squid_alarm - fi - fi - NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/squid_alarm ]; then - echo "Squid has resumed. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - rm /var/run/squid_alarm - fi - fi - sleep $LOOP_SLEEP -done - -if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm -fi - diff --git a/config/squid/sqpmon.sh b/config/squid/sqpmon.sh new file mode 100644 index 00000000..6053e8ef --- /dev/null +++ b/config/squid/sqpmon.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh +# $Id$ */ +# +# sqpmon.sh +# Copyright (C) 2006 Scott Ullrich +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then + exit 0 +fi + +set -e + +LOOP_SLEEP=55 + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + +# Sleep 5 seconds on startup not to mangle with existing boot scripts. +sleep 5 + +# Squid monitor 1.2 +while [ /bin/true ]; do + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." 
| logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + rm /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP +done + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 30f3884c..34186407 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -230,7 +230,7 @@ function squid_install_command() { /* kill any running proxy alarm scripts */ update_status("Checking for running processes... One moment please..."); log_error("Stopping any running proxy monitors"); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); sleep(1); if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) @@ -251,7 +251,7 @@ function squid_install_command() { /* restart proxy alarm scripts */ log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); update_status("Reconfiguring filter... One moment please..."); filter_configure(); 
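Review bot: The single-instance guard matches itself: `pgrep -f "sqpmon.sh"` counts the shell running this very script (its argv contains the script path) and the forked command-substitution subshell too, and FreeBSD's pgrep excludes only its own pid, so the count is always at least 1 and the monitor exits immediately every time it is started. Excluding `$$` is not enough because the subshell has a different pid; a pidfile check is the reliable form, sketched below. The same guard is carried over unchanged in `config/squid3/31/sqpmon.sh`. Separately, `while [ /bin/true ]` tests a non-empty string rather than running `true`; `while true; do` is the idiom.
```shell
# … unchanged: license header …
PIDFILE=/var/run/sqpmon.pid
if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
    exit 0
fi
echo $$ > "$PIDFILE"
# … unchanged: set -e, LOOP_SLEEP, monitor loop …
```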
@@ -269,8 +269,8 @@ function squid_deinstall_command() { mwexec('rm -rf $cachedir/swap.state'); mwexec('rm -rf $logdir'); update_status("Finishing package cleanup."); - mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh'); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh'); mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); @@ -295,7 +295,7 @@ function squid_before_form_general($pkg) { } $field = &$pkg['fields']['field'][$i]; - for ($i = 0; $i < count($values) - 1; $i++) + for ($i = 0; $i < count($values); $i++) $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); } @@ -858,11 +858,13 @@ http_access allow manager localhost EOD; if(!empty($settings['ext_cachemanager'])) { - $extmgr = explode(";", ($settings['ext_cachemanager'])); + $extmgr = array_unique(explode(";", rtrim($settings['ext_cachemanager'], ';'))); $count = 1; $conf .= "\n# Allow external cache managers\n"; // $conf .= "acl ext_manager src ".$settings['ext_cachemanager']."\n"; foreach ($extmgr as $mgr) { + if (empty($mgr)) + continue; $conf .= "acl ext_manager_".$count." src "; $conf .= $mgr." "; $conf .= "\n"; @@ -1037,9 +1039,12 @@ function squid_resync_auth() { $conf .= "http_access allow $acl\n"; } else { - $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + $noauth = base64_decode($settings['no_auth_hosts']); if (!empty($noauth)) { - $conf .= "acl noauth src $noauth\n"; + foreach (explode("\n", $noauth) as $host) { + $host = trim($host); + $conf .= "acl noauth src $host\n"; + } $valid_acls[] = 'noauth'; } 
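Review bot: The inner `for` reuses `$i` while the context line `$field = &$pkg['fields']['field'][$i]` indicates an enclosing loop (its start is outside this hunk) is already iterating on `$i`; when the inner loop finishes, `$i` equals `count($values)` and the outer iteration is derailed. Rename the inner index: `for ($j = 0; $j < count($values); $j++)` with `$names[$j]` and `$values[$j]` in the body. The bound fix itself (dropping the `- 1`) looks right if `$names` and `$values` are parallel arrays.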
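Review bot: Each `$mgr` element is written verbatim into squid.conf as `acl ext_manager_N src <mgr>`; `rtrim` only strips a trailing `;`, so entries typed as `a; b` keep their leading space, and nothing checks that the value is an address or network before it lands in the generated config. Trim each element and skip anything that is not an IP or CIDR: `$mgr = trim($mgr); if ($mgr === '' || !(is_ipaddr($mgr) || is_subnet($mgr))) continue;`. `empty($mgr)` would also drop a literal `0`, which the `=== ''` test avoids.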
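Review bot: The new loop writes `acl noauth src $host` for every element of `explode("\n", $noauth)`, including blank ones, so a trailing newline or CRLF line endings in the stored text yield an `acl noauth src ` line with no value, which Squid rejects when it loads the config. Skip empty entries after trimming: `if ($host === '') continue;`. The `!empty($noauth)` test on the whole decoded blob does not cover this case, and nothing here validates that each line is an address or network.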
@@ -1470,6 +1475,10 @@ if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then EOD; conf_mount_rw(); write_rcfile($rc); + write_rcfile(array( + "file" => "sqp_monitor.sh", + "start" => "/usr/local/pkg/sqpmon.sh &", + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); conf_mount_ro(); } ?> diff --git a/config/squid/squid.xml b/config/squid/squid.xml index 6ad2c450..3df0482a 100644 --- a/config/squid/squid.xml +++ b/config/squid/squid.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - authng.xml + squid.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong All rights reserved. @@ -134,9 +134,9 @@ <item>http://www.pfsense.org/packages/config/squid/squid_users.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid/proxy_monitor.sh</item> + <item>http://www.pfsense.org/packages/config/squid/sqpmon.sh</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> @@ -195,7 +195,7 @@ <size>80</size> </field> <field> - <fielddescr>Enabled logging</fielddescr> + <fielddescr>Enable logging</fielddescr> <fieldname>log_enabled</fieldname> <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> <type>checkbox</type> @@ -344,4 +344,4 @@ exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); </custom_php_deinstall_command> <filter_rules_needed>squid_generate_rules</filter_rules_needed> -</packagegui>
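Review bot: The `stop` action kills every process whose `ps` line contains `sqpmon` after filtering out `grep` and `php`, rather than the monitor specifically; `pkill -f /usr/local/pkg/sqpmon.sh` states the intent in one command and does not depend on the `grep -v` chain. The identical `write_rcfile` block is added again in `config/squid3/31/squid.inc`, so whichever form is chosen should be applied in both places. Whether the enclosing function runs before the `sqp_monitor.sh stop` call in `squid_install_command` is not visible here; on a fresh install that stop would target an rc script that has not been written yet.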
\ No newline at end of file +</packagegui> diff --git a/config/squid/squid_ng.inc b/config/squid/squid_ng.inc index 03f6d48c..cfd2fe66 100644 --- a/config/squid/squid_ng.inc +++ b/config/squid/squid_ng.inc @@ -47,7 +47,7 @@ function global_write_squid_config() $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; - $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; @@ -560,7 +560,7 @@ function global_write_squid_config() $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; } - unset($banned_ip_addr); + unset($banned_ip_array); unset($banned_ip_addr); unset($ind_banned_ip); diff --git a/config/squid/swapstate_check.php b/config/squid/swapstate_check.php index d70c2dd4..77730e33 100644 --- a/config/squid/swapstate_check.php +++ b/config/squid/swapstate_check.php @@ -35,6 +35,8 @@ $settings = $config['installedpackages']['squidcache']['config'][0]; if ($settings['harddisk_cache_system'] != "null"){ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $swapstate = $cachedir . '/swap.state'; + if (!file_exists($swapstate)) + return; $disktotal = disk_total_space(dirname($cachedir)); $diskfree = disk_free_space(dirname($cachedir)); $diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100); 
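Review bot: The early `return` covers a missing swap.state, but the lines right after it still divide by `$disktotal`, and `disk_total_space()` returns `false` when the cache parent directory is absent or unreadable, so the percentage line raises a division-by-zero warning instead of exiting cleanly. Guard that too, after the `$diskfree` line: `if ($disktotal === false || $disktotal <= 0) return;`. A top-level `return` ends the script, which is fine for a cron-driven check, but a comment such as `// nothing to check until squid has created its swap.state` would make the intent obvious.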
diff --git a/config/squid3/31/proxy_monitor.sh b/config/squid3/31/proxy_monitor.sh new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/config/squid3/31/proxy_monitor.sh diff --git a/config/squid-reverse/proxy_monitor.sh b/config/squid3/31/sqpmon.sh index 17de3997..244b3b61 100644 --- a/config/squid-reverse/proxy_monitor.sh +++ b/config/squid3/31/sqpmon.sh @@ -1,8 +1,8 @@ #!/bin/sh # $Id$ */ # -# proxy_monitor.sh -# Copyright (C) 2006 Scott Ullrich +# sqpmon.sh +# Copyright (C) 2006 Scott Ullrich # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -27,7 +27,7 @@ # POSSIBILITY OF SUCH DAMAGE. # -if [ `pgrep -f "proxy_monitor.sh"|wc -l` -ge 1 ]; then +if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then exit 0 fi @@ -73,4 +73,3 @@ done if [ -f /var/run/squid_alarm ]; then rm /var/run/squid_alarm fi - diff --git a/config/squid-reverse/squid.inc b/config/squid3/31/squid.inc index 7d48390d..0256d078 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid3/31/squid.inc @@ -5,7 +5,8 @@ Copyright (C) 2006-2009 Scott Ullrich Copyright (C) 2006 Fernando Lemos Copyright (C) 2012 Martin Fuchs - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho + Copyright (C) 2013 Gekkenhuis All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -224,6 +225,20 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } } + + if(! empty($settingsnac['block_user_agent'])) { + if(strstr($settingsnac['block_user_agent'], ",")) { + $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); + $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; + } + } + + if(! empty($settingsnac['block_reply_mime_type'])) { + if(strstr($settingsnac['block_reply_mime_type'], ",")) { + $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); + $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; + } + } /*Migrate reverse settings*/ if (is_array($config['installedpackages']['squidreverse'])){ @@ -282,6 +297,10 @@ function squid_install_command() { squid_write_rcfile(); if(file_exists("/usr/local/pkg/swapstate_check.php")) exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); + write_rcfile(array( + "file" => "sqp_monitor.sh", + "start" => "/usr/local/pkg/sqpmon.sh &", + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, @@ -295,7 +314,7 @@ function squid_install_command() { /* kill any running proxy alarm scripts */ update_status("Checking for running processes... One moment please..."); log_error("Stopping any running proxy monitors"); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); sleep(1); if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) 
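Review bot: The `stop` command written into `sqp_monitor.sh` kills by `ps awux | grep "sqpmon" | ... | xargs kill`; when no monitor is running, `xargs` invokes `kill` with no arguments and the rc script exits with a usage error, and the pattern also matches any unrelated process whose command line happens to contain `sqpmon`. Since `sqpmon.sh` itself already relies on `pgrep`, `"stop" => "pkill -f sqpmon.sh"` is shorter and fails quietly when nothing matches. Separately, the new `block_user_agent`/`block_reply_mime_type` migration only acts when the stored value contains a comma, but `squid_nac.xml` declares both fields `<encoding>base64</encoding>`, so values saved through the GUI never contain one; unless older installs stored them unencoded (not visible here), this block is a no-op and could be dropped. `squid_install_command()` continues outside the hunk.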
@@ -316,7 +335,7 @@ function squid_install_command() { /* restart proxy alarm scripts */ log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); update_status("Reconfiguring filter... One moment please..."); filter_configure(); @@ -337,8 +356,8 @@ function squid_deinstall_command() { mwexec('rm -rf $cachedir/swap.state'); mwexec('rm -rf $logdir'); update_status("Finishing package cleanup."); - mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh'); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh'); mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); @@ -1049,6 +1068,10 @@ acl manager proto cache_object acl purge method PURGE acl connect method CONNECT +# Define protocols used for redirects +acl HTTP proto HTTP +acl HTTPS proto HTTPS + EOD; @@ -1069,6 +1092,8 @@ EOD; 'banned_hosts' => 'src', 'whitelist' => 'dstdom_regex -i', 'blacklist' => 'dstdom_regex -i', + 'block_user_agent' => 'browser -i', + 'block_reply_mime_type' => 'rep_mime_type -i', ); foreach ($options as $option => $directive) { $contents = sq_text_area_decode($settings[$option]); 
@@ -1282,6 +1307,18 @@ function squid_resync_auth() { $conf .= "http_access deny blacklist\n"; } } + if(! empty($settingsnac['block_user_agent'])) { + if (squid_is_valid_acl('block_user_agent')) { + $conf .= "# Block access with user agents and browsers\n"; + $conf .= "http_access deny block_user_agent\n"; + } + } + if(! empty($settingsnac['block_reply_mime_type'])) { + if (squid_is_valid_acl('block_reply_mime_type')) { + $conf .= "# Block access with mime type in the reply\n"; + $conf .= "http_reply_access deny block_reply_mime_type\n"; + } + } $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); 
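Review bot: The generated `http_access deny block_user_agent` rule matches on the client-supplied User-Agent header via the `browser -i` ACL, so the comment written into squid.conf should make clear this is a policy filter rather than an access control; suggest `$conf .= "# Block access by User-Agent (client-supplied header; policy filter, not an access control)\n";`. The `http_reply_access deny block_reply_mime_type` rule likewise only sees the Content-Type header as reported by the origin server, so `# Block replies by Content-Type as reported by the origin server` would set the right expectation; the same caveats belong in the field descriptions added to squid_nac.xml in this commit. `squid_resync_auth()` continues outside the hunk.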
@@ -1814,27 +1851,54 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function squid_sync_on_changes() { global $config, $g; - - log_error("[squid] xmlrpc sync is starting."); - $synconchanges = $config['installedpackages']['squidsync']['config'][0]['synconchanges']; - if(!$synconchanges) - return; - foreach ($config['installedpackages']['squidsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if($sh['username']) - $username = $sh['username']; - else - $username = 'admin'; - if($password && $sync_to_ip) - squid_do_xmlrpc_sync($sync_to_ip, $username, $password); + if (is_array($config['installedpackages']['squidsync']['config'])){ + $squid_sync=$config['installedpackages']['squidsync']['config'][0]; + $synconchanges = $squid_sync['synconchanges']; + $synctimeout = $squid_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($squid_sync[row])){ + $rs=$squid_sync[row]; + } + else{ + log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + } + else{ + log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[squid] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + squid_do_xmlrpc_sync($sync_to_ip, $username, 
$password,$synctimeout); + } + log_error("[squid] xmlrpc sync is ending."); } - } - log_error("[squid] xmlrpc sync is ending."); + } } /* Do the actual XMLRPC sync */ -function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { +function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; if(!$username) @@ -1846,6 +1910,10 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { if(!$sync_to_ip) return; + if(!$synctimeout) + $synctimeout=250; + + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; @@ -1868,7 +1936,9 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { $xml['squidcache'] = $config['installedpackages']['squidcache']; $xml['squidnac'] = $config['installedpackages']['squidnac']; $xml['squidtraffic'] = $config['installedpackages']['squidtraffic']; - $xml['squidreverse'] = $config['installedpackages']['squidreverse']; + $xml['squidreversegeneral'] = $config['installedpackages']['squidreversegeneral']; + $xml['squidreversepeer'] = $config['installedpackages']['squidreversepeer']; + $xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri']; $xml['squidauth'] = $config['installedpackages']['squidauth']; $xml['squidusers'] = $config['installedpackages']['squidusers']; /* assemble xmlrpc payload */ 
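Review bot: `$squid_sync[row]` on the `is_array` line and the assignment that follows use an unquoted array key; PHP treats `row` as an undefined constant (a notice on older versions, a fatal error on PHP 8), so they should read `if (is_array($squid_sync['row'])){` and `$rs=$squid_sync['row'];`. The `switch` also has no case for the value `on` that existing installs saved with the old `synconchanges` checkbox (the field becomes a select with `auto`/`manual`/`disabled` in squid_sync.xml and squid_reverse_sync.xml in this same commit), so upgraded systems fall into `default: return;` and stop syncing silently until the page is re-saved; map `on` to `manual`, or at least `log_error()` the unrecognised value before returning. The `break` after `return` in the default branch is unreachable and can go.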
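Review bot: The XML-RPC payload now carries `squidreversegeneral`, `squidreversepeer` and `squidreverseuri`, but not the `squidreverseredir` section that squid_reverse.inc starts reading in this commit, so redirects configured on the primary never reach the sync target; add `$xml['squidreverseredir'] = $config['installedpackages']['squidreverseredir'];` next to the other reverse sections. `squid_do_xmlrpc_sync()` continues outside the hunk.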
@@ -1886,15 +1956,15 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); @@ -1916,14 +1986,14 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); @@ -1932,5 +2002,4 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { } } - -?>
\ No newline at end of file +?> diff --git a/config/squid-reverse/squid.xml b/config/squid3/31/squid.xml index 943f3ed5..aa76c0f1 100644 --- a/config/squid-reverse/squid.xml +++ b/config/squid3/31/squid.xml @@ -10,7 +10,7 @@ authng.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -22,7 +22,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -47,7 +47,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squid</name> - <version>3.1.STABLE19</version> + <version>3.2.7</version> <title>Proxy server: General settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> 
@@ -111,107 +111,112 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid.inc</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_general.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse_general.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_peer.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse_peer.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_uri.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse_uri.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_sync.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse_sync.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_sync.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_sync.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_cache.xml</item> </additional_files_needed> <additional_files_needed> 
<prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_nac.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_nac.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_ng.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_ng.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_ng.inc</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_ng.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_traffic.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_traffic.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_upstream.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_upstream.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse.inc</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - 
<item>http://www.pfsense.org/packages/config/squid-reverse/squid_auth.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_auth.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_users.xml</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_users.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/proxy_monitor.sh</item> + <item>http://www.pfsense.org/packages/config/squid3/31/sqpmon.sh</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/31/swapstate_check.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/swapstate_check.php</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_reverse_redir.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_monitor.php</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_monitor.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_monitor_data.php</item> + <item>http://www.pfsense.org/packages/config/squid3/31/squid_monitor_data.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_log_parser.php</item> + 
<item>http://www.pfsense.org/packages/config/squid3/31/squid_log_parser.php</item> </additional_files_needed> <fields> @@ -254,11 +259,11 @@ <default_value>on</default_value> </field> <field> - <fielddescr>Transparent proxy</fielddescr> + <fielddescr>Transparent HTTP proxy</fielddescr> <fieldname>transparent_proxy</fieldname> <description><![CDATA[Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration necessary.<br> - <strong>NOTE:</strong> Transparent mode does not filter ssl(port 443) or any other http/https port.<br> - To filter both http and https protocol without touching user config, enable WPAD/PAC options on your dns/dhcp.]]></description> + <strong>NOTE:</strong> Transparent mode will filter ssl(port 443) if enable men-in-the-middle options below.<br> + To filter both http and https protocol without intercepting ssl connections, enable WPAD/PAC options on your dns/dhcp.]]></description> <type>checkbox</type> <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> <required/> @@ -448,4 +453,4 @@ exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); </custom_php_deinstall_command> <filter_rules_needed>squid_generate_rules</filter_rules_needed> -</packagegui>
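Review bot: The new transparent-proxy description reads `if enable men-in-the-middle options below`; it should be `if you enable the man-in-the-middle options below`, and `ssl(port 443)` reads better as `SSL (port 443)`. The sentence also states unconditionally that transparent mode will filter SSL, which only holds once the interception options are configured, so `can filter` is the more accurate wording.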
\ No newline at end of file +</packagegui> diff --git a/config/squid-reverse/squid_auth.inc b/config/squid3/31/squid_auth.inc index 7c99a01b..7c99a01b 100644 --- a/config/squid-reverse/squid_auth.inc +++ b/config/squid3/31/squid_auth.inc diff --git a/config/squid-reverse/squid_auth.xml b/config/squid3/31/squid_auth.xml index 307669c5..307669c5 100644 --- a/config/squid-reverse/squid_auth.xml +++ b/config/squid3/31/squid_auth.xml diff --git a/config/squid-reverse/squid_cache.xml b/config/squid3/31/squid_cache.xml index 7f371f49..7f371f49 100644 --- a/config/squid-reverse/squid_cache.xml +++ b/config/squid3/31/squid_cache.xml diff --git a/config/squid-reverse/squid_extauth.xml b/config/squid3/31/squid_extauth.xml index 41d9f633..41d9f633 100644 --- a/config/squid-reverse/squid_extauth.xml +++ b/config/squid3/31/squid_extauth.xml diff --git a/config/squid-reverse/squid_log_parser.php b/config/squid3/31/squid_log_parser.php index f6cd7de8..f6cd7de8 100755 --- a/config/squid-reverse/squid_log_parser.php +++ b/config/squid3/31/squid_log_parser.php diff --git a/config/squid-reverse/squid_monitor.php b/config/squid3/31/squid_monitor.php index 22d7dfcc..86c7d33a 100644 --- a/config/squid-reverse/squid_monitor.php +++ b/config/squid3/31/squid_monitor.php @@ -83,6 +83,7 @@ include("head.inc"); $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid_reverse_general.xml&id=0"); $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml"); $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml"); + $tab_array[] = array(gettext("Redirects"), false, "/pkg.php?xml=squid_reverse_redir.xml"); $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml"); } 
@@ -115,7 +116,8 @@ include("head.inc"); <option value="15">15 lines</option> <option value="20">20 lines</option> <option value="25">25 lines</option> - <option value="30">30 lines</option> + <option value="100">100 lines</option> + <option value="200">200 lines</option> </select> <br/> <span class="vexpl"> diff --git a/config/squid-reverse/squid_monitor_data.php b/config/squid3/31/squid_monitor_data.php index 7e27919d..7e27919d 100644 --- a/config/squid-reverse/squid_monitor_data.php +++ b/config/squid3/31/squid_monitor_data.php diff --git a/config/squid-reverse/squid_nac.xml b/config/squid3/31/squid_nac.xml index bc4a278e..659d626f 100644 --- a/config/squid-reverse/squid_nac.xml +++ b/config/squid3/31/squid_nac.xml @@ -139,6 +139,24 @@ <encoding>base64</encoding> </field> <field> + <fielddescr>Block user agents</fielddescr> + <fieldname>block_user_agent</fieldname> + <description>Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Block MIME types (reply only)</fielddescr> + <fieldname>block_reply_mime_type</fieldname> + <description>Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript).</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> <name>Squid Allowed ports</name> <type>listtopic</type> </field> diff --git a/config/squid-reverse/squid_ng.inc b/config/squid3/31/squid_ng.inc index b0604b02..0e1e0515 100644 --- a/config/squid-reverse/squid_ng.inc +++ b/config/squid3/31/squid_ng.inc 
@@ -47,7 +47,7 @@ function global_write_squid_config() $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; - $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; @@ -560,7 +560,7 @@ function global_write_squid_config() $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; } - unset($banned_ip_addr); + unset($banned_ip_array); unset($banned_ip_addr); unset($ind_banned_ip); diff --git a/config/squid-reverse/squid_ng.xml b/config/squid3/31/squid_ng.xml index 142536d6..142536d6 100644 --- a/config/squid-reverse/squid_ng.xml +++ b/config/squid3/31/squid_ng.xml diff --git a/config/squid-reverse/squid_reverse.inc b/config/squid3/31/squid_reverse.inc index 21b6c668..eb2d4c73 100644 --- a/config/squid-reverse/squid_reverse.inc +++ b/config/squid3/31/squid_reverse.inc @@ -4,6 +4,7 @@ squid_reverse.inc Copyright (C) 2012 Martin Fuchs Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2013 Gekkenhuis All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -40,6 +41,8 @@ function squid_resync_reverse() { $reverse_peers=$config['installedpackages']['squidreversepeer']['config']; if (is_array($config['installedpackages']['squidreverseuri'])) $reverse_maps=$config['installedpackages']['squidreverseuri']['config']; + if (is_array($config['installedpackages']['squidreverseredir'])) + $reverse_redir=$config['installedpackages']['squidreverseredir']['config']; $conf = "# Reverse Proxy settings\n"; @@ -68,7 +71,7 @@ function squid_resync_reverse() { $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']); #set HTTPS port and defsite - $https_port=(empty($settings['reverse_https_port'])?"80":$settings['reverse_https_port']); + $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']); $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']); foreach (explode(",", $ifaces) as $i => $iface) { 
@@ -124,6 +127,38 @@ function squid_resync_reverse() { } } + //REDIRECTS + if (is_array($reverse_redir)) { + foreach ($reverse_redir as $rdr) { + if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") { + $conf_rdr = "# Redirect: {$rdr['description']}\n"; + + if (is_array($rdr['row'])) { + foreach ($rdr['row'] as $uri) { + $conf_rdr .= "acl rdr_dst_{$rdr['name']} dstdomain {$uri['uri']}\n"; + } + } + + $conf_rdr .= "acl rdr_path_{$rdr['name']} urlpath_regex {$rdr['pathregex']}\n"; + $conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n"; + + foreach (explode(',', $rdr['protocol']) as $rdr_protocol) { + if($rdr_protocol == "HTTP") { + $conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n"; + } + + if($rdr_protocol == "HTTPS") { + $conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n"; + } + } + + $conf_rdr .= "\n"; + } + + $conf .= $conf_rdr; + } + } + //ACLS and MAPPINGS //create an empty owa_dirs to populate based on user selected options @@ -133,7 +168,7 @@ function squid_resync_reverse() { array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); if($settings['reverse_owa_activesync']) array_push($owa_dirs,'Microsoft-Server-ActiveSync'); - if($settngs['reverse_owa_rpchttp']) + if($settings['reverse_owa_rpchttp']) array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); if($settings['reverse_owa_autodiscover']) array_push($owa_dirs,'autodiscover'); diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid3/31/squid_reverse.xml index ce09f8e7..ce09f8e7 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid3/31/squid_reverse.xml diff --git a/config/squid-reverse/squid_reverse_general.xml b/config/squid3/31/squid_reverse_general.xml index ec0bcb7a..2211bb20 100644 --- a/config/squid-reverse/squid_reverse_general.xml +++ b/config/squid3/31/squid_reverse_general.xml 
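Review bot: `$conf .= $conf_rdr;` sits inside the `foreach` but outside the `if ($rdr['enable'] == "on" ...)` test, so a disabled or incomplete redirect re-appends the previous entry's block (duplicate ACL and `http_access` lines) and, if it is the first entry, appends an undefined `$conf_rdr`. The `http_access deny HTTP/HTTPS rdr_dst_<name> ...` lines also reference `rdr_dst_<name>`, which is only declared when `$rdr['row']` has at least one domain, so a redirect saved without domains produces a squid.conf that fails to parse. Note too that `name`, `pathregex`, `redirurl`, `description` and each `uri` are interpolated into squid.conf verbatim while the new squid_reverse_redir.xml has an empty `custom_php_validation_command`, so a stray space or newline in any of them yields a malformed or unintended directive; the ACL name in particular should be restricted to `[A-Za-z0-9_]`. `squid_resync_reverse()` continues outside the hunk.
```php
    //REDIRECTS
    if (is_array($reverse_redir)) {
        foreach ($reverse_redir as $rdr) {
            // Skip disabled/incomplete entries and entries without domain rows: the
            // http_access lines below reference rdr_dst_<name>, which only exists
            // when at least one row is present.
            if ($rdr['enable'] != "on" || $rdr['name'] == "" || $rdr['pathregex'] == "" || $rdr['redirurl'] == "" || empty($rdr['row'])) {
                continue;
            }
            $conf_rdr = "# Redirect: {$rdr['description']}\n";
            foreach ($rdr['row'] as $uri) {
                $conf_rdr .= "acl rdr_dst_{$rdr['name']} dstdomain {$uri['uri']}\n";
            }
            // … unchanged: rdr_path acl, deny_info and per-protocol http_access lines …
            $conf_rdr .= "\n";
            // Append only the block built for this entry, never a stale one.
            $conf .= $conf_rdr;
        }
    }
```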
@@ -64,6 +64,10 @@ <url>/pkg.php?xml=squid_reverse_uri.xml</url> </tab> <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> <text>Real time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> diff --git a/config/squid-reverse/squid_reverse_peer.xml b/config/squid3/31/squid_reverse_peer.xml index 6341567e..abfbf19b 100644 --- a/config/squid-reverse/squid_reverse_peer.xml +++ b/config/squid3/31/squid_reverse_peer.xml @@ -64,6 +64,10 @@ <url>/pkg.php?xml=squid_reverse_uri.xml</url> </tab> <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> <text>Real time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> diff --git a/config/squid3/31/squid_reverse_redir.xml b/config/squid3/31/squid_reverse_redir.xml new file mode 100644 index 00000000..de25f56a --- /dev/null +++ b/config/squid3/31/squid_reverse_redir.xml 
@@ -0,0 +1,182 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ============================================================================ */ +/* + squid_reverse_redir.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Gekkenhuis + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ============================================================================ */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ============================================================================ */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreverseredir</name> + <version>none</version> + <title>Reverse Proxy server: Redirects</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + <active/> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect to</fielddescr> + <fieldname>redirurl</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Redirect Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this redirect</fielddescr> + <fieldname>enable</fieldname> + <description><![CDATA[If this field is checked, then this redirect will be available for reverse config.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redirect name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this redirect on 
squid reverse conf<br/> + example: REDIR1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Redirect Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Redirect Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Redirect Protocol</fielddescr> + <fieldname>protocol</fieldname> + <description><![CDATA[Protocol to redirect on.<br/> + Use CTRL + click to select multiple]]></description> + <type>select</type> + <multiple/> + <size>03</size> + <options> + <option> + <name>HTTP</name> + <value>HTTP</value> + </option> + <option> + <name>HTTPS</name> + <value>HTTPS</value> + </option> + </options> + </field> + <field> + <fielddescr>Blocked domains</fielddescr> + <fieldname>none</fieldname> + <description>Domains to redirect for</description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[<strong>Domains to match</strong><br/><br/> + Samples: mydomain.com sub.mydomain.com www.mydomain.com<br/><br/> + Do not enter http:// or https:// here! only the hostname is required.]]></fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>60</size> + </rowhelperfield> + </rowhelper> + </field> + <field> + <fielddescr>Path regex</fielddescr> + <fieldname>pathregex</fieldname> + <description><![CDATA[Path regex to match<br/><br/>]]> + Enter ^/$ to match the domain only.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>URL to redirect to</fielddescr> + <fieldname>redirurl</fieldname> + <description><![CDATA[URL to redirect to]]></description> + <type>input</type> + <size>60</size> + </field> + </fields> + + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_reverse_sync.xml b/config/squid3/31/squid_reverse_sync.xml index 408f14f1..041576b8 100755 --- a/config/squid-reverse/squid_reverse_sync.xml +++ b/config/squid3/31/squid_reverse_sync.xml @@ -9,7 +9,7 @@ /* squid_sync.xml part of the sarg package for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -17,7 +17,7 @@ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright @@ -59,6 +59,10 @@ <url>/pkg.php?xml=squid_reverse_uri.xml</url> </tab> <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> <text>Real time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> 
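Review bot: `<custom_php_validation_command>` is empty, yet every field on this page (`name`, `pathregex`, `redirurl`, the `uri` rows) is written verbatim into squid.conf by `squid_resync_reverse()` in squid_reverse.inc; add a validator that rejects whitespace and newlines in these values, restricts `name` to alphanumerics and underscore (it becomes part of an ACL name), and requires at least one domain row, since the generated `http_access` lines reference `rdr_dst_<name>`. The rowhelper's `<fielddescr>Blocked domains</fielddescr>` also contradicts its `<description>Domains to redirect for</description>` — `Redirected domains` matches the page's purpose. `<size>03</size>` on the protocol select is presumably meant as `<size>3</size>`.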
@@ -76,8 +80,30 @@ <field> <fielddescr>Automatically sync squid configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for squid.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/squid-reverse/squid_reverse_uri.xml b/config/squid3/31/squid_reverse_uri.xml index 81c9af3b..1232cfe3 100644 --- a/config/squid-reverse/squid_reverse_uri.xml +++ b/config/squid3/31/squid_reverse_uri.xml @@ -64,6 +64,10 @@ <active/> </tab> <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> <text>Real time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> diff --git a/config/squid-reverse/squid_sync.xml b/config/squid3/31/squid_sync.xml index 62a726f4..cdd91e78 100755 --- a/config/squid-reverse/squid_sync.xml +++ b/config/squid3/31/squid_sync.xml 
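Review bot: The `synconchanges` field in this hunk is turned from a checkbox into a select whose values are `auto`, `manual` and `disabled`, but a configuration saved by the previous version holds the checkbox value `on`, which matches none of the new options; unless the resync code that reads this field (not in this chunk) maps `on` to `manual`, an upgraded install presumably falls into the unmatched case and stops syncing silently. The squid_sync.xml hunk `@@ -92,8 +92,30 @@` makes the same change and has the same gap. A one-line migration in the install or resync path, along the lines of `if ($sync['synconchanges'] == 'on') $sync['synconchanges'] = 'manual';` on the loaded sync settings, would preserve the old behaviour for existing users.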
@@ -9,7 +9,7 @@ /* squid_sync.xml part of the sarg package for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -92,8 +92,30 @@ <field> <fielddescr>Automatically sync squid configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for squid.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/squid-reverse/squid_traffic.xml b/config/squid3/31/squid_traffic.xml index 62269792..62269792 100644 --- a/config/squid-reverse/squid_traffic.xml +++ b/config/squid3/31/squid_traffic.xml diff --git a/config/squid-reverse/squid_upstream.xml b/config/squid3/31/squid_upstream.xml index 049d301c..049d301c 100644 --- a/config/squid-reverse/squid_upstream.xml +++ b/config/squid3/31/squid_upstream.xml 
diff --git a/config/squid-reverse/squid_users.xml b/config/squid3/31/squid_users.xml index 791a5fa9..791a5fa9 100644 --- a/config/squid-reverse/squid_users.xml +++ b/config/squid3/31/squid_users.xml diff --git a/config/squid-reverse/swapstate_check.php b/config/squid3/31/swapstate_check.php index d70c2dd4..6ecfff3c 100644 --- a/config/squid-reverse/swapstate_check.php +++ b/config/squid3/31/swapstate_check.php @@ -29,7 +29,13 @@ require_once('config.inc'); require_once('util.inc'); -$settings = $config['installedpackages']['squidcache']['config'][0]; +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); +else + define('SQUID_LOCALBASE','/usr/local'); + + $settings = $config['installedpackages']['squidcache']['config'][0]; // Only check the cache if Squid is actually caching. // If there is no cache then quietly do nothing. if ($settings['harddisk_cache_system'] != "null"){ @@ -45,7 +51,7 @@ if ($settings['harddisk_cache_system'] != "null"){ // or the drive is 90% full and swap.state is larger than 1GB, // kill it and initiate a rotate to write a fresh copy. if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024))) { - mwexec_bg("/bin/rm $swapstate; /usr/local/sbin/squid -k rotate"); + mwexec_bg("/bin/rm $swapstate; ". SQUID_LOCALBASE . "/sbin/squid -k rotate"); log_error(gettext(sprintf("Squid swap.state file exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); } } diff --git a/config/squid3/33/sqpmon.sh b/config/squid3/33/sqpmon.sh new file mode 100644 index 00000000..244b3b61 --- /dev/null +++ b/config/squid3/33/sqpmon.sh 
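Review bot: The `SQUID_LOCALBASE` detection added in `@@ -29,7 +29,13 @@` duplicates the block at the top of the new squid.inc and calls `define()` unconditionally, so if this script ever runs in a context where squid.inc is already loaded, PHP raises a "Constant already defined" notice and the second value is ignored; guarding it, `if (!defined('SQUID_LOCALBASE')) define('SQUID_LOCALBASE', ...);`, or requiring squid.inc instead of re-deriving the path, keeps the two copies from drifting. Note also that `$pf_version > 2.0` compares a three-character string with a float: it works for values like `2.1`, but a missing or unreadable `/etc/version` makes `file_get_contents` return `false`, the comparison is then `0 > 2.0`, and the script silently selects `/usr/local`. Logging that fallback, or checking the read result explicitly, would make a wrong binary path visible rather than leaving `squid -k rotate` in the second hunk pointing at a non-existent file.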
@@ -0,0 +1,75 @@
+#!/bin/sh
+# $Id$ */
+#
+# sqpmon.sh
+# Copyright (C) 2006 Scott Ullrich
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then
+ exit 0
+fi
+
+set -e
+
+LOOP_SLEEP=55
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
+# Sleep 5 seconds on startup not to mangle with existing boot scripts.
+sleep 5
+
+# Squid monitor 1.2
+while [ /bin/true ]; do
+ if [ ! -f /var/run/squid_alarm ]; then
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # squid is down
+ echo "Squid has exited. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ echo "Attempting restart..."
| logger -p daemon.info -i -t Squid_Alarm
+ /usr/local/etc/rc.d/squid.sh start
+ sleep 3
+ echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ touch /var/run/squid_alarm
+ fi
+ fi
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/squid_alarm ]; then
+ echo "Squid has resumed. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ rm /var/run/squid_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
new file mode 100755
index 00000000..1da86847
--- /dev/null
+++ b/config/squid3/33/squid.inc
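Review bot: The single-instance guard at the top of the script, `if [ \`pgrep -f "sqpmon.sh"|wc -l\` -ge 1 ]; then exit 0`, also matches the shell that is executing this very file (its command line contains `sqpmon.sh`), so the count appears to be at least 1 on every start and the monitor would exit before entering the loop; if one running copy is meant to be allowed, the threshold should be `-ge 2`, or the current process excluded from the count. `while [ /bin/true ]; do` tests that a non-empty string is non-empty rather than running `true`; `while true; do` states the intent. With `set -e` in effect, a non-zero exit from `/usr/local/etc/rc.d/squid.sh start` or `/etc/rc.filter_configure` terminates the monitor instead of letting it retry on the next iteration, which is presumably not what a watchdog wants.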
@@ -0,0 +1,2353 @@
+<?php
+/* $Id$ */
+/*
+ squid.inc
+ Copyright (C) 2006-2009 Scott Ullrich
+ Copyright (C) 2006 Fernando Lemos
+ Copyright (C) 2012 Martin Fuchs
+ Copyright (C) 2012-2013 Marcello Coutinho
+ Copyright (C) 2013 Gekkenhuis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once('globals.inc');
+require_once('config.inc');
+require_once('util.inc');
+require_once('pfsense-utils.inc');
+require_once('pkg-utils.inc');
+require_once('service-utils.inc');
+
+if(!function_exists("filter_configure"))
+ require_once("filter.inc");
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version > 2.0)
+ define('SQUID_LOCALBASE', '/usr/pbi/squid-' .
php_uname("m"));
+else
+ define('SQUID_LOCALBASE','/usr/local');
+
+define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid');
+define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf');
+define('SQUID_BASE', '/var/squid/');
+define('SQUID_ACLDIR', '/var/squid/acl');
+define('SQUID_PASSWD', '/var/etc/squid.passwd');
+define('SQUID_LIB','/var/squid/lib');
+define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
+
+$valid_acls = array();
+
+$uname=posix_uname();
+if ($uname['machine']=='amd64')
+ ini_set('memory_limit', '250M');
+
+ function sq_text_area_decode($text){
+ return preg_replace('/\r\n/', "\n",base64_decode($text));
+}
+
+
+function squid_get_real_interface_address($iface) {
+ global $config;
+
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
+ list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
+
+ return array($ip, long2ip(hexdec($netmask)));
+}
+
+function squid_chown_recursive($dir, $user, $group) {
+ chown($dir, $user);
+ chgrp($dir, $group);
+ $handle = opendir($dir) ;
+ while (($item = readdir($handle)) !== false) {
+ if (($item != ".") && ($item != "..")) {
+ $path = "$dir/$item";
+ // Recurse unless it's the cache dir, that is slow and rarely necessary.
+ if (is_dir($path) && (basename($dir) != "cache"))
+ squid_chown_recursive($path, $user, $group);
+ elseif (is_file($path)) {
+ chown($path, $user);
+ chgrp($path, $group);
+ }
+ }
+ }
+}
+
+/* setup cache */
+function squid_dash_z() {
+ global $config;
+
+ //Do nothing if there is no cache config
+ if (!is_array($config['installedpackages']['squidcache']['config']))
+ return;
+
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+
+ // If the cache system is null, there is no need to initialize the (irrelevant) cache dir.
+ if ($settings['harddisk_cache_system'] == "null")
+ return;
+
+ $cachedir =($settings['harddisk_cache_location'] ?
$settings['harddisk_cache_location'] : '/var/squid/cache');
+
+ if(!is_dir($cachedir.'/')) {
+ log_error("Creating Squid cache dir $cachedir");
+ make_dirs($cachedir);
+ // Double check permissions here, should be safe to recurse cache dir if it's small here.
+ mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ }
+
+ if(!is_dir($cachedir.'/00/')) {
+ log_error("Creating squid cache subdirs in $cachedir");
+ mwexec(SQUID_LOCALBASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE);
+ sleep(5);
+ mwexec(SQUID_LOCALBASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE);
+ // Double check permissions here, should be safe to recurse cache dir if it's small here.
+ mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ mwexec(SQUID_LOCALBASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
+ }
+
+ if(file_exists("/var/squid/cache/swap.state")) {
+ chown("/var/squid/cache/swap.state", "proxy");
+ chgrp("/var/squid/cache/swap.state", "proxy");
+ exec("chmod a+rw /var/squid/cache/swap.state");
+ }
+
+}
+
+function squid_is_valid_acl($acl) {
+ global $valid_acls;
+ if(!is_array($valid_acls))
+ return;
+ return in_array($acl, $valid_acls);
+}
+
+function squid_install_command() {
+ global $config;
+ global $g;
+ update_status("Checking if there is configuration to migrate...
One moment please...");
+ /* migrate existing csv config fields */
+ if (is_array($config['installedpackages']['squidauth']['config']))
+ $settingsauth = $config['installedpackages']['squidauth']['config'][0];
+ if (is_array($config['installedpackages']['squidcache']['config']))
+ $settingscache = $config['installedpackages']['squidcache']['config'][0];
+ if (is_array($config['installedpackages']['squidnac']['config']))
+ $settingsnac = $config['installedpackages']['squidnac']['config'][0];
+ if (is_array($config['installedpackages']['squid']['config']))
+ $settingsgen = $config['installedpackages']['squid']['config'][0];
+
+ /* Set storage system */
+ if ($g['platform'] == "nanobsd") {
+ $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null';
+ }
+
+ /* migrate auth settings */
+ if (!empty($settingsauth['no_auth_hosts'])) {
+ if(strstr($settingsauth['no_auth_hosts'], ",")) {
+ $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
+ $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
+ }
+ }
+
+ /* migrate cache settings */
+ if (!empty($settingscache['donotcache'])) {
+ if(strstr($settingscache['donotcache'], ",")) {
+ $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
+ $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
+ }
+ }
+
+ /* migrate nac settings */
+ if(! empty($settingsnac['allowed_subnets'])) {
+ if(strstr($settingsnac['allowed_subnets'], ",")) {
+ $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
+ $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
+ }
+ }
+ if(!
empty($settingsnac['banned_hosts'])) {
+ if(strstr($settingsnac['banned_hosts'], ",")) {
+ $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
+ }
+ }
+
+ if(! empty($settingsnac['banned_macs'])) {
+ if(strstr($settingsnac['banned_macs'], ",")) {
+ $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
+ }
+ }
+
+ if(! empty($settingsnac['unrestricted_hosts'])) {
+ if(strstr($settingsnac['unrestricted_hosts'], ",")) {
+ $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
+ }
+ }
+
+ if(! empty($settingsnac['unrestricted_macs'])) {
+ if(strstr($settingsnac['unrestricted_macs'], ",")) {
+ $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
+ }
+ }
+
+ if(! empty($settingsnac['whitelist'])) {
+ if(strstr($settingsnac['whitelist'], ",")) {
+ $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
+ $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
+ }
+ }
+
+ if(! empty($settingsnac['blacklist'])) {
+ if(strstr($settingsnac['blacklist'], ",")) {
+ $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
+ $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
+ }
+ }
+
+ if(!
empty($settingsnac['block_user_agent'])) {
+ if(strstr($settingsnac['block_user_agent'], ",")) {
+ $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent'];
+ }
+ }
+
+ if(! empty($settingsnac['block_reply_mime_type'])) {
+ if(strstr($settingsnac['block_reply_mime_type'], ",")) {
+ $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
+ }
+ }
+
+ /*Migrate reverse settings*/
+ if (is_array($config['installedpackages']['squidreverse'])){
+ $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0];
+
+ //Settings
+ if (!is_array($config['installedpackages']['squidreversegeneral'])){
+ $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings;
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
+ }
+
+ //PEERS
+ if (!is_array($config['installedpackages']['squidreversepeer'])){
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers)
+ foreach (explode(";",$cache_peers) as $cache_peer)
+ $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated',
+ 'enable'=> 'on',
+ 'name'=> $cache_peer[0],
+ 'port'=> $cache_peer[1],
+ 'protocol' => $cache_peer[2]);
+ }
+
+ //MAPPINGS
+ if (!is_array($config['installedpackages']['squidreverseuri'])){
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){
+ foreach (explode(";",$acls) as
$acl)
+ array_push(${'peer_'.$acl[0]},$acl[1]);
+ }
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris)
+ foreach (explode(";",$uris) as $uri){
+ $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):"");
+ $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated',
+ 'enable'=> 'on',
+ 'name'=> $uri[0],
+ 'uri'=> $uri[1],
+ 'vhost' => $uri[2],
+ 'peers'=>$peer_list);
+ }
+ }
+ }
+
+ update_status("Writing configuration... One moment please...");
+
+ write_config();
+
+ /* create cache */
+ update_status("Creating squid cache pools... One moment please...");
+ squid_dash_z();
+ /* make sure pinger is executable */
+ if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
+ exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger");
+ if(file_exists("/usr/local/etc/rc.d/squid"))
+ exec("/bin/rm /usr/local/etc/rc.d/squid");
+ squid_write_rcfile();
+ if(file_exists("/usr/local/pkg/swapstate_check.php"))
+ exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php");
+ write_rcfile(array(
+ "file" => "sqp_monitor.sh",
+ "start" => "/usr/local/pkg/sqpmon.sh &",
+ "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"));
+
+ foreach (array( SQUID_CONFBASE,
+ SQUID_ACLDIR,
+ SQUID_BASE,
+ SQUID_LIB,
+ SQUID_SSL_DB ) as $dir) {
+ make_dirs($dir);
+ squid_chown_recursive($dir, 'proxy', 'proxy');
+ }
+
+ /* kill any running proxy alarm scripts */
+ update_status("Checking for running processes... One moment please...");
+ log_error("Stopping any running proxy monitors");
+ mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
+ sleep(1);
+
+ if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default'))
+ copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf');
+
+ update_status("Checking cache...
One moment please...");
+ squid_dash_z();
+
+ if (!is_service_running('squid')) {
+ update_status("Starting... One moment please...");
+ log_error("Starting Squid");
+ mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -f " . SQUID_CONFFILE);
+ } else {
+ update_status("Reloading Squid for configuration sync... One moment please...");
+ log_error("Reloading Squid for configuration sync");
+ mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
+ }
+
+ /* restart proxy alarm scripts */
+ log_error("Starting a proxy monitor script");
+ mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start");
+
+ update_status("Reconfiguring filter... One moment please...");
+ filter_configure();
+}
+
+function squid_deinstall_command() {
+ global $config, $g;
+ $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
+ squid_install_cron(false);
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
+ update_status("Removing swap.state ...
One moment please...");
+ update_output_window("$plswait_txt");
+ mwexec('rm -rf $cachedir/swap.state');
+ mwexec('rm -rf $logdir');
+ update_status("Finishing package cleanup.");
+ mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
+ mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh');
+ mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ update_status("Reloading filter...");
+ filter_configure();
+}
+
+function squid_before_form_general($pkg) {
+ $values = get_dir(SQUID_CONFBASE . '/errors/');
+ // Get rid of '..' and '.' and ...
+ array_shift($values);
+ array_shift($values);
+ array_shift($values);
+ array_shift($values);
+
+ $name = array();
+ foreach ($values as $value)
+ $names[] = implode(" ", explode("_", $value));
+
+ $i = 0;
+ foreach ($pkg['fields']['field'] as $field) {
+ if ($field['fieldname'] == 'error_language')
+ break;
+ $i++;
+ }
+ $field = &$pkg['fields']['field'][$i];
+
+ for ($i = 0; $i < count($values) - 1; $i++)
+ $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
+}
+
+function squid_validate_general($post, $input_errors) {
+ global $config;
+ if (is_array($config['installedpackages']['squid']))
+ $settings = $config['installedpackages']['squid']['config'][0];
+ else
+ $settings = array();
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $port = $post['proxy_port'] ?
$post['proxy_port'] : $port;
+
+ $icp_port = trim($post['icp_port']);
+ if (!empty($icp_port) && !is_port($icp_port))
+ $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
+
+ if (substr($post['log_dir'], -1, 1) == '/')
+ $input_errors[] = 'You may not end log location with an / mark';
+
+ if ($post['log_dir']{0} != '/')
+ $input_errors[] = 'You must start log location with a / mark';
+ if (strlen($post['log_dir']) <= 3)
+ $input_errors[] = "That is not a valid log location dir";
+
+ $log_rotate = trim($post['log_rotate']);
+ if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1)))
+
+ $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field';
+
+ $webgui_port = $config['system']['webgui']['port'];
+ if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
+ $webgui_port = 80;
+ }
+ if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
+ $webgui_port = 443;
+ }
+
+ if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
+ $input_errors[] = "You can not run squid on the same port as the webgui";
+ }
+
+ if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) {
+ $input_errors[] = "SSL interception cannot be enabled without a CA.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
+ }
+ }
+ foreach (array('defined_ip_proxy_off_dest') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or
alias";
+ }
+ }
+
+ if(!empty($post['dns_nameservers'])) {
+ $altdns = explode(";", ($post['dns_nameservers']));
+ foreach ($altdns as $dnssrv) {
+ if (!is_ipaddr($dnssrv))
+ $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
+ break;
+ }}
+}
+
+function squid_validate_upstream($post, $input_errors) {
+ if ($post['enabled'] == 'on') {
+ $addr = trim($post['proxyaddr']);
+ if (empty($addr))
+ $input_errors[] = 'The field \'Hostname\' is required';
+ else {
+ if (!is_ipaddr($addr) && !is_domain($addr))
+ $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
+ }
+
+ foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
+ $port = trim($post[$field]);
+ if (empty($port))
+ $input_errors[] = "The field '$name' is required";
+ else {
+ if (!is_port($port))
+ $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
+ }
+ }
+ }
+}
+
+function squid_validate_cache($post, $input_errors) {
+ $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
+ 'memory_cache_size' => 'Memory cache size',
+ 'maximum_object_size' => 'Maximum object size',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = "You must enter a valid value for '$field'";
+ }
+
+ $value = trim($post['minimum_object_size']);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
+
+ if (!empty($post['cache_swap_low'])) {
+ $value = trim($post['cache_swap_low']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
+ }
+
+ if (!empty($post['cache_swap_high'])) {
+ $value = trim($post['cache_swap_high']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for
\'High-water-mark\'';
+ }
+
+ if ($post['donotcache'] != "") {
+ foreach (split("\n", $post['donotcache']) as $host) {
+ $host = trim($host);
+ if (!is_ipaddr($host) && !is_domain($host))
+ $input_errors[] = "The host '$host' is not a valid IP or host name";
+ }
+ }
+
+ squid_dash_z();
+
+}
+
+function squid_validate_nac($post, $input_errors) {
+ $allowed_subnets = explode("\n", $post['allowed_subnets']);
+ foreach ($allowed_subnets as $subnet) {
+ $subnet = trim($subnet);
+ if (!empty($subnet) && !is_subnet($subnet))
+ $input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
+ }
+
+ foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
+
+ if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){
+ for ($x=0;$x < count($matches[1]);$x++){
+ if ($matches[2][$x] == ""){
+ if (!is_ipaddr($matches[1][$x]))
+ $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address";
+ }
+ else{
+ if (!is_subnet($matches[0][$x]))
+ $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range";
+ }
+ }
+ }
+ }
+
+ foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
+ foreach (explode("\n", $post[$macs]) as $mac) {
+ $mac = trim($mac);
+ if (!empty($mac) && !is_macaddr($mac))
+ $input_errors[] = "The mac '$mac' is not a valid MAC address";
+ }
+ }
+
+ foreach (explode(",", $post['timelist']) as $time) {
+ $time = trim($time);
+ if (!empty($time) && !squid_is_timerange($time))
+ $input_errors[] = "The time range '$time' is not a valid time range";
+ }
+
+ if(!empty($post['ext_cachemanager'])) {
+ $extmgr = explode(";", ($post['ext_cachemanager']));
+ foreach ($extmgr as $mgr) {
+ if (!is_ipaddr($mgr))
+ $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
+ }}
+}
+
+function squid_validate_traffic($post, $input_errors) {
+ $num_fields = array( 'max_download_size' => 'Maximum download size',
+ 'max_upload_size' => 'Maximum upload size',
+ 'perhost_throttling' => 'Per-host
bandwidth throttling',
+ 'overall_throttling' => 'Overall bandwidth throttling',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = "The field '$name' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_min'])) {
+ $value = trim($post['quick_abort_min']);
+ if (!is_numeric($value))
+ $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_max'])) {
+ $value = trim($post['quick_abort_max']);
+ if (!is_numeric($value))
+ $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_pct'])) {
+ $value = trim($post['quick_abort_pct']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
+ }
+}
+
+function squid_validate_reverse($post, $input_errors) {
+
+ if(!empty($post['reverse_ip'])) {
+ $reverse_ip = explode(";", ($post['reverse_ip']));
+ foreach ($reverse_ip as $reip) {
+ if (!is_ipaddr($reip))
+ $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field';
+ break;
+ }}
+
+ $fqdn = trim($post['reverse_external_fqdn']);
+ if (!empty($fqdn) && !is_domain($fqdn))
+ $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name';
+
+ $port = trim($post['reverse_http_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
+
+ $port = trim($post['reverse_https_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
+
+ if ($post['reverse_ssl_cert'] == 'none')
+ $input_errors[] = 'A valid certificate for the external interface must be selected';
+
+ if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
+
$input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
+ }
+
+/*
+ if (!is_cert($post['reverse_int_ca']))
+ $input_errors[] = 'A valid certificate for the external interface must be selected';
+*/
+
+ $rowa = trim($post['reverse_owa_ip']);
+ if (!empty($rowa) && !is_ipaddr($rowa))
+ $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address';
+
+
+ $contents = $post['reverse_cache_peer'];
+ if(!empty($contents)) {
+ $defs = explode("\r\n", ($contents));
+ foreach ($defs as $def) {
+ $cfg = explode(";",($def));
+ if (!is_ipaddr($cfg[1]))
+ $input_errors[] = "please choose a valid IP in the cache peer configuration.";
+ if (!is_port($cfg[2]))
+ $input_errors[] = "please choose a valid port in the cache peer configuration.";
+ if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
+ $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
+ }}
+
+
+}
+
+function squid_validate_auth($post, $input_errors) {
+ $num_fields = array( array('auth_processes', 'Authentication processes', 1),
+ array('auth_ttl', 'Authentication TTL', 0),
+ );
+ foreach ($num_fields as $field) {
+ $value = trim($post[$field[0]]);
+ if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
+ $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
+ }
+
+ $auth_method = $post['auth_method'];
+ if (($auth_method != 'none') && ($auth_method != 'local')) {
+ $server = trim($post['auth_server']);
+ if (empty($server))
+ $input_errors[] = 'The field \'Authentication server\' is required';
+ else if (!is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
+
+ $port = trim($post['auth_server_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
+
+ switch ($auth_method) {
+ case 'ldap':
+ $user 
= trim($post['ldap_user']);
+ if (empty($user))
+ $input_errors[] = 'The field \'LDAP server user DN\' is required';
+ else if (!$user)
+ $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
+ break;
+ case 'radius':
+ $secret = trim($post['radius_secret']);
+ if (empty($secret))
+ $input_errors[] = 'The field \'RADIUS secret\' is required';
+ break;
+ case 'msnt':
+ foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
+ if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = "The host '$server' is not a valid IP address or domain name";
+ }
+ break;
+ }
+
+ $no_auth = explode("\n", $post['no_auth_hosts']);
+ foreach ($no_auth as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_subnet($host))
+ $input_errors[] = "The host '$host' is not a valid CIDR range";
+ }
+ }
+}
+
+function squid_install_cron($should_install) {
+ global $config, $g;
+ if($g['booting']==true)
+ return;
+ $rotate_is_installed = false;
+ $swapstate_is_installed = false;
+
+ if(!$config['cron']['item'])
+ return;
+
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+
+ $x=0;
+ $rotate_job_id=-1;
+ $swapstate_job_id=-1;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['task_name'], "squid_rotate_logs")) {
+ $rotate_job_id = $x;
+ } elseif(strstr($item['task_name'], "squid_check_swapstate")) {
+ $swapstate_job_id = $x;
+ }
+ $x++;
+ }
+ $need_write = false;
+ switch($should_install) {
+ case true:
+ $cachedir =($settings['harddisk_cache_location'] ? 
$settings['harddisk_cache_location'] : '/var/squid/cache');
+ if($rotate_job_id < 0) {
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_rotate_logs";
+ $cron_item['minute'] = "0";
+ $cron_item['hour'] = "0";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/bin/rm {$cachedir}/swap.state; ". SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if($swapstate_job_id < 0) {
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_check_swapstate";
+ $cron_item['minute'] = "*/15";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/local/pkg/swapstate_check.php";
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Adding Squid Cron Jobs");
+ }
+ break;
+ case false:
+ if($rotate_job_id >= 0) {
+ unset($config['cron']['item'][$rotate_job_id]);
+ $need_write = true;
+ }
+ if($swapstate_job_id >= 0) {
+ unset($config['cron']['item'][$swapstate_job_id]);
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Removing Squid Cron Jobs");
+ }
+ break;
+ }
+ configure_cron();
+}
+
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. 
'/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
+function squid_resync_general() {
+ global $g, $config, $valid_acls;
+
+ if (is_array($config['installedpackages']['squid']))
+ $settings = $config['installedpackages']['squid']['config'][0];
+ else
+ $settings=array();
+ $conf = "# This file is automatically generated by pfSense\n";
+ $conf .= "# Do not edit manually !\n\n";
+ #Check ssl interception
+ if (($settings['ssl_proxy'] == 'on')) {
+ squid_check_ca_hashes();
+ $srv_cert = lookup_ca($settings["dca"]);
+ if ($srv_cert != false) {
+ if(base64_decode($srv_cert['prv'])) {
+ #check if ssl_db was initilized by squid
+ if (! 
file_exists("/var/squid/lib/ssl_db/serial")){
+ if (is_dir("/var/squid/lib/ssl_db")){
+ mwexec("/bin/rm -rf /var/squid/lib/ssl_db");
+ }
+ mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/");
+ }
+ #force squid user permission on /var/squid/lib/ssl_db/
+ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
+ $crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
+ file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
+ if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
+ $interception_checks.="sslproxy_cert_error allow all\n";
+ if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
+ $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
+ }
+ }
+ }
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $ssl_port = ($settings['ssl_proxy_port'] ? 
$settings['ssl_proxy_port'] : 3127);
+
+#Read assigned interfaces
+ $real_ifaces = array();
+
+ if($settings['active_interface'])
+ $proxy_ifaces = explode(",", $settings['active_interface']);
+ else
+ $proxy_ifaces=array("lan");
+
+ if ($settings['transparent_proxy']=="on"){
+ $transparent_ifaces = explode(",", $settings['transparent_active_interface']);
+ foreach ($transparent_ifaces as $t_iface){
+ $t_iface_ip = squid_get_real_interface_address($t_iface);
+ if($t_iface_ip[0])
+ $real_ifaces[]=$t_iface_ip;
+ }
+ }
+ else{
+ $transparent_ifaces=array();
+ }
+
+ if ($settings['ssl_proxy']=="on"){
+ $ssl_ifaces = explode(",", $settings['ssl_active_interface']);
+ foreach ($ssl_ifaces as $s_iface){
+ $s_iface_ip = squid_get_real_interface_address($s_iface);
+ if($s_iface_ip[0])
+ $real_ifaces[]=$s_iface_ip;
+ }
+ }
+ else{
+ $ssl_ifaces=array();
+ }
+
+ #check all proxy interfaces selected
+ foreach ($proxy_ifaces as $iface) {
+ $iface_ip = squid_get_real_interface_address($iface);
+ if($iface_ip[0]) {
+ $real_ifaces[]=$iface_ip;
+ if (in_array($iface,$ssl_ifaces))
+ $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
+ else
+ $conf .= "http_port {$iface_ip[0]}:{$port}\n";
+ }
+ }
+
+ if (($settings['transparent_proxy'] == 'on')) {
+ if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){
+ $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n";
+ $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n";
+ }
+ else{
+ $conf .= "http_port 127.0.0.1:{$port} intercept\n";
+ }
+ }
+ $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 7);
+ $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
+ $pidfile = "{$g['varrun_path']}/squid.pid";
+ $language = ($settings['error_language'] ? $settings['error_language'] : 'en');
+ $icondir = SQUID_CONFBASE . '/icons';
+ $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
+ $email = ($settings['admin_email'] ? 
$settings['admin_email'] : 'admin@localhost');
+
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
+ if (! is_dir($logdir)){
+ make_dirs($logdir);
+ squid_chown_recursive($logdir, 'proxy', 'proxy');
+ }
+ $logdir_cache = $logdir . '/cache.log';
+ $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
+
+ $conf .= <<< EOD
+icp_port {$icp_port}
+dns_v4_first {$dns_v4_first}
+pid_filename {$pidfile}
+cache_effective_user proxy
+cache_effective_group proxy
+error_default_language {$language}
+icon_directory {$icondir}
+visible_hostname {$hostname}
+cache_mgr {$email}
+access_log {$logdir_access}
+cache_log {$logdir_cache}
+cache_store_log none
+{$interception_checks}
+
+EOD;
+
+// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
+// Rotating also ensures that swap.state is rewritten, so is useful even if the logs
+// are not being rotated.
+$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
+$conf .= "logfile_rotate {$rotate}\n";
+squid_install_cron(true);
+
+ $conf .= <<< EOD
+shutdown_lifetime 3 seconds
+
+EOD;
+
+ if ($settings['allow_interface'] == 'on') {
+ $src = '';
+ foreach ($real_ifaces as $iface) {
+ list($ip, $mask) = $iface;
+ $ip = long2ip(ip2long($ip) & ip2long($mask));
+ $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ if (!preg_match("@$ip/$mask@",$src))
+ $src .= " $ip/$mask";
+ }
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "acl localnet src $src\n";
+ $valid_acls[] = 'localnet';
+ }
+ if ($settings['disable_xforward']) $conf .= "forwarded_for off\n";
+ if ($settings['disable_via']) $conf .= "via off\n";
+ if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n";
+ if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
+ else $conf .= "uri_whitespace strip\n"; //only used for first run
+
+ 
if(!empty($settings['dns_nameservers'])) {
+ $altdns = explode(";", ($settings['dns_nameservers']));
+ $conf .= "dns_nameservers ";
+ foreach ($altdns as $dnssrv) {
+ $conf .= $dnssrv." ";
+ }
+// $conf .= "\n"; //Kill blank line after DNS-Servers
+ }
+
+ return $conf;
+}
+
+
+function squid_resync_cache() {
+ global $config, $g;
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+ //apply cache settings
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
+ $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
+ $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
+ $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB");
+ $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
+ $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32);
+ $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
+ $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF');
+ $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
+ $conf = '';
+ if (!isset($settings['harddisk_cache_system'])) {
+ if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config']))
+ $disk_cache_system = 'null';
+ else
+ $disk_cache_system = 'ufs';
+ }
+ else{
+ $disk_cache_system = $settings['harddisk_cache_system'];
+ }
+ #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
+ if ($disk_cache_system != "null") {
+ $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
+ }
+//check dynamic content
+if(empty($settings['cache_dynamic_content'])){
+ $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
+ $conf.="cache deny dynamic\n";
+}
+else{
+ if(preg_match('/youtube/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
+refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
+
+# Let the clients favorite video site through with full caching
+acl youtube dstdomain .youtube.com
+cache allow youtube
+
+EOC;
+ }
+ if(preg_match('/windows/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Windows Update refresh_pattern
+range_offset_limit -1
+refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+
+EOC;
+ }
+
+if(preg_match('/symantec/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Symantec refresh_pattern
+range_offset_limit -1
+refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
+refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+if(preg_match('/avast/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Avast refresh_pattern
+range_offset_limit -1
+refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+if(preg_match('/avira/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Avira refresh_pattern
+range_offset_limit -1
+refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+ $refresh_conf=<<< EOC
+
+# Add any of your own refresh_pattern entries above these.
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+EOC;
+}
+
+ If ($settings['custom_refresh_patterns'] !="")
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
+
+ $conf .= <<< EOD
+
+cache_mem $memory_cache_size MB
+maximum_object_size_in_memory {$max_objsize_in_mem} KB
+memory_replacement_policy {$memory_policy}
+cache_replacement_policy {$cache_policy}
+$disk_cache_opts
+minimum_object_size {$min_objsize} KB
+maximum_object_size {$max_objsize}
+offline_mode {$offline_mode}
+
+EOD;
+
+ if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
+ if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
+
+ $donotcache = sq_text_area_decode($settings['donotcache']);
+ if (!empty($donotcache)) {
+ file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
+ $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
+ $conf .= "cache deny donotcache\n";
+ }
+ elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
+ unlink(SQUID_ACLDIR . 
'/donotcache.acl');
+ }
+ $conf .= "cache allow all\n";
+ return $conf.$refresh_conf;
+}
+
+function squid_resync_upstream() {
+ global $config;
+ $conf = "\n#Remote proxies\n";
+ if (is_array($config['installedpackages']['squidremote']['config']))
+ foreach ($config['installedpackages']['squidremote']['config'] as $settings){
+ if ($settings['enable'] == 'on') {
+ $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
+ if ($settings['icpport'] == '7')
+ $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
+ else
+ $conf .= "{$settings['icpport']} ";
+ #auth settings
+ if (!empty($settings['username']) && !empty($settings['password'])){
+ $conf .= " login={$settings['username']}:{$settings['password']}";
+ }
+ else{
+ $conf .= "{$settings['authoption']} ";
+ }
+ #other options settings
+ if (!empty($settings['weight']))
+ $conf .= "weight={$settings['weight']} ";
+ if (!empty($settings['basetime']))
+ $conf .= "basetime={$settings['basetime']} ";
+ if (!empty($settings['ttl']))
+ $conf .= "ttl={$settings['ttl']} ";
+ if (!empty($settings['nodelay']))
+ $conf .= "no-delay";
+ }
+ $conf .= "\n";
+ }
+ return $conf;
+}
+
+function squid_resync_redirector() {
+ global $config;
+
+ $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
+ if ($httpav_enabled) {
+ $conf = "url_rewrite_program /usr/local/bin/squirm\n";
+ } else {
+ $conf = "# No redirector configured\n";
+ }
+ return $conf;
+}
+
+function squid_resync_nac() {
+ global $config, $valid_acls;
+
+ $port = ($settings['proxy_port'] ? 
$settings['proxy_port'] : 3128);
+ if (is_array($config['installedpackages']['squidnac']))
+ $settings = $config['installedpackages']['squidnac']['config'][0];
+ else
+ $settings = array();
+ $webgui_port = $config['system']['webgui']['port'];
+ $addtl_ports = $settings['addtl_ports'];
+ $addtl_sslports = $settings['addtl_sslports'];
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
+ $conf = <<< EOD
+
+# Setup some default acls
+# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
+# acl localhost src 127.0.0.1/32
+acl allsrc src all
+acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports
+acl sslports port 443 563 $webgui_port $addtl_sslports
+
+# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
+#acl manager proto cache_object
+
+acl purge method PURGE
+acl connect method CONNECT
+
+# Define protocols used for redirects
+acl HTTP proto HTTP
+acl HTTPS proto HTTPS
+
+EOD;
+
+ $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
+ #$allowed = "";
+ #foreach ($allowed_subnets as $subnet) {
+ # if(!empty($subnet)) {
+ # $subnet = trim($subnet);
+ # $allowed .= "$subnet ";
+ # }
+ #}
+ if (!empty($allowed_subnets)) {
+ $conf .= "acl allowed_subnets src $allowed_subnets\n";
+ $valid_acls[] = 'allowed_subnets';
+ }
+
+ $options = array( 'unrestricted_hosts' => 'src',
+ 'banned_hosts' => 'src',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
+ 'block_user_agent' => 'browser -i',
+ 'block_reply_mime_type' => 'rep_mime_type -i',
+ );
+ foreach ($options as $option => $directive) {
+ $contents = sq_text_area_decode($settings[$option]);
+ if (!empty($contents)) {
+ file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
+ $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
+ $valid_acls[] = $option;
+ }
+ elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
+ unlink(SQUID_ACLDIR . 
"/$option.acl");
+ }
+ }
+
+ $conf .= <<< EOD
+http_access allow manager localhost
+
+EOD;
+
+ if (is_array($config['installedpackages']['squidcache'])){
+ $settings_ch = $config['installedpackages']['squidcache']['config'][0];
+ if(!empty($settings_ch['ext_cachemanager'])) {
+ $extmgr = explode(";", ($settings_ch['ext_cachemanager']));
+ $conf .= "\n# Allow external cache managers\n";
+ foreach ($extmgr as $mgr) {
+ $conf .= "acl ext_manager src {$mgr}\n";
+ }
+ $conf .= "http_access allow manager ext_manager\n";
+ }
+ }
+
+ $conf .= <<< EOD
+
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !safeports
+http_access deny CONNECT !sslports
+
+# Always allow localhost connections
+# From 3.2 further configuration cleanups have been done to make things easier and safer.
+# The manager, localhost, and to_localhost ACL definitions are now built-in.
+# http_access allow localhost
+
+EOD;
+
+ return $conf;
+}
+
+function squid_resync_antivirus(){
+ global $config;
+
+ if (is_array($config['installedpackages']['squidantivirus']))
+ $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
+ else
+ $antivirus_config = array();
+
+ if ($antivirus_config['enable']=="on"){
+ switch ($antivirus_config['client_info']){
+ case "both":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="on";
+ break;
+ case "IP":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="off";
+ break;
+ case "username":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="on";
+ break;
+ case "none":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="off";
+ break;
+ }
+ if (is_array($config['installedpackages']['squid']))
+ $squid_config=$config['installedpackages']['squid']['config'][0];
+ $clwarn="clwarn.cgi.en_EN";
+ if (preg_match("/de/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.de_DE";
+ if (preg_match("/ru/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.ru_RU";
+ if 
(preg_match("/fr/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.fr_FR";
+ if (preg_match("/pt_br/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.pt_BR";
+ copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
+
+ $conf = <<< EOF
+icap_enable on
+icap_send_client_ip {$icap_send_client_ip}
+icap_send_client_username {$icap_send_client_username}
+icap_client_username_encode off
+icap_client_username_header X-Authenticated-User
+icap_preview_enable on
+icap_preview_size 1024
+
+icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
+icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
+
+adaptation_access service_req allow all
+adaptation_access service_resp allow all
+
+EOF;
+ #check if icap is enabled on rc.conf.local
+ if (file_exists("/etc/rc.conf.local")){
+ $rc_old_file=file("/etc/rc.conf.local");
+ foreach ($rc_old_file as $rc_line){
+ if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){
+ $rc_file.=$matches[1].'="YES"'."\n";
+ ${$matches[1]}="ok";
+ }
+ else
+ $rc_file.=$rc_line;
+ }
+ }
+ if (!isset($c_icap_enable))
+ $rc_file.='c_icap_enable="YES"'."\n";
+ if (!isset($clamav_clamd_enable))
+ $rc_file.='clamav_clamd_enable="YES"'."\n";
+ file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
+
+ #patch sample files to pfsense dirs
+ #squidclamav.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))
+ if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){
+ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default");
+ $clamav_m[0]="@/var/run/clamav/clamd.ctl@";
+ $clamav_r[0]="/var/run/clamav/clamd.sock";
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX);
+ }
+ #c-icap.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))
+ if 
(file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){
+ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default");
+ if (! preg_match ("/squidclamav/"))
+ $sample_file.="\nService squidclamav squidclamav.so\n";
+
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",$sample_file,LOCK_EX);
+ }
+ $loadsample=0;
+ if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){
+ $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"));
+ $loadsample++;
+ }
+ if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"));
+ $loadsample++;
+ }
+ if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")){
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default"));
+ $loadsample++;
+ }
+ if($loadsample > 0){
+ write_config();
+ $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
+ }
+ #check dirs
+ $dirs=array("/var/run/c-icap" => "clamav",
+ "/var/log/c-icap" => "clamav",
+ "/var/log/clamav" => "clamav",
+ "/var/run/clamav" => "clamav",
+ "/var/db/clamav" => "clamav");
+ foreach ($dirs as $dir_path => $dir_user){
+ if (!is_dir($dir_path))
+ make_dirs($dir_path);
+ squid_chown_recursive($dir_path, $dir_user, $dir_user);
+ }
+
+ #check startup scripts on pfsense > 2.1
+ if (preg_match("/usr.pbi/",SQUID_LOCALBASE)){
+ $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
+ foreach($rcd_files as $rcd_file)
+ if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}"))
+ symlink 
(SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}");
+ }
+
+ #write advanced icap config files
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX);
+
+ #check antivirus daemons
+ #check icap
+ if (is_process_running("c-icap")){
+ mwexec('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
+ }
+ else{
+ #check c-icap user on startup file
+ $c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
+ if (file_exists($c_icap_rcfile)){
+ $sample_file=file_get_contents($c_icap_rcfile);
+ $cicapm[0]="@c_icap_user=.*}@";
+ $cicapr[0]='c_icap_user="clamav"}';
+ file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
+ }
+ mwexec("/usr/local/etc/rc.d/c-icap start");
+ }
+ #check clamav
+ if (is_process_running("clamd"))
+ mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
+ else
+ mwexec("/usr/local/etc/rc.d/clamav-clamd start");
+ }
+return $conf;
+}
+
+function squid_resync_traffic() {
+ global $config, $valid_acls;
+
+ if(!is_array($valid_acls))
+ return;
+ if (is_array($config['installedpackages']['squidtraffic']))
+ $settings = $config['installedpackages']['squidtraffic']['config'][0];
+ else
+ $settings = array();
+
+ $conf = '';
+ if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0")
+ $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n";
+ if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0")
+ $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n";
+ if (!empty($settings['quick_abort_pct']))
+ $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n";
+
+ $up_limit = ($settings['max_upload_size'] ? 
$settings['max_upload_size'] : 0);
+ $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0);
+ $conf .= "request_body_max_size $up_limit KB\n";
+ if ($down_limit != 0)
+ $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n";
+
+
+ // Only apply throttling past 10MB
+ // XXX: Should this really be hardcoded?
+ $threshold = 10 * 1024 * 1024;
+ $overall = $settings['overall_throttling'];
+ if (!isset($overall) || ($overall == 0))
+ $overall = -1;
+ else
+ $overall *= 1024;
+ $perhost = $settings['perhost_throttling'];
+ if (!isset($perhost) || ($perhost == 0))
+ $perhost = -1;
+ else
+ $perhost *= 1024;
+ $conf .= <<< EOD
+delay_pools 1
+delay_class 1 2
+delay_parameters 1 $overall/$overall $perhost/$perhost
+delay_initial_bucket_level 100
+
+EOD;
+
+ if(! empty($settings['unrestricted_hosts'])) {
+ foreach (array('unrestricted_hosts') as $item) {
+ if (in_array($item, $valid_acls))
+ $conf .= "# Do not throttle unrestricted hosts\n";
+ $conf .= "delay_access 1 deny $item\n";
+ }
+ }
+
+ if ($settings['throttle_specific'] == 'on') {
+ $exts = array();
+ $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com';
+ $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
+ $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m';
+ foreach (array( 'throttle_binaries' => $binaries,
+ 'throttle_cdimages' => $cdimages,
+ 'throttle_multimedia' => $multimedia) as $field => $set) {
+ if ($settings[$field] == 'on')
+ $exts = array_merge($exts, explode(",", $set));
+ }
+
+ foreach (explode(",", $settings['throttle_others']) as $ext) {
+ if (!empty($ext)) $exts[] = $ext;
+ }
+
+ $contents = '';
+ foreach ($exts as $ext)
+ $contents .= "\.$ext\$\n";
+ file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
+
+ $conf .= "# Throttle extensions matched in the url\n";
+ $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . 
"/throttle_exts.acl\"\n";
+ $conf .= "delay_access 1 allow throttle_exts\n";
+ $conf .= "delay_access 1 deny allsrc\n";
+ }
+ else
+ $conf .= "delay_access 1 allow allsrc\n";
+
+ return $conf;
+}
+
+function squid_get_server_certs() {
+ global $config;
+ $cert_arr = array();
+ $cert_arr[] = array('refid' => 'none', 'descr' => 'none');
+ foreach ($config['cert'] as $cert) {
+ $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
+ }
+ return $cert_arr;
+}
+
+#squid reverse
+include('/usr/local/pkg/squid_reverse.inc');
+
+function squid_resync_auth() {
+ global $config, $valid_acls;
+
+ if (is_array($config['installedpackages']['squidauth']['config']))
+ $settings = $config['installedpackages']['squidauth']['config'][0];
+ else
+ $settings = array();
+
+ if (is_array($config['installedpackages']['squidnac']['config']))
+ $settingsnac = $config['installedpackages']['squidnac']['config'][0];
+ else
+ $settingsnac = array();
+
+ if (is_array($config['installedpackages']['squid']['config']))
+ $settingsconfig = $config['installedpackages']['squid']['config'][0];
+ else
+ $settingsconfig = array();
+
+ $conf = '';
+
+ // SSL interception acl options part 1
+ if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){
+ $conf .= "always_direct allow whitelist\n";
+ $conf .= "ssl_bump none whitelist\n";
+ }
+
+ // Package integration
+ if(!empty($settingsconfig['custom_options'])){
+ $co_preg[0]='/;/';
+ $co_rep[0]="\n";
+ $co_preg[1]="/redirect_program/";
+ $co_rep[1]="url_rewrite_program";
+ $co_preg[2]="/redirector_bypass/";
+ $co_rep[2]="url_rewrite_bypass";
+ $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
+ }
+
+ // Custom User Options
+ $conf .= "# Custom options\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
+
+ // Deny the banned guys before allowing the good guys
+ if(! 
empty($settingsnac['banned_hosts'])) {
+ if (squid_is_valid_acl('banned_hosts')) {
+ $conf .= "# These hosts are banned\n";
+ $conf .= "http_access deny banned_hosts\n";
+ }
+ }
+ if(! empty($settingsnac['banned_macs'])) {
+ if (squid_is_valid_acl('banned_macs')) {
+ $conf .= "# These macs are banned\n";
+ $conf .= "http_access deny banned_macs\n";
+ }
+ }
+
+ // Unrestricted hosts take precedence over blacklist
+ if(! empty($settingsnac['unrestricted_hosts'])) {
+ if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") {
+ $conf .= "# These hosts do not have any restrictions\n";
+ $conf .= "http_access allow unrestricted_hosts\n";
+ }
+ }
+ if(! empty($settingsnac['unrestricted_macs'])) {
+ if (squid_is_valid_acl('unrestricted_macs')) {
+ $conf .= "# These hosts do not have any restrictions\n";
+ $conf .= "http_access allow unrestricted_macs\n";
+ }
+ }
+
+ // Whitelist and blacklist also take precedence over other allow rules
+ if(! empty($settingsnac['whitelist'])) {
+ if (squid_is_valid_acl('whitelist')) {
+ $conf .= "# Always allow access to whitelist domains\n";
+ $conf .= "http_access allow whitelist\n";
+ }
+ }
+ if(! empty($settingsnac['blacklist'])) {
+ if (squid_is_valid_acl('blacklist')) {
+ $conf .= "# Block access to blacklist domains\n";
+ $conf .= "http_access deny blacklist\n";
+ }
+ }
+ if(! empty($settingsnac['block_user_agent'])) {
+ if (squid_is_valid_acl('block_user_agent')) {
+ $conf .= "# Block access with user agents and browsers\n";
+ $conf .= "http_access deny block_user_agent\n";
+ }
+ }
+ if(! 
empty($settingsnac['block_reply_mime_type'])) {
+ if (squid_is_valid_acl('block_reply_mime_type')) {
+ $conf .= "# Block access with mime type in the reply\n";
+ $conf .= "http_reply_access deny block_reply_mime_type\n";
+ }
+ }
+
+ // SSL interception acl options part 2
+ if ($settingsconfig['ssl_proxy'] == "on"){
+ $conf .= "always_direct allow all\n";
+ $conf .= "ssl_bump server-first all\n";
+ }
+
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n";
+
+ $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
+ $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
+ // Allow the remaining ACLs if no authentication is set
+ if ($auth_method == 'none') {
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .="http_access deny sglog\n";
+
+ $conf .="# Setup allowed acls\n";
+ $allowed = array('allowed_subnets');
+ if ($settingsconfig['allow_interface'] == 'on') {
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $allowed[] = "localnet";
+ }
+ $allowed = array_filter($allowed, 'squid_is_valid_acl');
+ foreach ($allowed as $acl)
+ $conf .= "http_access allow $acl\n";
+ }
+ else {
+ $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
+ if (!empty($noauth)) {
+ $conf .= "acl noauth src $noauth\n";
+ $valid_acls[] = 'noauth';
+ }
+
+ // Set up the external authentication programs
+ $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60);
+ $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
+ $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
+ switch ($auth_method) {
+ case 'local':
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . 
"\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; + } + $conf .= <<< EOD +auth_param basic children $processes +auth_param basic realm $prompt +auth_param basic credentialsttl $auth_ttl minutes +acl password proxy_auth REQUIRED + +EOD; + + // Onto the ACLs + $password = array('localnet', 'allowed_subnets'); + $passwordless = array('unrestricted_hosts'); + if ($settings['unrestricted_auth'] == 'on') { + // Even the unrestricted hosts should authenticate + $password = array_merge($password, $passwordless); + $passwordless = array(); + } + $passwordless[] = 'noauth'; + $password = array_filter($password, 'squid_is_valid_acl'); + $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); + + // Allow the ACLs that don't need to authenticate + foreach ($passwordless as $acl) + $conf .= "http_access allow $acl\n"; + + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; + + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } + + 
$conf .= "# Default block all to be sure\n"; + $conf .= "http_access deny allsrc\n"; + + return $conf; +} + +function squid_resync_users() { + global $config; + + $users = $config['installedpackages']['squidusers']['config']; + $contents = ''; + if (is_array($users)) { + foreach ($users as $user) + $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; + } + file_put_contents(SQUID_PASSWD, $contents); + chown(SQUID_PASSWD, 'proxy'); + chmod(SQUID_PASSWD, 0600); +} + +function squid_resync_msnt() { + global $config; + + if (is_array($config['installedpackages']['squidauth'])) + $settings = $config['installedpackages']['squidauth']['config'][0]; + else + $settings = array(); + $pdcserver = $settings['auth_server']; + $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); + $ntdomain = $settings['auth_ntdomain']; + + file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); + chown(SQUID_CONFBASE."/msntauth.conf", 'proxy'); + chmod(SQUID_CONFBASE."/msntauth.conf", 0600); +} + +function squid_resync($via_rpc="no") { + global $config; + + # detect boot process + if (is_array($_POST)){ + if (preg_match("/\w+/",$_POST['__csrf_magic'])) + unset($boot_process); + else + $boot_process="on"; + } + + log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc); + + if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no") + return; + + conf_mount_rw(); + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { + make_dirs($dir); + chown($dir, 'proxy'); + chgrp($dir, 'proxy'); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + $conf = squid_resync_general() . "\n"; + $conf .= squid_resync_cache() . "\n"; + $conf .= squid_resync_redirector() . "\n"; + $conf .= squid_resync_upstream() . "\n"; + $conf .= squid_resync_nac() . 
"\n"; + $conf .= squid_resync_traffic() . "\n"; + $conf .= squid_resync_reverse() . "\n"; + $conf .= squid_resync_auth()."\n"; + $conf .= squid_resync_antivirus(); + squid_resync_users(); + squid_write_rcfile(); + + if(!isset($boot_process) || $via_rpc="yes") + squid_sync_on_changes(); + + #write config file + file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); + + /* make sure pinger is executable */ + if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) + exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger"); + + $log_dir=""; + #check if squid is enabled + if (is_array($config['installedpackages']['squid']['config'])){ + if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; + } + #check if squidreverse is enabled + else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){ + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") + $log_dir="/var/squid/logs/"; + } + #do not start squid if there is no log dir + if ($log_dir != ""){ + if(!is_dir($log_dir)) { + log_error("Creating squid log dir $log_dir"); + make_dirs($log_dir); + squid_chown_recursive($log_dir, 'proxy', 'proxy'); + } + + squid_dash_z(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -f " . SQUID_CONFFILE); + } + else { + if (!isset($boot_process)){ + log_error("Reloading Squid for configuration sync"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + } + } + + // Sleep for a couple seconds to give squid a chance to fire up fully. 
+ for ($i=0; $i < 10; $i++) {
+ if (!is_service_running('squid'))
+ sleep(1);
+ }
+ filter_configure();
+ }
+ conf_mount_ro();
+}
+
+function squid_print_javascript_auth() {
+ global $config;
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+
+ // No authentication for transparent proxy
+ if ($transparent_proxy) {
+ $javascript = <<< EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ document.iform.auth_method.disabled = 1;
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+}
+-->
+</script>
+
+EOD;
+ }
+ else {
+ $javascript = <<< EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ var field = document.iform.auth_method;
+ var auth_method = field.options[field.selectedIndex].value;
+
+ if (auth_method == 'none') {
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1; 
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+ }
+ else {
+ document.iform.auth_prompt.disabled = 0;
+ document.iform.auth_processes.disabled = 0;
+ document.iform.auth_ttl.disabled = 0;
+ document.iform.unrestricted_auth.disabled = 0;
+ document.iform.no_auth_hosts.disabled = 0;
+ }
+
+ switch (auth_method) {
+ case 'local':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'ldap':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 0;
+ document.iform.ldap_pass.disabled = 0;
+ document.iform.ldap_version.disabled = 0;
+ document.iform.ldap_userattribute.disabled = 0;
+ document.iform.ldap_filter.disabled = 0;
+ document.iform.ldap_basedomain.disabled = 0;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'radius':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 0;
+ document.iform.msnt_secondary.disabled = 1;
+ 
document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'msnt':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 0;
+ break;
+ }
+}
+-->
+</script>
+
+EOD;
+ }
+
+ print($javascript);
+}
+
+function squid_print_javascript_auth2() {
+ print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n");
+}
+
+function squid_generate_rules($type) {
+ global $config;
+ $squid_conf = $config['installedpackages']['squid']['config'][0];
+
+ //check captive portal option
+ $cp_file='/etc/inc/captiveportal.inc';
+ $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $cp_inc = file($cp_file);
+ $new_cp_inc="";
+ $found_rule=0;
+ foreach ($cp_inc as $line){
+ $new_line=$line;
+ //remove applied squid patch
+ if (preg_match('/} set 1 skipto 65314/',$line)){
+ $found_rule++;
+ $new_line ="";
+ }
+ //add squid patch option based on current config
+ if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= $line;
+ }
+ if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' 
to any out\n";'."\n"; + $new_line .= $line; + } + $new_cp_inc .= $new_line; + } + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + } + + //normal squid rule check + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + return; + } + #Read assigned interfaces + $proxy_ifaces = explode(",", $squid_conf['active_interface']); + $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces); + if ($squid_conf['transparent_proxy']=="on"){ + $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); + $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); + } + else{ + $transparent_ifaces=array(); + } + if ($squid_conf['ssl_proxy'] == "on"){ + $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']); + $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces); + } + else{ + $ssl_ifaces=array(); + } + + $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); + $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); + + $fw_aliases = filter_generate_aliases(); + if(strstr($fw_aliases, "pptp =")) + $PPTP_ALIAS = "\$pptp"; + else + $PPTP_ALIAS = "\$PPTP"; + if(strstr($fw_aliases, "PPPoE =")) + $PPPOE_ALIAS = "\$PPPoE"; + else + $PPPOE_ALIAS = "\$pppoe"; + + #define ports based on transparent options and ssl filtering + $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? 
"{80,443}" : "80"); + switch($type) { + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if(!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip,2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + } + foreach ($transparent_ifaces as $t_iface) { + $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; + if (in_array($t_iface,$ssl_ifaces)) + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; + #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +function squid_write_rcfile() { + /* Declare a variable for the SQUID_CONFFILE constant. */ + /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. 
*/
+ $squid_conffile_var = SQUID_CONFFILE;
+ $squid_local_base = SQUID_LOCALBASE;
+ $rc = array();
+ $rc['file'] = 'squid.sh';
+ $rc['start'] = <<<EOD
+if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ {$squid_local_base}/sbin/squid -f {$squid_conffile_var}
+fi
+
+EOD;
+
+ $rc['stop'] = <<<EOD
+{$squid_local_base}/sbin/squid -k shutdown -f {$squid_conffile_var}
+# Just to be sure...
+sleep 5
+killall -9 squid 2>/dev/null
+killall pinger 2>/dev/null
+
+EOD;
+ $rc['restart'] = <<<EOD
+if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ {$squid_local_base}/sbin/squid -f {$squid_conffile_var}
+ else
+ {$squid_local_base}/sbin/squid -k reconfigure -f {$squid_conffile_var}
+ fi
+
+EOD;
+ conf_mount_rw();
+ write_rcfile($rc);
+ conf_mount_ro();
+}
+
+/* Uses XMLRPC to synchronize the changes to a remote node */
+function squid_sync_on_changes() {
+ global $config, $g;
+ if (is_array($config['installedpackages']['squidsync']['config'])){
+ $squid_sync=$config['installedpackages']['squidsync']['config'][0];
+ $synconchanges = $squid_sync['synconchanges'];
+ $synctimeout = $squid_sync['synctimeout'];
+ switch ($synconchanges){
+ case "manual":
+ if (is_array($squid_sync[row])){
+ $rs=$squid_sync[row];
+ }
+ else{
+ log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
+ $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
+ $rs[0]['username']=$system_carp['username'];
+ $rs[0]['password']=$system_carp['password'];
+ }
+ else{
+ log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)){
+ log_error("[squid] xmlrpc sync is starting.");
+ foreach($rs as 
$sh){
+ $sync_to_ip = $sh['ipaddress'];
+ $password = $sh['password'];
+ if($sh['username'])
+ $username = $sh['username'];
+ else
+ $username = 'admin';
+ if($password && $sync_to_ip)
+ squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout);
+ }
+ log_error("[squid] xmlrpc sync is ending.");
+ }
+ }
+}
+/* Do the actual XMLRPC sync */
+function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+ global $config, $g;
+
+ if(!$username)
+ return;
+
+ if(!$password)
+ return;
+
+ if(!$sync_to_ip)
+ return;
+
+ if(!$synctimeout)
+ $synctimeout=250;
+
+
+ $xmlrpc_sync_neighbor = $sync_to_ip;
+ if($config['system']['webgui']['protocol'] != "") {
+ $synchronizetoip = $config['system']['webgui']['protocol'];
+ $synchronizetoip .= "://";
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http")
+ $port = "80";
+ else
+ $port = "443";
+ }
+ $synchronizetoip .= $sync_to_ip;
+
+ /* xml will hold the sections to sync */
+ $xml = array();
+ $xml['squid'] = $config['installedpackages']['squid'];
+ $xml['squidupstream'] = $config['installedpackages']['squidupstream'];
+ $xml['squidcache'] = $config['installedpackages']['squidcache'];
+ $xml['squidantivirus'] = $config['installedpackages']['squidanitivirus'];
+ $xml['squidnac'] = $config['installedpackages']['squidnac'];
+ $xml['squidtraffic'] = $config['installedpackages']['squidtraffic'];
+ $xml['squidreversegeneral'] = $config['installedpackages']['squidreversegeneral'];
+ $xml['squidreversepeer'] = $config['installedpackages']['squidreversepeer'];
+ $xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri'];
+ $xml['squidauth'] = $config['installedpackages']['squidauth'];
+ $xml['squidusers'] = $config['installedpackages']['squidusers'];
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($xml)
+ );
+
+ /* 
set a few variables needed for sync code borrowed from filter.inc */
+ $url = $synchronizetoip;
+ log_error("[Squid] Beginning squid XMLRPC sync to {$url}:{$port}.");
+ $method = 'pfsense.merge_installedpackages_section_xmlrpc';
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ if($g['debug'])
+ $cli->setDebug(1);
+ /* send our XMLRPC message and timeout after defined sync timeout value*/
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}.";
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } else {
+ log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
+
+ /* tell squid to reload our settings on the destination sync host. 
*/
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
+ $execcmd .= "squid_resync('yes');";
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($execcmd)
+ );
+
+ log_error("[Squid] XMLRPC reload data {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } else {
+ log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ }
+
+}
+?>
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
new file mode 100644
index 00000000..d64aabb9
--- /dev/null
+++ b/config/squid3/33/squid.xml
@@ -0,0 +1,557 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>3.3.4</version> + <title>Proxy server: General settings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <menu> + <name>Proxy server</name> + <tooltiptext>Modify the proxy server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </menu> + <menu> + <name>Reverse Proxy</name> + <tooltiptext>Modify the proxy reverse server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + <executable>squid</executable> + <description>Proxy server Service</description> + </service> + <service> + <name>clamd</name> + <rcfile>clamav-clamd</rcfile> + <executable>clamd</executable> + <description>Clamav Antivirus</description> + </service> + <service> + <name>c-icap</name> + <rcfile>c-icap</rcfile> + <executable>c-icap</executable> + <description>Icap inteface for squid and clamav integration</description> + </service> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + 
<url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse_general.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse_peer.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse_uri.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + 
<item>http://www.pfsense.org/packages/config/squid3/33/squid_ng.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_ng.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_users.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_antivirus.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/sqpmon.sh</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + 
<item>http://www.pfsense.org/packages/config/squid3/33/swapstate_check.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_reverse_redir.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_monitor.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_monitor_data.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/squid_log_parser.php</item> + </additional_files_needed> + + <fields> + <field> + <name>Squid General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Proxy interface(s)</fielddescr> + <fieldname>active_interface</fieldname> + <description>The interface(s) the proxy server will bind to.</description> + <type>interfaces_selection</type> + <required/> + <default_value>lan</default_value> + <multiple/> + </field> + <field> + <fielddescr>Proxy port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the proxy server will listen on.</description> + <type>input</type> + <size>5</size> + <required/> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. 
Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <type>input</type> + <size>5</size> + </field> + + <field> + <fielddescr>Allow users on interface</fielddescr> + <fieldname>allow_interface</fieldname> + <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> + <type>checkbox</type> + <required/> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Patch captive portal</fielddescr> + <fieldname>patch_cp</fieldname> + <description><![CDATA[Enable this option to force captive portal to non transparent proxy users.<br> + <strong>NOTE:</strong> You may need to reapply captive portal config after changing this option.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Resolv dns v4 first</fielddescr> + <fieldname>dns_v4_first</fieldname> + <description><![CDATA[Enable this option to force dns v4 lookup first. 
This option is very usefull if you have problems to access https sites.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fieldname>dns_nameservers</fieldname> + <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> + <name>Transparent Proxy Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Transparent HTTP proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description><![CDATA[Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration necessary.<br> + <strong>NOTE:</strong> Transparent mode will filter ssl(port 443) if enable men-in-the-middle options below.<br> + To filter both http and https protocol without intercepting ssl connections, enable WPAD/PAC options on your dns/dhcp.]]></description> + <type>checkbox</type> + <enablefields>transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> + <required/> + </field> + <field> + <fielddescr>Transparent Proxy interface(s)</fielddescr> + <fieldname>transparent_active_interface</fieldname> + <description>The interface(s) the proxy server will transparent intercept requests.</description> + <type>interfaces_selection</type> + <required/> + <default_value>lan</default_value> + <multiple/> + </field> + <field> + <fielddescr>Bypass proxy for Private Address destination</fielddescr> + <fieldname>private_subnet_proxy_off</fieldname> + <description>Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Bypass proxy for these source IPs</fielddescr> + 
<fieldname>defined_ip_proxy_off</fieldname> + <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>Bypass proxy for these destination IPs</fielddescr> + <fieldname>defined_ip_proxy_off_dest</fieldname> + <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> + <type>input</type> + <size>70</size> + </field> + <field> + <name>SSL man in the middle Filtering</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>HTTPS/SSL interception</fielddescr> + <fieldname>ssl_proxy</fieldname> + <description><![CDATA[Enable SSL filtering.]]></description> + <type>checkbox</type> + <enablefields>ssl_active_interface,dcert,sslcrtd_children,ssl_proxy_port,interception_checks</enablefields> + </field> + <field> + <fielddescr>SSL Intercept interface(s)</fielddescr> + <fieldname>ssl_active_interface</fieldname> + <description>The interface(s) the proxy server will intercept ssl requests.</description> + <type>interfaces_selection</type> + <required/> + <default_value>lan</default_value> + <multiple/> + </field> + <field> + <fielddescr>SSL Proxy port</fielddescr> + <fieldname>ssl_proxy_port</fieldname> + <description>This is the port the proxy server will listen on to intercept ssl while using transparent proxy.</description> + <type>input</type> + <size>5</size> + <default_value>3129</default_value> + </field> + <field> + <fielddescr>CA</fielddescr> + <fieldname>dca</fieldname> + <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br> + To create a CA on pfsense, go to <strong>system -> Cert 
Manager<strong><br> + Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description> + <type>select_source</type> + <source><![CDATA[$config['ca']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + </field> + <field> + <fielddescr>sslcrtd children</fielddescr> + <fieldname>sslcrtd_children</fieldname> + <description><![CDATA[This is the number of ssl crt deamon children to start. Default value is 5.<br> + if Squid is used in busy environments this may need to be increased, as well as the number of 'sslcrtd_children']]></description> + <type>input</type> + <size>2</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Remote Cert checks</fielddescr> + <fieldname>interception_checks</fieldname> + <description><![CDATA[Select remote ssl cert checks to do.<br>Defaul is to do not select any of these options.]]></description> + <type>select</type> + <options> + <option><name>Accept remote server certificate Erros</name><value>sslproxy_cert_error</value></option> + <option><name>Do not verify remote certificate</name><value>sslproxy_flags</value></option> + </options> + <multiple/> + <size>3</size> + </field> + <field> + <fielddescr>Certificate adapt</fielddescr> + <fieldname>interception_adapt</fieldname> + <description><![CDATA[Pass original SSL server certificate information to the user. 
Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> + <type>select</type> + <options> + <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option> + <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option> + <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> + </options> + <multiple/> + <size>3</size> + </field> + <field> + <name>Logging Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enabled logging</fielddescr> + <fieldname>log_enabled</fieldname> + <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> + <type>checkbox</type> + <enablefields>log_query_terms,log_user_agents</enablefields> + </field> + <field> + <fielddescr>Log store directory</fielddescr> + <fieldname>log_dir</fieldname> + <description>The directory where the log will be stored (note: do not end with a / mark)</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/logs</default_value> + </field> + <field> + <fielddescr>Log rotate</fielddescr> + <fieldname>log_rotate</fieldname> + <description>Defines how many days of logfiles will be kept. 
Rotation is disabled if left empty.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Visible hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This is the URL to be displayed in proxy server error messages.</description> + <type>input</type> + <size>60</size> + <default_value>localhost</default_value> + </field> + <field> + <fielddescr>Administrator email</fielddescr> + <fieldname>admin_email</fieldname> + <description>This is the email address displayed in error messages to the users.</description> + <type>input</type> + <size>60</size> + <default_value>admin@localhost</default_value> + </field> + <field> + <fielddescr>Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the proxy server will display error messages to users.</description> + <type>select</type> + <default_value>en</default_value> + </field> + <field> + <fielddescr>Disable X-Forward</fielddescr> + <fieldname>disable_xforward</fieldname> + <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable VIA</fielddescr> + <fieldname>disable_via</fieldname> + <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log denied pages by squidguard</fielddescr> + <fieldname>log_sqd</fieldname> + <description><![CDATA[Enable squidguard denied log to be included on squid logs.<br> + <strong>Note:</strong> This option only will work if you include this code on your sgerror.php file to force client browser send a second request to squid with denied string on url.<br><br> + $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");<br> + $str[] = '< iframe > src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br><br> + 
removing extra space on iframe html code.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr> + <fieldname>uri_whitespace</fieldname> + <description><b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. <p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace.</description> + <type>select</type> + <default_value>strip</default_value> + <options> + <option><name>strip</name><value>strip</value></option> + <option><name>deny</name><value>deny</value></option> + <option><name>allow</name><value>allow</value></option> + <option><name>encode</name><value>encode</value></option> + <option><name>chop</name><value>chop</value></option> + </options> + </field> + <field> + <fielddescr>Suppress Squid Version</fielddescr> + <fieldname>disable_squidversion</fieldname> + <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> + <type>checkbox</type> + </field> + <field> + <name>Custom Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Integrations</fielddescr> + <fieldname>custom_options</fieldname> + <description><![CDATA[Squid options added from packages like squidguard or havp for squid integration.]]></description> + <type>textarea</type> + <cols>78</cols> + <rows>5</rows> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom_options_squid3</fieldname> + <description><![CDATA[Put your own custom options here,one per line. 
They'll be added to the configuration.<br>
+ <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>78</cols>
+ <rows>10</rows>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general(&$pkg);
+ </custom_php_command_before_form>
+ <custom_add_php_command>
+ squid_resync();
+ </custom_add_php_command>
+ <custom_php_validation_command>
+ squid_validate_general($_POST, &$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ unlink_if_exists("/usr/local/etc/rc.d/squid");
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ update_status("Checking Squid cache... One moment please...");
+ update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
+ squid_install_command();
+ squid_resync();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid");
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ squid_deinstall_command();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid*");
+ </custom_php_deinstall_command>
+ <filter_rules_needed>squid_generate_rules</filter_rules_needed>
+</packagegui>
diff --git a/config/squid3/33/squid_antivirus.xml b/config/squid3/33/squid_antivirus.xml
new file mode 100755
index 00000000..67319297
--- /dev/null
+++ b/config/squid3/33/squid_antivirus.xml
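Review bot: The `enablefields` list on the `ssl_proxy` checkbox names a field `dcert`, but the CA selector it is meant to control is declared as `<fieldname>dca</fieldname>`, so the CA dropdown will not follow the HTTPS/SSL interception toggle; the list should read `<enablefields>ssl_active_interface,dca,sslcrtd_children,ssl_proxy_port,interception_checks</enablefields>`. The `interception_checks` description ("Defaul is to do not select any of these options") also leaves out what the two options cost: `sslproxy_cert_error` tolerates errors in, and `sslproxy_flags` (labelled "Do not verify remote certificate") skips, validation of the origin server's certificate, so clients behind the interceptor can no longer detect an invalid certificate on the far side; suggested wording: `Selecting either option weakens or disables upstream certificate validation for intercepted HTTPS sessions; leave both unselected unless that is intended.` The `<description>` and `<requirements>` elements still carry the package-template placeholder text. In `custom_php_validation_command`, `squid_validate_general($_POST, &$input_errors)` passes by reference at the call site, which PHP 5.3 deprecates and 5.4 rejects outright, so it is worth confirming against the PHP version this pfSense release ships.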
@@ -0,0 +1,158 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_antivirus.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidantivirus</name>
+ <version>none</version>
+ <title>Proxy server: Antivirus</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>
+
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Clamav anti-virus integration using c-icap</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>Enable squid antivirus check using clamav.</description>
+ <enablefields>max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers</enablefields>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Client forward options</fielddescr>
+ <fieldname>client_info</fieldname>
+ <description><![CDATA[Select what client info to forward to clamav.]]></description>
+ <type>select</type>
+ 
<default_value>strip</default_value>
+ <options>
+ <option><name>Send Both client username and ip info(Default)</name><value>both</value></option>
+ <option><name>Send only client username</name><value>username</value></option>
+ <option><name>Send only client ip</name><value>ip</value></option>
+ <option><name>Do not send client info</name><value>none</value></option>
+ </options>
+ </field>
+ <field>
+ <name>Advanced options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>squidclamav.conf</fielddescr>
+ <fieldname>squidclamav</fieldname>
+ <description>squidclamav.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ <field>
+ <fielddescr>c-icap.conf</fielddescr>
+ <fieldname>c-icap_conf</fieldname>
+ <description>c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ <field>
+ <fielddescr>c-icap.magic</fielddescr>
+ <fieldname>c-icap_magic</fieldname>
+ <description>c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/config/squid3/squid_auth.inc b/config/squid3/33/squid_auth.inc
index 7c99a01b..7c99a01b 100644
--- a/config/squid3/squid_auth.inc
+++ b/config/squid3/33/squid_auth.inc
diff --git a/config/squid3/33/squid_auth.xml b/config/squid3/33/squid_auth.xml
new file mode 100755
index 00000000..111085a8
--- /dev/null
+++ b/config/squid3/33/squid_auth.xml
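Review bot: The `client_info` select declares `<default_value>strip</default_value>`, but its options are `both`, `username`, `ip` and `none`, so the default never matches an option and looks copied from the `uri_whitespace` field in squid.xml; the option list itself labels `both` as the default, so it should be `<default_value>both</default_value>`. The `enable` checkbox's `enablefields` lists `max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers`, none of which is declared in this file's `<fields>`, so either those fields were dropped or the list is stale. The `c-icap_magic` field's description reads `c-icap.conf file.`, a copy of the previous field's text, and should say `c-icap.magic file.`. `<custom_php_validation_command>` is left empty, so the three base64 textareas are accepted with no checks at all; if that is deliberate because they are raw daemon config, a short comment in the element saying so would help the next maintainer.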
@@ -0,0 +1,269 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidauth</name> + <version>none</version> + <title>Proxy server: Authentication</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Authentication General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Authentication method</fielddescr> + <fieldname>auth_method</fieldname> + <description>Select an authentication method. 
This will allow users to be authenticated by local or external services.</description> + <type>select</type> + <required/> + <default_value>none</default_value> + <options> + <option><name>None</name><value>none</value></option> + <option><name>Local</name><value>local</value></option> + <option><name>LDAP</name><value>ldap</value></option> + <option><name>RADIUS</name><value>radius</value></option> + <option><name>NT domain</name><value>msnt</value></option> + </options> + <onchange>on_auth_method_changed()</onchange> + </field> + <field> + <fielddescr>Authentication server</fielddescr> + <fieldname>auth_server</fieldname> + <description>Enter here the IP or hostname of the server that will perform the authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication server port</fielddescr> + <fieldname>auth_server_port</fieldname> + <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication prompt</fielddescr> + <fieldname>auth_prompt</fieldname> + <description>This string will be displayed at the top of the authentication request window.</description> + <type>input</type> + <default_value>Please enter your credentials to access the proxy</default_value> + </field> + <field> + <fielddescr>Authentication processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn. 
If many authentications are expected within a short timeframe, increase this number accordingly.</description> + <type>input</type> + <size>60</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Authentication TTL</fielddescr> + <fieldname>auth_ttl</fieldname> + <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <type>input</type> + <size>60</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fieldname>unrestricted_auth</fieldname> + <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Subnets that don't need authentication</fielddescr> + <fieldname>no_auth_hosts</fieldname> + <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <name>Squid Authentication Ldap Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP version</fielddescr> + <fieldname>ldap_version</fieldname> + <description>Enter LDAP protocol version (2 or 3).</description> + <type>select</type> + <default_value>2</default_value> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + </options> + </field> + <field> + <fielddescr>LDAP server user DN</fielddescr> + <fieldname>ldap_user</fieldname> + <description>Enter here the user DN to use to connect to the LDAP server.</description> + <type>input</type> + 
<size>60</size> + </field> + <field> + <fielddescr>LDAP password</fielddescr> + <fieldname>ldap_pass</fieldname> + <description>Enter here the password to use to connect to the LDAP server.</description> + <type>password</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP base domain</fielddescr> + <fieldname>ldap_basedomain</fieldname> + <description>For LDAP authentication, enter here the base domain in the LDAP server.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP username DN attribute</fielddescr> + <fieldname>ldap_userattribute</fieldname> + <description>Enter LDAP username DN attibute.</description> + <type>input</type> + <size>60</size> + <default_value>uid</default_value> + </field> + <field> + <fielddescr>LDAP search filter</fielddescr> + <fieldname>ldap_filter</fieldname> + <description>Enter LDAP search filter.</description> + <type>input</type> + <size>60</size> + <default_value>(&(objectClass=person)(uid=%s))</default_value> + </field> + <field> + <name>Squid Authentication NT Domain Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>NT domain</fielddescr> + <fieldname>auth_ntdomain</fieldname> + <description>Enter here the NT domain.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Secondary NT servers</fielddescr> + <fieldname>msnt_secondary</fieldname> + <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Authentication Radius Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>RADIUS secret</fielddescr> + <fieldname>radius_secret</fieldname> + <description>The RADIUS secret for RADIUS authentication.</description> + <type>password</type> + <size>60</size> + </field> + </fields> + <custom_php_validation_command> + squid_validate_auth($_POST, &$input_errors); + 
</custom_php_validation_command> + <custom_php_after_form_command> + squid_print_javascript_auth2(); + </custom_php_after_form_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> + <custom_php_before_form_command> + squid_print_javascript_auth2(); + </custom_php_before_form_command> + <custom_php_after_head_command> + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + if($transparent_proxy) + $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + squid_print_javascript_auth(); + </custom_php_after_head_command> +</packagegui> diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml new file mode 100755 index 00000000..26d6463c --- /dev/null +++ b/config/squid3/33/squid_cache.xml 
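Review bot: The LDAP section defaults `ldap_version` to `2` and offers no field for LDAPS/StartTLS, so an administrator who fills in `ldap_user` and `ldap_pass` on this page has no way in this form to protect the bind credentials on the wire; how squid.inc turns these fields into the auth helper's command line is not visible in this hunk, so this may be handled elsewhere, but the form should expose it. I would ship `<default_value>3</default_value>` (LDAPv2 has been obsolete for years) and add a checkbox such as `<fielddescr>Use LDAPS/StartTLS</fielddescr><fieldname>ldap_tls</fieldname><type>checkbox</type>` for squid.inc to honour. Separately, the `ldap_filter` default `(&(objectClass=person)(uid=%s))` carries a bare `&` inside an XML element; the pfSense package parser evidently tolerates this (the tab URLs use `&id=0` the same way), but a strict XML parser would reject the file, so `&amp;` would be safer.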
@@ -0,0 +1,311 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidcache</name> + <version>none</version> + <title>Proxy server: Cache management</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> +<tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Cache General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Cache replacement policy</fielddescr> + <fieldname>cache_replacement_policy</fieldname> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. 
Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <type>select</type> + <default_value>heap LFUDA</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Low-water-mark in %</fielddescr> + <fieldname>cache_swap_low</fieldname> + <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <type>input</type> + <size>5</size> + <default_value>90</default_value> + </field> + <field> + <fielddescr>High-water-mark in %</fielddescr> + <fieldname>cache_swap_high</fieldname> + <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <type>input</type> + <size>5</size> + <default_value>95</default_value> + </field> + <field> + <fielddescr>Do not cache</fielddescr> + <fieldname>donotcache</fieldname> + <description>Enter each domain or IP address on a new line that should never be cached.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Enable offline mode</fielddescr> + <fieldname>enable_offline</fieldname> + <description>Enable this option and the proxy server will never try to validate cached objects. 
The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>External Cache-Managers</fielddescr> + <fieldname>ext_cachemanager</fieldname> + <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Hard disk cacheSettings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Hard disk cache size</fielddescr> + <fieldname>harddisk_cache_size</fieldname> + <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> + <type>input</type> + <required/> + <size>10</size> + <default_value>100</default_value> + </field> + <field> + <fielddescr>Hard disk cache system</fielddescr> + <fieldname>harddisk_cache_system</fieldname> + <description>This specifies the kind of storage system to use. <p> <b> ufs </b> is the old well-known Squid storage format that has always been there. <p> <b> aufs </b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) <p> <b> diskd </b> uses a separate process to avoid blocking the main Squid process on disk-I/O. <p> <b> null </b> Does not use any storage. 
Ideal for Embedded/NanoBSD.</description> + <type>select</type> + <default_value>ufs</default_value> + <options> + <option><name>ufs</name><value>ufs</value></option> + <option><name>aufs</name><value>aufs</value></option> + <option><name>diskd</name><value>diskd</value></option> + <option><name>null</name><value>null</value></option> + </options> + </field> + <field> + <fielddescr>Level 1 subdirectories</fielddescr> + <fieldname>level1_subdirs</fieldname> + <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <type>select</type> + <default_value>16</default_value> + <options> + <option><name>4</name><value>4</value></option> + <option><name>8</name><value>8</value></option> + <option><name>16</name><value>16</value></option> + <option><name>32</name><value>32</value></option> + <option><name>64</name><value>64</value></option> + <option><name>128</name><value>128</value></option> + <option><name>256</name><value>256</value></option> + </options> + </field> + <field> + <fielddescr>Hard disk cache location</fielddescr> + <fieldname>harddisk_cache_location</fieldname> + <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/cache</default_value> + </field> + <field> + <fielddescr>Minimum object size</fielddescr> + <fieldname>minimum_object_size</fieldname> + <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. 
The default value is 0, meaning there is no minimum.</description> + <type>input</type> + <required /> + <size>10</size> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum object size</fielddescr> + <fieldname>maximum_object_size</fieldname> + <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> + <type>input</type> + <required/> + <size>10</size> + <default_value>4</default_value> + </field> + <field> + <name>Squid Memory Cache Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memory_cache_size</fieldname> + <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>8</default_value> + </field> + <field> + <fielddescr>Maximum object size in RAM</fielddescr> + <fieldname>maximum_objsize_in_mem</fieldname> + <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>32</default_value> + </field> + <field> + <fielddescr>Memory replacement policy</fielddescr> + <fieldname>memory_replacement_policy</fieldname> + <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. 
<p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> + <type>select</type> + <default_value>heap GDSF</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <name>Dynamic and Update Content</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Cache Dynamic Content</fielddescr> + <fieldname>cache_dynamic_content</fieldname> + <description><![CDATA[Select this option to <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent'>enable caching of dynamic content.</a><br> + ]]></description> + <type>checkbox</type> + <size>10</size> + </field> + <field> + <fielddescr>Refresh Patterns</fielddescr> + <fieldname>refresh_patterns</fieldname> + <description><![CDATA[With dynamic cache enabled, you can also apply squid wiki refresh_patterns to sites like <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube'>Youtube</a> and <a target=_new 
href='http://wiki.squid-cache.org/SquidFaq/WindowsUpdate'>windowsupdate</a><br> + <br><strong>Notes:</strong><br> + Squid wiki suggests 'Finish transfer if less than x KB remaining' on 'traffic mgmt' squid tab to -1 but you can apply your own values to control cache.<br><br> + set Maximum download size on 'traffic mgmt' squid tab to a value that fits patterns your are applying.<br>Microsoft may need 200Mb and youtube 4GB.]]></description> + <type>select</type> + <default_value>none</default_value> + <options> + <option><name>Youtube</name><value>youtube</value></option> + <option><name>Windows Update</name><value>windows</value></option> + <option><name>Symantec Antivirus</name><value>symantec</value></option> + <option><name>Avira</name><value>avira</value></option> + <option><name>Avast</name><value>avast</value></option> + </options> + <multiple/> + <size>06</size> + </field> + <field> + <fielddescr>Custom refresh_patterns</fielddescr> + <fieldname>custom_refresh_patterns</fieldname> + <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description> + <type>textarea</type> + <cols>67</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_command_before_form> + if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + $needs_dash_z = true; + } + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_cache($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + if($needs_dash_z) + squid_dash_z(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_cpauth.php b/config/squid3/33/squid_cpauth.php new file mode 100644 index 00000000..e0971c5d --- /dev/null +++ b/config/squid3/33/squid_cpauth.php 
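Review bot: The closing note in the `memory_replacement_policy` description tells the user that Maximum Object Size "should be increased above its default of 12KB", but the `maximum_object_size` field on this same page ships `<default_value>4</default_value>`, so the advice points at a default that does not exist here. I would reword it to `Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 4KB to maximize the potential byte hit rate improvement of LFUDA.` or drop the number entirely. The `cache_swap_low` description also reads "above the low-low-water mark"; it should say "above the low-water mark". Range checking for the numeric fields on this page lives in `squid_validate_cache`, which is outside this hunk.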
@@ -0,0 +1,24 @@
+#!/usr/local/bin/php -q
+<?php
+
+$NONINTERACTIVE_SCRIPT = TRUE;
+
+$fp = fopen('php://stdin', 'r');
+while($args = split(" ",trim(fgets($fp, 4096)))){
+ print captive_ip_to_username($args);
+}
+
+function captive_ip_to_username($args){
+ $current_sessions = file("/var/db/captiveportal.db");
+ foreach($current_sessions as $session){
+ list($a, $b, $IP_Address, $Mac_Address, $Username) = explode(",", $session,5);
+ #this test allow access if user's ip is listed on captive portal
+ #args array has (ip, site, protocol and port) passed by squid helper
+ #include a more complex test here to allow or deny access based on username returned
+ # this script will not return username to squid logs
+ if($IP_Address == $args[0]) return "OK\n";
+ }
+ return "ERR\n";
+}
+
+?>
diff --git a/config/squid3/squid_extauth.xml b/config/squid3/33/squid_extauth.xml
index 41d9f633..41d9f633 100644
--- a/config/squid3/squid_extauth.xml
+++ b/config/squid3/33/squid_extauth.xml
diff --git a/config/squid3/33/squid_ident.php b/config/squid3/33/squid_ident.php
new file mode 100644
index 00000000..ad13beb6
--- /dev/null
+++ b/config/squid3/33/squid_ident.php
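Review bot: The read loop `while($args = split(" ",trim(fgets($fp, 4096))))` never sees EOF: when squid closes the helper's stdin, `fgets()` returns false, `trim(false)` is an empty string, and `split()` on it still yields a one-element array, which is truthy, so the helper keeps printing `ERR` in a tight loop until a write to the closed pipe finally kills it. `split()` is also deprecated and removed in PHP 7. Change the loop to `while (($line = fgets($fp, 4096)) !== false) {` / `$args = explode(" ", trim($line));` / `print captive_ip_to_username($args);`. Note that `captive_ip_to_username()` re-reads the whole `/var/db/captiveportal.db` on every lookup and grants `OK` purely on a source-IP match, which the inline comments present as a placeholder; if this ships as-is, a header comment stating that the helper is IP-based only and performs no per-user check would help operators understand what the ACL actually enforces.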
@@ -0,0 +1,148 @@
+#!/usr/bin/php
+#http://blog.dataforce.org.uk/2010/03/Ident-Server
+<?php
+ /**
+ * Simple PHP-Based inetd ident server, version 0.1.
+ * Copyright (c) 2010 - Shane "Dataforce" Mc Cormack
+ * This code is licensed under the MIT License, of which a copy can be found
+ * at http://www.opensource.org/licenses/mit-license.php
+ *
+ * The latest version of the code can be found at
+ * http://blog.dataforce.org.uk/index.php?p=news&id=135
+ *
+ * This should be run from inetd, it will take input on stdin and write to stdout.
+ *
+ * By default users can spoof ident by having a .ident file in /home/<username>/.ident
+ * If this is present, it will be read.
+ * It should be a file with a format like so:
+ *
+ * <pid> <ident>
+ * <local host>:<local port>:<target host>:<target port> <ident>
+ *
+ * The first line that matches is used, any bit can be a * and it will always match,
+ * so "* user" is valid. In future more sophisticated matches will be permitted
+ * (eg 127.*) but for now its either all or nothing.
+ *
+ * Its worth noting that <target host> is the host that requests the ident, so if this
+ * is likely to be different than the host that was connected to, then "STRICT_HOST" will
+ * need to be set to false.
+ *
+ * At the moment <local host> is ignored, in future versions this might be changed, so
+ * it is still required.
+ *
+ * Lines with a ':' in them are assumed to be of the second format, and must contain
+ * all 4 sections or they will be ignored.
+ *
+ * Lines starting with a # are ignored.
+ *
+ * There are some special values that can be used as idents:
+ * ! = Send an error instead.
+ * * = Send the default ident.
+ * ? = Send a random ident (In future a 3rd parameter will specify the format,
+ * # for a number, @ for a letter, ? for either, but this is not implemented yet)
+ *
+ * In future there will also be support for /home/user/.ident.d/ directories, where
+ * every file will be read for the ident response untill one matches.
+ * This will allow multiple processes to create files rather than needing to
+ * lock and edit .ident
+ */
+
+ // Allow spoofing idents.
+ define('ALLOW_SPOOF', true);
+
+ // Requesting host must be the same as the host that was connected to.
+ define('STRICT_HOST', true);
+
+ // Error to send when '!' is used as an ident.
+ define('HIDE_ERROR', 'UNKNOWN-ERROR');
+
+ openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON);
+
+ $result = 'ERROR : UNKNOWN-ERROR' . "\n";
+
+ $host = $_SERVER['REMOTE_HOST'];
+
+ syslog(LOG_INFO, 'Connection from: '.$host);
+
+ // Red in the line from the socket.
+ $fh = @fopen('php://stdin', 'r');
+ if ($fh) {
+ $input = @fgets($fh);
+ $line = trim($input);
+ if ($input !== FALSE && !empty($line)) {
+ $result = trim($input) . ' : ' . $result;
+ // Get the data from it.
+ $bits = explode(',', $line);
+ $source = trim($bits[0]);
+ $dest = isset($bits[1]) ? trim($bits[1]) : '';
+
+ // Check if it is valid
+ if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) {
+ // Now actually look for this!
+ $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest";
+
+ $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`;
+
+ $bits = explode('/', $output);
+ $pid = $bits[0];
+
+ if (preg_match('/^[0-9]+$/', $pid)) {
+ $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`;
+
+ $senduser = trim($user);
+
+ // Look for special ident file: /home/user/.ident this is an ini-format file.
+ $file = '/home/'.trim($user).'/.ident';
+
+ if (file_exists($file)) {
+ $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT);
+ foreach ($config as $line) {
+ // Ignore comments.
+ $line = trim($line);
+ if (substr($line, 1) == '#') { continue; }
+
+ // Make sure line is valid.
+ $bits = explode(' ', $line);
+ if (count($bits) == 1) { continue; }
+
+ // Check type of line
+ if (strpos($bits[0], ':') !== FALSE) {
+ // LocalHost:LocalPort:RemoteHost:RemotePort
+ $match = explode(':', $bits[0]);
+ if (count($match) != 4) { continue; }
+
+ if (($match[1] == '*' || $match[1] == $source) &&
+ ($match[2] == '*' || $match[2] == $host) &&
+ ($match[3] == '*' || $match[3] == $dest)) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ break;
+ }
+ } else if ($bits[0] == '*' || $bits[0] == $pid) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ }
+ }
+
+ if ($senduser == "*") {
+ $senduser = trim(user);
+ } else if ($senduser == "?") {
+ $senduser = 'user'.rand(1000,9999);
+ }
+ }
+
+ if ($senduser != "!") {
+ $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser);
+ } else {
+ $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR;
+ }
+ }
+ }
+ }
+ }
+
+ echo $result;
+ syslog(LOG_INFO, 'Result: '.$result);
+ closelog();
+ exit(0);
+?>
diff --git a/config/squid3/33/squid_log_parser.php b/config/squid3/33/squid_log_parser.php
new file mode 100755
index 00000000..f6cd7de8
--- /dev/null
+++ b/config/squid3/33/squid_log_parser.php
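Review bot: `$host` comes straight from `$_SERVER['REMOTE_HOST']` and is interpolated unescaped, via `$match`, into the backtick command ``netstat -napW 2>&1 | grep '$match' | awk ...``, while `$source` and `$dest` are digit-checked first; what populates REMOTE_HOST under inetd on pfSense is not visible here, but if it is ever derived from the peer (a reverse-DNS name, say) a single quote in it breaks out of the grep pattern and runs attacker-chosen shell under whatever account inetd uses, and when it is unset the STRICT_HOST pattern silently degrades to `:$source .*:$dest ` and matches any peer. Three further defects in the same hunk: `define('ALLOW_SPOOF', true)` is never consulted, so the `/home/<user>/.ident` spoof path is unconditionally on; `substr($line, 1) == '#'` tests from the second character, so comment lines are never skipped; and `trim(user)` references an undefined constant instead of `$user`. The script was also written around Linux `netstat -nap` output (the `$7` PID/Program column), which FreeBSD's netstat does not produce, so the pid lookup likely never matches on this platform and every query answers `UNKNOWN-ERROR` — worth confirming before shipping. The rewritten lines below keep `$host` out of the shell's parser and make the constant and comment handling do what the header says.
```php
 $host = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
 // $host reaches a shell below: accept only hostname/IP characters, and with
 // STRICT_HOST refuse to answer at all when the peer is unknown.
 $hostOk = preg_match('/^[A-Za-z0-9.:\-]+$/', $host) === 1;
 // … unchanged: syslog, stdin read, source/dest parsing …
 if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest) && (!STRICT_HOST || $hostOk)) {
 $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest";
 $output = shell_exec("netstat -napW 2>&1 | grep " . escapeshellarg($match) . " | awk '{print \$7}'");
 // … unchanged: pid check, ps lookup, $file …
 if (ALLOW_SPOOF && file_exists($file)) {
 // … unchanged: read .ident …
 if (substr($line, 0, 1) == '#') { continue; }
 // … unchanged: line matching …
 if ($senduser == "*") {
 $senduser = trim($user);
```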
@@ -0,0 +1,57 @@
+#!/usr/local/bin/php -q
+<?php
+/* ========================================================================== */
+/*
+ squid_log_parser.php
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+
+# ------------------------------------------------------------------------------
+# Simple Squid Log parser to rewrite line with date/time human readable
+# Usage: cat /var/squid/log/access.log | parser_squid_log.php
+# ------------------------------------------------------------------------------
+
+$logline = fopen("php://stdin", "r");
+while(!feof($logline)) {
+ $line = fgets($logline);
+ $line = rtrim($line);
+ if ($line != "") {
+ $fields = explode(' ', $line);
+ // Apply date format
+ $fields[0] = date("d.m.Y H:i:s",$fields[0]);
+ foreach($fields as $field) {
+ // Write the Squid log line with date/time human readable
+ echo "{$field} ";
+ }
+ echo "\n";
+ }
+}
+fclose($logline);
+?>
\ No newline at end of file diff --git a/config/squid3/33/squid_monitor.php b/config/squid3/33/squid_monitor.php new file mode 100755 index 00000000..3a7b1d01 --- /dev/null +++ b/config/squid3/33/squid_monitor.php 
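Review bot: The `date("d.m.Y H:i:s",$fields[0])` call trusts that every non-empty stdin line begins with a numeric epoch; a truncated or otherwise malformed log line hands date() a non-numeric string, so PHP emits a warning into the very output stream this script is meant to produce (it is used as a pipe stage by the monitor page) and the timestamp column is lost. Guard it and drop Squid's millisecond fraction before the call: `$fields[0] = is_numeric($fields[0]) ? date("d.m.Y H:i:s", (int) $fields[0]) : $fields[0];`. fgets() also returns false at EOF, which rtrim() then silently turns into an empty string; checking `$line === false` before trimming makes the loop exit explicit. The usage comment names `parser_squid_log.php` while the file is squid_log_parser.php.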
@@ -0,0 +1,199 @@ +<?php +/* ========================================================================== */ +/* + squid_monitor.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + +require_once("/etc/inc/util.inc"); +require_once("/etc/inc/functions.inc"); +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/globals.inc"); +require_once("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Status: Proxy Monitor"; +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> + + <p class="pgtitle"><?=$pgtitle?></font></p> + +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<!-- Function to call programs logs --> +<script language="JavaScript"> + function showLog(content,url,program) + { + new PeriodicalExecuter(function(pe) { + new Ajax.Updater(content, url, { + method: 'post', + asynchronous: true, + evalScripts: true, + parameters: { maxlines: $('maxlines').getValue(), + strfilter: $('strfilter').getValue(), + program: program } + }) + }, 1) + } +</script> +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + if ($_REQUEST["menu"]=="reverse"){ + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid_reverse_general.xml&id=0"); + $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml"); + $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml"); + $tab_array[] = array(gettext("Redirects"), false, "/pkg.php?xml=squid_reverse_redir.xml"); + $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml"); + } + else{ + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid.xml&id=0"); + $tab_array[] = array(gettext("Remote Cache"), false, 
"/pkg.php?xml=squid_upstream.xml"); + $tab_array[] = array(gettext("Local Cache"), false, "/pkg_edit.php?xml=squid_cache.xml&id=0"); + $tab_array[] = array(gettext("Antivirus"), false, "/pkg_edit.php?xml=antivirus.xml&id=0"); + $tab_array[] = array(gettext("ACLs"), false, "/pkg_edit.php?xml=squid_nac.xml&id=0"); + $tab_array[] = array(gettext("Traffic Mgmt"), false, "/pkg_edit.php?xml=squid_traffic.xml&id=0"); + $tab_array[] = array(gettext("Authentication"), false, "/pkg_edit.php?xml=squid_auth.xml&id=0"); + $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=squid_users.xml"); + $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_sync.xml"); + } + display_top_tabs($tab_array); + ?> +</td></tr> + <tr> + <td> +<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <form id="paramsForm" name="paramsForm" method="post"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tbody> + <tr> + <td width="22%" valign="top" class="vncellreq">Max lines:</td> + <td width="78%" class="vtable"> + <select name="maxlines" id="maxlines"> + <option value="5">5 lines</option> + <option value="10" selected="selected">10 lines</option> + <option value="15">15 lines</option> + <option value="20">20 lines</option> + <option value="25">25 lines</option> + <option value="100">100 lines</option> + <option value="200">200 lines</option> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">String filter:</td> + <td width="78%" class="vtable"> + <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value=""> + <br/> + <span class="vexpl"> + <?=gettext("Enter a grep like string/pattern to filterlog.");?><br> + <?=gettext("eg. 
username, ip addr, url.");?><br> + <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> + </span> + </td> + </tr> + </tbody> + </table> + </form> + + <!-- Squid Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="6" class="listtopic"><center><?=gettext("Squid Logs"); ?><center></td> + </tr> + <tbody id="squidView"> + <script language="JavaScript"> + // Call function to show squid log + showLog('squidView', 'squid_monitor_data.php','squid'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +<?php if ($_REQUEST["menu"]!="reverse"){?> + <!-- SquidGuard Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="5" class="listtopic"><center><?=gettext("SquidGuard Logs"); ?><center></td> + </tr> + <tbody id="sguardView"> + <script language="JavaScript"> + // Call function to show squidGuard log + showLog('sguardView', 'squid_monitor_data.php','sguard'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +</div> +<?php }?> +</td> +</tr> +</table> +</div> + + +<?php +include("fend.inc"); +?> + +</body> +</html> diff --git a/config/squid3/33/squid_monitor_data.php b/config/squid3/33/squid_monitor_data.php new file mode 100755 index 00000000..7e27919d --- /dev/null +++ b/config/squid3/33/squid_monitor_data.php 
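Review bot: The `PeriodicalExecuter(..., 1)` in showLog() re-POSTs to squid_monitor_data.php every second, and the page registers it twice (squidView and sguardView), so every open browser tab drives two requests per second that each spawn a tail/grep/php pipeline on the firewall; a self-inflicted load that grows with the number of viewers. A longer interval such as `}, 5)` (or pausing while a previous request is in flight) is a safer default for a status page. `$savemsg` is tested but never assigned in this file, so `print_info_box()` can only fire on a leaked global. The markup also has `<center>` opened twice instead of closed (`<center><?=gettext("Squid Logs"); ?><center>`) and a stray `</font>` in the 1.2 title branch.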
@@ -0,0 +1,175 @@ +<?php +/* ========================================================================== */ +/* + squid_monitor_data.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +# ------------------------------------------------------------------------------ +# Defines +# ------------------------------------------------------------------------------ +require_once("guiconfig.inc"); + +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ +if ($_POST) { + # Actions + $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_POST['strfilter'])); + $program = strtolower($_POST['program']); + switch ($program) { + case 'squid': + // Define log file + $log='/var/squid/logs/access.log'; + //show table headers + show_tds(array("Date","IP","Status","Address","User","Destination")); + //fetch lines + $logarr=fetch_log($log); + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply date format to first line + //$logline[0] = date("d.m.Y H:i:s",$logline[0]); + + // Word wrap the URL + $logline[7] = htmlentities($logline[7]); + $logline[7] = html_autowrap($logline[7]); + + // Remove /(slash) in destination row + $logline_dest = preg_split("/\//", $logline[9]); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + echo "<tr valign=\"top\">\n"; + echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[7]}</td>\n"; + echo "<td class=\"listr\">{$logline[8]}</td>\n"; + echo "<td class=\"listr\">{$logline_dest[1]}</td>\n"; + echo "</tr>\n"; + } + break; + case 'sguard'; + $log='/var/squidGuard/log/block.log'; + //show table headers + 
show_tds(array("Date-Time","ACL","Address","Host","User")); + //fetch lines + $logarr=fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y", strtotime($logline[0])); + + // Word wrap the URL + $logline[4] = htmlentities($logline[4]); + $logline[4] = html_autowrap($logline[4]); + + + // Apply filter color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + + + echo "<tr>\n"; + echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\">{$logline[5]}</td>\n"; + echo "<td class=\"listr\">{$logline[6]}</td>\n"; + echo "</tr>\n"; + } + break; + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +// From SquidGuard Package +function html_autowrap($cont) +{ + # split strings + $p = 0; + $pstep = 25; + $str = $cont; + $cont = ''; + for ( $p = 0; $p < strlen($str); $p += $pstep ) { + $s = substr( $str, $p, $pstep ); + if ( !$s ) break; + $cont .= $s . "<wbr/>"; + } + return $cont; +} + + +// Show Squid Logs +function fetch_log($log){ + global $filter,$program; + // Get Data from form post + $lines = $_POST['maxlines']; + if (preg_match("/!/",htmlspecialchars($_POST['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + //Check program to execute or no the parser + if($program == "squid") + $parser = "| php -q squid_log_parser.php"; + else + $parser = ""; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). 
" | tail -r -n {$lines} {$parser} " , $logarr); + } + else { + exec("tail -r -n {$lines} {$log} {$parser}", $logarr); + } + // return logs + return $logarr; +}; + +function show_tds($tds){ + echo "<tr valign='top'>\n"; + foreach ($tds as $td){ + echo "<td class='listhdrr'>".gettext($td)."</td>\n"; + } + echo "</tr>\n"; +} + +?> diff --git a/config/squid3/33/squid_nac.xml b/config/squid3/33/squid_nac.xml new file mode 100755 index 00000000..bffefb61 --- /dev/null +++ b/config/squid3/33/squid_nac.xml 
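Review bot: In fetch_log() the POST value `$_POST['maxlines']` is interpolated unvalidated into the exec() command line (`tail -r -n {$lines} ...`), while only `$filter` gets escapeshellarg(); the select box offers fixed values, but the request body is attacker-shaped, so whatever the caller sends becomes part of a shell command. Cast it: `$lines = (int) $_POST['maxlines']; if ($lines < 1) { $lines = 10; }`. Separately, `$filter` is used as a raw PCRE pattern in `preg_replace("@($filter)@i", ...)` in both cases; stripping four characters does not make it a literal, so a pattern like `(a+)+b` or a lone backslash can either stall the request or make preg_replace() return null and blank every column, and `preg_quote($filter, '@')` is the right tool there. Only the URL column ($logline[7], $logline[4]) is passed through htmlentities(); the IP, status, user and destination columns are echoed raw from the log, and the user field at least is client-supplied content. The highlight markup opens `<spam>` and closes `</span>`.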
@@ -0,0 +1,191 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidnac</name> + <version>none</version> + <title>Proxy server: Access control</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Access Control Lists</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Allowed subnets</fielddescr> + <fieldname>allowed_subnets</fieldname> + <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. 
All the other subnets won't be able to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Unrestricted IPs</fielddescr> + <fieldname>unrestricted_hosts</fieldname> + <description>Enter unrestricted IP address / network(in CIDR format) on a new line that is not to be filtered out by the other access control directives set in this page.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Banned host addresses</fielddescr> + <fieldname>banned_hosts</fieldname> + <description>Enter each IP address / network(in CIDR format) on a new line that is not to be allowed to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Whitelist</fielddescr> + <fieldname>whitelist</fieldname> + <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Blacklist</fielddescr> + <fieldname>blacklist</fieldname> + <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Block user agents</fielddescr> + <fieldname>block_user_agent</fieldname> + <description>Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. 
You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Block MIME types (reply only)</fielddescr> + <fieldname>block_reply_mime_type</fieldname> + <description>Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript).</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <name>Squid Allowed ports</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>acl safeports</fielddescr> + <fieldname>addtl_ports</fieldname> + <description>This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535</description> + <type>input</type> + <size>60</size> + <default_value></default_value> + </field> + <field> + <fielddescr>acl sslports</fielddescr> + <fieldname>addtl_sslports</fieldname> + <description>This is a space-separated list of ports to allow SSL "CONNECT" in addition to the already defined list: 443 563</description> + <type>input</type> + <size>60</size> + <default_value></default_value> + </field> + </fields> + <custom_php_validation_command> + squid_validate_nac($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_ng.inc b/config/squid3/33/squid_ng.inc new file mode 100755 index 00000000..0e1e0515 --- /dev/null +++ b/config/squid3/33/squid_ng.inc 
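Review bot: The copyright block in the new file still names `authng.xml`, and `<description>` and `<requirements>` carry the package-template placeholders ("Describe your package here", "Describe your package requirements here") rather than text about the Squid ACL page; both should be replaced, e.g. `<description>Squid proxy server: access control lists, banned/unrestricted hosts, allowed ports</description>`. If the `<url>` values really contain a bare `&` (`xml=squid.xml&id=0`) rather than `&amp;`, the file is not well-formed XML; this may be an artefact of how the diff is rendered here, so confirm against the committed file.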
@@ -0,0 +1,1070 @@
+<?php
+/* $Id$ */
+
+/*
+ squid_ng.inc
+ part of pfSense (www.pfSense.com)
+
+ Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+
+*/
+
+if(!function_exists("filter_configure"))
+ require_once("filter.inc");
+
+function global_write_squid_config()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ /* define squid configuration file in variable for replace function */
+ $squidconfig = "/usr/local/etc/squid/squid.conf";
+
+ /* squid.xml values */
+ $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
+ $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
+ $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
+ $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
+ $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
+ $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
+ $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
+ $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
+ $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
+ $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
+ $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
+
+ /* squid_upstream.xml values */
+ $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
+ $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
+ $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
+ $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
+ $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
+ 
$upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
+ $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
+
+ /* squid_cache.xml values */
+ $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
+ $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
+ $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
+ $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
+ $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
+ $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
+ $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
+ $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
+ $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
+
+ /* squid_nac.xml values */
+ $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
+ $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
+ $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
+ $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
+ $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
+ $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
+
+ /* squid_traffic.xml values */
+ $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
+ $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
+ $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
+ $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
+ $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
+ $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
+ $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
+
+ /* squid_auth.xml values */
+ $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
+ $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
+ $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
+ $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
+ $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
+ $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
+ $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
+ $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
+ $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
+ $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
+
+ /* squid_extauth.xml (ldap) values */
+ $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+ $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+ $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+ $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+ $bind_dn_username = 
$config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+ $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+
+ /* squid_extauth.xml (radius) values */
+ $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
+ $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
+ $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
+ $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
+
+ /* static variable assignments for directory mapping */
+ $acldir = "/usr/local/etc/squid/advanced/acls";
+ $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
+ $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
+ $radiusdir = "/usr/local/etc/squid/advanced/radius";
+
+ $fout = fopen($squidconfig, "w");
+
+ $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
+
+ if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
+ mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
+ mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
+ } else {
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ }
+ unset($cachemgr_enabled);
+
+ if (!isset($icp_port) or ($icp_port == "")) {
+ $icp_port = "3130";
+ }
+ $config_array[] = 'icp_port ' . $icp_port . "\n";
+ unset($icp_port);
+
+ if(!isset($proxy_port) or ($proxy_port == "")) {
+ $proxy_port = "3128";
+ }
+
+ if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
+ $int = convert_friendly_interface_to_real_interface_name($active_interface);
+ $listen_ip = find_interface_ip($int);
+
+ $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
+ $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
+ }
+ $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . 
"\n\n";
+ unset($proxy_port);
+
+ if (isset($domain) && ($domain !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/dst_nocache.acl","w");
+
+ $domain_array = split("; ",$domain);
+ foreach ($domain_array as $no_cache_domain) {
+ fwrite($aclout, $no_cache_domain . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
+ $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
+ }
+ unset($no_cache_domain);
+ unset($domain_array);
+ unset($domain);
+
+ $config_array[] = 'cache_effective_user squid' . "\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
+
+ if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
+ $memory_cache_size = "8";
+ }
+ $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
+ unset($memory_cache_size);
+
+ if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
+ $harddisk_cache_size = "500";
+ }
+
+ if (!isset($level_subdirs) or ($level_subdirs == "")) {
+ $level_subdirs = "16";
+ }
+
+ $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
+ unset($harddisk_cache_size);
+ unset($level_subdirs);
+
+ if (!isset($error_language) or ($error_language == "")) {
+ $error_language = "English";
+ }
+ $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
+ unset($error_language);
+
+ if (isset($offline_mode) && ($offline_mode == "on")) {
+ $config_array[] = 'offline_mode on' . "\n\n";
+ } else {
+ $config_array[] = 'offline_mode off' . "\n\n";
+ }
+
+ if (!isset($memory_replacement) or ($memory_replacement == "")) {
+ $memory_replacement = "heap GDSF";
+ }
+ $config_array[] = 'memory_replacement_policy ' . $memory_replacement . 
"\n";
+ unset($memory_replacement);
+
+ if (!isset($cache_replacement) or ($cache_replacement == "")) {
+ $cache_replacement="heap GDSF";
+ }
+ $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
+ unset($cache_replacement);
+
+ if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
+ $config_array[] = 'cache_access_log none' . "\n";
+ } else {
+ $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
+ }
+ $config_array[] = 'cache_log /var/log/cache.log' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
+ unset($accesslog_disabled);
+ unset($log_enabled);
+
+ if (isset($log_query_terms) && ($log_query_terms == "on")) {
+ $config_array[] = 'strip_query_terms off' . "\n";
+ } else {
+ $config_array[] = 'strip_query_terms on' . "\n";
+ }
+ unset($log_query_terms);
+
+ $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
+ unset($log_user_agents);
+
+ $config_array[] = 'log_mime_hdrs off' . "\n";
+ $config_array[] = 'emulate_httpd_log on' . "\n";
+
+ switch ($user_forwarding) {
+ case "on":
+ $config_array[] = 'forwarded_for on' . "\n\n";
+ break;
+ case "off":
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ default:
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ }
+ unset($user_forwarding);
+
+ switch ($auth_method) {
+ case "none":
+ break;
+ case "local_auth":
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . 
"\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "radius_auth";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "ldap_bind";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
+ $config_array[] = ' -b "' . $ldap_basedn . '"';
+ $config_array[] = ' -D "' . $bind_dn_username . '"';
+ $config_array[] = " -w " . $bind_dn_password;
+ $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
+ $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . 
"\n";
+
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "windows_auth";
+ break;
+ }
+
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
+ fwrite($throttle_out, $binary_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
+ }
+ unset($throttle_binary_files);
+ unset($throttle_out);
+ unset($binary_out);
+
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
+ fwrite($throttle_out, $cd_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_cd.acl")) {
+ unlink($acldir . 
"/dst_throttle_cd.acl");
+ }
+ }
+ unset($throttle_cd_images);
+ unset($throttle_out);
+ unset($cd_out);
+
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
+ fwrite($throttle_out, $multimedia_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
+ unlink($acldir . "/dst_throttle_multimedia.acl");
+ }
+ }
+ unset($throttle_multimedia);
+ unset($multimedia_out);
+ unset($throttle_out);
+
+ $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
+
+ /* obtain interface subnet and address for Squid rules */
+ $lactive_interface = strtolower($active_interface);
+
+ $lancfg = $config['interfaces'][$lactive_interface];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
+ $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
+ $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
+ $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
+ $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
+ $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
+ $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . 
"\n";
+ $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
+ $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
+ $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
+ $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
+
+ /* allow access through proxy for custom admin port */
+ $custom_port = $config['system']['webgui']['port'];
+ if (isset($custom_port) && ($custom_port !== "")) {
+ $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
+ unset($custom_port);
+ } else {
+ $admin_protocol = $config['system']['webgui']['protocol'];
+ switch ($admin_protocol) {
+ case "http";
+ $config_array[] = 'acl pf_admin_port port 80' ."\n";
+ break;
+ case "https";
+ $config_array[] = 'acl pf_admin_port port 443' . "\n";
+ break;
+ default;
+ $config_array[] = 'acl pf_admin_port port 80' . "\n";
+ break;
+ }
+ unset($admin_protocol);
+ }
+
+ /* define override hosts as specified in squid_nac.xml */
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
+
+ $override_hosts_array = split("; ", $override_hosts);
+ foreach ($override_hosts_array as $ind_override_host) {
+ fwrite($aclout, $ind_override_host . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
+ }
+ /* clear variables */
+ unset($override_hosts_array);
+ unset($ind_override_host);
+ unset($override_hosts);
+
+ /* define subnets allowed to utilize proxy service */
+ if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ mwexec("touch {$acldir}/src_subnets.acl");
+ }
+
+ $aclout = fopen($acldir . 
"/src_subnets.acl","w");
+
+ $allowed_subnets_array = split("; ",$allowed_subnets);
+ foreach ($allowed_subnets_array as $ind_allowed_subnets) {
+ fwrite($aclout, $ind_allowed_subnets . "\n");
+ }
+
+ fclose($aclout);
+ } else {
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+ fwrite($aclout, $lansa . "/" . $lansn . "\n");
+ fclose($aclout);
+ }
+
+ $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
+
+ unset($allowed_subnets_array);
+ unset($ind_allowed_subnets);
+ unset($allowed_subnets);
+
+ /* define ip addresses that have 'unrestricted' access */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
+
+ $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
+ foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
+ fwrite($aclout, $ind_unrestricted_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
+ }
+ unset($unrestricted_ip_array);
+ unset($unrestricted_ip_addr);
+ unset($ind_unrestricted_ip);
+
+ /* define mac addresses that have 'unrestricted' access */
+ if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
+
+ $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
+ foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
+ fwrite($aclout, $ind_unrestricted_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . 
"\n";
+ }
+ unset($unrestricted_mac_array);
+ unset($unrestricted_mac_addr);
+ unset($ind_unrestricted_mac);
+
+ /* define ip addresses that are banned from using the proxy service */
+ if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_ip.acl","w");
+
+ $banned_ip_array = split("; ",$banned_ip_addr);
+ foreach ($banned_ip_array as $ind_banned_ip) {
+ fwrite($aclout, $ind_banned_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
+ }
+ unset($banned_ip_array);
+ unset($banned_ip_addr);
+ unset($ind_banned_ip);
+
+ /* define mac addresses that are banned from using the proxy service */
+ if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_mac.acl","w");
+
+ $banned_mac_array = split("; ",$banned_mac_addr);
+ foreach ($banned_mac_array as $ind_banned_mac) {
+ fwrite($aclout, $ind_banned_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
+ }
+ unset($banned_mac_array);
+ unset($banned_mac_addr);
+ unset($ind_banned_mac);
+
+ $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
+ $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method == "none")) {
+ $config_array[] = 'http_access allow localnet' . "\n";
+ }
+ $config_array[] = 'http_access allow localhost' . "\n";
+
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ $config_array[] = 'http_access allow override_hosts' . "\n";
+ }
+ $config_array[] = "\n";
+
+ switch ($config['system']['webgui']['protocol']) {
+ case "http":
+ $config_array[] = 'http_access allow pf_ips' . "\n";
+ $config_array[] = 'http_access allow pf_admin_port' . 
"\n";
+ $config_array[] = 'http_access deny !pf_networks' . "\n\n";
+ break;
+ case "https":
+ $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
+ $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
+ break;
+ }
+
+ $config_array[] = 'http_access deny !Safe_ports' . "\n";
+ $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method != "none")) {
+ $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
+ }
+
+ $config_array[] = 'http_access deny all' . "\n\n";
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_overall == "unlimited") {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . 
"\n\n";
+ }
+
+ if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_per_host == "unlimited") {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
+ }
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
+ /* if no bandwidth restrictions are specified, then these parameters are not necessary */
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . 
"\n";
+ } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+ }
+
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+ }
+
+ $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
+ $config_array[] = 'header_access Via deny all' . "\n\n";
+
+ /* TODO: acl customization for snmp support */
+ /* fwrite($fout, "\n"); */
+
+ if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
+ $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
+ $config_array[] = 'redirect_children 5' . "\n\n";
+ }
+
+ if (isset($max_upload_size) && ($max_upload_size != "")) {
+ $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
+ }
+
+ if (isset($max_download_size) && ($max_download_size != "")) {
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . 
"\n";
+ /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
+ $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
+ }
+
+ /* set default value for maximum_object_size */
+ if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
+ $maximum_object_size = "4096";
+ }
+
+ /* set default value for minimum_object_size */
+ if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
+ $minimum_object_size = "0";
+ }
+ $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
+ $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
+
+ if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
+ $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
+ $config_array[] = 'never_direct allow all' . "\n";
+ }
+ unset($proxy_forwarding);
+
+
+ /* define default ruleset for transparent proxy operation */
+ if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
+ $config_array[] = 'httpd_accel_host virtual' . "\n";
+ $config_array[] = 'httpd_accel_port 80' . "\n";
+ $config_array[] = 'httpd_accel_with_proxy on' . "\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
+ }
+ unset($transparent_proxy);
+
+
+ /* define visible hostname */
+ if (isset($visible_hostname) && ($visible_hostname !== "")) {
+ $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
+ }
+ unset($visible_hostname);
+
+ /* define cache administrators email address within error messages */
+ if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
+ $config_array[] = 'cache_mgr ' . $cache_admin_email . 
"\n\n"; + } + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + +function squid3_custom_php_install_command() { + /* write initial static config for transparent proxy */ + write_static_squid_config(); + + touch("/tmp/squid3_custom_php_install_command"); + + /* make sure this all exists, see: + * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 + */ + update_output_window("Setting up Squid environment..."); + mwexec("mkdir -p /var/squid"); + mwexec("chown squid:squid /var/squid"); + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + mwexec("mkdir -p /usr/local/etc/squid/advanced"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced"); + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); + + + /* set a few extra items noted by regan */ + update_output_window("Creating logs and setting user information..."); + $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); + fwrite($fdsquid, "#/bin/sh\n"); + fwrite($fdsquid, "# \n"); + fwrite($fdsquid, "# This file was created by the pfSense package system\n"); + 
fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n"); + fwrite($fdsquid, "# \n\n"); + fwrite($fdsquid, "chown squid:wheel /dev/pf\n"); + fwrite($fdsquid, "chmod ug+rw /dev/pf\n"); + fwrite($fdsquid, "touch /var/log/useragent.log\n"); + fwrite($fdsquid, "touch /var/log/access.log\n"); + fwrite($fdsquid, "touch /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n"); + fwrite($fdsquid, "\n"); + fclose($fdsquid); + mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh"); + mwexec("/usr/local/etc/rc.d/aSquid.sh"); + + update_output_window("Creating Proxy Server initialization scripts..."); + $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty"; + $stop = "/usr/local/sbin/squid -k shutdown"; + write_rcfile(array( + "file" => "squid.sh", + "start" => $start, + "stop" => $stop + ) + ); + + mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); + + /* create log directory hierarchies if they don't exist */ + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); + + + if (!file_exists("/var/squid/cache")) { + mwexec("mkdir -p /var/squid/cache"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); + + if (!file_exists("/usr/local/etc/squid/advanced/acls")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); + + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { + mwexec("mkdir -p 
/usr/local/etc/squid/advanced/ntlm"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); + + if (!file_exists("/usr/local/etc/squid/advanced/radius")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); + + $devfs_file = fopen("/etc/devfs.conf", "a"); + fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); + fwrite($devfs_file, "own pf root:squid"); + fwrite($devfs_file, "perm pf 0640"); + fclose($devfs_file); + + update_output_window("Initializing Cache... This may take a moment..."); + mwexec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Proxy Server..."); + start_service("squid"); +} + +function squid3_custom_php_deinstall_command() { + update_output_window("Stopping proxy service..."); + stop_service("squid"); + sleep(1); + /* brute force any remaining squid processes out */ + mwexec("/usr/bin/killall squid"); + mwexec("/usr/bin/killall pinger"); + update_output_window("Recursively removing directories hierarchies. 
If existant, log files in /var/squid/logs will remain..."); + mwexec("rm -rf /var/squid/cache"); + update_output_window("Removing configuration files..."); + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); + unlink_if_exists("/usr/local/libexec/squid"); + unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh"); + mwexec("rm -f /usr/local/etc/rc.d/squid*"); + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + filter_configure(); +} + +function write_static_squid_config() { + touch("/tmp/write_static_squid_config"); + global $config; + $lancfg = $config['interfaces']['lan']; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $fout = fopen("/usr/local/etc/squid/squid.conf","w"); + fwrite($fout, "#\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); + fwrite($fout, "#\n"); + + /* set # of dns children */ + fwrite($fout, "dns_children 15\n"); + + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "icp_port 0\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_mem 24 MB\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); + fwrite($fout, "\n"); + + fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); + fwrite($fout, "\n"); + + fwrite($fout, "memory_replacement_policy heap GDSF\n"); + fwrite($fout, "cache_replacement_policy heap GDSF\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_access_log none\n"); + fwrite($fout, "cache_log none\n"); + fwrite($fout, "cache_store_log none\n"); + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); 
+ fwrite($fout, "forwarded_for off\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "visible_hostname pfSense\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "maximum_object_size 4096 KB\n"); + fwrite($fout, "minimum_object_size 0 KB\n"); + fwrite($fout, "\n"); + + fwrite($fout, 
"request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); +} + +function mod_htpasswd() { + global $config; + conf_mount_rw(); + config_lock(); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + +?> diff --git a/config/squid3/33/squid_ng.xml b/config/squid3/33/squid_ng.xml new file mode 100755 index 00000000..142536d6 --- /dev/null +++ b/config/squid3/33/squid_ng.xml 
@@ -0,0 +1,267 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>2.5.12_4</version> + <title>Services: Proxy Server</title> + <category>Security</category> + <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/squid_ng.inc</include_file> + <menu> + <name>Squid</name> + <tooltiptext>Modify settings for Proxy Server</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </menu> + <menu> + <name>Squid stats</name> + <tooltiptext>Show Squid statistics</tooltiptext> + <section>Services</section> + <url>/cachemgr.cgi</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + </service> + <tabs> + <tab> + <text>General Settings</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Network Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + </tab> + </tabs> + <configpath>installedpackages->package->squidng->configuration->settings</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + 
<prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_ng.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_auth.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_extauth.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Proxy Listening Interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>This defines the active listening interface to which the proxy server will listen for its requests.</description> + <type>interfaces_selection</type> + </field> + <field> + <fielddescr>Transparent Proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>URL Filtering Enabled</fielddescr> + 
<fieldname>urlfilter_enable</fieldname> + <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable Access Log</fielddescr> + <fieldname>accesslog_disabled</fieldname> + <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log Query Terms</fielddescr> + <fieldname>log_query_terms</fieldname> + <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log User Agents</fielddescr> + <fieldname>log_user_agents</fieldname> + <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Proxy Port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description> + <type>input</type> + <size>4</size> + <combinefieldsend>true</combinefieldsend> + </field> + <field> + <fielddescr>ICP Port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. 
The default value is 0, which means this function is disabled.</description> + <type>input</type> + <size>4</size> + </field> + <field> + <fielddescr>Visible Hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This URL is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Cache Administrator E-Mail</fielddescr> + <fieldname>cache_admin_email</fieldname> + <description>This E-Mail address is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Error Messages Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the Proxy Server shall display error messages to users.</description> + <type>select</type> + <options> + <option><name>Bulgarian</name><value>Bulgarian</value></option> + <option><name>Catalan</name><value>Catalan</value></option> + <option><name>Czech</name><value>Czech</value></option> + <option><name>Danish</name><value>Danish</value></option> + <option><name>Dutch</name><value>Dutch</value></option> + <option><name>English</name><value>English</value></option> + <option><name>Estonian</name><value>Estonian</value></option> + <option><name>Finnish</name><value>Finnish</value></option> + <option><name>French</name><value>French</value></option> + <option><name>German</name><value>German</value></option> + <option><name>Hebrew</name><value>Hebrew</value></option> + <option><name>Hungarian</name><value>Hungarian</value></option> + <option><name>Italian</name><value>Italian</value></option> + <option><name>Japanese</name><value>Japanese</value></option> + <option><name>Korean</name><value>Korean</value></option> + <option><name>Lithuanian</name><value>Lithuanian</value></option> + <option><name>Polish</name><value>Polish</value></option> + <option><name>Portuguese</name><value>Portuguese</value></option> + 
<option><name>Romanian</name><value>Romanian</value></option> + <option><name>Russian-1251</name><value>Russian-1251</value></option> + <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option> + <option><name>Serbian</name><value>Serbian</value></option> + <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option> + <option><name>Slovak</name><value>Slovak</value></option> + <option><name>Spanish</name><value>Spanish</value></option> + <option><name>Swedish</name><value>Swedish</value></option> + <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option> + <option><name>Turkish</name><value>Turkish</value></option> + </options> + </field> + <field> + <fielddescr>Enable cachemgr</fielddescr> + <fieldname>cachemgr_enabled</fieldname> + <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description> + <type>checkbox</type> + </field> + + </fields> + <custom_add_php_command_late> + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_add_php_command_late> + <custom_php_install_command> + squid3_custom_php_install_command(); + write_static_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_php_install_command> + <custom_php_deinstall_command> + squid3_custom_php_deinstall_command(); + stop_service("squid"); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc new file mode 100755 index 00000000..c4061ba4 --- /dev/null +++ b/config/squid3/33/squid_reverse.inc 
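Review bot: `<custom_php_install_command>` calls `write_static_squid_config()`, `mwexec("/usr/local/sbin/squid -k reconfigure")` and `start_service("squid")` after `squid3_custom_php_install_command()`, but that function (in the squid_ng.inc hunk above) already opens with `write_static_squid_config()` and ends with `start_service("squid")`, so the static config is written twice and the service is started twice on install; keep only `squid3_custom_php_install_command();` in this hook. `<custom_add_php_command_late>` calls `global_write_squid_config()`, which is not defined in the visible part of squid_ng.inc (that file defines `write_squid_config`), so confirm it exists elsewhere or the save hook will fail with an undefined-function error. The `additional_files_needed` items fetch from `packages/config/squid/` while this file lives under `config/squid3/33/`, and `<name>squid</name>` with `<version>2.5.12_4</version>` reads as carried over from the older package; these look worth verifying before this descriptor is used for the squid3 tree.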
@@ -0,0 +1,225 @@
+<?php
+/* $Id$ */
+/*
+ squid_reverse.inc
+ Copyright (C) 2012 Martin Fuchs
+ Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2013 Gekkenhuis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/ + +function squid_resync_reverse() { + global $config; + //if(!is_array($valid_acls)) + // return; + + //CONFIG FILE + if (is_array($config['installedpackages']['squidreversegeneral'])) + $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + if (is_array($config['installedpackages']['squidreversepeer'])) + $reverse_peers=$config['installedpackages']['squidreversepeer']['config']; + if (is_array($config['installedpackages']['squidreverseuri'])) + $reverse_maps=$config['installedpackages']['squidreverseuri']['config']; + if (is_array($config['installedpackages']['squidreverseredir'])) + $reverse_redir=$config['installedpackages']['squidreverseredir']['config']; + + $conf = "# Reverse Proxy settings\n"; + + if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { + $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + } + } + } + + if (!empty($settings['reverse_int_ca'])) + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + + $ifaces = ($settings['reverse_interface'] ? 
$settings['reverse_interface'] : 'wan'); + $real_ifaces = array(); + + #set HTTP port and defsite + $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']); + $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']); + + #set HTTPS port and defsite + $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']); + $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']); + + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } + } + + if(!empty($settings['reverse_ip'])) { + $reverse_ip = explode(";", ($settings['reverse_ip'])); + foreach ($reverse_ip as $reip) { + //IPv6 Addresses need to be enclosed in brackets + if (strpos($reip, ':')) $reip = '[' . $reip . 
']'; + + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } + } + + //PEERS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) + $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; + + $active_peers=array(); + if (is_array($reverse_peers)) + foreach ($reverse_peers as $rp){ + if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ + $conf_peer = "#{$rp['description']}\n"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS "; + if($rp['protocol'] == 'HTTPS') + $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf_peer .= "name=rvp_{$rp['name']}\n\n"; + + // add peer only if reverse proxy is enabled for http + if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + // add peer only if if reverse proxy is enabled for https + if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){ + if (!in_array($rp['name'],$active_peers)){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + } + } + } + + //REDIRECTS + if (is_array($reverse_redir)) { + foreach ($reverse_redir as $rdr) { + if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") { + $conf_rdr = "# Redirect: {$rdr['description']}\n"; + + if (is_array($rdr['row'])) { + foreach ($rdr['row'] as $uri) { + $conf_rdr .= "acl rdr_dst_{$rdr['name']} dstdomain {$uri['uri']}\n"; + } + } + + $conf_rdr .= "acl 
rdr_path_{$rdr['name']} urlpath_regex {$rdr['pathregex']}\n"; + $conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n"; + + foreach (explode(',', $rdr['protocol']) as $rdr_protocol) { + if($rdr_protocol == "HTTP") { + $conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n"; + } + + if($rdr_protocol == "HTTPS") { + $conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n"; + } + } + + $conf_rdr .= "\n"; + } + + $conf .= $conf_rdr; + } + } + + //ACLS and MAPPINGS + + //create an empty owa_dirs to populate based on user selected options + $owa_dirs=array(); + if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){ + if(!empty($settings['reverse_owa_ip'])){ + array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); + if($settings['reverse_owa_activesync']) + array_push($owa_dirs,'Microsoft-Server-ActiveSync'); + if($settings['reverse_owa_rpchttp']) + array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); + if($settings['reverse_owa_autodiscover']) + array_push($owa_dirs,'autodiscover'); + if($settings['reverse_owa_webservice']){ + array_push($owa_dirs,'EWS'); + //$conf .= "ignore_expect_100 on\n"; Obsolete on 3.3 + } + } + if (is_array($owa_dirs)) + foreach ($owa_dirs as $owa_dir) + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n"; + } + //$conf .= "ssl_unclean_shutdown on"; + if (is_array($reverse_maps)) + foreach ($reverse_maps as $rm){ + if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){ + if (is_array($rm['row'])) + foreach ($rm['row'] as $uri){ + $url_regex=($uri['uri'] == '' ? 
$settings['reverse_external_fqdn'] : $uri['uri'] ); + //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n"; + $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n"; + if($rm['name'] != $last_rm_name){ + $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n"; + $http_access_conf .= "http_access allow rvm_{$rm['name']}\n"; + foreach (explode(',',$rm['peers']) as $map_peer) + if (in_array($map_peer,$active_peers)){ + $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n"; + $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n"; + } + $last_rm_name=$rm['name']; + } + } + } + } + + //ACCESS + if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") { + $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny allsrc\n"; + $conf .= "never_direct allow OWA_URI_pfs\n"; + $conf .= "http_access allow OWA_URI_pfs\n"; + } + + $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; + + if (!empty($settings['deny_info_tcp_reset'])) + $conf .= "deny_info TCP_RESET allsrc\n"; + + return $conf; +} +?> diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml new file mode 100755 index 00000000..ce09f8e7 --- /dev/null +++ b/config/squid3/33/squid_reverse.xml 
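Review bot: The reverse-proxy private key is written with `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", ...)` under whatever mode the process umask yields, so it can end up group- or world-readable next to the .crt; add `chmod(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", 0600);` directly after that write. When `reverse_https` is on but `reverse_ssl_cert` is `none` or `lookup_cert()` returns false, `$reverse_crt` and `$reverse_key` are never assigned and the `https_port ... cert= key=` lines are emitted with empty values, so the HTTPS listener should be skipped (or the resync should report an error) in that case. Every HTTPS `cache_peer`, including the OWA one, is hard-coded with `sslflags=DONT_VERIFY_PEER`, meaning the backend certificate is never validated; that deserves at least a comment stating it is intentional, or a per-peer option so an operator can turn verification on. `$cache_peer_allow_conf`, `$cache_peer_deny_conf`, `$cache_peer_never_direct_conf`, `$http_access_conf` and `$last_rm_name` are read before any assignment; initialise them to `''` at the top of `squid_resync_reverse()`.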
@@ -0,0 +1,357 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreverse</name>
+ <version>none</version>
+ <title>Proxy server: Reverse Proxy</title>
+ <include_file>squid.inc</include_file>
+ <tabs>
+<tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Reverse</text>
+ <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Reverse Proxy interface</fielddescr>
+ <fieldname>reverse_interface</fieldname>
+ <description>The interface(s) the reverse-proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>wan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>User-defined reverse-proxy IPs</fielddescr>
+ <fieldname>reverse_ip</fieldname>
+ <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. 
Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>external FQDN</fielddescr>
+ <fieldname>reverse_external_fqdn</fieldname>
+ <description>The external full-qualified-domain-name of the WAN address.</description>
+ <type>input</type>
+ <required/>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Reset TCP connections if request is unauthorized</fielddescr>
+ <fieldname>deny_info_tcp_reset</fieldname>
+ <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>Squid Reverse HTTP Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTP reverse mode</fielddescr>
+ <fieldname>reverse_http</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_http_port,reverse_http_defsite</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP port</fielddescr>
+ <fieldname>reverse_http_port</fieldname>
+ <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>80</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP default site</fielddescr>
+ <fieldname>reverse_http_defsite</fieldname>
+ <description>This is the HTTP reverse default site. 
(leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Reverse HTTPS Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTPS reverse proxy</fielddescr>
+ <fieldname>reverse_https</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS port</fielddescr>
+ <fieldname>reverse_https_port</fieldname>
+ <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>443</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS default site</fielddescr>
+ <fieldname>reverse_https_defsite</fieldname>
+ <description>This is the HTTPS reverse default site. 
(leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>reverse SSL certificate</fielddescr>
+ <fieldname>reverse_ssl_cert</fieldname>
+ <description>Choose the SSL Server Certificate here.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['cert']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>intermediate CA certificate (if needed)</fielddescr>
+ <fieldname>reverse_int_ca</fieldname>
+ <description>Paste a signed certificate in X.509 PEM format here.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Ignore internal Certificate validation</fielddescr>
+ <fieldname>reverse_ignore_ssl_valid</fieldname>
+ <description>If this field is checked, internal certificate validation will be ignored.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Enable OWA reverse proxy</fielddescr>
+ <fieldname>reverse_owa</fieldname>
+ <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description>
+ <type>checkbox</type>
+ <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields>
+ </field>
+ <field>
+ <fielddescr>OWA frontend IP address</fielddescr>
+ <fieldname>reverse_owa_ip</fieldname>
+ <description>This is the internal IP Address of the OWA frontend server.</description>
+ <type>input</type>
+ <size>15</size>
+ </field>
+ <field>
+ <fielddescr>Enable ActiveSync</fielddescr>
+ <fieldname>reverse_owa_activesync</fieldname>
+ <description>If this field is checked, ActiveSync will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Outlook Anywhere</fielddescr>
+ <fieldname>reverse_owa_rpchttp</fieldname>
+ 
<description>If this field is checked, RPC over HTTP will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Exchange WebServices</fielddescr>
+ <fieldname>reverse_owa_webservice</fieldname>
+ <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br>
+ <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable AutoDiscover</fielddescr>
+ <fieldname>reverse_owa_autodiscover</fieldname>
+ <description>If this field is checked, AutoDiscover will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Squid Reverse Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr><b>peer definitions</b> <br>publishing hosts</fielddescr>
+ <fieldname>reverse_cache_peer</fieldname>
+ <description><![CDATA[Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<BR>
+ syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]<br>
+ example: HOST1;192.168.0.1;80;HTTP<br>
+ <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr><b>URI definitions</b> <br>published URIs</fielddescr>
+ <fieldname>reverse_uri</fieldname>
+ <description><![CDATA[Enter each reverse acl definition on a new line. 
Directives have to be separated by a semicolon(;)<BR>
+ syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <BR>
+ (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)<BR>
+ example: URI1;public;server.pfsense.org.<BR>
+ <STRONG>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</STRONG>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr><b>ACL definitions</b> <br>published URIs</fielddescr>
+ <fieldname>reverse_acl</fieldname>
+ <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br>
+ syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br>
+ <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+
+<!--
+ <field>
+ <fielddescr>internal hosts</fielddescr>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>IP address</fielddescr>
+ <fieldname>reverse_cache_peer_ip</fieldname>
+ <type>input</type>
+ <size>15</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>reverse_cache_peer_proto</fieldname>
+ <type>select</type>
+ <options>
+ <option> <name>HTTP</name> <value>HTTP</value> </option>
+ <option> <name>HTTPS</name> <value>HTTPS</value> </option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>port</fielddescr>
+ <fieldname>reverse_cache_peer_port</fieldname>
+ <type>input</type>
+ <size>5</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>peer name</fielddescr>
+ <fieldname>reverse_cache_peer_name</fieldname>
+ <type>input</type>
+ <size>25</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+
+ <field>
+ <fielddescr>published URI</fielddescr>
+ <type>rowhelper</type>
+ <rowhelper>
+ 
<rowhelperfield>
+ <fielddescr>URI</fielddescr>
+ <fieldname>reverse_cache_peer_uri</fieldname>
+ <type>input</type>
+ <size>50</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>peer name</fielddescr>
+ <fieldname>reverse_cache_peer</fieldname>
+ <type>input</type>
+ <size>25</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+-->
+
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general(&$pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, &$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
\ No newline at end of file
diff --git a/config/squid3/33/squid_reverse_general.xml b/config/squid3/33/squid_reverse_general.xml
new file mode 100755
index 00000000..374666d7
--- /dev/null
+++ b/config/squid3/33/squid_reverse_general.xml
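Review bot: `reverse_ignore_ssl_valid` ships with `<default_value>on</default_value>`, so a fresh install skips validation of the certificate presented by the internal server unless the admin notices the checkbox; the same default is in squid_reverse_general.xml. A safer default is `<default_value>off</default_value>`, with the description spelling out that enabling it accepts any certificate the backend presents. The `reverse_https` `<enablefields>` list also names `reverse_ssl_chain`, which no `<field>` in this file (or in squid_reverse_general.xml) defines, so either add the field or drop it from the list; relatedly, `reverse_int_ca` is labelled "intermediate CA certificate" but its description reads "Paste a signed certificate", which would be clearer as `Paste the intermediate CA certificate (X.509 PEM format) that chains the server certificate to its root.`. Finally, `squid_validate_reverse($_POST, &$input_errors);` uses call-time pass-by-reference, which PHP 5.4 and later reject with a fatal error; if the target platform is on or moving to 5.4, the function should declare the reference in its signature and the call become `squid_validate_reverse($_POST, $input_errors);` — the same call appears in squid_reverse_general.xml and squid_reverse_peer.xml.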
@@ -0,0 +1,252 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_reverse_general.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreversegeneral</name>
+ <version>none</version>
+ <title>Reverse Proxy server: General</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Reverse Proxy interface</fielddescr>
+ <fieldname>reverse_interface</fieldname>
+ <description>The interface(s) the reverse-proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>wan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>User-defined reverse-proxy IPs</fielddescr>
+ <fieldname>reverse_ip</fieldname>
+ <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. 
Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>external FQDN</fielddescr>
+ <fieldname>reverse_external_fqdn</fieldname>
+ <description>The external full-qualified-domain-name of the WAN address.</description>
+ <type>input</type>
+ <required/>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Reset TCP connections if request is unauthorized</fielddescr>
+ <fieldname>deny_info_tcp_reset</fieldname>
+ <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>Squid Reverse HTTP Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTP reverse mode</fielddescr>
+ <fieldname>reverse_http</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_http_port,reverse_http_defsite</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP port</fielddescr>
+ <fieldname>reverse_http_port</fieldname>
+ <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>80</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP default site</fielddescr>
+ <fieldname>reverse_http_defsite</fieldname>
+ <description>This is the HTTP reverse default site. 
(leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Reverse HTTPS Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTPS reverse proxy</fielddescr>
+ <fieldname>reverse_https</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS port</fielddescr>
+ <fieldname>reverse_https_port</fieldname>
+ <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>443</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS default site</fielddescr>
+ <fieldname>reverse_https_defsite</fieldname>
+ <description>This is the HTTPS reverse default site. 
(leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>reverse SSL certificate</fielddescr>
+ <fieldname>reverse_ssl_cert</fieldname>
+ <description>Choose the SSL Server Certificate here.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['cert']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>intermediate CA certificate (if needed)</fielddescr>
+ <fieldname>reverse_int_ca</fieldname>
+ <description>Paste a signed certificate in X.509 PEM format here.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Ignore internal Certificate validation</fielddescr>
+ <fieldname>reverse_ignore_ssl_valid</fieldname>
+ <description>If this field is checked, internal certificate validation will be ignored.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>OWA Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable OWA reverse proxy</fielddescr>
+ <fieldname>reverse_owa</fieldname>
+ <description><![CDATA[If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.<br><br>
+ See also:<br>
+ <a target=_new href='http://support.microsoft.com/?scid=kb%3Ben-us%3B327800&x=17&y=16'>How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003</a>
+ ]]></description>
+ <type>checkbox</type>
+ <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields>
+ </field>
+ <field>
+ <fielddescr>OWA frontend IP address</fielddescr>
+ <fieldname>reverse_owa_ip</fieldname>
+ <description>This is the internal IP Address of the OWA frontend server.</description>
+ <type>input</type>
+ <size>15</size>
+ 
</field>
+ <field>
+ <fielddescr>Enable ActiveSync</fielddescr>
+ <fieldname>reverse_owa_activesync</fieldname>
+ <description>If this field is checked, ActiveSync will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Outlook Anywhere</fielddescr>
+ <fieldname>reverse_owa_rpchttp</fieldname>
+ <description>If this field is checked, RPC over HTTP will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Exchange WebServices</fielddescr>
+ <fieldname>reverse_owa_webservice</fieldname>
+ <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br>
+ <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable AutoDiscover</fielddescr>
+ <fieldname>reverse_owa_autodiscover</fieldname>
+ <description>If this field is checked, AutoDiscover will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general(&$pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, &$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
\ No newline at end of file
diff --git a/config/squid3/33/squid_reverse_peer.xml b/config/squid3/33/squid_reverse_peer.xml
new file mode 100755
index 00000000..abfbf19b
--- /dev/null
+++ b/config/squid3/33/squid_reverse_peer.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_reverse_peer.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreversepeer</name>
+ <version>none</version>
+ <title>Reverse Proxy server: Peers</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Status</fielddescr>
+ <fieldname>enable</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Alias</fielddescr>
+ <fieldname>name</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Ip address</fielddescr>
+ <fieldname>ip</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Port</fielddescr>
+ <fieldname>port</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>Protocol</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Squid Reverse Peer Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable this peer</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>If this field is checked, then this peer will be available for reverse config.</description>
+ 
<type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Peer Alias</fielddescr>
+ <fieldname>name</fieldname>
+ <description><![CDATA[Name to identify this peer on squid reverse conf<br>
+ example: HOST1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer IP</fielddescr>
+ <fieldname>ip</fieldname>
+ <description><![CDATA[Ip Address of this peer.<br>
+ example: 192.168.0.1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer Port</fielddescr>
+ <fieldname>port</fieldname>
+ <description><![CDATA[Listening port of this peer.<br>
+ example: 80]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer Protocol</fielddescr>
+ <fieldname>protocol</fieldname>
+ <description><![CDATA[Protocol listening on this peer port.]]></description>
+ <type>select</type>
+ <options>
+ <option> <name>HTTP</name> <value>HTTP</value> </option>
+ <option> <name>HTTPS</name> <value>HTTPS</value> </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Peer Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description><![CDATA[Peer Description (optional)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general(&$pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, &$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
\ No newline at end of file
diff --git a/config/squid3/33/squid_reverse_redir.xml b/config/squid3/33/squid_reverse_redir.xml
new file mode 100755
index 00000000..de25f56a
--- /dev/null
+++ b/config/squid3/33/squid_reverse_redir.xml
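Review bot: The list column for the peer protocol is declared as `<fieldname>Protocol</fieldname>` in `<adddeleteeditpagefields>` while the field itself is `<fieldname>protocol</fieldname>`; the config keys are case-sensitive, so the Web Servers overview will render an empty Protocol column — change the column item to `<fieldname>protocol</fieldname>`. The `name`, `ip` and `port` fields are plain `<type>input</type>` boxes, and the squid.inc hunk earlier in this commit interpolates the alias straight into squid.conf directives such as `cache_peer_access rvp_{$map_peer} ...`; squid_validate_reverse() is not in this diff, so I cannot tell whether it rejects whitespace or directive-like characters in the alias, a non-address in `ip`, or an out-of-range `port`. If it does not, a one-line check per field there (alias limited to `[A-Za-z0-9_-]`, `is_ipaddr()` on `ip`, 1–65535 on `port`) keeps a typo from producing a squid.conf that refuses to load, which is the failure mode the form text elsewhere already warns about. The `Ip address` column label would also read better as `IP address` to match the other headings.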
@@ -0,0 +1,182 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ============================================================================ */ +/* + squid_reverse_redir.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Gekkenhuis + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ============================================================================ */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ============================================================================ */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreverseredir</name> + <version>none</version> + <title>Reverse Proxy server: Redirects</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + <active/> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect to</fielddescr> + <fieldname>redirurl</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Redirect Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this redirect</fielddescr> + <fieldname>enable</fieldname> + <description><![CDATA[If this field is checked, then this redirect will be available for reverse config.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redirect name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this redirect on 
squid reverse conf<br/> + example: REDIR1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Redirect Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Redirect Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Redirect Protocol</fielddescr> + <fieldname>protocol</fieldname> + <description><![CDATA[Protocol to redirect on.<br/> + Use CTRL + click to select multiple]]></description> + <type>select</type> + <multiple/> + <size>03</size> + <options> + <option> + <name>HTTP</name> + <value>HTTP</value> + </option> + <option> + <name>HTTPS</name> + <value>HTTPS</value> + </option> + </options> + </field> + <field> + <fielddescr>Blocked domains</fielddescr> + <fieldname>none</fieldname> + <description>Domains to redirect for</description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[<strong>Domains to match</strong><br/><br/> + Samples: mydomain.com sub.mydomain.com www.mydomain.com<br/><br/> + Do not enter http:// or https:// here! only the hostname is required.]]></fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>60</size> + </rowhelperfield> + </rowhelper> + </field> + <field> + <fielddescr>Path regex</fielddescr> + <fieldname>pathregex</fieldname> + <description><![CDATA[Path regex to match<br/><br/>]]> + Enter ^/$ to match the domain only.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>URL to redirect to</fielddescr> + <fieldname>redirurl</fieldname> + <description><![CDATA[URL to redirect to]]></description> + <type>input</type> + <size>60</size> + </field> + </fields> + + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
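Review bot: The `<custom_php_validation_command>` block near the end of this file is empty, so `pathregex`, the `uri` rows and `redirurl` reach `squid_resync()` unchecked, while the peer page in this same commit wires `squid_validate_reverse($_POST, &$input_errors);` into that hook. If the resync writes these values into squid.conf as-is (its code is outside this diff), a regex that does not compile or a value containing a line break would break or alter the generated configuration instead of being rejected at the form. Suggest a validation function that checks each `uri` and `pathregex` entry compiles with preg_match(), requires `redirurl` to be a non-empty http:// or https:// URL, and appends a message to `$input_errors` otherwise. Separately, the rowhelper label `Blocked domains` contradicts its own description `Domains to redirect for`; `Domains to redirect` would match the field's purpose.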
\ No newline at end of file
diff --git a/config/squid3/33/squid_reverse_sync.xml b/config/squid3/33/squid_reverse_sync.xml
new file mode 100755
index 00000000..041576b8
--- /dev/null
+++ b/config/squid3/33/squid_reverse_sync.xml
@@ -0,0 +1,135 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Reverse Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Select a sync method for squid.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + 
<option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_reverse_uri.xml b/config/squid3/33/squid_reverse_uri.xml new file mode 100755 index 00000000..1232cfe3 --- /dev/null +++ b/config/squid3/33/squid_reverse_uri.xml 
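Review bot: This file declares `<name>squidsync</name>`, the same package name as `squid_sync.xml` later in this commit; the package name appears to key where pfSense stores form values (the mappings page reads `$config['installedpackages']['squidreversepeer']['config']` for the peer page named `squidreversepeer`), so the reverse-proxy and forward-proxy sync pages would silently overwrite each other's `synconchanges`, `synctimeout` and remote host list. A distinct name such as `squidreversesync`, following the `squidreverse*` naming of the other reverse pages, keeps the two settings sets apart. The `ipaddress` rowhelper field is also a free `input` with an empty `<custom_php_validation_command>`, so a non-address value is accepted and stored next to a password; validating it with `is_ipaddr()` in the hook and adding to `$input_errors` on failure would catch that at submit time. The `<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">` path also differs from the `../schema/packages.dtd` used by the sibling pages.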
@@ -0,0 +1,159 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_general.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreverseuri</name> + <version>none</version> + <title>Reverse Proxy server: Mappings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + <active/> + </tab> + <tab> + <text>Redirects</text> + <url>/pkg.php?xml=squid_reverse_redir.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Group Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this URI</fielddescr> + <fieldname>enable</fieldname> + <description><![CDATA[If this field is checked, then this URI(Uniform Resource Name) will be available for reverse config.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Group name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this URI on squid 
reverse conf<br> + example: URI1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Group Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[URI Group Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + <description><![CDATA[Apply this Group Mappings to selected Peers<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['squidreversepeer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>05</size> + </field> + <field> + <fielddescr><![CDATA[URIs]]></fielddescr> + <fieldname>none</fieldname> + <description><![CDATA[URI to publish]]></description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[<strong>Url regex to match</strong><br><br> + Samples: .mydomain.com .mydomain.com/test<br> + www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$]]></fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>70</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
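Review bot: The `uri` rowhelper takes `Url regex to match` entries but `<custom_php_validation_command>` is empty, so an empty or non-compiling pattern is stored and can only fail later inside `squid_resync()`, whose handling is outside this diff; checking each row with preg_match() at the form and reporting through `$input_errors` would surface the problem to the admin. The `peers` select_source correctly reads `$config['installedpackages']['squidreversepeer']['config']`, matching the peer page's `<name>`, but both `<source_name>` and `<source_value>` are `name`, so renaming a peer afterwards leaves this mapping pointing at the old alias — worth one sentence in the field description. Minor: the enable description expands URI as `Uniform Resource Name`; it is `Uniform Resource Identifier`.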
\ No newline at end of file
diff --git a/config/squid3/33/squid_sync.xml b/config/squid3/33/squid_sync.xml
new file mode 100755
index 00000000..e67defc7
--- /dev/null
+++ b/config/squid3/33/squid_sync.xml
@@ -0,0 +1,151 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Select a sync method for squid.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + 
</field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds(Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_traffic.xml b/config/squid3/33/squid_traffic.xml new file mode 100755 index 00000000..82e849c1 --- /dev/null +++ b/config/squid3/33/squid_traffic.xml 
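Review bot: The copyright block at the top of this file still reads `part of the sarg package for pfSense`, carried over from the sarg package's sync page; it should name the squid package. The `SYSTEM "./schema/packages.dtd"` and `href="./xsl/package.xsl"` paths likewise differ from the `../schema/packages.dtd` and `../xsl/package.xsl` used by the other squid3/33 pages in this commit. The empty validation hook, the unvalidated `ipaddress` field and the `<name>squidsync</name>` collision with squid_reverse_sync.xml are raised on that file's hunk.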
@@ -0,0 +1,208 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidtraffic</name> + <version>none</version> + <title>Proxy server: Traffic management</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Traffic Managment Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Maximum download size</fielddescr> + <fieldname>max_download_size</fieldname> + <description>Limit the maximum total download size to the size specified here (in kilobytes). 
Set to 0 to disable.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum upload size</fielddescr> + <fieldname>max_upload_size</fieldname> + <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Overall bandwidth throttling</fielddescr> + <fieldname>overall_throttling</fieldname> + <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Per-host throttling</fielddescr> + <fieldname>perhost_throttling</fieldname> + <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>0</default_value> + </field> + <field> + <name>Squid Transfer Extension Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Throttle only specific extensions</fielddescr> + <fieldname>throttle_specific</fieldname> + <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> + <type>checkbox</type> + <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Throttle binary files</fielddescr> + <fieldname>throttle_binaries</fieldname> + <description>Check this to apply bandwidth throttle to binary files. 
This includes compressed archives and executables.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle CD images</fielddescr> + <fieldname>throttle_cdimages</fieldname> + <description>Check this to apply bandwidth throttle to CD image files.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle multimedia files</fielddescr> + <fieldname>throttle_multimedia</fieldname> + <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle other extensions</fielddescr> + <fieldname>throttle_others</fieldname> + <description>Comma-separated list of extensions to apply bandwidth throttle to.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Transfer Quick Abort Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Finish transfer if less than x KB remaining</fielddescr> + <fieldname>quick_abort_min</fieldname> + <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <size>10</size> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Abort transfer if more than x KB remaining</fielddescr> + <fieldname>quick_abort_max</fieldname> + <description>If the transfer has more than x KB remaining, it will abort the retrieval. 
Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Finish transfer if more than x % finished</fielddescr> + <fieldname>quick_abort_pct</fieldname> + <description>If more than x % of the transfer has completed, it will finish the retrieval.</description> + <type>input</type> + <size>10</size> + <default_value>0</default_value> + </field> + </fields> + <custom_php_validation_command> + squid_validate_traffic($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_upstream.xml b/config/squid3/33/squid_upstream.xml new file mode 100755 index 00000000..407cedd8 --- /dev/null +++ b/config/squid3/33/squid_upstream.xml 
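Review bot: `quick_abort_max` is the only numeric field in this file without a `<size>` tag (its siblings use `<size>10</size>`), and `throttle_others` is documented as a comma-separated extension list while nothing on the form constrains its characters; whether `squid_validate_traffic()` (in squid.inc, outside this diff) rejects non-integer or negative values for the size and throttle fields, and strips or escapes extension entries before they are presumably interpolated into a squid pattern, cannot be seen here and is worth confirming. The `<default_value>0</default_value>` on `quick_abort_min` and `quick_abort_max`, read with their own descriptions, means the shipped default aborts every interrupted transfer immediately; if that is intended, a short sentence under `Squid Transfer Quick Abort Settings` would save admins a surprise. Typo in the first listtopic: `Managment` → `Management`.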
@@ -0,0 +1,361 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_upstream.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidremote</name> + <version>none</version> + <title>Proxy server: Remote proxy settings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> +<tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + <active/> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>name</fielddescr> + <fieldname>proxyaddr</fieldname> + </columnitem> + <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>proxyport</fieldname> + </columnitem> + <columnitem> + <fielddescr>ICP</fielddescr> + <fieldname>icpport</fieldname> + </columnitem> + <columnitem> + <fielddescr>Peer type</fielddescr> + <fieldname>hierarchy</fieldname> + </columnitem> + <columnitem> + <fielddescr>Method</fielddescr> + <fieldname>peermethod</fieldname> + </columnitem> + 
</adddeleteeditpagefields> + + <fields> + <field> + <name>General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>enable</fieldname> + <description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>Hostname</fielddescr> + <fieldname>proxyaddr</fieldname> + <description>Enter here the IP address or host name of the upstream proxy.</description> + <type>input</type> + <size>35</size> + <required/> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>proxyname</fieldname> + <description>Unique name for the peer.Required if you have multiple peers on the same host but different ports.</description> + <type>input</type> + <size>35</size> + <required/> + </field> + <field> + <fielddescr>TCP port</fielddescr> + <fieldname>proxyport</fieldname> + <description>Enter the port to use to connect to the upstream proxy.</description> + <type>input</type> + <size>5</size> + <default_value>3128</default_value> + <required/> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>connecttimeout</fieldname> + <description>A peer-specific connect timeout. Also see the peer_connect_timeout directive.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Fail Limit</fielddescr> + <fieldname>connectfailLimit</fieldname> + <description>How many times connecting to a peer must fail before it is marked as down. 
Default is 10.</description> + <type>input</type> + <size>5</size> + <default_value>10</default_value> + </field> + <field> + <fielddescr>Max</fielddescr> + <fieldname>maxconn</fieldname> + <description>Limit the amount of connections Squid may open to this peer.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Allow Miss</fielddescr> + <fieldname>allowmiss</fieldname> + <description><![CDATA[<strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br><br> + <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.<br><br> + <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.]]></description> + <type>select</type> + <default_value>allow-miss</default_value> + <options> + <option><name>Allow Miss</name><value>allow-miss</value></option> + <option><name>No Tproxy</name><value>no-tproxy</value></option> + <option><name>Proxy Only</name><value>proxy-only</value></option> + </options> + <multiple/> + <size>4</size> + </field> + <field> + <name>Peer settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Hierarchy</fielddescr> + <fieldname>hierarchy</fieldname> + <description>Specify remote caches hierarchy.</description> + <type>select</type> + <default_value>parent</default_value> + <options> + <option><name>parent</name><value>parent</value></option> + <option><name>sibling</name><value>sibling</value></option> + <option><name>multicast</name><value>multicast</value></option> + </options> + </field> + <field> + <fielddescr>Select method</fielddescr> + <fieldname>peermethod</fieldname> + <description><![CDATA[The default peer selection method is ICP, with the first responding peer being used as source. 
These options can be used for better load balancing.<br><br> + <strong>default</strong> - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br> + If specified more than once, only the first is used.<br><br> + <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br>weight=N can be used to add bias.<br><br> + <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br> + Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.<br><br> + <strong>carp</strong> - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.<br><br> + <strong>userhash</strong> - Load-balance parents based on the client proxy_auth or ident username.<br><br> + <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br><br> + <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br> + ALL members of this multicast group have "sibling" relationship with it, not "parent". 
This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.<br> + It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]></description> + <type>select</type> + <default_value>round-robin</default_value> + <options> + <option><name>round-robin</name><value>round-robin</value></option> + <option><name>default</name><value>default</value></option> + <option><name>weighted-round-robin</name><value>weighted-round-robin</value></option> + <option><name>carp</name><value>carp</value></option> + <option><name>userhash</name><value>userhash</value></option> + <option><name>sourcehash</name><value>sourcehash</value></option> + <option><name>multicast-sibling</name><value>multicast-sibling</value></option> + </options> + </field> + <field> + <fielddescr>weight</fielddescr> + <fieldname>weight</fieldname> + <description>Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more.</description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>basetime</fielddescr> + <fieldname>basetime</fieldname> + <description><![CDATA[Specify a base amount to be subtracted from round trip times of parents.<br> + It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]></description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>ttl</fielddescr> + <fieldname>ttl</fieldname> + <description><![CDATA[Specify a TTL to use when sending multicast ICP queries to this address<br> + Only useful when sending to a multicast group. 
Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]></description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>no-delay</fielddescr> + <fieldname>nodelay</fieldname> + <description><![CDATA[To prevent access to this neighbor from influencing the delay pools.]]></description> + <type>checkbox</type> + </field> + <field> + <name>ICP settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icpport</fieldname> + <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> + <type>input</type> + <size>5</size> + <default_value>7</default_value> + </field> + <field> + <fielddescr>ICP Options</fielddescr> + <fieldname>icpoptions</fieldname> + <description><![CDATA[You MUST also set icp_port and icp_access explicitly when using these options.<br> + The defaults will prevent peer traffic using ICP<br><br> + <strong>no-query</strong> - Disable ICP queries to this neighbor.<br><br> + <strong>multicast-responder</strong> -Indicates the named peer is a member of a multicast group.<br> + ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.<br><br> + <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br><br> + <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br> + This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]></description> + <type>select</type> + <default_value>no-query</default_value> + <options> + <option><name>no-query</name><value>no-query</value></option> + 
<option><name>multicast-responder</name><value>multicast-responder</value></option> + <option><name>closest-only</name><value>closest-only</value></option> + <option><name>background-ping</name><value>background-ping</value></option> + </options> + </field> + <field> + <name>Auth settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>If the upstream proxy requires a username, specify it here.</description> + <type>input</type> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>If the upstream proxy requires a password, specify it here.</description> + <type>password</type> + </field> + <field> + <fielddescr>Authentication options</fielddescr> + <fieldname>authoption</fieldname> + <description><![CDATA[<br><strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br><br> + <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br> + This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.<br><br> + <strong>login=PASS</strong> - Send login details received from client to this peer.Authentication is not required by this option.<br> + To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).<br> + Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION<br><br> + <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password. 
This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.<br><br> + <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> + The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.<br> + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> + <strong>login=NEGOTIATE:principal_name</strong>If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> + The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> + <strong>connection-auth=on</strong> - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> + Default is auto to automatically determine the status of the peer.<br><br> + <strong>connection-auth=off</strong> - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> + Default is auto to automatically determine the status of the peer.]]></description> + <type>select</type> + <default_value>login=*:password</default_value> + <options> + <option><name>login=*:password</name><value>login=*:password</value></option> + <option><name>login=user:password</name><value>login=user:password</value></option> + <option><name>login=PASSTHRU</name><value>login=PASSTHRU</value></option> + <option><name>login=PASS</name><value>login=PASS</value></option> + 
<option><name>login=NEGOTIATE</name><value>login=NEGOTIATE</value></option> + <option><name>login=NEGOTIATE:principal_name</name><value>login=NEGOTIATE:principal_name</value></option> + <option><name>connection-auth=on</name><value>connection-auth=on</value></option> + <option><name>connection-auth=off</name><value>connection-auth=off</value></option> + </options> + </field> + </fields> + <custom_php_validation_command> + squid_validate_upstream($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/squid_users.xml b/config/squid3/33/squid_users.xml new file mode 100755 index 00000000..4acf9dd6 --- /dev/null +++ b/config/squid3/33/squid_users.xml 
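Review bot: `squid_validate_upstream($_POST, &$input_errors);` inside `<custom_php_validation_command>` uses call-time pass-by-reference, which PHP 5.4 and later reject with a fatal error, so saving this form would fail outright on such a runtime; drop the `&` at the call site (`squid_validate_upstream($_POST, $input_errors);`) and declare the parameter by reference in the function's signature in squid.inc instead. The same construct appears at the end of the squid_traffic.xml hunk just above (`squid_validate_traffic($_POST, &$input_errors);`). The weight, basetime and ttl fields use `<default>1</default>` while every other field in this file uses `<default_value>`, so those defaults are presumably never applied by the form handler; change them to `<default_value>1</default_value>`. The `multicast-sibling` option value also appears to be missing the trailing `s` relative to the `multicast-siblings` name used in the same field's description, which would hand Squid an unrecognised cache_peer option; confirm against the directive before changing the value.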
@@ -0,0 +1,137 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + Copyright (C) 2012-2013 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidusers</name> + <version>none</version> + <title>Proxy server: Local users</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> +<tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Antivirus</text> + <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + <active/> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Local Users</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>Enter the username 
here.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Enter the password here.</description> + <type>password</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>You may enter a description here for your reference (not parsed).</description> + <type>input</type> + </field> + </fields> + <custom_php_resync_config_command> + squid_resync_users(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/33/swapstate_check.php b/config/squid3/33/swapstate_check.php new file mode 100644 index 00000000..6ecfff3c --- /dev/null +++ b/config/squid3/33/swapstate_check.php 
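Review bot: The copyright header in this file names it `authng.xml`, but the file is squid_users.xml; change the header line to `squid_users.xml`. The `<description>` and `<requirements>` elements still carry the package-template placeholders `Describe your package here` and `Describe your package requirements here`, as do the same elements in the squid_upstream.xml hunk above, and should get a one-line description of the page.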
@@ -0,0 +1,58 @@
+#!/usr/local/bin/php -q
+<?php
+/*
+ swapstate_check.php
+ Copyright (C) 2011 Jim Pingle
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once('config.inc');
+require_once('util.inc');
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version > 2.0)
+ define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m"));
+else
+ define('SQUID_LOCALBASE','/usr/local');
+
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+// Only check the cache if Squid is actually caching.
+// If there is no cache then quietly do nothing.
+if ($settings['harddisk_cache_system'] != "null"){
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $swapstate = $cachedir . '/swap.state';
+ $disktotal = disk_total_space(dirname($cachedir));
+ $diskfree = disk_free_space(dirname($cachedir));
+ $diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100);
+ $swapstate_size = filesize($swapstate);
+ $swapstate_pct = round(($swapstate_size / $disktotal) * 100);
+
+ // If the swap.state file is taking up more than 75% disk space,
+ // or the drive is 90% full and swap.state is larger than 1GB,
+ // kill it and initiate a rotate to write a fresh copy.
+ if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024))) {
+ mwexec_bg("/bin/rm $swapstate; ". SQUID_LOCALBASE . "/sbin/squid -k rotate");
+ log_error(gettext(sprintf("Squid swap.state file exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct)));
+ }
+}
+?>
\ No newline at end of file
diff --git a/config/squid3/proxy_monitor.sh b/config/squid3/old/proxy_monitor.sh
index 00430018..00430018 100644
--- a/config/squid3/proxy_monitor.sh
+++ b/config/squid3/old/proxy_monitor.sh
diff --git a/config/squid3/squid.inc b/config/squid3/old/squid.inc
index 784fea8f..784fea8f 100644
--- a/config/squid3/squid.inc
+++ b/config/squid3/old/squid.inc
diff --git a/config/squid3/squid.xml b/config/squid3/old/squid.xml
index ea13625e..ea13625e 100644
--- a/config/squid3/squid.xml
+++ b/config/squid3/old/squid.xml
diff --git a/config/squid3/old/squid_auth.inc b/config/squid3/old/squid_auth.inc
new file mode 100644
index 00000000..7c99a01b
--- /dev/null
+++ b/config/squid3/old/squid_auth.inc
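Review bot: In swapstate_check.php, the `mwexec_bg("/bin/rm $swapstate; " ...)` line interpolates `$swapstate` — built from the configured `harddisk_cache_location` — straight into a shell string, so a path containing spaces or shell metacharacters would break the intended `rm` command; quote it with `mwexec_bg("/bin/rm " . escapeshellarg($swapstate) . "; " . SQUID_LOCALBASE . "/sbin/squid -k rotate");`. The two percentage calculations divide by `$disktotal` without checking that `disk_total_space()` succeeded, so an unmounted or missing cache directory produces a division error rather than the quiet no-op the comment promises; guard with `if ($disktotal === false || $disktotal == 0) { exit; }` right after the `disk_total_space()` call. `filesize($swapstate)` likewise returns `false` with a warning when swap.state does not exist, which is worth a `file_exists()` check before the size math. The `gettext(sprintf(...))` nesting in the `log_error()` call is inverted — the already-formatted string with numbers substituted will never match a catalog entry — and should be `sprintf(gettext("..."), $swapstate_size, $swapstate_pct)`.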
@@ -0,0 +1,446 @@ +<?php +/* $Id$ */ + +/* + squid_auth.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ +*/ + +function global_eval_auth_options() +{ + global $config; + conf_mount_rw(); + config_lock(); + + switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { + case "none": + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + case "local_auth": + dynamic_auth_content("pkg"); + /* create empty passwd file to prevent stat error with squid reload */ + touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); + dynamic_local_auth(); + break; + case "ldap_bind": + dynamic_auth_content("pkg_edit"); + dynamic_ldap_auth(); + break; + case "domain_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_domain_auth(); + break; + case "radius_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_radius_auth(); + break; + default: + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + } + + config_unlock(); + conf_mount_ro(); + +} /* end function global_eval_auth_options */ + +function dynamic_no_auth() { + global $config; + conf_mount_rw(); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextnoauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); 
+ fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n"); + fwrite($fout, " <fieldname>no_auth</fieldname>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + fclose($fout); + + /* mount 
filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_local_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextlocalauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.10_4</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth 
Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <adddeleteeditpagefields>\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Description</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, " </adddeleteeditpagefields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>15</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Password</fielddescr>\n"); + fwrite($fout, " <fieldname>password</fieldname>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " <size>8</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " 
<size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n"); + fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_ldap_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextldapauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.11</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + 
fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Base DN</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n"); + fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. 
Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>50</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_server</fieldname>\n"); + fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>20</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_type</fieldname>\n"); + fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n"); + fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n"); + fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n"); + fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_port</fieldname>\n"); + fwrite($fout, " <description>This is the port that LDAP bind will attempt on. 
The default is \"389\".</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>5</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n"); + fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n"); + fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content($pkgvar) { + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . 
$file); + $fout = fopen("/usr/local/pkg/" . $file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + + case "pkg_edit": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + } + +} /* end function dynamic_auth_content */ +?>
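Review bot: `dynamic_auth_content()` at the end of the hunk compares `readdir($handle) != false` loosely, so a directory entry named `0` ends the scan early, and it never calls `fclose($fout)` or `closedir($handle)`, leaving one open handle per rewritten XML file; use `!== false` and close both handles. `fopen(..., "w")` truncates each squid_*.xml before its return value is checked, so a failed open or an interrupted rewrite leaves the package GUI definition empty — writing to a temporary file and renaming it over the original would keep the rewrite atomic. This file is added under `config/squid3/old/`, so if it is archived rather than loaded the points above are housekeeping rather than blockers.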
\ No newline at end of file diff --git a/config/squid3/squid_auth.xml b/config/squid3/old/squid_auth.xml index c8e34553..c8e34553 100644 --- a/config/squid3/squid_auth.xml +++ b/config/squid3/old/squid_auth.xml diff --git a/config/squid3/squid_cache.xml b/config/squid3/old/squid_cache.xml index 881f15b3..881f15b3 100644 --- a/config/squid3/squid_cache.xml +++ b/config/squid3/old/squid_cache.xml diff --git a/config/squid3/old/squid_extauth.xml b/config/squid3/old/squid_extauth.xml new file mode 100644 index 00000000..41d9f633 --- /dev/null +++ b/config/squid3/old/squid_extauth.xml 
@@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidextnoauth</name> + <version>none</version> + <title>Services: Proxy Server -> Extended Authentication Settings</title> + <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </tab> + + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + <active/> + </tab> + + </tabs> + <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath> + <fields> + <field> + <fielddescr>No Authentication Defined</fielddescr> + <fieldname>no_auth</fieldname> + <type>text</type> + </field> + </fields> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + +</packagegui> diff --git a/config/squid3/squid_nac.xml b/config/squid3/old/squid_nac.xml index 193a89c6..193a89c6 100644 --- a/config/squid3/squid_nac.xml +++ b/config/squid3/old/squid_nac.xml diff --git a/config/squid3/squid_ng.inc b/config/squid3/old/squid_ng.inc index 03f6d48c..03f6d48c 100644 --- a/config/squid3/squid_ng.inc 
+++ b/config/squid3/old/squid_ng.inc diff --git a/config/squid3/squid_ng.xml b/config/squid3/old/squid_ng.xml index cb535cd3..cb535cd3 100644 --- a/config/squid3/squid_ng.xml +++ b/config/squid3/old/squid_ng.xml diff --git a/config/squid3/squid_traffic.xml b/config/squid3/old/squid_traffic.xml index d560a7ad..d560a7ad 100644 --- a/config/squid3/squid_traffic.xml +++ b/config/squid3/old/squid_traffic.xml diff --git a/config/squid3/squid_upstream.xml b/config/squid3/old/squid_upstream.xml index ad494524..ad494524 100644 --- a/config/squid3/squid_upstream.xml +++ b/config/squid3/old/squid_upstream.xml diff --git a/config/squid3/squid_users.xml b/config/squid3/old/squid_users.xml index eef6389f..eef6389f 100644 --- a/config/squid3/squid_users.xml +++ b/config/squid3/old/squid_users.xml diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc index 7b10536d..d58dfb79 100644 --- a/config/squidGuard/squidguard.inc +++ b/config/squidGuard/squidguard.inc @@ -1,17 +1,20 @@ <?php # ------------------------------------------------------------------------------ /* squidguard.inc - 2006-2011 Serg Dvoriancev + + Copyright (C) 2006-2011 Serg Dvoriancev + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho part of pfSense (www.pfSense.com) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright + 2. Redistributions in binary form MUST reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
@@ -302,13 +305,9 @@ function squidguard_validate_rewrite($post, $input_errors) { # ----------------------------------------------------------------------------- function squidguard_resync() { $upload_file = ''; - $submit = ''; - $url = ''; - $proxy = ''; - - $submit = isset($_POST['submit']) ? $_POST['submit'] : $_GET['submit']; - $url = isset($_POST[F_BLACKLISTURL]) ? $_POST[F_BLACKLISTURL] : $_GET[F_BLACKLISTURL]; - $proxy = isset($_POST['blacklist_proxy']) ? $_POST['blacklist_proxy'] : $_GET['blacklist_proxy']; + $submit = isset($_REQUEST['submit']) ? $_REQUEST['submit'] : ''; + $url = isset($_REQUEST[F_BLACKLISTURL]) ? $_REQUEST[F_BLACKLISTURL] : ''; + $proxy = isset($_REQUEST['blacklist_proxy'])? $_REQUEST['blacklist_proxy'] : ''; sg_init(convert_pfxml_to_sgxml()); @@ -332,6 +331,10 @@ function squidguard_resync() { //} squidguard_cron_install(); + + //Sync only with apply button to avoid multiples reloads on backup server while editing master config + if ($submit == APPLY_BTN) + squidguard_sync_on_changes(); } # ----------------------------------------------------------------------------- 
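Review bot: The three replacement lines in `squidguard_resync()` read `submit`, the blacklist URL and `blacklist_proxy` from `$_REQUEST`, which depending on the `request_order`/`variables_order` ini settings also merges `$_COOKIE`, so a value carried in a cookie can now select the apply/sync path or supply the blacklist download URL where the old code accepted only GET or POST; keep the explicit sources, e.g. `$submit = isset($_POST['submit']) ? $_POST['submit'] : (isset($_GET['submit']) ? $_GET['submit'] : '');` and the same shape for the other two. `$url` and `$proxy` are presumably consumed below the hunk by the blacklist download, so the rest of the function body, which continues past the hunk, is where they should be validated as a URL and a host:port before use. The later `squidguard_resync_dest()` hunk reads `$_GET['id']` without `isset()`, which is the same class of request-handling issue.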
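Review bot: The sync call added after `squidguard_cron_install()` relies on `$submit` being empty when `squidguard_resync()` is invoked through `squidguard_all_after_XMLRPC_resync()` on the receiving node; that is what stops the backup from syncing back to the master, but nothing in the code says so. Add a comment above the `if`, e.g. `// $submit is empty when invoked via XMLRPC exec_php, so the backup never syncs back to the master`, and prefer `===` since `APPLY_BTN` is a constant compared against request input. `squidguard_resync()` starts in the previous hunk and its body between the two hunks is not visible here.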
@@ -372,6 +375,44 @@ function squidguard_resync_acl() { } } +# ----------------------------------------------------------------------------- +# squidguard_resync_dest +# ----------------------------------------------------------------------------- + +function squidguard_resync_dest() { + global $config; # !!! ORDER !!! + + $conf = $config['installedpackages'][MODULE_DESTINATION]['config']; + $id = isset($_POST['id']) ? $_POST['id'] : $_GET['id']; + + # --- sources part --- + # move current id by order + if (($id !== '') and is_array($conf)) { + $src_new = array(); + + foreach ($conf as $key => $src) { + $order = $src[F_ORDER]; + # n_key: no_move=$key+$order or move=$order+$key + $n_key = is_numeric($order) ? sprintf("%04d%04d", $order, $key) : sprintf("%04d%04d", $key, 9999); + unset($src[F_ORDER]); # ! must be unset for display correct default position in 'select'! + $src_new[$n_key] = $src; + } + # sort by key + ksort($src_new); + reset($src_new); + + $src_new = array_values($src_new); # make keys '0, 1, 2, ...' + + # renew config + unset ($config['installedpackages'][MODULE_DESTINATION]['config']); + $config['installedpackages'][MODULE_DESTINATION]['config'] = $src_new; + write_config('Update squidguarddest config'); + + # renew global $squidguard_config + sg_init(convert_pfxml_to_sgxml()); + } +} + # ============================================================================= # common functions # ============================================================================= 
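Review bot: The `$id !== ''` guard in `squidguard_resync_dest()` does not do what the surrounding comments imply: `$id = isset($_POST['id']) ? $_POST['id'] : $_GET['id'];` yields null (with an undefined-index notice) when neither is set, and `null !== ''` is true, so the reorder-and-`write_config()` branch runs on every call, including the XMLRPC path where no `id` exists. If the intent is to rewrite only on a form submission, use `$id = isset($_POST['id']) ? $_POST['id'] : (isset($_GET['id']) ? $_GET['id'] : '');`; if the rewrite is meant to run unconditionally, drop `$id` and the guard and say so in the comment. `$order` comes from the stored `F_ORDER` value and is formatted with `%04d`, so a non-integer or negative order, which `is_numeric()` accepts, produces keys that sort differently from what the `select` offers — clamping to the 0..9999 range the form generates would keep the sort key consistent with the UI.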
@@ -595,6 +636,28 @@ function squidguard_before_form_acl($pkg, $is_acl=true) { } # ----------------------------------------------------------------------------- +# squidguard_before_form_dest +# ----------------------------------------------------------------------------- +function squidguard_before_form_dest($pkg) { + global $g, $squidguard_config; + $destination_items = get_sgconf_items_list(F_DESTINATIONS, 'name'); +//var_dump($squidguard_config); + $i=0; + foreach($pkg['fields']['field'] as $field) { + # order + if ($field['fieldname'] == 'order') { + $fld = &$pkg['fields']['field'][$i]; + if (is_array($destination_items)) + foreach($destination_items as $nmkey => $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey); + $fld['options']['option'][] = array('name'=>'--- Last ---', 'value'=>'9999'); + $fld['options']['option'][] = array('name'=>'-----', 'value'=>''); # ! this is must be last ! + } + $i++; + } +} + +# ----------------------------------------------------------------------------- # make_grid_general_items # ----------------------------------------------------------------------------- function make_grid_general_items($id = '') @@ -916,6 +979,12 @@ function convert_pfxml_to_sgxml() { $sgxml[F_LOGDIR] = SQUIDGUARD_LOGDIR; $sgxml[F_DBHOME] = SQUIDGUARD_DBHOME; + $sgxml[F_LDAPENABLE] = $pfxml['ldap_enable']; + $sgxml[F_LDAPBINDDN] = $pfxml['ldapbinddn']; + $sgxml[F_LDAPBINDPASS] = $pfxml['ldapbindpass']; + $sgxml[F_LDAPVERSION] = $pfxml['ldapversion']; + $sgxml[F_STRIPNTDOMAIN] = $pfxml['stripntdomain']; + $sgxml[F_STRIPREALM] = $pfxml['striprealm']; $sgxml[F_BINPATH] = SQUIDGUARD_BINPATH; $sgxml[F_WORKDIR] = SQUIDGUARD_WORKDIR; $sgxml[F_SGCONF_XML] = SQUIDGUARD_WORKDIR . SQUIDGUARD_CONFXML; @@ -1399,4 +1468,184 @@ function squidguard_blacklist_list() return $res; } -?>
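Review bot: `squidguard_before_form_dest()` declares `global $g, $squidguard_config;` but uses neither — `$squidguard_config` appears only in the commented-out `//var_dump($squidguard_config);` on the next line; drop the debug line and the unused globals. The options are appended through `$fld = &$pkg['fields']['field'][$i];` on a `$pkg` received by value, which mirrors the existing `squidguard_before_form_acl($pkg, ...)` just above the hunk, so presumably the caller already relies on this working; a one-line comment on how the added options reach the rendered form would spare the next reader the same question. The `$i` counter assumes `$pkg['fields']['field']` is a 0-based list in iteration order, which is worth stating in that comment.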
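Review bot: The six new `$sgxml[...]` assignments copy `ldapbindpass` into the generated squidGuard configuration alongside the other settings, so the bind DN password now lands in the work-dir XML and in whatever squidGuard.conf is rendered from it; where that file is written (outside this hunk) it should be created with owner-only permissions, and since `$pfxml` is presumably the `squidguardgeneral` section, the XMLRPC sync added later in this diff will carry the password to the backup node as part of that section. The assignments read `$pfxml[...]` keys directly, so an older config lacking the LDAP keys produces undefined-index notices on upgrade — consistent with the surrounding code, but `isset()` guards would keep the log clean.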
\ No newline at end of file + +// ##### The following part is based on the code of pfblocker ##### + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function squidguard_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['squidguardsync'])){ + $synconchanges = $config['installedpackages']['squidguardsync']['config'][0]['varsyncenablexmlrpc']; + $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout']; + } + else + { + return; + } + + // if checkbox is NOT checked do nothing + switch ($synconchanges){ + case "manual": + if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])){ + $rs=$config['installedpackages']['squidguardsync']['config'][0]['row']; + } + else{ + log_error("[Squidguard] xmlrpc sync is enabled but there is no hosts to push on Squidguard config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncdestinenable']="on"; + $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); + if (! 
is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + } + else{ + log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[SquidGuard] xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); + foreach($rs as $sh){ + if($sh['varsyncdestinenable']){ + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + if($password && $sync_to_ip) + squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout); + else + log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); + } + else { + log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + } + } + log_error("[SquidGuard] xmlrpc sync is ending."); + } +} + +/* Do the actual XMLRPC sync */ +function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { + global $config, $g; + + if($varsynctimeout == '' || $varsynctimeout == 0) + $varsynctimeout = 150; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$varsyncport) + return; + + if(!$varsyncprotocol) + return; + + // Check and choose correct protocol type, port number and IP address + $synchronizetoip .= "$varsyncprotocol" . 
'://'; + $port = "$varsyncport"; + + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['squidguardgeneral'] = $config['installedpackages']['squidguardgeneral']; + $xml['squidguardacl'] = $config['installedpackages']['squidguardacl']; + $xml['squidguarddefault'] = $config['installedpackages']['squidguarddefault']; + $xml['squidguarddest'] = $config['installedpackages']['squidguarddest']; + $xml['squidguardrewrite'] = $config['installedpackages']['squidguardrewrite']; + $xml['squidguardtime'] = $config['installedpackages']['squidguardtime']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("SquidGuard: Beginning squidguard XMLRPC sync with {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after $varsynctimeout seconds */ + $resp = $cli->send($msg, $varsynctimeout); + if(!$resp) { + $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port}."; + log_error("SquidGuard: $error"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $varsynctimeout); + $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error("SquidGuard: $error"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("SquidGuard: XMLRPC has synced data successfully with {$url}:{$port}."); + } + + /* tell squidguard to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/squidguard.inc');\n"; + // pfblocker just needed one fuction to reload after XMLRPC. squidguard needs more so we point to a fuction below which contains all fuctions + $execcmd .= "squidguard_all_after_XMLRPC_resync();"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("SquidGuard XMLRPC is reloading data on {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, $varsynctimeout); + if(!$resp) { + $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $varsynctimeout); + $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("SquidGuard: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + } + +} + +// ##### The part above is based on the code of pfblocker ##### + +// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files +// Adding more functions will increase the time to sync +function squidguard_all_after_XMLRPC_resync() { + + squidguard_resync_acl(); + squidguard_resync_dest(); + squidguard_resync(); + + log_error("SquidGuard: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); +} + +?> diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml index d84d53ab..e1fb3d41 100644 --- a/config/squidGuard/squidguard.xml +++ b/config/squidGuard/squidguard.xml @@ -2,11 +2,11 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <description>Describe your package here</description> + <description>[<![CDATA[Describe your package here]]></description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squidguardgeneral</name> - <version>1.3_1 pkg v.1.9</version> + <version>1.4_4 pkg v.1.9.3</version> <title>Proxy filter SquidGuard: General settings</title> <include_file>/usr/local/pkg/squidguard.inc</include_file> <!-- Installation --> 
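Review bot: The new `<description>` line in the `@@ -2,11 +2,11 @@` hunk of squidguard.xml has a stray `[` before the CDATA section, `<description>[<![CDATA[Describe your package here]]></description>`, so the rendered text starts with a literal bracket; the other description changes in this commit use `<description><![CDATA[...]]></description>` without it. Drop the extra character: `<description><![CDATA[Describe your package here]]></description>`. The text itself is still the template placeholder and could say what the package does, but that is separate from the markup slip.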
@@ -50,16 +50,20 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <service> - <name>squidGuard</name> - <description>Proxy server filter Service</description> - <executable>squidGuard</executable> + <name>squidGuard</name> + <description><![CDATA[Proxy server filter Service]]></description> + <executable>squidGuard</executable> </service> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard.inc</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> 
@@ -67,74 +71,141 @@ <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_configurator.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_acl.xml</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_acl.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_default.xml</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_default.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_dest.xml</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_dest.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_rewr.xml</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_rewr.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_time.xml</item> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_time.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/squidGuard/</prefix> - <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_log.php</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + 
<item>http://www.pfsense.org/packages/config/squidGuard/squidguard_sync.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/squidGuard/</prefix> - <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_blacklist.php</item> + <prefix>/usr/local/www/squidGuard/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_log.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squidGuard/sgerror.php</item> + <prefix>/usr/local/www/squidGuard/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard/squidguard_blacklist.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard/sgerror.php</item> </additional_files_needed> <fields> <field> <fielddescr>Enable</fielddescr> <fieldname>squidguard_enable</fieldname> - <description>Check this for enable squidGuard</description> + <description><![CDATA[Check this option to enable squidGuard]]></description> + <type>checkbox</type> + </field> + <field> + <name>LDAP Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP Filter</fielddescr> + <fieldname>ldap_enable</fieldname> + <description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description> + <type>checkbox</type> + <enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields> + </field> + <field> + <fielddescr>LDAP DN</fielddescr> + <fieldname>ldapbinddn</fieldname> + <description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP DN Password</fielddescr> + 
<fieldname>ldapbindpass</fieldname> + <description><![CDATA[Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]]]></description> + <type>password</type> + </field> + <field> + <fielddescr>Strip NT domain name</fielddescr> + <fieldname>stripntdomain</fieldname> + <description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description> <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Strip Kerberos Realm</fielddescr> + <fieldname>striprealm</fieldname> + <description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>LDAP Version</fielddescr> + <fieldname>ldapversion</fieldname> + <type>select</type> + <default_value>3</default_value> + <options> + <option> + <name>Version 2</name> + <value>2</value> + </option> + <option> + <name>Version 3</name> + <value>3</value> + </option> + </options> + </field> + <field> + <name>Logging options</name> + <type>listtopic</type> </field> <field> <fielddescr>Enable GUI log</fielddescr> <fieldname>enable_guilog</fieldname> - <description>Check this for enable GUI log.</description> + <description><![CDATA[Check this option to log the access to the Proxy Filter GUI.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Enable log</fielddescr> <fieldname>enable_log</fieldname> - <description>Check this for enable log of the proxy filter. Usually log used for testing filter settings.</description> + <description><![CDATA[Check this option to log the proxy filter settings like blocked websites in Common ACL, Group ACL and Target Categories. 
This option is usually used to check the filter settings.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Enable log rotation</fielddescr> <fieldname>log_rotation</fieldname> - <description>Check this for enable daily rotate a log of the proxy filter. Use this option for limit log file size.</description> + <description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description> <type>checkbox</type> </field> + <field> + <name>Miscellaneous</name> + <type>listtopic</type> + </field> <field> <fielddescr>Clean Advertising</fielddescr> <fieldname>adv_blankimg</fieldname> - <description>Check this to display a blank gif image instead the default block page. With this option you get a cleaner page.</description> + <description><![CDATA[Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.]]></description> <type>checkbox</type> </field> <field> 
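Review bot: The `ldapbindpass` help text states a character-class constraint (`valid format: [a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]`) that nothing in this commit enforces: the field carries no `<required/>`, no validation command touches it, and the configurator change in this same commit interpolates the value straight into `ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}`. Either add a check in the package validation path that rejects whitespace and newlines in `ldapbinddn`/`ldapbindpass`, or reword the description so it does not read as an enforced rule. The sentence `Password must be initialize with letters (Ex: Change123)` should read `The password must start with a letter (e.g. Change123); allowed characters: ...`. Since this is a directory bind credential, the help could also say that it appears to be kept in the package config and written into the generated squidGuard.conf, so the bind account should be low-privilege.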
@@ -144,24 +215,24 @@ <field> <fielddescr>Blacklist</fielddescr> <fieldname>blacklist</fieldname> - <description>Check this for enable blacklist</description> + <description><![CDATA[Check this option to enable blacklist]]></description> <type>checkbox</type> </field> <field> <fielddescr>Blacklist proxy</fielddescr> <fieldname>blacklist_proxy</fieldname> - <description> - Blacklist upload proxy - enter here, or leave blank. - Format: host:[port login:pass] . Default proxy port 1080. + <description><![CDATA[<br> + Blacklist upload proxy - enter here, or leave blank.<br> + Format: host:[port login:pass] . Default proxy port 1080.<br> Example: '192.168.0.1:8080 user:pass' - </description> + ]]></description> <type>input</type> <size>100</size> </field> <field> <fielddescr>Blacklist URL</fielddescr> <fieldname>blacklist_url</fieldname> - <description>Enter FTP, HTTP or LOCAL (firewall) URL blacklist archive, or leave blank.</description> + <description><![CDATA[Enter the path to the blacklist (blacklist.tar.gz) here. You can use FTP, HTTP or LOCAL URL blacklist archive or leave blank. The LOCAL path could be your pfsense (/tmp/blacklist.tar.gz).]]></description> <type>input</type> <size>100</size> </field> diff --git a/config/squidGuard/squidguard_acl.xml b/config/squidGuard/squidguard_acl.xml index 1b631ca3..243576e8 100644 --- a/config/squidGuard/squidguard_acl.xml +++ b/config/squidGuard/squidguard_acl.xml @@ -2,7 +2,7 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <description>Describe your package here</description> + <description><![CDATA[Describe your package here]]></description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squidguardacl</name> 
@@ -45,201 +45,201 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> - <columnitem> - <fielddescr>Disabled</fielddescr> - <fieldname>disabled</fieldname> - </columnitem> - <columnitem> - <fielddescr>Name</fielddescr> - <fieldname>name</fieldname> - </columnitem> - <columnitem> - <fielddescr>Time</fielddescr> - <fieldname>time</fieldname> - </columnitem> - <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - </columnitem> + <columnitem> + <fielddescr>Disabled</fielddescr> + <fieldname>disabled</fieldname> + </columnitem> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Time</fielddescr> + <fieldname>time</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> </adddeleteeditpagefields> <fields> - <field> - <fielddescr>Disabled</fielddescr> - <fieldname>disabled</fieldname> - <description>Check this for disable this ACL rule.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Name</fielddescr> - <fieldname>name</fieldname> - <description> - Enter the unique name here. - Name must consist of minimum 2 symbols, first from which letter. <br> - All other symbols must be [a-Z_0-9]. - </description> - <type>input</type> - <required/> - <size>100</size> - </field> - <field> - <fielddescr>Order</fielddescr> - <fieldname>order</fieldname> - <description> - Select the new position for ACL item. ACL are evaluated on a first-match source basis.<br> - <b>Note:</b> <br> - Search for a suitable ACL by field 'source' will occur before the first match. If you want to define an exception for some sources (IP) from the IP range, put them on first of the list. 
<br> - <b>For example:</b> <br> - ACL with single (or short range) source ip 10.0.0.15, must be placed before ACL with more large ip range 10.0.0.0/24 <br> - </description> - <type>select</type> - </field> - <field> - <fielddescr>Client (source)</fielddescr> - <fieldname>source</fieldname> - <description> - Enter client's IP address or domain or "username" here. For separate use space. - <br><b>Example:</b> - <br>ip: 192.168.0.1 or subnet 192.168.0.0/24 or subnet 192.168.1.0/255.255.255.0 or range 192.168.1.1-192.168.1.10 - <br>domain: foo.bar match foo.bar or *.foo.bar - <br>username: 'user1' - </description> - <type>textarea</type> - <cols>65</cols> - <rows>3</rows> - <required/> - </field> - <field> - <fielddescr>Time</fielddescr> - <fieldname>time</fieldname> - <description>Select time in which 'Target Rules' will operate, or leave 'none' for action of rules without time restriction. If this option is set, then in off-time will operate the second rule set.</description> - <type>select</type> - </field> - <field> - <fielddescr>Target Rules</fielddescr> - <fieldname>dest</fieldname> - <description></description> - <type>input</type> - <size>100</size> - </field> - <field> - <fielddescr>Not to allow IP addresses in URL</fielddescr> - <fieldname>notallowingip</fieldname> - <description> - To make sure that people don't bypass the URL filter. - by simply using the IP addresses instead of the fully qualified domain names, you can check this option. - This option has no effect on the WhiteList. - </description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Redirect mode</fielddescr> - <fieldname>redirect_mode</fieldname> - <description> - Select redirect mode here. - <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. 
-<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> - <br> Options: - <A title="To 'url' will added special client information;" > - <span style="background-color: #dddddd;" >ext url err page</span></A> , - <A title="Client view 'url' content without any notification about;" > - <span style="background-color: #dddddd;" > ext url redirect</span></A> , - <A title="Client will moved to specified url with displaying url in addres bar;" > - <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , - <A title="Client will moved to specified url with showing progress(only!) in status bar;" > - <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> - </u> - </description> - <type>select</type> - <value>rmod_none</value> - <options> - <option><name>none</name> <value>rmod_none</value></option> - <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> - <option><name>int blank page </name> <value>rmod_int_bpg</value></option> -<!-- <option><name>int blank image</name> <value>rmod_int_bim</value></option> --> -<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> - <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> - <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> - <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> - <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> - </options> - </field> - <field> - <fielddescr>Redirect</fielddescr> - <fieldname>redirect</fieldname> - <description> - Enter external redirection URL, error message or size (bytes) here. 
- </description> - <type>textarea</type> - <cols>65</cols> - <rows>2</rows> - </field> + <field> + <fielddescr>Disabled</fielddescr> + <fieldname>disabled</fieldname> + <description><![CDATA[Check this to disable this ACL rule.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> + <type>input</type> + <required/> + <size>100</size> + </field> + <field> + <fielddescr>Order</fielddescr> + <fieldname>order</fieldname> + <description><![CDATA[ + Select the new position for this ACL item. ACLs are evaluated on a first-match source basis.<br> + <b>Note:</b><br> + Search for a suitable ACL by field 'source' will occur before the first match. If you want to define an exception for some sources (IP) from the IP range, put them on first of the list.<br> + <b>Example:</b><br> + ACL with single (or short range) source ip 10.0.0.15 must be placed before ACL with more large ip range 10.0.0.0/24.<br> + ]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Client (source)</fielddescr> + <fieldname>source</fieldname> + <description><![CDATA[ + Enter client's IP address or domain or "username" here. 
To separate them use space.<br> + <b>Example:</b><br> + <b>IP:</b> 192.168.0.1 - <b>Subnet:</b> 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - <b>IP-Range:</b> 192.168.1.1-192.168.1.10<br> + <b>Domain:</b> foo.bar matches foo.bar or *.foo.bar<br> + <b>Username:</b> 'user1' <br> + <b>Ldap search (Ldap filter must be enabled in General Settings):</b> <br> + ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))<br> + <i>Attention: these line don't have break line, all on one line</i> + ]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>3</rows> + <required/> + </field> + <field> + <fielddescr>Time</fielddescr> + <fieldname>time</fieldname> + <description><![CDATA[Select the time in which 'Target Rules' will operate or leave 'none' for rules without time restriction. If this option is set then in off-time the second ruleset will operate.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Target Rules</fielddescr> + <fieldname>dest</fieldname> + <description><![CDATA[]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Do not allow IP-Addresses in URL</fielddescr> + <fieldname>notallowingip</fieldname> + <description><![CDATA[To make sure that people do not bypass the URL filter by simply using the IP-Addresses instead of the FQDN you can check this option. This option has no effect on the whitelist.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. 
+<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <option><name>none</name> <value>rmod_none</value></option> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> +<!-- <option><name>int blank image</name> <value>rmod_int_bim</value></option> --> +<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter the external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> <!-- not need now - <field> - <fielddescr>Redirect for off-time</fielddescr> - 
<fieldname>overredirect</fieldname> - <description> - Enter external redirection URL, error message or size (bytes) here. - </description> - <type>textarea</type> - <cols>65</cols> - <rows>2</rows> - </field> + <field> + <fielddescr>Redirect for off-time</fielddescr> + <fieldname>overredirect</fieldname> + <description><![CDATA[ + Enter external redirection URL, error message or size (bytes) here. + ]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> --> - <field> - <fielddescr>Use SafeSearch engine</fielddescr> - <fieldname>safesearch</fieldname> - <description> - To protect your children from adult content, you can use the protected mode of search engines. - Now it is supported by Google, Yandex, Yahoo, MSN, Live Search, Bing. Make sure that the search engines can, and others, it is recommended to prohibit. - <br>Note: ! This option overrides 'Rewrite' setting. ! - </description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Rewrite</fielddescr> - <fieldname>rewrite</fieldname> - <description>Enter rewrite condition name for this rule, or leave blank.</description> - <type>select</type> - </field> - <field> - <fielddescr>Rewrite for off-time</fielddescr> - <fieldname>overrewrite</fieldname> - <description>Enter rewrite condition name for this rule, or leave blank.</description> - <type>select</type> - </field> - <field> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - <description>You may enter a description here for your reference (not parsed).</description> - <type>input</type> - <size>100</size> - </field> - <field> - <fielddescr>Log</fielddescr> - <fieldname>enablelog</fieldname> - <description>Check this for log this item.</description> - <type>checkbox</type> - </field> + <field> + <fielddescr>Use SafeSearch engine</fielddescr> + <fieldname>safesearch</fieldname> + <description><![CDATA[ + To protect your children from adult content you can use the protected mode of search 
engines.<br> + At the moment it is supported by Google, Yandex, Yahoo, MSN, Live Search and Bing. Make sure that the search engines can be accessed. It is recommended to prohibit access to others.<br> + <b>Note:</b> This option overrides 'Rewrite' setting. + ]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Rewrite</fielddescr> + <fieldname>rewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Rewrite for off-time</fielddescr> + <fieldname>overrewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may enter any description here for your reference.]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + <type>checkbox</type> + </field> </fields> <custom_php_validation_command> - squidguard_validate_acl(&$_POST, &$input_errors); + squidguard_validate_acl(&$_POST, &$input_errors); </custom_php_validation_command> <custom_php_command_before_form> - squidguard_before_form_acl(&$pkg); + squidguard_before_form_acl(&$pkg); </custom_php_command_before_form> <custom_php_after_form_command> - squidGuard_print_javascript(); + squidGuard_print_javascript(); </custom_php_after_form_command> <custom_php_resync_config_command> - squidguard_resync_acl(); + squidguard_resync_acl(); </custom_php_resync_config_command> <custom_delete_php_command> - squidguard_resync_acl(); + squidguard_resync_acl(); </custom_delete_php_command> <custom_add_php_command> </custom_add_php_command> <custom_add_php_command_late> </custom_add_php_command_late> 
-</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squidGuard/squidguard_blacklist.php b/config/squidGuard/squidguard_blacklist.php index 5e8382ae..98e0aecd 100644 --- a/config/squidGuard/squidguard_blacklist.php +++ b/config/squidGuard/squidguard_blacklist.php @@ -236,6 +236,7 @@ window.setTimeout('getactivity()', 150); $tab_array[] = array(gettext("Rewrites"), false, "/pkg.php?xml=squidguard_rewr.xml"); $tab_array[] = array(gettext("Blacklist"), true, "/squidGuard/squidguard_blacklist.php"); $tab_array[] = array(gettext("Log"), false, "/squidGuard/squidguard_log.php"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=squidguard_sync.xml&id=0"); display_top_tabs($tab_array); ?> </td> diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc index bfa94ca9..ab44ae8d 100644 --- a/config/squidGuard/squidguard_configurator.inc +++ b/config/squidGuard/squidguard_configurator.inc @@ -54,8 +54,8 @@ require_once('service-utils.inc'); # squid package must exists by default system path (for v.2.0/2.1) # todo: move include string to the squid-function call string position -if (file_exists('squid.inc')) { - require_once('squid.inc'); +if (file_exists('/usr/local/pkg/squid.inc')) { + require_once('/usr/local/pkg/squid.inc'); } # ------------------------------------------------------------------------------ 
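Review bot: The new `Client (source)` help in the `@@ -45,201 +45,201 @@` hunk lists an `ldapusersearch` example next to IP, subnet, domain and username entries but does not say they cannot be mixed; the configurator change in this same commit emits the entire field verbatim whenever `ldapusersearch` appears anywhere in it, skipping the per-token checks. Add a line such as `<b>Note:</b> an ldapusersearch entry must be the only entry in this field; it is passed to squidGuard as-is and is not validated.` and replace `these line don't have break line, all on one line` with `the ldapusersearch entry must be written on a single line`. Most of the rest of the hunk is re-indentation only.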
@@ -112,9 +112,12 @@ define('REDIRECT_URL_ARGS', '&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u'); # ------------------------------------------------------------------------------ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); -if ($pf_version > 2.0) - define('SQUIDGUARD_LOCALBASE', '/usr/pbi/squidguard-' . php_uname("m")); -else +if ($pf_version > 2.0) { + if (file_exists('/usr/pbi/squidguard-squid3-' . php_uname("m"))) + define('SQUIDGUARD_LOCALBASE', '/usr/pbi/squidguard-squid3-' . php_uname("m")); + else + define('SQUIDGUARD_LOCALBASE', '/usr/pbi/squidguard-' . php_uname("m")); +} else define('SQUIDGUARD_LOCALBASE','/usr/local'); if (!defined('SQUID_LOCALBASE') && ($pf_version > 2.0)) @@ -241,6 +244,12 @@ define('F_SQUIDGUARD', 'squidGuard'); define('F_LOGDIR', 'logdir'); define('F_DBHOME', 'dbhome'); define('F_WORKDIR', 'workdir'); +define('F_LDAPENABLE', 'ldap_enable'); +define('F_LDAPBINDDN', 'ldapbinddn'); +define('F_LDAPBINDPASS', 'ldapbindpass'); +define('F_LDAPVERSION', 'ldapversion'); +define('F_STRIPNTDOMAIN', 'stripntdomain'); +define('F_STRIPREALM', 'striprealm'); define('F_BINPATH', 'binpath'); define('F_PROCCESSCOUNT', 'process_count'); define('F_SQUIDCONFIGFILE', 'squid_configfile'); @@ -328,6 +337,7 @@ function sg_init($init = '') $squidguard_config[F_BINPATH] = SQUIDGUARD_BINPATH; $squidguard_config[F_SQUIDCONFIGFILE] = SQUID_CONFIGFILE; $squidguard_config[F_PROCCESSCOUNT] = REDIRECTOR_PROCESS_COUNT; + } else { # copy config from $init foreach($init as $key => $in) @@ -414,7 +424,6 @@ function squid_reconfigure($remove_only = '') global $squidguard_config; $conf = ''; $cust_opt = $config['installedpackages']['squid']['config'][0]['custom_options']; - # remove old options if (!empty($cust_opt)) { $conf = explode(";", $cust_opt); 
@@ -443,8 +452,11 @@ function squid_reconfigure($remove_only = '') # update config if (is_array($conf)) $conf = implode(";", $conf); - $config['installedpackages']['squid']['config'][0]['custom_options'] = $conf; - write_config('Update redirector options to squid config.'); + /* Only update squid options if we have something to do, otherwise this can interfere with squid's default options in a new install. */ + if ($conf != $cust_opt) { + $config['installedpackages']['squid']['config'][0]['custom_options'] = $conf; + write_config('Update redirector options to squid config.'); + } # resync squid package, if installed if (function_exists('squid_resync')) { @@ -843,6 +855,15 @@ function sg_create_config() $sgconf[] = CONFIG_SG_HEADER; $sgconf[] = "logdir {$squidguard_config[F_LOGDIR]}"; $sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}"; + if ( $squidguard_config[F_LDAPENABLE] == 'on' ) { + $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}"; + $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}"; + $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}"; + if ( $squidguard_config[F_STRIPNTDOMAIN] ) + $sgconf[] = "stripntdomain true"; + if ( $squidguard_config[F_STRIPREALM] ) + $sgconf[] = "striprealm true"; + } # --- Times --- if ($squidguard_config[F_TIMES]) { 
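Review bot: The LDAP block added to sg_create_config() writes the bind DN and bind password into the generated squidGuard.conf unquoted and unvalidated (`$sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";` / `ldapbindpass ...`), so a value containing whitespace or a newline breaks the directive or appends extra config lines; the sg_check_src change in this diff does not cover these fields and I see no other validation of them. Reject at least newlines before emitting, e.g. `if (preg_match('/[\r\n]/', $squidguard_config[F_LDAPBINDPASS] . $squidguard_config[F_LDAPBINDDN])) log_error("SquidGuard: LDAP bind DN/password must be a single line; ldap settings ignored.");` and skip the block in that case. Because the file now carries a directory credential, the code that writes `$sgconf` out — outside this hunk — should ensure the file is not world-readable; its current mode is not visible here. sg_create_config() starts and ends outside the hunk.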
@@ -874,13 +895,17 @@ function sg_create_config() $sg_tag->set("src", $src[F_NAME], "", $src[F_DESCRIPTION]); # separate IP, domains, usernames - $tsrc = explode(" ", trim($src[F_SOURCE])); - foreach($tsrc as $sr) { - $sr = trim($sr); - if (empty($sr)) continue; - if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr"; - elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr"; - elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr); + if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false) { + $tsrc = explode(" ", trim($src[F_SOURCE])); + foreach($tsrc as $sr) { + $sr = trim($sr); + if (empty($sr)) continue; + if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr"; + elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr"; + elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr); + } + } else { + $sg_tag->items[] = trim($src[F_SOURCE]); } if ($squidguard_config[F_ENABLELOG] == 'on' ) { @@ -1167,6 +1192,16 @@ function sg_create_simple_config($blk_dbhome, $blk_destlist, $redirect_to = "404 # init section $sgconf[] = "logdir $logdir"; $sgconf[] = "dbhome $dbhome"; + if ( $squidguard_config[F_LDAPENABLE] == 'on' ) { + $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}"; + $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}"; + $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}"; + if ( $squidguard_config[F_STRIPNTDOMAIN] ) + $sgconf[] = "stripntdomain true"; + if ( $squidguard_config[F_STRIPREALM] ) + $sgconf[] = "striprealm true"; + } + $sgconf[] = ""; # destination section 
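Review bot: In the new `ldapusersearch` branch of sg_create_config() the whole source field is appended to the config verbatim (`$sg_tag->items[] = trim($src[F_SOURCE]);`), so any field that merely contains the substring `ldapusersearch` bypasses is_ipaddr_valid/is_domain_valid/is_username and lands in squidGuard.conf as-is, embedded newlines included. Tighten the guard to the directive's actual shape, e.g. `if (preg_match('/^ldapusersearch\s+ldaps?:\/\/\S+$/i', trim($src[F_SOURCE])))` and fall through to the token loop otherwise, so only a single-line LDAP URL gets the raw pass-through. Note the current test is `strpos(...) === false`, which matches the keyword anywhere in the field rather than at its start. The function continues outside the hunk.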
@@ -1750,11 +1785,13 @@ function sg_check_src($sgx, $input_errors)
 # source may be as one ('source') field or as two ('ip' and 'domain') fields
 $src = (isset($sgx[F_SOURCE])) ? $sgx[F_SOURCE] : $sgx[F_IP] . " " . $sgx[F_DOMAINS];
- $src = explode(" ", $src);
- foreach ($src as $s_item) {
- if ($s_item) {
- if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))
- $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false) {
+ $src = explode(" ", $src);
+ foreach ($src as $s_item) {
+ if ($s_item) {
+ if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item) and (strpos($s_item, 'ldapusersearch') !== false))
+ $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ }
 }
 }
@@ -1883,17 +1920,18 @@ function acl_remove_blacklist_items($items)
 # -----------------------------------------------------------------------------
 function sg_script_logrotate() {
- $lines = 1000; # SG logfile truncate lines count
- global $squidguard_config;
- $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE;
+ global $squidguard_config;
+
+ $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE;
 $sgguilogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_GUILOGFILE;
+ $sgconflogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_CONFLOGFILE;
 $res = <<<EOD
 #!/bin/sh
 #
 # This file generated automaticly with SquidGuard configurator
-# Rotates the block logile
+# Rotates the block logfile
 tail -{$lines} {$sglogname} > {$sglogname}.0
 tail -{$lines} {$sglogname}.0 > {$sglogname}
 rm -f {$sglogname}.0
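Review bot: The new inner condition can no longer fire for a normal source: the enclosing `if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false)` guarantees that no `$s_item` contains `ldapusersearch`, so the appended `and (strpos($s_item, 'ldapusersearch') !== false)` is always false and invalid IPs, domains and usernames are silently accepted. Drop that clause, `if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))`, so the error is logged again. The outer test also reads `$sgx[F_SOURCE]` rather than `$src`, which is the value actually split and also covers the `F_IP`/`F_DOMAINS` form, and sources that do contain `ldapusersearch` currently receive no validation at all; the rest of sg_check_src() is outside the hunk.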
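Review bot: `$lines = 1000;` is removed at the top of sg_script_logrotate() but the heredoc still interpolates it in `tail -{$lines} {$sglogname} > {$sglogname}.0` and the other tail lines (including the three added in the `@@ -1901` hunk below); unless it is defined somewhere outside the hunk, PHP raises an undefined-variable notice and the generated script runs `tail - ...`, so the rotation no longer truncates to 1000 lines. Keep the assignment next to the global declaration, `$lines = 1000; # SG logfile truncate lines count`. The heredoc continues past the end of this hunk.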
@@ -1901,6 +1939,10 @@ rm -f {$sglogname}.0
 tail -{$lines} {$sgguilogname} > {$sgguilogname}.0
 tail -{$lines} {$sgguilogname}.0 > {$sgguilogname}
 rm -f {$sgguilogname}.0
+# Rotates the squidguard conf logile
+tail -{$lines} {$sgconflogname} > {$sgconflogname}.0
+tail -{$lines} {$sgconflogname}.0 > {$sgconflogname}
+rm -f {$sgconflogname}.0
 EOD;
 return $res;
 }
@@ -2486,4 +2528,4 @@ class TSgTag
 }
 }
-?>
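Review bot: The added comment `# Rotates the squidguard conf logile` reintroduces the typo that the `@@ -1883` hunk above just corrected in the sibling comment; make it `# Rotates the squidguard conf logfile`. The heredoc is closed by the `EOD;` context line in this same hunk, so nothing else in the generated script needs to move.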
\ No newline at end of file
+?>
diff --git a/config/squidGuard/squidguard_default.xml b/config/squidGuard/squidguard_default.xml
index ff05085a..01380ea5 100644
--- a/config/squidGuard/squidguard_default.xml
+++ b/config/squidGuard/squidguard_default.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
 <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
 <packagegui>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
 <requirements>Describe your package requirements here</requirements>
 <faq>Currently there are no FAQ items provided.</faq>
 <name>squidguarddefault</name>
@@ -43,110 +43,107 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <fields> - <field> - <fielddescr>Target Rules</fielddescr> - <fieldname>dest</fieldname> - <description></description> - <type>input</type> - <size>100</size> - </field> - <field> - <fielddescr>Not to allow IP addresses in URL</fielddescr> - <fieldname>notallowingip</fieldname> - <description> - To make sure that people don't bypass the URL filter - by simply using the IP addresses instead of the fully qualified domain names, you can check this option. - This option has no effect on the WhiteList. - </description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Proxy Denied Error</fielddescr> - <fieldname>deniedmessage</fieldname> - <description>The first part of the error message displayed to clients when denied. Defaults to "Request denied by $g['product_name'] proxy"</description> - <type>textarea</type> - <cols>65</cols> - <rows>2</rows> - </field> - - <field> - <fielddescr>Redirect mode</fielddescr> - <fieldname>redirect_mode</fieldname> - <description> - Select redirect mode here. - <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. -<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> - <br> Options: - <A title="To 'url' will added special client information;" > - <span style="background-color: #dddddd;" >ext url err page</span></A> , - <A title="Client view 'url' content without any notification about;" > - <span style="background-color: #dddddd;" > ext url redirect</span></A> , - <A title="Client will moved to specified url with displaying url in addres bar;" > - <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , - <A title="Client will moved to specified url with showing progress(only!) 
in status bar;" > - <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> - </u> - </description> - <type>select</type> - <value>rmod_none</value> - <options> - <!--option><name>none</name> <value>rmod_none</value></option--> - <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> - <option><name>int blank page </name> <value>rmod_int_bpg</value></option> - <!--option><name>int blank image</name> <value>rmod_int_bim</value></option--> - <!--option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option--> - <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> - <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> - <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> - <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> - </options> - </field> - <field> - <fielddescr>Redirect info</fielddescr> - <fieldname>redirect</fieldname> - <description> - Enter external redirection URL, error message or size (bytes) here. - </description> - <type>textarea</type> - <cols>65</cols> - <rows>2</rows> - </field> - <field> - <fielddescr>Use SafeSearch engine</fielddescr> - <fieldname>safesearch</fieldname> - <description> - To protect your children from adult content, you can use the protected mode of search engines. - Now it is supported by Google, Yandex, Yahoo, MSN, Live Search, Bing. Make sure that the search engines can, and others, it is recommended to prohibit. - <br>Note: ! This option overrides 'Rewrite' setting. ! 
- </description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Rewrite</fielddescr> - <fieldname>rewrite</fieldname> - <description>Enter rewrite condition name for this rule, or leave blank.</description> - <type>select</type> - </field> - <field> - <fielddescr>Log</fielddescr> - <fieldname>enablelog</fieldname> - <description>Check this for log this item.</description> - <type>checkbox</type> - </field> + <field> + <fielddescr>Target Rules</fielddescr> + <fieldname>dest</fieldname> + <description><![CDATA[]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Do not allow IP-Addresses in URL</fielddescr> + <fieldname>notallowingip</fieldname> + <description><![CDATA[To make sure that people do not bypass the URL filter by simply using the IP-Addresses instead of the FQDN you can check this option. This option has no effect on the whitelist.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Proxy Denied Error</fielddescr> + <fieldname>deniedmessage</fieldname> + <description><![CDATA[The first part of the error message displayed to clients when access was denied. Defaults to <b>"Request denied by $g['product_name'] proxy"</b>]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. 
+<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <!--option><name>none</name> <value>rmod_none</value></option--> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> + <!--option><name>int blank image</name> <value>rmod_int_bim</value></option--> + <!--option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option--> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect info</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Use SafeSearch engine</fielddescr> + <fieldname>safesearch</fieldname> + 
<description><![CDATA[ + To protect your children from adult content you can use the protected mode of search engines.<br> + At the moment it is supported by Google, Yandex, Yahoo, MSN, Live Search and Bing. Make sure that the search engines can be accessed. It is recommended to prohibit access to others.<br> + <b>Note:</b> This option overrides 'Rewrite' setting. + ]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Rewrite</fielddescr> + <fieldname>rewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + <type>checkbox</type> + </field> </fields> <custom_php_validation_command> - squidguard_validate_acl(&$_POST, &$input_errors); + squidguard_validate_acl(&$_POST, &$input_errors); </custom_php_validation_command> <custom_php_command_before_form> - squidguard_before_form_acl(&$pkg, false); + squidguard_before_form_acl(&$pkg, false); </custom_php_command_before_form> <custom_php_after_form_command> - squidGuard_print_javascript(); + squidGuard_print_javascript(); </custom_php_after_form_command> <custom_add_php_command/> <custom_php_resync_config_command> -// squidguard_resync(); +// squidguard_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file
+</packagegui>
diff --git a/config/squidGuard/squidguard_dest.xml b/config/squidGuard/squidguard_dest.xml
index 9c425816..3525098e 100644
--- a/config/squidGuard/squidguard_dest.xml
+++ b/config/squidGuard/squidguard_dest.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
 <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
 <packagegui>
- <description>Describe your package here</description>
+ <description><![CDATA[Describe your package here]]></description>
 <requirements>Describe your package requirements here</requirements>
 <faq>Currently there are no FAQ items provided.</faq>
 <name>squidguarddest</name>
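Review bot: The new side keeps `squidguard_validate_acl(&$_POST, &$input_errors);` and `squidguard_before_form_acl(&$pkg, false);` with call-time pass-by-reference, which PHP 5.3 deprecates and PHP 5.4 rejects with a fatal error when the package framework evaluates the command; the same construct is added in squidguard_dest.xml further down (`squidguard_before_form_dest(&$pkg);`). Drop the `&` at the call sites, `squidguard_validate_acl($_POST, $input_errors);`, and declare the parameters by reference in the functions themselves in squidguard.inc, outside this diff. Separately, the re-emitted redirect_mode description in this file and in squidguard_dest.xml still ends with a `</u>` that has no opening `<u>` and is the only description left outside CDATA while carrying raw `<A title=...>` markup; wrapping it in `<![CDATA[ ... ]]>` like its siblings and removing the stray `</u>` would make the file consistent.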
@@ -45,132 +45,145 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> - <columnitem> - <fielddescr>Name</fielddescr> - <fieldname>name</fieldname> - </columnitem> - <columnitem> - <fielddescr>Redirect</fielddescr> - <fieldname>redirect</fieldname> - </columnitem> - <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - </columnitem> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> </adddeleteeditpagefields> <fields> - <field> - <fielddescr>Name</fielddescr> - <fieldname>name</fieldname> - <description> - Enter the unique name here. - Name must consist of minimum 2 symbols, first from which letter. <br> - All other symbols must be [a-Z_0-9]. - </description> - <type>input</type> - <size>100</size> - <required/> - </field> - <field> - <fielddescr>Domains list</fielddescr> - <fieldname>domains</fieldname> - <description> - Enter destination domains or IP-address here. For separate use ' '(space). - <p> <b>Example:</b> 'mail.ru e-mail.ru yahoo.com 192.168.1.1' . - </description> - <type>textarea</type> - <cols>60</cols> - <rows>10</rows> - </field> - <field> - <fielddescr>URLs list</fielddescr> - <fieldname>urls</fieldname> - <description> - Enter url's here. - For separate urls's use ' '(space). - <p> <b>Example:</b> 'host.com/xxx 12.10.220.125/alisa' . - </description> - <type>textarea</type> - <cols>60</cols> - <rows>10</rows> - </field> - <field> - <fielddescr>Expressions</fielddescr> - <fieldname>expressions</fieldname> - <description> - Enter word fragments, what may be contains in destinations URL path. 
- For separate expression words use '|'. - <p> <b>Example:</b> 'mail|casino|game' . - </description> - <type>textarea</type> - <cols>60</cols> - <rows>10</rows> - </field> - <field> - <fielddescr>Redirect mode</fielddescr> - <fieldname>redirect_mode</fieldname> - <description> - Select redirect mode here. - <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. -<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> - <br> Options: - <A title="To 'url' will added special client information;" > - <span style="background-color: #dddddd;" >ext url err page</span></A> , - <A title="Client view 'url' content without any notification about;" > - <span style="background-color: #dddddd;" > ext url redirect</span></A> , - <A title="Client will moved to specified url with displaying url in addres bar;" > - <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , - <A title="Client will moved to specified url with showing progress(only!) 
in status bar;" > - <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> - </u> - </description> - <type>select</type> - <value>rmod_none</value> - <options> - <option><name>none</name> <value>rmod_none</value></option> - <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> - <option><name>int blank page </name> <value>rmod_int_bpg</value></option> - <option><name>int blank image</name> <value>rmod_int_bim</value></option> -<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> - <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> - <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> - <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> - <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> - </options> - </field> - <field> - <fielddescr>Redirect</fielddescr> - <fieldname>redirect</fieldname> - <description> - Enter external redirection URL, error message or size (bytes) here. - </description> - <type>textarea</type> - <cols>60</cols> - <rows>2</rows> - </field> - <field> - <fielddescr>Log</fielddescr> - <fieldname>enablelog</fieldname> - <type>checkbox</type> - <description>Check this for log this item.</description> - </field> - <field> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - <description>You may enter a description here for your reference (not parsed).</description> - <type>input</type> - <size>90</size> - </field> - </fields> - <custom_delete_php_command/> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. 
The first one must be a letter.<br> + ]]></description> + <type>input</type> + <size>100</size> + <required/> + </field> + <field> + <fielddescr>Order</fielddescr> + <fieldname>order</fieldname> + <description><![CDATA[ + Select the new position for this target category. Target categories are listed in this order on ALCs and are matched from the top down in sequence.<br> + ]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Domain List</fielddescr> + <fieldname>domains</fieldname> + <description><![CDATA[ + Enter destination domains or IP-addresses here. To separate them use space.<br> + <b>Example:</b> mail.ru e-mail.ru yahoo.com 192.168.1.1 + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>URL List</fielddescr> + <fieldname>urls</fieldname> + <description><![CDATA[ + Enter destination URLs here. To separate them use space.<br> + <b>Example:</b> host.com/xxx 12.10.220.125/alisa + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>Regular Expression</fielddescr> + <fieldname>expressions</fieldname> + <description><![CDATA[ + Enter word fragments of the destination URL. To separate them use <b>|</b> . + <b>Example:</b> mail|casino|game|\.rsdf$ + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. 
+<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <option><name>none</name> <value>rmod_none</value></option> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> + <option><name>int blank image</name> <value>rmod_int_bim</value></option> +<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter the external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may 
enter any description here for your reference.]]></description> + <type>input</type> + <size>90</size> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <type>checkbox</type> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + </field> + </fields> + <custom_php_command_before_form> + squidguard_before_form_dest(&$pkg); + </custom_php_command_before_form> <custom_php_validation_command> - squidguard_validate_destination($_POST, &$input_errors); + squidguard_validate_destination($_POST, &$input_errors); </custom_php_validation_command> <custom_php_resync_config_command> + squidguard_resync_dest(); </custom_php_resync_config_command> + <custom_delete_php_command> + squidguard_resync_dest(); + </custom_delete_php_command> <custom_php_after_form_command> - squidGuard_print_javascript(); + squidGuard_print_javascript(); </custom_php_after_form_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squidGuard/squidguard_log.php b/config/squidGuard/squidguard_log.php index e5f19407..8eba2311 100644 --- a/config/squidGuard/squidguard_log.php +++ b/config/squidGuard/squidguard_log.php @@ -275,6 +275,7 @@ window.setTimeout('getactivity()', 150); $tab_array[] = array(gettext("Rewrites"), false, "/pkg.php?xml=squidguard_rewr.xml"); $tab_array[] = array(gettext("Blacklist"), false, "/squidGuard/squidguard_blacklist.php"); $tab_array[] = array(gettext("Log"), true, "$selfpath"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=squidguard_sync.xml&id=0"); display_top_tabs($tab_array); ?> </td> @@ -323,4 +324,4 @@ window.setTimeout('getactivity()', 150); Rounded("div#mainarea","bl br","#FFF","#eeeeee","smooth"); </script--> </body> -</html>
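Review bot: The new Order field's description says target categories are "listed in this order on ALCs"; that should read `ACLs`. The same `<select>` is added with no `<options>` in the XML, which presumably relies on the new `custom_php_command_before_form` hook to populate it at render time; a one-line XML comment on the field saying so, `<!-- options are filled in by squidguard_before_form_dest() -->`, would spare a reader of the XML alone from guessing where the choices come from.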
\ No newline at end of file +</html> diff --git a/config/squidGuard/squidguard_rewr.xml b/config/squidGuard/squidguard_rewr.xml index 8a3f801f..c21cb1c0 100644 --- a/config/squidGuard/squidguard_rewr.xml +++ b/config/squidGuard/squidguard_rewr.xml @@ -2,7 +2,7 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <description>Describe your package here</description> + <description><![CDATA[Describe your package here]]></description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squidguardrewrite</name> @@ -43,6 +43,10 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> <columnitem> @@ -58,11 +62,10 @@ <field> <fielddescr>Name</fielddescr> <fieldname>name</fieldname> - <description> - Enter the unique name here. - Name must consist of minimum 2 symbols, first from which letter. <br> - All other symbols must be [a-Z_0-9]. - </description> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> <type>input</type> <required/> <size>100</size> 
@@ -89,13 +92,13 @@ <fielddescr>Opt.</fielddescr> <fieldname>mode</fieldname> <type>select</type> - <value>no</value> - <options> - <option> <name>---------</name> <value>no</value> </option> - <option> <name>no case </name> <value>nocase</value> </option> - <option> <name>redirect </name> <value>redirect</value> </option> - <option> <name>no case + redirect</name> <value>nocase_redirect</value> </option> - </options> + <value>no</value> + <options> + <option> <name>---------</name> <value>no</value> </option> + <option> <name>no case </name> <value>nocase</value> </option> + <option> <name>redirect </name> <value>redirect</value> </option> + <option> <name>no case + redirect</name> <value>nocase_redirect</value> </option> + </options> </rowhelperfield> <!-- <rowhelperfield> <fielddescr>Http 301</fielddescr> 
@@ -113,18 +116,18 @@ <field> <fielddescr>Log</fielddescr> <fieldname>enablelog</fieldname> - <description>Check this for log this item.</description> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - <description>You may enter a description here for your reference (not parsed).<br> - <b> Note: </b> <br> - <b>Rewrite rule</b> - define how url will are replaced.<br> - <b>Target URL or regular expression</b> - contains destination url or regular expression. Regular expression example: */cc32e46.exe <br> - <b>Replace to</b> - contains replacing url. - </description> + <description><![CDATA[You may enter any description here for your reference.<br> + <b>Note:</b><br> + <b>Rewrite rule:</b> Define how the URL will be replaced.<br> + <b>Target URL or Regular Expression:</b> Contains destination URL or regular expression. This is the URL or RegEx the user wants to visit.<br> + <b>Replace to URL:</b> Contains the replacing URL. This is the URL the user will see instead the original one. + ]]></description> <type>input</type> <size>100</size> </field> @@ -138,4 +141,4 @@ <custom_php_resync_config_command> // squidguard_resync_rewrite(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file
+</packagegui>
diff --git a/config/squidGuard/squidguard_sync.xml b/config/squidGuard/squidguard_sync.xml
new file mode 100644
index 00000000..f0537faf
--- /dev/null
+++ b/config/squidGuard/squidguard_sync.xml
@@ -0,0 +1,171 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* +squidguardsync.xml +part of pfSense (http://www.pfSense.com) +Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> +Copyright (C) 2013 Marcello Coutinho +based on pfblocker_sync.xml +All rights reserved. + +Based on m0n0wall (http://m0n0.ch/wall) +Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. +All rights reserved. +*/ +/* ========================================================================== */ +/* +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ========================================================================== */ +]]></copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardsync</name> + <version>1.3_1 pkg v.1.9</version> + <title>Proxy filter SquidGuard: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml&id=0</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>SquidGuard XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Sync</fielddescr> + <fieldname>varsyncenablexmlrpc</fieldname> + <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> + <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. 
This will result in a loop!]]></description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>XMLRPC timeout</fielddescr> + <fieldname>varsynctimeout</fieldname> + <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> + <type>input</type> + <default_value>150</default_value> + <size>5</size> + </field> + + <field> + <fielddescr>Destination Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>varsyncdestinenable</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Protocol</fielddescr> + <fieldname>varsyncprotocol</fieldname> + <description><![CDATA[Choose the protocol of the destination host. 
Probably <b>http</b> or <b>https</b>]]></description> + <type>select</type> + <default_value>HTTP</default_value> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI IP-Address</fielddescr> + <fieldname>varsyncipaddress</fieldname> + <description><![CDATA[IP Address of the destination host.]]></description> + <type>input</type> + <size>15</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Port</fielddescr> + <fieldname>varsyncport</fieldname> + <description><![CDATA[Choose the port of the destination host.]]></description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Admin Password</fielddescr> + <fieldname>varsyncpassword</fieldname> + <description><![CDATA[Password of the user "admin" on the destination host.]]></description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_delete_php_command> + squidguard_sync_on_changes(); + </custom_delete_php_command> + <custom_php_resync_config_command> + squidguard_sync_on_changes(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squidGuard/squidguard_time.xml b/config/squidGuard/squidguard_time.xml index c27de273..dfd589aa 100644 --- a/config/squidGuard/squidguard_time.xml +++ b/config/squidGuard/squidguard_time.xml @@ -2,7 +2,7 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <description>Describe your package here</description> + <description><![CDATA[Describe your package here]]></description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squidguardtime</name> 
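Review bot: `varsyncprotocol` declares `<default_value>HTTP</default_value>` while its options carry the lowercase values `http` and `https`, so the default matches neither option; because the same row carries the destination's admin password (`varsyncpassword`), the default should be `<default_value>https</default_value>` so that a freshly added row does not send that credential in clear. The tab URLs contain `&id=0`; if the `&` is literally unescaped in the file the XML is not well-formed and needs `&amp;id=0`, and the sibling files in this diff link to the sync page without `&id=0`, so the two forms should be reconciled. The DOCTYPE and stylesheet paths use `./schema/` and `./xsl/` where every other package file in this diff uses `../schema/` and `../xsl/`.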
@@ -45,6 +45,10 @@ <text>Log</text> <url>/squidGuard/squidguard_log.php</url> </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> <columnitem> @@ -60,11 +64,10 @@ <field> <fielddescr>Name</fielddescr> <fieldname>name</fieldname> - <description> - Enter the unique name here. - Name must consist of minimum 2 symbols, first from which letter. <br> - All other symbols must be [a-Z_0-9]. - </description> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> <type>input</type> <required/> <size>100</size> @@ -76,7 +79,7 @@ <rowhelperfield> <fielddescr>Time type</fielddescr> <fieldname>timetype</fieldname> - <description></description> + <description><![CDATA[]]></description> <type>select</type> <value>weekly</value> <options> @@ -87,7 +90,7 @@ <rowhelperfield> <fielddescr>Days</fielddescr> <fieldname>timedays</fieldname> - <description></description> + <description><![CDATA[]]></description> <type>select</type> <value>*</value> <options> @@ -110,7 +113,7 @@ <rowhelperfield> <fielddescr>Time range</fielddescr> <fieldname>sg_timerange</fieldname> - <description>00:00-08:00</description> + <description><![CDATA[00:00-08:00]]></description> <type>input</type> <size>20</size> <value>00:00-23:59</value> 
@@ -120,12 +123,11 @@ <field> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - <description>You may enter a description here for your reference (not parsed). <br> - <b> Note: </b> <br> - Field <b>'Date or date range'</b> have format 'yyyy.mm.dd'; 'yyyy.mm.dd-yyyy.mm.dd'; or use '*' in format. <br> - Example: '2007.05.01'; '2007.04.14-2007.04.17'; '*.12.24'; '2007.*.01'; <br> - Field <b>'Time range'</b> have format 'hh:mm-hh:mm'. Example: '08:00-18:00'; - </description> + <description><![CDATA[You may enter any description here for your reference.<br> + <b>Note:</b><br> + <b>Example for Date or Date Range:</b> 2007.12.31 <b>or</b> 2007.11.31-2007.12.31 <b>or</b> *.12.31 <b>or</b> 2007.*.31<br> + <b>Example for Time Range:</b> 08:00-18:00 + ]]></description> <type>input</type> <size>80</size> </field> @@ -139,4 +141,4 @@ <custom_php_resync_config_command> // squidguard_resync_time(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/sudo/sudo.inc b/config/sudo/sudo.inc new file mode 100644 index 00000000..a65753a1 --- /dev/null +++ b/config/sudo/sudo.inc 
@@ -0,0 +1,179 @@ +<?php +/* + sudo.inc + + Copyright (C) 2013 Jim Pingle (jpingle@gmail.com) + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); +switch ($pfs_version) { + case "1.2": + case "2.0": + define('SUDO_BASE','/usr/local'); + break; + default: + // Hackish way to detect if someone manually did pkg_add rather than use pbi. + if (is_dir('/usr/pbi/sudo-' . php_uname("m"))) + define('SUDO_BASE', '/usr/pbi/sudo-' . php_uname("m")); + else + define('SUDO_BASE','/usr/local'); +} + +define('SUDO_CONFIG_DIR', SUDO_BASE . '/etc'); +define('SUDO_SUDOERS', SUDO_CONFIG_DIR . '/sudoers'); + +function sudo_install() { + global $g, $config; + /* If we don't have a config, pre-load some good default sudo entries. 
*/ + if (!is_array($config['installedpackages']['sudo']['config'][0]['row'])) { + $config['installedpackages']['sudo']['config'][0]['row'] = array( + 0 => array( + "username" => "user:root", + "runas" => "user:root", + "cmdlist" => "ALL" + ), + 1 => array( + "username" => "user:admin", + "runas" => "user:root", + "cmdlist" => "ALL" + ), + 2 => array( + "username" => "group:admins", + "runas" => "user:root", + "cmdlist" => "ALL" + ) + ); + } +} + +function sudo_write_config() { + global $config; + $sudoers = ""; + if (!is_array($config['installedpackages']['sudo']['config'][0]['row'])) { + /* No config, wipe sudoers file and bail. */ + unlink(SUDO_SUDOERS); + log_error("No sudo configuration found, removing sudoers file to prevent unpredictable results."); + return; + } + $sudocfg = &$config['installedpackages']['sudo']['config'][0]['row']; + /* Parse the config and massage it into proper sudo config lines. */ + foreach ($sudocfg as $sudo_commands) { + // (user|group) ALL=(ALL|user spec) ALL|command list + list($etype, $ename) = explode(":", $sudo_commands['username']); + $user = ($etype == "group") ? "%{$ename}" : $ename; + list($rtype, $rname) = explode(":", $sudo_commands['runas']); + $runas = ($rtype == "group") ? ":{$rname}" : $rname; + $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : ""; + $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist']; + $commands = ($commands == "all") ? "ALL" : $commands; + $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}\n"; + } + + /* Check validity of the sudoers data created above. */ + $tmpsudoers = tempnam("/tmp", "sudoers"); + file_put_contents($tmpsudoers, $sudoers); + $result = exec("/usr/local/sbin/visudo -c -f {$tmpsudoers}"); + + /* If the file is OK, move it into place with the correct permissions, otherwise log an error and trash it. 
*/ + if (stristr($result, "parsed OK")) { + rename($tmpsudoers, SUDO_SUDOERS); + chmod(SUDO_SUDOERS, 0440); + } else { + log_error("Sudoers file invalid: {$result}"); + unlink($tmpsudoers); + } +} + +/* Get a list of users and groups in a format we can use to make proper sudoers entries. +Optionally include "ALL" as a user (for use by the Run As list) + */ +function sudo_get_users($list_all_user = false) { + global $config; + if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); + $a_user = &$config['system']['user']; + if (!is_array($config['system']['group'])) + $config['system']['group'] = array(); + $a_group = &$config['system']['group']; + $users = array(); + + /* Make an entry for root, even though admin is essentially the same as root, they are distinct. */ + $tmpuser = array(); + $tmpuser["name"] = "user:root"; + $tmpuser["descr"] = "User: root"; + $users[] = $tmpuser; + + /* Add the all user if we want it */ + if ($list_all_user) { + $tmpuser = array(); + $tmpuser["name"] = "user:ALL"; + $tmpuser["descr"] = "User: ALL Users"; + $users[] = $tmpuser; + } + + foreach ($a_user as $user) { + $tmpuser = array(); + $tmpuser["name"] = "user:{$user['name']}"; + $tmpuser["descr"] = "User: {$user['name']}"; + $users[] = $tmpuser; + } + + /* Add the wheel group here. We may need other manual groups later (e.g. operator) */ + $tmpuser = array(); + $tmpuser["name"] = "group:wheel"; + $tmpuser["descr"] = "Group: wheel"; + $users[] = $tmpuser; + + foreach ($a_group as $group) { + /* The "all" group is internal and doesn't make sense to use here. */ + if ($group['name'] == "all") + continue; + $tmpgroup = array(); + $tmpgroup["name"] = "group:{$group['name']}"; + $tmpgroup["descr"] = "Group: {$group['name']}"; + $users[] = $tmpgroup; + } + + return $users; +} + +/* Make sure commands passed in are valid executables to help ensure a valid sudoers file and expected behavior. 
+ This also forces the user to give full paths to executables, which they should be doing anyhow. + */ +function sudo_validate_commands($input_errors) { + $idx = 0; + while(isset($_POST["cmdlist{$idx}"])) { + $commands = $_POST["cmdlist" . $idx++]; + if (strtoupper($commands) == "ALL") + continue; + $commands = explode(",", $commands); + foreach ($commands as $command) { + list($cmd, $params) = explode(" ", trim($command), 2); + if (!is_executable($cmd)) + $input_errors[] = htmlspecialchars($cmd) . " is not an executable command."; + } + } +} +?> diff --git a/config/sudo/sudo.xml b/config/sudo/sudo.xml new file mode 100644 index 00000000..56163abf --- /dev/null +++ b/config/sudo/sudo.xml 
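Review bot: sudo_validate_commands declares `$input_errors` by value, so the messages it appends are lost unless the caller forces a reference; the `&` in sudo.xml's `sudo_validate_commands(&$input_errors)` (the next hunk) is call-time pass-by-reference, which PHP 5.3 flags as deprecated and 5.4 rejects outright, so a non-executable `cmdlist` may be accepted silently depending on the interpreter. Declare the parameter by reference, `function sudo_validate_commands(&$input_errors) {`, and call it as `sudo_validate_commands($input_errors);` in sudo.xml. The generated file is still run through `visudo -c` before it replaces the live sudoers, so an unvalidated entry cannot break sudoers syntax, but the "is not an executable command" check is the only thing that catches a mistyped path. Separately, `$sudo_commands['nopasswd'] == "ON"` is case-sensitive; confirm the checkbox actually stores "ON" rather than "on", otherwise NOPASSWD is never emitted.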
@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="utf-8" ?> +<packagegui> + <description>Sudo Command Control</description> + <requirements>None</requirements> + <name>sudo</name> + <version>0.1</version> + <title>Sudo - Shell Command Privilege Delegation Utility</title> + <include_file>/usr/local/pkg/sudo.inc</include_file> + <menu> + <name>sudo</name> + <tooltiptext></tooltiptext> + <section>System</section> + <url>/pkg_edit.php?xml=sudo.xml</url> + </menu> + <configpath>installedpackages->package->sudo</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/sudo/sudo.inc</item> + </additional_files_needed> + <fields> + <field> + <type>listtopic</type> + <name>Sudo Options</name> + </field> + <field> + <type>info</type> + <description><![CDATA[ +User permission definitions for allowing the use of sudo by shell users to run commands as other users, such as root. +<br /><br />More information on the full command options may be found in the <a href="http://www.sudo.ws/sudoers.man.html">sudoers manual</a>. +<br /><br />By default the command is "ALL" meaning the user can run any commands. Leaving the commands field blank assumes "ALL". A comma-separated list of commands can be supplied to limit the user to individual binaries. Full paths to binaries must be used. 
+ ]]></description> + </field> + <field> + <fielddescr>User Permissions</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>User/Group</fielddescr> + <fieldname>username</fieldname> + <type>select_source</type> + <source><![CDATA[sudo_get_users()]]></source> + <source_name>descr</source_name> + <source_value>name</source_value> + <required/> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Run As</fielddescr> + <fieldname>runas</fieldname> + <type>select_source</type> + <source><![CDATA[sudo_get_users(true)]]></source> + <source_name>descr</source_name> + <source_value>name</source_value> + <required/> + </rowhelperfield> + <rowhelperfield> + <fielddescr>No Password</fielddescr> + <fieldname>nopasswd</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Command List</fielddescr> + <fieldname>cmdlist</fieldname> + <description>Commands the user may run. Comma-separated list, full paths preferred. Default: ALL</description> + <type>input</type> + <size>30</size> + <value>ALL</value> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_install_command> + <![CDATA[ + sudo_install(); + sudo_write_config(); + ]]> + </custom_php_install_command> + <custom_php_resync_config_command> + <![CDATA[ + sudo_write_config(); + ]]> + </custom_php_resync_config_command> + <custom_php_validation_command> + <![CDATA[ + sudo_validate_commands(&$input_errors); + ]]> + </custom_php_validation_command> +</packagegui> diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc index b56cef39..75d5bb4d 100644 --- a/config/syslog-ng/syslog-ng.inc +++ b/config/syslog-ng/syslog-ng.inc 
@@ -109,6 +109,7 @@ function syslogng_validate_advanced($post, $input_errors) { $input_errors[] = 'Creation or modification of \'_DEFAULT\' objects not permitted. Change default settings under \'General\' tab.'; } + $post['objectparameters'] = base64_encode($post['objectparameters']); $new_object[] = array("objecttype"=>$post['objecttype'], "objectname"=>$post['objectname'], "objectparameters"=>$post['objectparameters']); if(empty($objects)) { @@ -192,8 +193,11 @@ function syslogng_build_default_objects($settings) { } } $default_objects[0]['objectparameters'] .= "); };"; + $default_objects[0]['objectparameters'] = base64_encode($default_objects[0]['objectparameters']); $default_objects[1] = array("objecttype"=>"destination", "objectname"=>"_DEFAULT", "objectparameters"=>"{ file(\"$default_logdir/$default_logfile\"); };"); + $default_objects[1]['objectparameters'] = base64_encode($default_objects[1]['objectparameters']); $default_objects[2] = array("objecttype"=>"log", "objectname"=>"_DEFAULT", "objectparameters"=>"{ source(_DEFAULT); destination(_DEFAULT); };"); + $default_objects[2]['objectparameters'] = base64_encode($default_objects[2]['objectparameters']); return $default_objects; } @@ -231,7 +235,7 @@ function syslogng_get_log_files($objects) { foreach($objects as $object) { if($object['objecttype'] == 'destination') { - preg_match("/file\(['\"]([^'\"]*)['\"]/", $object['objectparameters'], $match); + preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); if($match) { $log_file = $match[1]; array_push($log_files, $log_file); 
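Review bot: In syslogng_build_default_objects the three added `base64_encode` assignments rewrite values the same statements just built; encoding at construction, e.g. `"objectparameters"=>base64_encode("{ file(\"$default_logdir/$default_logfile\"); };")`, keeps the stored representation visible in one place. Presumably these encoded strings are meant to match what the `<encoding>base64</encoding>` field in syslog-ng_advanced.xml writes to config so that syslogng_build_conf can decode uniformly; a comment stating that contract where the objects are built, `// objectparameters is stored base64-encoded in config; decode before use (see syslogng_build_conf)`, would make the dependency explicit. The decode sites in the -231 and -249 hunks use non-strict `base64_decode`, which turns a malformed stored value into garbage in the generated configuration rather than an error; `base64_decode($object['objectparameters'], true)` with a `=== false` check would fail loudly instead.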
@@ -249,9 +253,9 @@ function syslogng_build_conf($objects) { foreach($objects as $object) { if($object['objecttype'] == 'log' || $object['objecttype'] == 'options') { - $conf .= $object['objecttype'] . " " . $object['objectparameters'] . "\n"; + $conf .= $object['objecttype'] . " " . base64_decode($object['objectparameters']) . "\n"; } else { - $conf .= $object['objecttype'] . " " . $object['objectname'] . " " . $object['objectparameters'] . "\n"; + $conf .= $object['objecttype'] . " " . $object['objectname'] . " " . base64_decode($object['objectparameters']) . "\n"; } } diff --git a/config/syslog-ng/syslog-ng_advanced.xml b/config/syslog-ng/syslog-ng_advanced.xml index 36a02a07..2ddcf1e0 100644 --- a/config/syslog-ng/syslog-ng_advanced.xml +++ b/config/syslog-ng/syslog-ng_advanced.xml @@ -112,6 +112,7 @@ <fieldname>objectparameters</fieldname> <description>Enter the object parameters</description> <type>textarea</type> + <encoding>base64</encoding> <cols>65</cols> <rows>5</rows> <required/> diff --git a/config/systempatches/apply_patches.php b/config/systempatches/apply_patches.php new file mode 100644 index 00000000..3ac0d671 --- /dev/null +++ b/config/systempatches/apply_patches.php @@ -0,0 +1,11 @@ +#!/usr/local/bin/php +<?php +require_once("config.inc"); +require_once("patches.inc"); + +global $g, $config; + +echo "Applying patches..."; +bootup_apply_patches(); +echo "Done.\n"; +?>
\ No newline at end of file diff --git a/config/systempatches/patches.inc b/config/systempatches/patches.inc index d17e3614..60c9a391 100644 --- a/config/systempatches/patches.inc +++ b/config/systempatches/patches.inc @@ -29,11 +29,20 @@ require_once("globals.inc"); require_once("util.inc"); -$git_root_url = "http://github.com/bsdperimeter/pfsense/commit/"; +global $git_root_url, $patch_suffix, $patch_dir, $patch_cmd; +$git_root_url = "http://github.com/pfsense/pfsense/commit/"; $patch_suffix = ".patch"; $patch_dir = "/var/patches"; $patch_cmd = "/usr/bin/patch"; +function patch_package_install() { + patch_add_shellcmd(); +} + +function patch_package_deinstall() { + patch_remove_shellcmd(); +} + function patch_commit($patch, $action, $test=false, $fulldetail=false) { global $patch_dir, $patch_cmd, $patch_suffix; $directory = empty($patch['basedir']) ? "/" : $patch['basedir']; @@ -41,15 +50,17 @@ function patch_commit($patch, $action, $test=false, $fulldetail=false) { $check = ($test) ? "--check" : ""; $force = ($action == "revert") ? "-f" : "-t"; $direction = ($action == "revert") ? "--reverse" : "--forward"; - $whitespace = $patch['ignorewhitespace'] ? "--ignore-whitespace" : ""; + $whitespace = isset($patch['ignorewhitespace']) ? "--ignore-whitespace" : ""; $pathstrip = '-p' . $patch['pathstrip']; $full_patch_command = "{$patch_cmd} --directory={$directory} {$force} {$pathstrip} {$filename} {$check} {$direction} {$whitespace}"; + conf_mount_rw(); patch_write($patch); if (!$fulldetail) $output = (mwexec($full_patch_command, true) == 0); else $output = $full_patch_command . "\n\n" . shell_exec($full_patch_command . ' 2>&1'); patch_erase($patch); + conf_mount_ro(); return $output; } @@ -139,4 +150,55 @@ function is_github_url($url) { $urlbits = explode("/", $url); return (substr($urlbits[2], -10) == "github.com"); } -?>
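Review bot: The `global $g, $config;` statement in apply_patches.php has no effect at file scope when the script is executed directly with `php -f`, which is how the shellcmd added in patches.inc runs it; file-scope variables are already global. Either drop it or add a comment explaining that it is there for the case where the file is required from inside a function. `require_once("config.inc")` relies on the interpreter's include path containing the pfSense include directory; presumably the CLI php.ini provides that, but it is worth confirming, since a failure here happens at every boot with no one watching.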
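Review bot: `$git_root_url` remains an http:// URL, and a patch fetched through it is later applied to the system root, now also unattended at every boot via bootup_apply_patches when autoapply is set; over plain HTTP nothing protects the patch body from modification in transit. GitHub serves the same commit URLs over TLS, so `$git_root_url = "https://github.com/pfsense/pfsense/commit/";` is a one-line change that removes that exposure, assuming the fetch code elsewhere in this file verifies certificates. The new file-scope `global $git_root_url, $patch_suffix, $patch_dir, $patch_cmd;` only matters when patches.inc is included from within a function; a short comment saying so would keep it from being removed as dead code.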
\ No newline at end of file + +function bootup_apply_patches() { + global $config; + + $a_patches = &$config['installedpackages']['patches']['item']; + + foreach ($a_patches as $patch) { + /* Skip the patch if it should not be automatically applied. */ + if (!isset($patch['autoapply'])) + continue; + /* If the patch can be reverted it is already applied, so skip it. */ + if (!patch_test_revert($patch)) { + /* Only attempt to apply if it can be applied. */ + if (patch_test_apply($patch)) { + patch_apply($patch); + } + } + } +} + +function patch_add_shellcmd() { + global $config; + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (!is_array($a_earlyshellcmd)) + $a_earlyshellcmd = array(); + $found = false; + foreach ($a_earlyshellcmd as $idx => $cmd) + if (stristr($cmd, "apply_patches.php")) + $found = true; + if (!$found) { + $a_earlyshellcmd[] = "/usr/local/bin/php -f /usr/local/bin/apply_patches.php"; + write_config("System Patches package added a shellcmd"); + } +} + +function patch_remove_shellcmd() { + global $config; + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (!is_array($a_earlyshellcmd)) + $a_earlyshellcmd = array(); + $removed = false; + foreach ($a_earlyshellcmd as $idx => $cmd) { + if (stristr($cmd, "apply_patches.php")) { + unset($a_earlyshellcmd[$idx]); + $removed = true; + } + } + if ($removed) + write_config("System Patches package removed a shellcmd"); +} + +?> diff --git a/config/systempatches/system_patches.php b/config/systempatches/system_patches.php index 2cb6abf9..7fe860bd 100644 --- a/config/systempatches/system_patches.php +++ b/config/systempatches/system_patches.php 
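Review bot: bootup_apply_patches iterates `$a_patches` without checking that it is an array; when no patches are configured the reference assignment yields null (and creates an empty `item` key under `$config['installedpackages']['patches']`), so the `foreach` emits a warning on every boot. Add `if (!is_array($a_patches)) return;` right after the reference, or take a plain copy since the function only reads. patch_remove_shellcmd leaves a hole in `$a_earlyshellcmd` after `unset`; `array_values()` before write_config would keep the list contiguous. Note also that clearing autoapply on every patch never calls patch_remove_shellcmd, so the boot hook stays installed and simply finds nothing to apply; benign, but worth a comment on patch_add_shellcmd.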
@@ -71,10 +71,10 @@ if (($_GET['act'] == "fetch") && ($a_patches[$_GET['id']])) { } if (($_GET['act'] == "test") && ($a_patches[$_GET['id']])) { $savemsg = patch_test_apply($a_patches[$_GET['id']]) ? gettext("Patch can be applied cleanly") : gettext("Patch can NOT be applied cleanly"); - $savemsg .= " (<a href=\"system_patches.php?id={$_GET['id']}&fulltest=apply\">" . gettext("detail") . "</a>)"; + $savemsg .= " (<a href=\"system_patches.php?id={$_GET['id']}&fulltest=apply\">" . gettext("detail") . "</a>)"; $savemsg .= empty($savemsg) ? "" : "<br/>"; $savemsg .= patch_test_revert($a_patches[$_GET['id']]) ? gettext("Patch can be reverted cleanly") : gettext("Patch can NOT be reverted cleanly"); - $savemsg .= " (<a href=\"system_patches.php?id={$_GET['id']}&fulltest=revert\">" . gettext("detail") . "</a>)"; + $savemsg .= " (<a href=\"system_patches.php?id={$_GET['id']}&fulltest=revert\">" . gettext("detail") . "</a>)"; } if (($_GET['fulltest']) && ($a_patches[$_GET['id']])) { if ($_GET['fulltest'] == "apply") { 
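Review bot: The two changed `$savemsg` lines still interpolate `$_GET['id']` unescaped into an href that is printed to the page; the surrounding `$a_patches[$_GET['id']]` guard limits it to an existing array key in practice, so the exposure is small, but the output should not depend on that indirection. Cast once before building the links, `$patch_id = (int)$_GET['id'];`, and use `{$patch_id}` in both hrefs, or wrap each occurrence in `htmlspecialchars()`, so the escaping survives a later change to the guard.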
@@ -144,24 +144,26 @@ if (isset($_POST['del_x'])) { } } +$closehead = false; $pgtitle = array(gettext("System"),gettext("Patches")); include("head.inc"); -echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript/domTT/domLib.js\"></script>"; -echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript/domTT/domTT.js\"></script>"; -echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript/domTT/behaviour.js\"></script>"; -echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript/domTT/fadomatic.js\"></script>"; - ?> -<link rel="stylesheet" href="/javascript/chosen/chosen.css" /> +<script type="text/javascript" src="/javascript/domTT/domLib.js"></script> +<script type="text/javascript" src="/javascript/domTT/domTT.js"></script> +<script type="text/javascript" src="/javascript/domTT/behaviour.js"></script> +<script type="text/javascript" src="/javascript/domTT/fadomatic.js"></script> + +<link type="text/css" rel="stylesheet" href="/javascript/chosen/chosen.css" /> +</head> <body link="#000000" vlink="#000000" alink="#000000"> <?php include("fbegin.inc"); ?> <form action="system_patches.php" method="post" name="iform"> <script type="text/javascript" language="javascript" src="/javascript/row_toggle.js"></script> <?php if ($savemsg) print_info_box($savemsg); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="system patches"> <tr><td><div id="mainarea"> -<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> +<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0" summary="main area"> <tr><td colspan="8" align="center"> <?php echo gettext("This page allows you to add patches, either from the official code repository or ones pasted in from e-mail or other sources."); ?> <br/><br/> 
@@ -177,21 +179,22 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript <tr id="frheader"> <td width="5%" class="list"> </td> <td width="5%" class="listhdrr"><?=gettext("Description");?></td> -<td width="65%" class="listhdrr"><?=gettext("URL/ID");?></td> +<td width="60%" class="listhdrr"><?=gettext("URL/ID");?></td> <td width="5%" class="listhdrr"><?=gettext("Fetch");?></td> <td width="5%" class="listhdrr"><?=gettext("Test");?></td> <td width="5%" class="listhdrr"><?=gettext("Apply");?></td> <td width="5%" class="listhdr"><?=gettext("Revert");?></td> +<td width="5%" class="listhdr"><?=gettext("Auto Apply");?></td> <td width="5%" class="list"> -<table border="0" cellspacing="0" cellpadding="1"> +<table border="0" cellspacing="0" cellpadding="1" summary="buttons"> <tr><td width="17"> <?php if (count($a_patches) == 0): ?> - <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected patches");?>" border="0"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected patches");?>" border="0" alt="delete" /> <?php else: ?> - <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected patches"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected patches?");?>')"> + <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected patches"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected patches?");?>')" /> <?php endif; ?> </td> - <td><a href="system_patches_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new patch"); ?>"></a></td> + <td><a href="system_patches_edit.php"><img src="/themes/<?= 
$g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new patch"); ?>" alt="add" /></a></td> </tr> </table> </td> @@ -205,11 +208,11 @@ foreach ($a_patches as $thispatch): ?> <tr valign="top" id="fr<?=$npatches;?>"> - <td class="listt"><input type="checkbox" id="frc<?=$npatches;?>" name="patch[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$npatches;?>')" style="margin: 0; padding: 0; width: 15px; height: 15px;"></td> - <td class="listlr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listt"><input type="checkbox" id="frc<?=$npatches;?>" name="patch[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$npatches;?>')" style="margin: 0; padding: 0; width: 15px; height: 15px;" /></td> + <td class="listlr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?=$thispatch['descr'];?> </td> - <td class="listr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if (!empty($thispatch['location'])) 
@@ -218,57 +221,60 @@ foreach ($a_patches as $thispatch): echo gettext("Saved Patch"); ?> </td> - <td class="listr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if (empty($thispatch['patch'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Fetch"); ?></a> + <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Fetch"); ?></a> <?php elseif (!empty($thispatch['location'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Re-Fetch"); ?></a> + <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Re-Fetch"); ?></a> <?php endif; ?> </td> - <td class="listr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if (!empty($thispatch['patch'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=test"><?php echo gettext("Test"); ?></a> + <a href="system_patches.php?id=<?=$i;?>&act=test"><?php echo gettext("Test"); ?></a> <?php endif; ?> </td> - <td class="listr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if ($can_apply): ?> - <a href="system_patches.php?id=<?=$i;?>&act=apply"><?php echo gettext("Apply"); ?></a> + <a href="system_patches.php?id=<?=$i;?>&act=apply"><?php echo gettext("Apply"); ?></a> <?php endif; ?> </td> - <td 
class="listr" onClick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if ($can_revert): ?> - <a href="system_patches.php?id=<?=$i;?>&act=revert"><?php echo gettext("Revert"); ?></a> + <a href="system_patches.php?id=<?=$i;?>&act=revert"><?php echo gettext("Revert"); ?></a> <?php endif; ?> </td> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <?= isset($thispatch['autoapply']) ? "Yes" : "No" ?> + </td> <td valign="middle" class="list" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="1" summary="edit"> <tr> - <td><input onmouseover="fr_insline(<?=$npatches;?>, true)" onmouseout="fr_insline(<?=$npatches;?>, false)" name="move_<?=$i;?>" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" title="<?=gettext("move selected patches before this patch");?>" height="17" type="image" width="17" border="0"></td> - <td><a href="system_patches_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("edit patch"); ?>"></a></td> + <td><input onmouseover="fr_insline(<?=$npatches;?>, true)" onmouseout="fr_insline(<?=$npatches;?>, false)" name="move_<?=$i;?>" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" title="<?=gettext("move selected patches before this patch");?>" height="17" type="image" width="17" border="0" /></td> + <td><a href="system_patches_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("edit patch"); ?>" alt="edit" /></a></td> </tr> <tr> - <td align="center" 
valign="middle"><a href="system_patches.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this patch?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete patch");?>"></a></td> + <td align="center" valign="middle"><a href="system_patches.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this patch?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete patch");?>" alt="delete" /></a></td> <td></td> </tr> </table> </td></tr> <?php $i++; $npatches++; endforeach; ?> <tr> - <td class="list" colspan="7"></td> + <td class="list" colspan="8"></td> <td class="list" valign="middle" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="1" summary="edit"> <tr> - <td><?php if ($npatches == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="<?=gettext("move selected patches to end"); ?>" border="0"><?php else: ?><input name="move_<?=$i;?>" type="image" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" width="17" height="17" title="<?=gettext("move selected patches to end");?>" border="0"><?php endif; ?></td> + <td><?php if ($npatches == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="<?=gettext("move selected patches to end"); ?>" border="0" alt="move" /><?php else: ?><input name="move_<?=$i;?>" type="image" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" width="17" height="17" title="<?=gettext("move selected patches to end");?>" border="0" alt="move" /><?php endif; ?></td> </tr> <tr> <td width="17"> <?php if (count($a_patches) == 0): ?> - <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete 
selected patches");?>" border="0"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected patches");?>" border="0" alt="delete" /> <?php else: ?> - <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected patches"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected patches?");?>')"> + <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected patches"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected patches?");?>')" /> <?php endif; ?> </td> - <td><a href="system_patches_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new patch"); ?>"></a></td> + <td><a href="system_patches_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new patch"); ?>" alt="add" /></a></td> </tr> </table> </td> diff --git a/config/systempatches/system_patches_edit.php b/config/systempatches/system_patches_edit.php index a4038b05..ffa2fe13 100644 --- a/config/systempatches/system_patches_edit.php +++ b/config/systempatches/system_patches_edit.php @@ -63,6 +63,10 @@ if (isset($id) && $a_patches[$id]) { $pconfig['ignorewhitespace'] = isset($a_patches[$id]['ignorewhitespace']); $pconfig['autoapply'] = isset($a_patches[$id]['autoapply']); $pconfig['uniqid'] = $a_patches[$id]['uniqid']; +} else { + $pconfig['pathstrip'] = 1; + $pconfig['basedir'] = "/"; + $pconfig['ignorewhitespace'] = true; } if (isset($_GET['dup'])) 
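Review bot: The new Auto Apply cell prints the literals `"Yes"` and `"No"` while every other string in this table goes through gettext(); for consistency use `<?= isset($thispatch['autoapply']) ? gettext("Yes") : gettext("No") ?>`. The description cell earlier in the row (`<?=$thispatch['descr'];?>`, in the -205 hunk) still emits the config value without htmlspecialchars(); that is pre-existing, but since the edit page in this same commit now escapes the patch body, the list page is the natural next place to bring into line.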
@@ -127,53 +131,55 @@ if ($_POST) { } write_config(); + if ($thispatch['autoapply']) + patch_add_shellcmd(); header("Location: system_patches.php"); return; } } +$closehead = false; $pgtitle = array(gettext("System"),gettext("Patches"), gettext("Edit")); include("head.inc"); ?> -<link rel="stylesheet" href="/pfCenter/javascript/chosen/chosen.css" /> +<link type="text/css" rel="stylesheet" href="/pfCenter/javascript/chosen/chosen.css" /> +<script src="/pfCenter/javascript/chosen/chosen.proto.js" type="text/javascript"></script> </head> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<script src="/pfCenter/javascript/chosen/chosen.proto.js" type="text/javascript"></script> -<?php -include("fbegin.inc"); ?> +<?php include("fbegin.inc"); ?> <?php if ($input_errors) print_input_errors($input_errors); ?> <form action="system_patches_edit.php" method="post" name="iform" id="iform"> -<table width="100%" border="0" cellpadding="6" cellspacing="0"> +<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="system patches edit"> <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Patch Entry"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"><strong><?=gettext("Description"); ?></strong></td> <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br> <span class="vexpl"><?=gettext("Enter a description here for your reference."); ?></span></td> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" /> + <br /> <span class="vexpl"><?=gettext("Enter a description here for your reference."); ?></span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("URL/Commit ID"); ?></td> <td width="78%" class="vtable"> - <input name="location" type="text" class="formfld unknown" id="location" size="40" 
value="<?=htmlspecialchars($pconfig['location']);?>"> - <br> <span class="vexpl"><?=gettext("Enter a URL to a patch, or a commit ID from the main github repository (NOT the tools or packages repos!)."); ?></span></td> + <input name="location" type="text" class="formfld unknown" id="location" size="40" value="<?=htmlspecialchars($pconfig['location']);?>" /> + <br /> <span class="vexpl"><?=gettext("Enter a URL to a patch, or a commit ID from the main github repository (NOT the tools or packages repos!)."); ?></span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Patch Contents"); ?></td> <td width="78%" class="vtable"> - <textarea name="patch" class="" id="patch" ROWS="15" COLS="70" wrap="off"><?=base64_decode($pconfig['patch']);?></textarea> - <br> <span class="vexpl"><?=gettext("The contents of the patch. You can paste a patch here, or enter a URL/commit ID above, it can then be fetched into here automatically."); ?></span></td> + <textarea name="patch" class="" id="patch" rows="15" cols="70" wrap="off"><?=htmlspecialchars(base64_decode($pconfig['patch']));?></textarea> + <br /> <span class="vexpl"><?=gettext("The contents of the patch. You can paste a patch here, or enter a URL/commit ID above, it can then be fetched into here automatically."); ?></span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Path Strip Count:"); ?></td> <td width="78%" class="vtable"> <select name="pathstrip" class="formselect" id="pathstrip"> <?php for ($i = 0; $i < 20; $i++): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['pathstrip']) echo "selected"; ?>><?=$i;?></option> + <option value="<?=$i;?>" <?php if ($i == $pconfig['pathstrip']) echo "selected=\"selected\""; ?>><?=$i;?></option> <?php endfor; ?> </select> </td> 
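Review bot: The added `if ($thispatch['autoapply']) patch_add_shellcmd();` only registers the boot-time hook; when a patch is saved with Auto-Apply cleared nothing here unregisters it, so the hook persists unless patch_add_shellcmd() itself or the rest of the POST handler (which begins outside this hunk) handles removal. If patches.inc offers a counterpart that removes the shell command when no patch is flagged, call it in an `else` branch; otherwise a comment such as `// hook stays registered once added; apply_patches.php must tolerate no auto-apply patches` would record the intent. The textarea switch to `htmlspecialchars(base64_decode($pconfig['patch']))` is the right fix for the stored patch text and should be kept.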
@@ -181,27 +187,25 @@ include("fbegin.inc"); ?> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Base Directory"); ?></td> <td width="78%" class="vtable"> - <input name="basedir" type="text" class="formfld unknown" id="basedir" size="40" value="<?=htmlspecialchars($pconfig['basedir']);?>"> - <br> <span class="vexpl"><?=gettext("Enter the base directory for the patch, default is /. Patches from github are all based in /. Custom patches may need a full path here such as /usr/local/www/"); ?></span></td> + <input name="basedir" type="text" class="formfld unknown" id="basedir" size="40" value="<?=htmlspecialchars($pconfig['basedir']);?>" /> + <br /> <span class="vexpl"><?=gettext("Enter the base directory for the patch, default is /. Patches from github are all based in /. Custom patches may need a full path here such as /usr/local/www/"); ?></span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Ignore Whitespace"); ?></td> <td width="78%" class="vtable"> - <input name="ignorewhitespace" type="checkbox" id="ignorewhitespace" value="yes" <?php if ($pconfig['ignorewhitespace']) echo "checked"; ?>> + <input name="ignorewhitespace" type="checkbox" id="ignorewhitespace" value="yes" <?php if ($pconfig['ignorewhitespace']) echo "checked=\"checked\""; ?> /> <strong><?=gettext("Ignore Whitespace"); ?></strong><br /> <span class="vexpl"><?=gettext("Set this option to ignore whitespace in the patch."); ?></span> </td> </tr> -<!-- This isn't ready yet <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Auto Apply"); ?></td> <td width="78%" class="vtable"> - <input name="autoapply" type="checkbox" id="autoapply" value="yes" <?php if ($pconfig['autoapply']) echo "checked"; ?>> + <input name="autoapply" type="checkbox" id="autoapply" value="yes" <?php if ($pconfig['autoapply']) echo "checked=\"checked\""; ?> /> <strong><?=gettext("Auto-Apply Patch"); ?></strong><br /> <span class="vexpl"><?=gettext("Set this option to apply the patch 
automatically when possible, useful for patches to survive after firmware updates."); ?></span> </td> </tr> ---> <tr> <td width="22%" valign="top"> </td> <td width="78%">Patch id: <?php echo $pconfig['uniqid']; ?></td> @@ -209,10 +213,10 @@ include("fbegin.inc"); ?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> <input type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onclick="history.back()" /> <?php if (isset($id) && $a_patches[$id]): ?> - <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> - <input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>"> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> + <input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" /> <?php endif; ?> </td> </tr> diff --git a/config/systempatches/systempatches.xml b/config/systempatches/systempatches.xml index 3730c84f..73974af0 100644 --- a/config/systempatches/systempatches.xml +++ b/config/systempatches/systempatches.xml @@ -40,8 +40,9 @@ <requirements>None</requirements> <faq>Applies patches supplied by the user to the firewall.</faq> <name>System Patches</name> - <version>0.5</version> + <version>1.0</version> <title>System: Patches</title> + <include_file>/usr/local/pkg/patches.inc</include_file> <menu> <name>Patches</name> <tooltiptext></tooltiptext> 
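Review bot: `Patch id: <?php echo $pconfig['uniqid']; ?>` is the one value on this form printed without htmlspecialchars(); if `$pconfig` is repopulated from `$_POST` when the page is redisplayed with input errors (the escaped hidden `uniqid` field suggests it is posted back), that string is reflected unescaped. Change it to `Patch id: <?=htmlspecialchars($pconfig['uniqid']);?>`. Since the Auto-Apply option is now exposed, its description should also say that auto-applied patches modify system files at boot without further confirmation, given the patch body can be fetched from a user-supplied URL.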
@@ -59,8 +60,19 @@ <item>http://www.pfsense.com/packages/config/systempatches/system_patches_edit.php</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>755</chmod> + <item>http://www.pfsense.com/packages/config/systempatches/apply_patches.php</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>644</chmod> <item>http://www.pfsense.com/packages/config/systempatches/patches.inc</item> </additional_files_needed> + <custom_php_install_command> + patch_package_install(); + </custom_php_install_command> + <custom_php_deinstall_command> + patch_package_deinstall(); + </custom_php_deinstall_command> </packagegui>
\ No newline at end of file diff --git a/config/tinc/tinc.inc b/config/tinc/tinc.inc index 697e2932..cdfb23e5 100644 --- a/config/tinc/tinc.inc +++ b/config/tinc/tinc.inc @@ -1,18 +1,24 @@ <?php function tinc_save() { + global $config; conf_mount_rw(); config_lock(); exec("/bin/mv -f /usr/local/etc/tinc /usr/local/etc/tinc.old"); safe_mkdir("/usr/local/etc/tinc"); safe_mkdir("/usr/local/etc/tinc/hosts"); exec("touch /usr/local/etc/tinc/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI"); - $tincconf = $GLOBALS['config']['installedpackages']['tinc']['config'][0]; + $tincconf = &$config['installedpackages']['tinc']['config'][0]; $fout = fopen("/usr/local/etc/tinc/tinc.conf","w"); + + // No proper config, bail out. + if (!isset($tincconf['name']) || empty($tincconf['name'])) + return; + fwrite($fout, "name=".$tincconf['name']."\n"); fwrite($fout, "AddressFamily=".$tincconf['addressfamily']."\n"); - if(!is_array($GLOBALS['config']['installedpackages']['tinchosts']['config'])) { $GLOBALS['config']['installedpackages']['tinchosts']['config']=Array(); } - foreach($GLOBALS['config']['installedpackages']['tinchosts']['config'] as $host) { + if(!is_array($config['installedpackages']['tinchosts']['config'])) { $config['installedpackages']['tinchosts']['config']=Array(); } + foreach($config['installedpackages']['tinchosts']['config'] as $host) { if($host['connect']) { fwrite($fout, "ConnectTo=" . $host['name'] . "\n"); @@ -85,6 +91,7 @@ function tinc_save() { } function tinc_install() { + global $config; safe_mkdir("/usr/local/etc/tinc"); safe_mkdir("/usr/local/etc/tinc/hosts"); $_rcfile['file']='tinc.sh'; 
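Review bot: The new `apply_patches.php` item is fetched from `http://www.pfsense.com/...` and installed into `/usr/local/bin/` with mode 755, i.e. a script that will run at boot is pulled over plain HTTP, and nothing in this file pins a hash for it. Unless the package installer verifies downloads elsewhere, a network position between the firewall and that host is enough to replace the script that applies patches, presumably with the privileges of the web backend. If the package framework accepts an https item or a checksum for `additional_files_needed`, use it; otherwise the exposure deserves a note in the package description.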
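Review bot: The new bail-out `if (!isset($tincconf['name']) || empty($tincconf['name'])) return;` runs after `conf_mount_rw()`, `config_lock()` and `fopen()` have succeeded, so on the empty-config path the lock and the read-write mount are never released and the handle is leaked, assuming the matching unlock and mount-ro calls sit at the end of tinc_save() (outside this hunk). By that point the live directory has also been moved to `tinc.old` and an empty `tinc.conf` created. Move the check ahead of `conf_mount_rw()` (`$config` is already in scope there), or release everything acquired before the `return`; `empty()` already implies the `isset()` test, so `if (empty($tincconf['name']))` is sufficient.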
@@ -98,10 +105,10 @@ function tinc_install() { config_lock(); /* Create Interface Group */ - if (!is_array($GLOBALS['config']['ifgroups']['ifgroupentry'])) - $GLOBALS['config']['ifgroups']['ifgroupentry'] = array(); + if (!is_array($config['ifgroups']['ifgroupentry'])) + $config['ifgroups']['ifgroupentry'] = array(); - $a_ifgroups = &$GLOBALS['config']['ifgroups']['ifgroupentry']; + $a_ifgroups = &$config['ifgroups']['ifgroupentry']; $ifgroupentry = array(); $ifgroupentry['members'] = ''; $ifgroupentry['descr'] = 'tinc mesh VPN interface group'; @@ -118,13 +125,14 @@ function tinc_install() { } function tinc_deinstall() { + global $config; /* Remove Interface Group */ conf_mount_rw(); config_lock(); - if (!is_array($GLOBALS['config']['ifgroups']['ifgroupentry'])) - $GLOBALS['config']['ifgroups']['ifgroupentry'] = array(); + if (!is_array($config['ifgroups']['ifgroupentry'])) + $config['ifgroups']['ifgroupentry'] = array(); - $a_ifgroups = &$GLOBALS['config']['ifgroups']['ifgroupentry']; + $a_ifgroups = &$config['ifgroups']['ifgroupentry']; $myid=-1; $i = 0; diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 6588c5c2..e53168eb 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -23,6 +23,12 @@ POSSIBILITY OF SUCH DAMAGE. */ +// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) + define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m")); +else + define("UNBOUND_BASE", "/usr/local"); + if(!function_exists("is_service_running")) require_once("service-utils.inc"); 
@@ -40,34 +46,35 @@ function unbound_initial_setup() { // Make sure read-write conf_mount_rw(); - + if (!is_array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; // Ensure Unbound user exists - exec("/usr/sbin/pw useradd unbound"); + mwexec("/usr/sbin/pw useradd unbound", true); // Setup unbound // Create and chown dirs - mwexec("/bin/mkdir -p /usr/local/etc/unbound /usr/local/etc/unbound/dev"); - @chown("/usr/local/etc/unbound/.", "unbound"); - @chown("/usr/local/etc/unbound/dev.", "unbound"); + mwexec("/bin/mkdir -p " . UNBOUND_BASE . "/etc/unbound/dev"); + @chown(UNBOUND_BASE . "/etc/unbound/.", "unbound"); + @chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound"); // Touch needed files - @touch("/usr/local/etc/unbound/root.hints"); - @touch("/usr/local/etc/unbound/root-trust-anchor"); + @touch(UNBOUND_BASE . "/etc/unbound/root.hints"); + @touch(UNBOUND_BASE . "/etc/unbound/root-trust-anchor"); // Ensure files and folders belong to unbound - @chown("/usr/local/etc/unbound/root-trust-anchor", "unbound"); - @chgrp("/usr/local/etc/unbound/root-trust-anchor", "wheel"); - @chmod("/usr/local/etc/unbound/root-trust-anchor", 0600); + @chown(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "unbound"); + @chgrp(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "wheel"); + @chmod(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", 0600); // We do not need the sample conf or the default rc.d startup file - @unlink_if_exists("/usr/local/etc/unbound/unbound.conf.sample"); + @unlink_if_exists(UNBOUND_BASE . "/etc/unbound/unbound.conf.sample"); + @unlink_if_exists(UNBOUND_BASE . "/etc/rc.d/unbound"); @unlink_if_exists("/usr/local/etc/rc.d/unbound"); - + // Setup rc file for startup and shutdown. unbound_rc_setup(); - + /* Check to see if Set initial interfaces that are allowed to query to lan, if that does not exist set it to the wan * */ 
@@ -77,34 +84,34 @@ function unbound_initial_setup() { else $unbound_config['active_interface'] = "wan"; } - + unbound_anchor_setup(); unbound_resync_config(); unbound_keys_setup(); - exec("/usr/sbin/chown -R unbound:wheel /usr/local/etc/unbound/*"); + exec("/usr/sbin/chown -R unbound:wheel " . UNBOUND_BASE . "/etc/unbound/*"); // Write out the XML config write_config(); - + // Back to read-only conf_mount_ro(); } function unbound_anchor_setup() { - + $conf = <<<EOD . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 EOD; - file_put_contents("/usr/local/etc/unbound/root-trust-anchor", $conf); - + file_put_contents(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", $conf); + } function unbound_keys_setup() { - + // Generate SSL Keys for controlling the unbound server - mwexec("/usr/local/sbin/unbound-control-setup"); + mwexec(UNBOUND_BASE . "/sbin/unbound-control-setup"); } @@ -148,25 +155,21 @@ ENDPHP\n"; } function unbound_install() { - - conf_mount_rw(); unbound_initial_setup(); - conf_mount_ro(); - } function unbound_control($action) { global $config, $g; - + $unbound_config = $config['installedpackages']['unbound']['config'][0]; $cache_dumpfile = "/var/tmp/unbound_cache"; - + switch ($action) { case "forward": /* Dont utilize forward cmd if Unbound is doing DNS queries directly * XXX: We could make this an option to then make pfSense use Unbound * as the recursive nameserver instead of upstream ones(?) - */ + */ if ($unbound_config['forwarding_mode'] == "on") { // Get configured DNS servers and add them as forwarders if (!isset($config['system']['dnsallowoverride'])) { @@ -182,7 +185,7 @@ function unbound_control($action) { $dns_servers .= " $nameserver"; } } - + if(is_service_running("unbound")) { unbound_ctl_exec("forward $dns_servers"); } else { @@ -192,7 +195,7 @@ function unbound_control($action) { } } break; - + case "start": //Start unbound if($unbound_config['unbound_status'] == "on") { 
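Review bot: `@chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound")` targets a path literally named `dev.`, which the preceding `mkdir -p ... /etc/unbound/dev` never creates, so the suppressed call fails silently; the sibling line uses `/etc/unbound/.`, so this was presumably meant as the `dev` directory. Change it to `@chown(UNBOUND_BASE . "/etc/unbound/dev", "unbound");`. The recursive `chown -R unbound:wheel` later in unbound_initial_setup() masks the miss, which is likely why it went unnoticed.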
@@ -203,28 +206,31 @@ function unbound_control($action) { @unlink("/var/run/dnsmasq.pid"); mwexec("/bin/ln -s /var/run/unbound.pid /var/run/dnsmasq.pid"); } + mwexec_bg("/usr/local/bin/unbound_monitor.sh"); fetch_root_hints(); } break; - + case "stop": //Stop unbound and unmount the file system if($unbound_config['unbound_status'] == "on") { - unbound_ctl_exec("stop"); + mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); + unbound_ctl_exec("stop"); } break; - + case "termstop": //Stop Unbound by sigkillbypid(); + mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM"); break; - + case "dump_cache": //Dump Unbound's Cache if($unbound_config['dumpcache'] == "on") unbound_ctl_exec("dump_cache > $cache_dumpfile"); break; - + case "restore_cache": //Restore Unbound's Cache if ((is_service_running("unbound")) && ($unbound_config['dumpcache'] == "on")) { @@ -234,13 +240,13 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor - mwexec("/usr/local/sbin/unbound-anchor -a /usr/local/etc/unbound/root-trust-anchor", true); + mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); break; default: break; - + } - + } function unbound_get_network_interface_addresses() { @@ -251,7 +257,7 @@ function unbound_get_network_interface_addresses() { $unboundint = explode(",", $unbound_config['active_interface']); $unbound_interfaces = array(); $i = 0; - + foreach ($unboundint as $unboundidx => $unboundif) { /* Configure IPv4 addresses */ if (is_ipaddr($interfaces[$unboundif]['ipaddr'])) { 
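Review bot: In the `stop` case, `mwexec_bg("/usr/local/bin/unbound_monitor.sh stop")` is launched in the background and `unbound_ctl_exec("stop")` follows immediately, so the two interleave; if the monitor's role is to restart unbound when it is not running (the script is not part of this diff), a stop that lands first can be undone before the monitor has exited. The `termstop` case has the same ordering. Running the monitor stop synchronously here, `mwexec("/usr/local/bin/unbound_monitor.sh stop");`, before stopping the daemon removes the window, assuming the script returns promptly.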
@@ -269,12 +275,14 @@ function unbound_get_network_interface_addresses() { log_error("Unbound DNS: There was a problem setting up the Virtual IP for the interface ".link_ip_to_carp_interface($vip['subnet'])); } else { $unbound_interfaces[$i]['virtual']['ipaddr'] = $virtual_ip; + $unbound_interfaces[$i]['virtual']['subnet'] = $vip['subnet_bits']; + $unbound_interfaces[$i]['virtual']['network'] = $virtual_ip; } } } } } - } else if(isset($interfaces[$unboundif]['ipaddr'])) { + } else if (isset($interfaces[$unboundif]['ipaddr'])) { /* Find the interface IP address for * XXX - this only works for IPv4 currently - the pfSense module needs IPv6 love */ @@ -283,7 +291,7 @@ function unbound_get_network_interface_addresses() { $unbound_interfaces[$i]['ipv4']['subnet'] = find_interface_subnet($unboundrealif); $unbound_interfaces[$i]['ipv4']['network'] = gen_subnet($unbound_interfaces[$i]['ipv4']['ipaddr'],$unbound_interfaces[$i]['ipv4']['subnet']); } - + /* Configure IPv6 addresses */ if(function_exists("is_ipaddrv6")) { if(is_ipaddrv6($interfaces[$unboundif]['ipaddrv6'])) { @@ -370,9 +378,9 @@ function unbound_get_query_interface_addresses() { function unbound_acls_config() { global $config; - + /* Configure the ACLs */ - if(is_array($config['installedpackages']['unboundacls']['config'])) { + if (is_array($config['installedpackages']['unboundacls']['config'])) { $unbound_acls = $config['installedpackages']['unboundacls']['config']; $unboundcfg = ""; foreach($unbound_acls as $unbound_acl){ @@ -381,7 +389,7 @@ function unbound_acls_config() { if ($unbound_acl['aclaction'] == "allow snoop") $unbound_acl['aclaction'] = "allow_snoop"; $unboundcfg .= "access-control: {$network['acl_network']}/{$network['mask']} {$unbound_acl['aclaction']}\n"; - } + } } return $unboundcfg; } else 
@@ -390,23 +398,22 @@ function unbound_acls_config() { function unbound_resync_config() { global $config, $g, $input_errors; - + + $unbound_base = UNBOUND_BASE; + if (!is_array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; - + // Interfaces to bind to and setup acls for nics $unbound_bind_interfaces = ""; $unbound_allowed_networks = ""; $unboundnetcfg = unbound_get_network_interface_addresses(); foreach($unboundnetcfg as $netent) { - foreach($netent as $entry) { - # If virtual interface then skip - if (!$entry['network'] && !$entry['subnet'] && ($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1")) - continue; + foreach($netent as $nettype => $entry) { $unbound_bind_interfaces .="interface: {$entry['ipaddr']}\n"; - if($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1") + if($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1" && $nettype != "virtual") $unbound_allowed_networks .= "access-control: {$entry['network']}/{$entry['subnet']} allow\n"; } } @@ -420,19 +427,19 @@ function unbound_resync_config() { /* Configure user configured ACLs */ $unbound_allowed_networks .= unbound_acls_config(); - + if($unbound_config['dnssec_status'] == "on") { $module_config = "validator iterator"; - $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor"; + $anchor_file = "auto-trust-anchor-file: " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor"; } else $module_config = "iterator"; - + // Host entries $host_entries = unbound_add_host_entries(); - + // Domain Overrides $domain_overrides = unbound_add_domain_overrides(); - + // Unbound Statistics if($unbound_config['stats'] == "on") { $stats_interval = $unbound_config['stats_interval']; 
@@ -440,13 +447,13 @@ function unbound_resync_config() { if ($unbound_config['extended_stats'] == "on") $extended_stats = "yes"; else - $extended_stats = "no"; + $extended_stats = "no"; } else { $stats_interval = "0"; $cumulative_stats = "no"; $extended_stats = "no"; } - + // Private-address support for DNS Rebinding if($unbound_config['private_address'] == "on") { $pvt_addr = <<<EOF @@ -467,7 +474,7 @@ EOF; //Setup optimization $optimization = unbound_optimization(); - + $unbound_config = &$config['installedpackages']['unboundadvanced']['config'][0]; // Setup Advanced options $log_verbosity = (isset($unbound_config['unbound_verbosity'])) ? $unbound_config['unbound_verbosity'] : "1"; @@ -480,7 +487,7 @@ EOF; $outgoing_num_tcp = (!empty($unbound_config['outgoing_num_tcp'])) ? $unbound_config['outgoing_num_tcp'] : "10"; $incoming_num_tcp = (!empty($unbound_config['incoming_num_tcp'])) ? $unbound_config['incoming_num_tcp'] : "10"; $edns_buffer_size = (!empty($unbound_config['edns_buffer_size'])) ? $unbound_config['edns_buffer_size'] : "4096"; - $num_queries_per_thread = (!empty($unbound_config['num_queries_per_thread'])) ? $unbound_config['num_queries_per_thread'] : "1024"; + $num_queries_per_thread = (!empty($unbound_config['num_queries_per_thread'])) ? $unbound_config['num_queries_per_thread'] : "4096"; $jostle_timeout = (!empty($unbound_config['jostle_timeout'])) ? $unbound_config['jostle_timeout'] : "200"; $cache_max_ttl = (!empty($unbound_config['cache_max_ttl'])) ? $unbound_config['cache_max_ttl'] : "86400"; $cache_min_ttl = (!empty($unbound_config['cache_min_ttl'])) ? $unbound_config['cache_min_ttl'] : "0"; 
@@ -488,8 +495,7 @@ EOF; $infra_lame_ttl = (!empty($unbound_config['infra_lame_ttl'])) ? $unbound_config['infra_lame_ttl'] : "900"; $infra_cache_numhosts = (!empty($unbound_config['infra_cache_numhosts'])) ? $unbound_config['infra_cache_numhosts'] : "10000"; $unwanted_reply_threshold = (!empty($unbound_config['unwanted_reply_threshold'])) ? $unbound_config['unwanted_reply_threshold'] : "0"; - - + $unbound_conf = <<<EOD ######################### @@ -502,7 +508,7 @@ EOF; server: chroot: "" username: "unbound" -directory: "/usr/local/etc/unbound" +directory: "{$unbound_base}/etc/unbound" pidfile: "{$g['varrun_path']}/unbound.pid" root-hints: "root.hints" harden-referral-path: no @@ -539,7 +545,7 @@ harden-dnssec-stripped: {$harden_dnssec_stripped} {$optimization['key_cache_slabs']} {$optimization['msg_cache_size']} {$optimization['rrset_cache_size']} -{$optimization['outgoing_range']} +outgoing-range: 8192 {$optimization['so_rcvbuf']} # Interface IP(s) to bind to @@ -564,14 +570,14 @@ access-control: ::1 allow EOD; -# Handle custom options -if(!empty($unbound_config['custom_options'])) { - $custom_options = explode(";", ($unbound_config['custom_options'])); - $unbound_conf .= "# Unbound Custom options\n"; - foreach ($custom_options as $ent) { - $unbound_conf .= $ent."\n"; + # Handle custom options + if(!empty($unbound_config['custom_options'])) { + $custom_options = explode(";", ($unbound_config['custom_options'])); + $unbound_conf .= "# Unbound Custom options\n"; + foreach ($custom_options as $ent) { + $unbound_conf .= $ent."\n"; + } } -} $unbound_conf .= <<<EOD 
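Review bot: `outgoing-range: 8192` is now emitted unconditionally, replacing the per-thread value the old code derived from the CPU count; per unbound.conf(5) this setting is per thread, so descriptor demand grows with `num-threads` (set from kern.smp.cpus in unbound_optimization) and on multi-core boxes may collide with the per-process file limit, which is presumably why the old code divided by `$numprocs`. The new `num_queries_per_thread` default of 4096 in the earlier hunk stays below it, which is fine, but that relationship should be stated. A comment above the line such as `# per thread: keep >= num-queries-per-thread and within the process fd limit` would keep the next edit from breaking it.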
@@ -582,22 +588,24 @@ remote-control: control-enable: yes control-interface: 127.0.0.1 control-port: 953 -server-key-file: "/usr/local/etc/unbound/unbound_server.key" -server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" -control-key-file: "/usr/local/etc/unbound/unbound_control.key" -control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" +server-key-file: "{$unbound_base}/etc/unbound/unbound_server.key" +server-cert-file: "{$unbound_base}/etc/unbound/unbound_server.pem" +control-key-file: "{$unbound_base}/etc/unbound/unbound_control.key" +control-cert-file: "{$unbound_base}/etc/unbound/unbound_control.pem" EOD; - file_put_contents("/usr/local/etc/unbound/unbound.conf", $unbound_conf); - + conf_mount_rw(); + file_put_contents("{$unbound_base}/etc/unbound/unbound.conf", $unbound_conf); + conf_mount_ro(); + } function unbound_ctl_exec($cmd) { - - mwexec("/usr/local/sbin/unbound-control $cmd"); - + + mwexec(UNBOUND_BASE . "/sbin/unbound-control $cmd"); + } 
@@ -609,28 +617,24 @@ function unbound_optimization() { $unbound_config = $config['installedpackages']['unboundadvanced']['config'][0]; $optimization_settings = array(); - + // Set the number of threads equal to number of CPUs. // Use 1 (disable threading) if for some reason this sysctl fails. $numprocs = intval(trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d" " -f2`)); - if($numprocs > 0) + if($numprocs > 1) { $optimization['number_threads'] = "num-threads: {$numprocs}"; - else - $optimization['number_threads'] = "num-threads: 1"; - - // Slabs to help reduce lock contention. - if ($numprocs > 4) { - $optimization['msg_cache_slabs'] = "msg-cache-slabs: {$numprocs}"; - $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: {$numprocs}"; - $optimization['infra_cache_slabs'] = "infra-cache-slabs: {$numprocs}"; - $optimization['key_cache_slabs'] = "key-cache-slabs: {$numprocs}"; + $optimize_num = pow(2,floor(log($numprocs,2))); } else { - $optimization['msg_cache_slabs'] = "msg-cache-slabs: 4"; - $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: 4"; - $optimization['infra_cache_slabs'] = "infra-cache-slabs: 4"; - $optimization['key_cache_slabs'] = "key-cache-slabs: 4"; + $optimization['number_threads'] = "num-threads: 1"; + $optimize_num = 4; } - + + // Slabs to help reduce lock contention. + $optimization['msg_cache_slabs'] = "msg-cache-slabs: {$optimize_num}"; + $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: {$optimize_num}"; + $optimization['infra_cache_slabs'] = "infra-cache-slabs: {$optimize_num}"; + $optimization['key_cache_slabs'] = "key-cache-slabs: {$optimize_num}"; + // Memory usage - default is 4Mb if nothing has been selected if(isset($unbound_config['msg_cache_size'])) { $rr = $unbound_config['msg_cache_size']*2; 
@@ -640,14 +644,6 @@ function unbound_optimization() { $optimization['msg_cache_size'] = "msg-cache-size: 4m"; $optimization['rrset_cache_size'] = "rrset-cache-size: 8m"; } - - // More outgoing connections per thread otherwise assign a default of 4096 for a single thread - if($numprocs > 0) { - $or = (1024/$numprocs) - 50; - $optimization['outgoing_range'] = "outgoing-range: {$or}"; - } else { - $optimization['outgoing_range'] = "outgoing-range: {4096}"; - } // Larger socket buffer for busy servers // Check that it is set to 4MB (by default the OS has it configured to 4MB) @@ -659,7 +655,7 @@ function unbound_optimization() { $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m"; else unset($optimization['so_rcvbuf']); - + } } // Safety check in case kern.ipc.maxsockbuf is deleted. @@ -671,12 +667,12 @@ function unbound_optimization() { function fetch_root_hints() { - $destination_file = "/usr/local/etc/unbound/root.hints"; + $destination_file = UNBOUND_BASE . "/etc/unbound/root.hints"; if (filesize($destination_file) == 0 ) { conf_mount_rw(); $fout = fopen($destination_file, "w"); $url = "ftp://ftp.internic.net/domain/named.cache"; - + $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1); @@ -688,7 +684,7 @@ function fetch_root_hints() { fwrite($fout, $data); fclose($fout); conf_mount_ro(); - + return ($http_code == 200) ? true : $http_code; } else { return false; 
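Review bot: fetch_root_hints() still pulls `ftp://ftp.internic.net/domain/named.cache` over unauthenticated FTP with no integrity check, and the file is opened with `"w"` (truncated) before the transfer, so a failed fetch leaves an empty `root.hints` until the next run. The success test in the following hunk, `($http_code == 200)`, compares against an HTTP status although curl reports the FTP reply code for ftp:// URLs, so the `true` branch is unlikely ever to be taken. Prefer an https:// source for the same file if one is available, write the file only when `$data !== false`, and check the response code appropriate to the scheme used.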
@@ -700,18 +696,18 @@ function unbound_validate($post, $type=null) { if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; - + /* Validate the access lists */ if($type == "acl") { $acls = $post; // Check to ensure values entered is an action that is in the list if ($acls['aclaction'] != 'refuse' && $acls['aclaction'] != 'allow' && $acls['aclaction'] != 'allow_snoop' && $acls['aclaction'] != 'deny') $input_errors[] = "{$acls['aclaction']} is not a valid ACL Action. Please select one of the four actions defined in the list."; - + // Make sure there is at least 1 network defined. - if (!isset($acls['acl_network0'])) + if (!isset($acls['acl_network0'])) $input_errors[] = "You need to specify at least one network to create a valid ACL."; - + $count = 0; // Get number of rows added, should be passed by the form - will look into that later for($i=0; $i<99; $i++) { @@ -719,7 +715,7 @@ function unbound_validate($post, $type=null) { // Check to ensure values entered are networks if(!is_ipaddr($acls['acl_network'.$i]) && !is_subnet($acls['mask'.$i])) $input_errors[] = "{$acls['acl_network'.$i]}/{$acls['mask'.$i]} is not a valid network."; - } + } } } else if($type == "advanced") { if(!is_numeric($post['cache_max_ttl'])) @@ -732,7 +728,7 @@ function unbound_validate($post, $type=null) { $input_errors[] = "You must enter a valid number in 'TTL for lame delegation'."; if(!is_numeric($post['infra_cache_numhosts'])) $input_errors[] = "You must enter a valid number in 'Number of Hosts to cache'."; - + } else if($type == "basic") { /* Validate settings */ if($post['active_interface'] == "") 
@@ -742,9 +738,9 @@ function unbound_validate($post, $type=null) { function unbound_reconfigure() { global $config; - + $unbound_config = $config['installedpackages']['unbound']['config'][0]; - + if ($unbound_config['unbound_status'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); @@ -759,7 +755,7 @@ function unbound_reconfigure() { unbound_control("forward"); unbound_control("restore_cache"); } - } + } } function unbound_uninstall() { @@ -769,20 +765,20 @@ function unbound_uninstall() { unbound_control("termstop"); // Remove pkg config directory and startup file - mwexec("rm -rf /usr/local/etc/unbound"); + mwexec("rm -rf " . UNBOUND_BASE . "/etc/unbound"); @unlink("/usr/local/etc/rc.d/unbound.sh"); @unlink("{$g['varlog_path']}/unbound.log"); @unlink("/var/tmp/unbound_cache"); - conf_mount_ro(); + conf_mount_ro(); } function read_hosts() { - + // Open /etc/hosts and extract the only dhcpleases info $etc_hosts = array(); - foreach (file('/etc/hosts') as $line) { + foreach (file('/etc/hosts') as $line) { $d = preg_split('/\s/', $line, -1, PREG_SPLIT_NO_EMPTY); if (empty($d) || substr(reset($d), 0, 1) == "#") continue; @@ -806,12 +802,12 @@ function read_hosts() { */ function unbound_add_host_entries() { global $config; - + /* XXX: break this out into a separate config file and make use of include */ $unboundcfg = $config['installedpackages']['unbound']['config'][0]; $syscfg = $config['system']; $dnsmasqcfg = $config['dnsmasq']; - + $unbound_entries = "local-zone: \"{$syscfg['domain']}\" transparent\n"; // IPv4 entries $unbound_entries .= "local-data-ptr: \"127.0.0.1 localhost\"\n"; @@ -823,7 +819,7 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost AAAA ::1\"\n"; $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } - + if ($config['interfaces']['lan']) { $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { 
@@ -846,62 +842,135 @@ function unbound_add_host_entries() { } } + $added_item_v4 = array(); + $added_item_v6 = array(); // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; - $host_entries = ""; + $host_entries = "# DNSMasq Host overrides\n"; $added_item = array(); foreach ($hosts as $host) { - $current_host = $host['host']; - if ($host['host'] != "") - $host['host'] = $host['host']."."; - if(!$added_item[$current_host]) { - $host_entries .= "local-data-ptr: \"{$host['ip']} {$host['host']}{$host['domain']}\"\n"; - if(function_exists("is_ipaddrv6")) { - if (is_ipaddrv6($host['ip'])) - $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN AAAA {$host['ip']}\"\n"; - else - $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n"; - } else - $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n"; - if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on') - $host_entries .= "local-data: '{$host['host']}{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; - - // Do not add duplicate entries + $current_host = ($host['host'] != "") ? $host['host'].".".$host['domain'] : $host['domain']; + if (function_exists("is_ipaddrv6") && is_ipaddrv6($host['ip'])) { + if (!$added_item_v6[$curent_host]) { + $host_entries .= "local-data-ptr: \"{$host['ip']} {$current_host}\"\n"; + $host_entries .= "local-data: \"{$current_host} IN AAAA {$host['ip']}\"\n"; + $added_item_v6[$current_host] = true; + } + if ($host['aliases']['item'] && is_array($host['aliases']['item'])) + foreach ($host['aliases']['item'] as $alias) { + $current_alias = ($alias['host'] != "") ? 
$alias['host'].".".$alias['domain'] : $alias['domain']; + if (!$added_item_v6[$current_alias]) { + $host_entries .= "local-data: \"{$current_alias} IN AAAA {$host['ip']}\"\n"; + $added_item_v6[$current_alias] = true; + if ((!$added_item[$current_alias]) && (!empty($alias['description'])) && ($unboundcfg['txtsupport'] == 'on')) { + $host_entries .= "local-data: '{$current_alias} TXT \"".addslashes($alias['description'])."\"'\n"; + $added_item[$current_alias] = true; + } + } + } + } else { + if (!$added_item_v4[$current_host]) { + $host_entries .= "local-data-ptr: \"{$host['ip']} {$current_host}\"\n"; + $host_entries .= "local-data: \"{$current_host} IN A {$host['ip']}\"\n"; + $added_item_v4[$current_host] = true; + } + if ($host['aliases']['item'] && is_array($host['aliases']['item'])) + foreach ($host['aliases']['item'] as $alias) { + $current_alias = ($alias['host'] != "") ? $alias['host'].".".$alias['domain'] : $alias['domain']; + if (!$added_item_v4[$current_alias]) { + $host_entries .= "local-data: \"{$current_alias} IN A {$host['ip']}\"\n"; + $added_item_v4[$current_alias] = true; + if ((!$added_item[$current_alias]) && (!empty($alias['description'])) && ($unboundcfg['txtsupport'] == 'on')) { + $host_entries .= "local-data: '{$current_alias} TXT \"".addslashes($alias['description'])."\"'\n"; + $added_item[$current_alias] = true; + } + } + } + } + if ((!$added_item[$current_host]) && (!empty($host['descr'])) && ($unboundcfg['txtsupport'] == 'on')) { + $host_entries .= "local-data: '{$current_host} TXT \"".addslashes($host['descr'])."\"'\n"; $added_item[$current_host] = true; } } - $unbound_entries .= $host_entries; + $unbound_entries .= $host_entries; } + // Static DHCP entries - $host_entries = ""; + $host_entries = "# DHCP Reservations\n"; if (isset($unboundcfg['regdhcpstatic']) && is_array($config['dhcpd'])) { foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) foreach 
($dhcpifconf['staticmap'] as $host) if ($host['ipaddr'] && $host['hostname']) { - $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']}\"\n"; - $host_entries .= "local-data: \"{$host['hostname']}.{$syscfg['domain']} IN A {$host['ipaddr']}\"\n"; - if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on') - $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; + $current_host = $host['hostname'].".".$syscfg['domain']; + if (!$added_item_v4[$current_host]) { + $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$current_host}\"\n"; + $host_entries .= "local-data: \"{$current_host} IN A {$host['ipaddr']}\"\n"; + $added_item_v4[$current_host] = true; + if ((!$added_item[$current_host]) && (!empty($host['descr'])) && ($unboundcfg['txtsupport'] == 'on')) { + $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; + $added_item[$current_host] = true; + } + } + } + $unbound_entries .= $host_entries; + } + + // Static DHCPv6 entries + $host_entries = "# DHCPv6 reservations\n"; + if (isset($unboundcfg['regdhcpstatic']) && is_array($config['dhcpdv6'])) { + foreach ($config['dhcpdv6'] as $dhcpif => $dhcpifconf) + if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) + foreach ($dhcpifconf['staticmap'] as $host) + if ($host['ipaddrv6'] && $host['hostname']) { + $current_host = $host['hostname'].".".$syscfg['domain']; + if (!$added_item_v6[$current_host]) { + $host_entries .= "local-data-ptr: \"{$host['ipaddrv6']} {$current_host}\"\n"; + $host_entries .= "local-data: \"{$current_host} IN AAAA {$host['ipaddrv6']}\"\n"; + $added_item_v6[$current_host] = true; + if ((!$added_item[$current_host]) && (!empty($host['descr'])) && ($unboundcfg['txtsupport'] == 'on')) { + $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; + 
$added_item[$current_host] = true; + } + } } $unbound_entries .= $host_entries; - } + } // Handle DHCPLeases added host entries $dhcplcfg = read_hosts(); - $host_entries = ""; + $host_entries = "# /etc/hosts entries\n"; if(is_array($dhcplcfg)) { foreach($dhcplcfg as $key=>$host) { - $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; - $host_entries .= "local-data: \"{$host['fqdn']} IN A {$host['ipaddr']}\"\n"; - if (!empty($host['name'])) { - $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['name']}\"\n"; - $host_entries .= "local-data: \"{$host['name']} IN A {$host['ipaddr']}\"\n"; + $current_host = $host['fqdn']; + if (function_exists("is_ipaddrv6") && is_ipaddrv6($host['ipaddr'])) { + if (!$added_item_v6[$current_host]) { + $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; + $host_entries .= "local-data: \"{$host['fqdn']} IN AAAA {$host['ipaddr']}\"\n"; + $added_item_v6[$current_host] = true; + if ((!empty($host['name'])) && (!$added_item_v6[$host['name']])) { + $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['name']}\"\n"; + $host_entries .= "local-data: \"{$host['name']} IN AAAA {$host['ipaddr']}\"\n"; + $added_item_v6[$host['name']] = true; + } + } + } else { + if (!$added_item_v4[$current_host]) { + $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; + $host_entries .= "local-data: \"{$host['fqdn']} IN A {$host['ipaddr']}\"\n"; + $added_item_v4[$current_host] = true; + if ((!empty($host['name'])) && (!$added_item_v4[$host['name']])) { + $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['name']}\"\n"; + $host_entries .= "local-data: \"{$host['name']} IN A {$host['ipaddr']}\"\n"; + $added_item_v4[$host['name']] = true; + } + } } } $unbound_entries .= $host_entries; } + return $unbound_entries; } 
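Review bot: In the DNSMasq host-override branch for IPv6 addresses the dedupe test reads `if (!$added_item_v6[$curent_host])` — `$curent_host` is a misspelling of `$current_host`, so the lookup is on an undefined variable, the condition is always true, and a host that appears twice (or also as an alias) gets duplicate `local-data-ptr`/`AAAA` lines, which is exactly what the new `$added_item_v6` map was introduced to prevent; the line should read `if (!$added_item_v6[$current_host]) {`. Separately, hostnames, domains and descriptions are interpolated straight into unbound directives with only `addslashes()` applied to the TXT text; a value containing a double quote or newline would terminate the directive early, so if the override and DHCP forms do not already restrict these fields to hostname characters (not visible here), a `preg_match` filter before emitting them would be prudent. The function's opening lines are outside the hunk.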
@@ -915,7 +984,7 @@ function unbound_add_domain_overrides($pvt=false) { // Domain overrides that have multiple entries need multiple stub-addr: added $sorted_domains = msort($domains, "domain"); - $result = array(); + $result = array(); foreach($sorted_domains as $domain) { $domain_key = current($domain); if(!isset($result[$domain_key])) { @@ -923,7 +992,7 @@ function unbound_add_domain_overrides($pvt=false) { } $result[$domain_key][] = $domain['ip']; } - + $domain_entries = ""; foreach($result as $domain=>$ips) { if($pvt == true) { @@ -939,7 +1008,7 @@ function unbound_add_domain_overrides($pvt=false) { } } return $domain_entries; - } + } } function unbound_acl_id_used($id) { @@ -962,4 +1031,4 @@ function unbound_get_next_id() { return $aclid; } -?>
\ No newline at end of file +?> diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 202e8451..10de1f97 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -9,7 +9,7 @@ part of the Unbound package for pfSense (http://www.pfSense.com) Copyright (C) 2011 Warren Baker All rights reserved. - */ + */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without @@ -34,13 +34,13 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ - ]]> + ]]> </copyright> <description>Unbound is a validating, recursive, and caching DNS resolver.</description> <requirements/> <faq/> <name>unbound</name> - <version>1.4.14</version> + <version>1.4.20_5</version> <title>Services: Unbound DNS Forwarder: Basic Settings</title> <include_file>/usr/local/pkg/unbound.inc</include_file> <menu> @@ -76,7 +76,7 @@ <item>http://www.pfsense.org/packages/config/unbound/unbound_advanced.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> @@ -142,7 +142,7 @@ <fieldname>forwarding_mode</fieldname> <fielddescr>Enable forwarding mode</fielddescr> <description>Configure the server to make use of the DNS servers configured in <a href="system.php">System: General setup</a>. <br/> - <b>Note:</b> Disabling this will cause Unbound to perform DNS queries without + <b>Note:</b> Disabling this will cause Unbound to perform DNS queries without using the upstream configured DNS servers.</description> <type>checkbox</type> <default_value>on</default_value> diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php index a7c3ea9e..59738aab 100644 --- a/config/unbound/unbound_acls.php 
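Review bot: Moving unbound_monitor.sh from `/usr/local/etc/rc.d/` to `/usr/local/bin/` means it is no longer started by the rc.d mechanism at boot, and an upgraded system keeps the old copy in rc.d unless something removes it; nothing in this file shows either the new launch path or cleanup of the stale copy. If the old rc.d copy still starts at boot, the pid-file check in the new script will not notice it (the old version wrote no pid file), so two monitors could run side by side. I would add an install/deinstall step that unlinks `/usr/local/etc/rc.d/unbound_monitor.sh`, or keep the old prefix.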
+++ b/config/unbound/unbound_acls.php @@ -95,7 +95,7 @@ if ($_POST) { $input_errors[] = gettext("You must enter a valid IPv4 address for {$networkacl[$x]['acl_network']}."); } } - + if (!$input_errors) { if ($pconfig['Submit'] == gettext("Save")) { @@ -139,7 +139,8 @@ include("head.inc"); <script type="text/javascript"> function mask_field(fieldname, fieldsize, n) { return '<select name="' + fieldname + n + '" class="formselect" id="' + fieldname + n + '"><?php - for ($i = 128; $i >= 0; $i--) { + $start = 24; if (function_exists("is_ipaddrv6")) $start = "128"; + for ($i = $start; $i >= 0; $i--) { echo "<option value=\"$i\">$i</option>"; } ?></select>'; @@ -173,7 +174,7 @@ if (is_subsystem_dirty("unbound")) print_info_box_np(gettext("The settings for Unbound DNS has changed. You must apply the configuration to take affect.")); ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> + <tr> <td class="tabnavtbl"> <ul id="tabnav"> <?php @@ -186,7 +187,7 @@ if (is_subsystem_dirty("unbound")) ?> </ul> </td> - </tr> + </tr> <tr> <td class="tabcont"> 
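Review bot: The IPv4 fallback in `mask_field` starts the prefix list at 24 (`$start = 24;`), so on a system without `is_ipaddrv6()` an ACL network cannot be given a /25–/32 prefix — a single-host /32 entry, the natural shape for the "Allow Snoop: ideally only your administrative host" case described on this same page, becomes impossible to enter. The IPv4 maximum is 32: `$start = 32; if (function_exists("is_ipaddrv6")) $start = 128;`. The two branches also assign an int and a string ("128"); the loop tolerates that, but a consistent int is clearer.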
@@ -221,10 +222,10 @@ if (is_subsystem_dirty("unbound")) <br/> <span class="vexpl"> <?=gettext("Choose what to do with DNS requests that match the criteria specified below.");?> <br/> - <?=gettext("<b>Deny:</b> This actions stops queries from hosts within the netblock defined below.");?> <br/> - <?=gettext("<b>Refuse:</b> This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?> <br/> - <?=gettext("<b>Allow:</b> This actions allows queries from hosts within the netblock defined below.");?> <br/> - <?=gettext("<b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/> + <?=gettext("<b>Deny:</b> This action stops queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Refuse:</b> This action also stops queries from hosts within the netblock defined below, but sends a DNS rcode REFUSED error message back to the client.");?> <br/> + <?=gettext("<b>Allow:</b> This action allows queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Allow Snoop:</b> This action allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/> </span> </td> </tr> @@ -375,4 +376,4 @@ if (is_subsystem_dirty("unbound")) </tr> </table> </body> -<?php include("fend.inc"); ?>
\ No newline at end of file +<?php include("fend.inc"); ?> diff --git a/config/unbound/unbound_acls.xml b/config/unbound/unbound_acls.xml index 7c6840ce..04319169 100644 --- a/config/unbound/unbound_acls.xml +++ b/config/unbound/unbound_acls.xml @@ -99,10 +99,10 @@ <fieldname>aclaction</fieldname> <fielddescr>Action</fielddescr> <description><br/>Choose an action:<br/><br/> - <b>Allow:</b> This actions allows queries from hosts within the netblock(s) defined below.<br/> - <b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.<br/> - <b>Deny:</b> This actions stops queries from hosts within the netblock(s) defined below.<br/> - <b>Refuse:</b> This actions also stops queries from hosts within the netblock(s) defined below, but sends back DNS rcode REFUSED error message back to the client.</description> + <b>Allow:</b> This action allows queries from hosts within the netblock(s) defined below.<br/> + <b>Allow Snoop:</b> This action allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.<br/> + <b>Deny:</b> This action stops queries from hosts within the netblock(s) defined below.<br/> + <b>Refuse:</b> This action also stops queries from hosts within the netblock(s) defined below, but sends a DNS rcode REFUSED error message back to the client.</description> <type>select</type> <options> <option><name>Allow</name><value>allow</value></option> diff --git a/config/unbound/unbound_advanced.xml b/config/unbound/unbound_advanced.xml index 30fca482..2da5b505 100644 --- a/config/unbound/unbound_advanced.xml +++ b/config/unbound/unbound_advanced.xml 
@@ -99,7 +99,7 @@ <field> <fieldname>prefetch</fieldname> <fielddescr>Prefetch Support</fielddescr> - <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire form the cache. Default is disabled.</description> + <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire from the cache. Default is disabled.</description> <type>checkbox</type> <default_value>off</default_value> <advancedfield/> @@ -123,7 +123,7 @@ <field> <fieldname>harden_dnssec_stripped</fieldname> <fielddescr>Harden DNSSEC data</fielddescr> - <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is becomes bogus. If disabled then and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description> + <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is considered bogus. If disabled and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description> <type>checkbox</type> <default_value>on</default_value> <advancedfield/> 
@@ -219,11 +219,12 @@ <fieldname>num_queries_per_thread</fieldname> <description>The number of queries that every thread will service simultaneously. If more queries arrive that need to be serviced, and no queries can be jostled, then these queries are dropped.</description> <type>select</type> - <default_value>1024</default_value> + <default_value>4096</default_value> <options> <option><name>512</name><value>512</value></option> <option><name>1024</name><value>1024</value></option> <option><name>2048</name><value>2048</value></option> + <option><name>4096</name><value>4096</value></option> </options> <advancedfield/> </field> @@ -305,7 +306,7 @@ <field> <fielddescr>Custom Options</fielddescr> <fieldname>custom_options</fieldname> - <description>You can put your own custom options here, separated by semi-colons (;). These configurations options will then be added to the configuration file. <br/> <b>Note:</b> They need to be Unbound native configuration options, otherwise Unbound will <b>not</b> work.</description> + <description>You can put your own custom options here, separated by semi-colons (;). These configuration options will then be added to the configuration file. <br/> <b>Note:</b> They need to be Unbound native configuration options, otherwise Unbound will <b>not</b> work.</description> <type>textarea</type> <cols>65</cols> <rows>5</rows> diff --git a/config/unbound/unbound_monitor.sh b/config/unbound/unbound_monitor.sh index 152a308e..91e5a2ed 100755 --- a/config/unbound/unbound_monitor.sh +++ b/config/unbound/unbound_monitor.sh 
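Review bot: Raising the default `num_queries_per_thread` to 4096 only affects newly created configurations, and in Unbound this value is meant to be paired with an `outgoing-range` larger than it (if memory serves, the unbound.conf manual recommends that ordering); nothing in this diff shows outgoing-range being raised to match. I would check that the generated config keeps that relationship, or note it in the field description, e.g. `Default is 4096; outgoing-range should be set larger than this value.`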
@@ -27,37 +27,65 @@ # POSSIBILITY OF SUCH DAMAGE. # +export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin + set -e LOOP_SLEEP=5 +PIDFILE=/var/run/unbound_monitor.pid if [ -f /var/run/unbound_alarm ]; then rm /var/run/unbound_alarm fi +PID="" +if [ -f "${PIDFILE}" ]; then + PID=`head -n 1 ${PIDFILE}` +fi + +if [ "$1" = "stop" ]; then + if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then + kill ${PID} + else + pkill -f unbound_monitor.sh + fi + exit 0 +fi + +if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then + echo "There is another unbound monitor process running" + exit 0 +fi + +echo $$ > ${PIDFILE} + # Sleep 5 seconds on startup not to mangle with existing boot scripts. sleep 5 -while [ /bin/true ]; do - if [ ! -f /var/run/unbound_alarm ]; then - NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'` - if [ $NUM_PROCS -lt 1 ]; then - # Unbound is not running - echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm - echo "Attempting restart..." | logger -p daemon.info -i -t Unbound_Alarm - /usr/local/etc/rc.d/unbound.sh start - sleep 3 - touch /var/run/unbound_alarm - fi - fi - NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/unbound_alarm ]; then - echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm - rm /var/run/unbound_alarm - fi - fi - sleep $LOOP_SLEEP +while true; do + if [ ! -f "${PIDFILE}" ]; then + echo $$ > ${PIDFILE} + fi + + if [ ! -f /var/run/unbound_alarm ]; then + NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'` + if [ $NUM_PROCS -lt 1 ]; then + # Unbound is not running + echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm + echo "Attempting restart..." 
| logger -p daemon.info -i -t Unbound_Alarm + /usr/local/etc/rc.d/unbound.sh start + sleep 3 + touch /var/run/unbound_alarm + fi + fi + NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/unbound_alarm ]; then + echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm + rm /var/run/unbound_alarm + fi + fi + sleep $LOOP_SLEEP done if [ -f /var/run/unbound_alarm ]; then diff --git a/config/unbound/unbound_status.php b/config/unbound/unbound_status.php index d011b109..d7371f29 100644 --- a/config/unbound/unbound_status.php +++ b/config/unbound/unbound_status.php @@ -31,6 +31,12 @@ require("guiconfig.inc"); +// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) + define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m")); +else + define("UNBOUND_BASE", "/usr/local"); + if(!is_process_running("unbound")) { Header("Location: /pkg_edit.php?xml=unbound.xml&id=0"); exit; @@ -40,11 +46,11 @@ $pgtitle = "Services: Unbound DNS Forwarder: Status"; include("head.inc"); function doCmdT($title, $command, $rows) { - echo "<p>\n"; - echo "<a name=\"" . $title . "\">\n"; - echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; - echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; - echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */ + echo "<p>\n"; + echo "<a name=\"" . $title . "\">\n"; + echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; + echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; + echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */ if ($command == "dumpconfigxml") { $fd = @fopen("/conf/config.xml", "r"); 
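Review bot: The liveness test `NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'`` matches any process name containing "unbound" — an `unbound-control` or `unbound-anchor` run (presumably what the status page and the `unbound_control()` calls invoke) counts as a running resolver, so the monitor can stay silent while the daemon is actually down; `pgrep -x unbound` restricts the match to the exact name. The new pid-file handling is a read-then-write with no lock, so two monitors started at the same moment can both pass the check and both write `${PIDFILE}`, and the `stop` fallback `pkill -f unbound_monitor.sh` kills every process whose command line contains that string, including the stopping invocation itself. A `lockf`/`mkdir`-style lock around the pid-file section would close the race, and the `-f` fallback could be dropped once the pid file is reliable.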
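Review bot: `define("UNBOUND_BASE", ...)` is unguarded; the same constant is used by unbound.inc (see the uninstall hunk above), and if that include defines it too and is ever pulled into this page PHP raises a "constant already defined" notice. `if (!defined("UNBOUND_BASE"))` around the block avoids that, and moving the version test into the include so the two definitions cannot drift would be better still.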
@@ -71,46 +77,46 @@ function doCmdT($title, $command, $rows) { echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES); } } - echo "</textarea></tr>\n"; - echo "</table>\n"; + echo "</textarea></tr>\n"; + echo "</table>\n"; } /* Execute a command, giving it a title which is the same as the command. */ function doCmd($command) { - doCmdT($command,$command); + doCmdT($command,$command); } /* Define a command, with a title, to be executed later. */ function defCmdT($title, $command, $rows = "20") { - global $commands; - $title = htmlspecialchars($title,ENT_NOQUOTES); - $commands[] = array($title, $command, $rows); + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[] = array($title, $command, $rows); } /* Define a command, with a title which is the same as the command, * to be executed later. */ function defCmd($command) { - defCmdT($command,$command); + defCmdT($command,$command); } /* List all of the commands as an index. */ function listCmds() { - global $commands; - echo "<p>" . gettext("This status page includes the following information") . ":\n"; - echo "<ul width=\"100%\">\n"; - for ($i = 0; isset($commands[$i]); $i++ ) { - echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n"; - } - echo "</ul>\n"; + global $commands; + echo "<p>" . gettext("This status page includes the following information") . ":\n"; + echo "<ul width=\"100%\">\n"; + for ($i = 0; isset($commands[$i]); $i++ ) { + echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n"; + } + echo "</ul>\n"; } /* Execute all of the commands which were defined by a call to defCmd. */ function execCmds() { - global $commands; - for ($i = 0; isset($commands[$i]); $i++ ) { - doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]); - } + global $commands; + for ($i = 0; isset($commands[$i]); $i++ ) { + doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]); + } } ?> 
@@ -135,10 +141,10 @@ function execCmds() { </tr> </table> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont" width="100%"> + <tr> + <td class="tabcont" width="100%"> <?php - $entries = trim(exec("/usr/local/sbin/unbound-control dump_cache | wc -l")); + $entries = trim(exec(UNBOUND_BASE . "/sbin/unbound-control dump_cache | wc -l")); defCmdT("Unbound status", "unbound-control status", "6"); defCmdT("Unbound stats", "unbound-control stats_noreset"); defCmdT("Unbound stubs", "unbound-control list_stubs", "8"); @@ -146,12 +152,12 @@ function execCmds() { defCmdT("Unbound local zones", "unbound-control list_local_zones"); defCmdT("Unbound local data", "unbound-control list_local_data"); defCmdT("Unbound cache ($entries entries)", "unbound-control dump_cache", "60"); - defCmdT("Unbound configuration", "/bin/cat /usr/local/etc/unbound/unbound.conf", "60"); + defCmdT("Unbound configuration", "/bin/cat " . UNBOUND_BASE . "/etc/unbound/unbound.conf", "60"); listCmds(); execCmds(); ?> - </td> - </tr> + </td> + </tr> </table> </div> <?php include("fend.inc"); ?> diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc index 9d38161e..3449c68b 100644 --- a/config/varnish3/varnish.inc +++ b/config/varnish3/varnish.inc @@ -34,7 +34,7 @@ /* ========================================================================== */ function varnish_settings_post_validate($post, $input_errors) { - if($post['storagesize'] && !is_numeric($post['storagesize'])) + if( !is_numeric($post['storagesize'])) $input_errors[] = "A valid number is required for the field 'Storage size'"; if($post['listeningport'] && !is_numeric($post['listeningport'])) $input_errors[] = "A valid number is required for the field 'Listening port'"; 
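Review bot: The hunk fixes the path only for the `dump_cache | wc -l` count and the `cat` of unbound.conf, while the `defCmdT(...)` entries still run a bare `unbound-control`; on a PBI install where the binary lives under UNBOUND_BASE, the web server's PATH may not find it, so the status, stats and local-data sections would render empty (or pick up a different binary) even though the cache count works. Build those command strings from the same constant: `$uc = UNBOUND_BASE . "/sbin/unbound-control"; defCmdT("Unbound status", "$uc status", "6");` and likewise for the rest. The page also runs `dump_cache` twice, once to count lines and once to display, which doubles the cost on a large cache; the count could be taken from the captured output instead.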
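Review bot: `is_numeric()` accepts signed, decimal and exponent forms ("-1", "1.5", "1e3"), so the tightened `storagesize` check still lets through values that are unlikely to be valid for a Varnish storage size; if the value is later interpolated into the varnishd command line (not visible here), `ctype_digit($post['storagesize']) && $post['storagesize'] > 0` is the safer shape, and `listeningport` likewise has no 1–65535 range check. Note also that `$input_errors` is received by value in this signature; the directors validator further down is invoked with a call-time `&$input_errors`, a form PHP 5.4 rejects, so if this one is called the same way the portable fix is to declare the parameter as `&$input_errors` here.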
@@ -329,6 +329,22 @@ function get_backend_config_txt() { $probe_threshold = $backend['probe_threshold']; else $probe_threshold = "5"; + + + if ($backend['probe_disable']) { + $probe = ""; + } else { + $probe = <<<EOFPROBE + .probe = { + {$probe_url} + .interval = {$probe_interval}; + .timeout = {$probe_timeout}; + .window = {$probe_window}; + .threshold = {$probe_threshold}; + } +EOFPROBE; + } + if (isset($probe_threshold)){ #last parameter set ,so write conf if backend is in use if ($backends_in_use[$backend['backendname']] != ""){ @@ -340,13 +356,7 @@ backend {$backend['backendname']}BACKEND { .port = "{$backend['port']}"; .first_byte_timeout = {$first_byte_timeout}; .connect_timeout = {$connect_timeout}; - .probe = { - {$probe_url} - .interval = {$probe_interval}; - .timeout = {$probe_timeout}; - .window = {$probe_window}; - .threshold = {$probe_threshold}; - } +{$probe} } diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml index e35ef07b..e480a8d6 100644 --- a/config/varnish3/varnish_backends.xml +++ b/config/varnish3/varnish_backends.xml @@ -11,7 +11,7 @@ Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> Copyright (C) 2011 Marcello Coutinho All rights reserved. -*/ +/*/ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without @@ -221,6 +221,12 @@ <type>input</type> </field> <field> + <fielddescr>Disable Probe</fielddescr> + <fieldname>probe_disable</fieldname> + <description>Check to disable probing for this backend</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Mappings</fielddescr> <fieldname>Mappings</fieldname> <type>listtopic</type> diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml index 345dae51..0912e267 100644 --- a/config/varnish3/varnish_lb_directors.xml +++ b/config/varnish3/varnish_lb_directors.xml 
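Review bot: `if ($backend['probe_disable'])` raises an undefined-index notice for backends saved before this field existed; `if (!empty($backend['probe_disable']))` is consistent with the `isset()`/`!empty()` checks used for optional checkboxes elsewhere in these packages. Otherwise the change reads correctly: `$probe_threshold` is still assigned unconditionally, so the `isset($probe_threshold)` gate below continues to emit the backend block with or without the probe. The enclosing function starts outside the hunk.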
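Review bot: The copyright block's closing `*/` has become `/*/` on the new side; inside the CDATA it is only text, but it looks accidental and should be reverted to `*/`, which is how the matching block in unbound.xml still ends.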
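Review bot: The new "Disable Probe" description does not say what disabling does to load balancing: with no `.probe`, Varnish has no health signal for the backend, so a director will keep sending it traffic after it fails. I would extend the description to `Check to disable health probing for this backend. A backend without a probe is always treated as healthy and will not be taken out of rotation by a director when it fails.`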
@@ -119,7 +119,7 @@ <fielddescr>Rewrite url</fielddescr> <fieldname>rewriteurl</fieldname> </columnitem> - + <columnitem> <fielddescr>Type</fielddescr> <fieldname>directortype</fieldname> @@ -176,13 +176,13 @@ <type>input</type> <size>40</size> </field> - <field> - <fielddescr>Rewrite Host</fielddescr> - <fieldname>rewritehost</fieldname> - <description>Hint image.mysite.com</description> - <type>input</type> - <size>40</size> - </field> + <field> + <fielddescr>Rewrite Host</fielddescr> + <fieldname>rewritehost</fieldname> + <description>Hint image.mysite.com</description> + <type>input</type> + <size>40</size> + </field> <field> <fielddescr>Rewrite URL</fielddescr> <fieldname>rewriteurl</fieldname> @@ -277,4 +277,4 @@ <custom_php_validation_command> varnish_lb_directors_post_validate($_POST, &$input_errors); </custom_php_validation_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/vhosts/vhosts.inc b/config/vhosts/vhosts.inc index a5b8c4e2..651b79b2 100644 --- a/config/vhosts/vhosts.inc +++ b/config/vhosts/vhosts.inc 
@@ -736,31 +736,31 @@ function vhosts_install_command() { if(stristr(php_uname('r'), '7.2') == TRUE) { if (!file_exists('/usr/local/php5')) { chdir('/usr/local/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd7.2/php5.tar.gz"); + exec ("fetch http://files.pfsense.org/packages/7/vhosts/php5.tar.gz"); exec("tar zxvf /usr/local/php5.tar.gz -C /usr/local/"); exec("rm /usr/local/php5.tar.gz"); } if (!file_exists('/usr/local/lib/libxml2.so.5')) { chdir('/usr/local/lib/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd7.2/usr.local.lib/libxml2.so.5"); + exec ("fetch http://files.pfsense.org/packages/7/vhosts/usr.local.lib/libxml2.so.5"); } if (!file_exists('/usr/local/lib/libxml2.so')) { chdir('/usr/local/lib/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd7.2/usr.local.lib/libxml2.so"); + exec ("fetch http://files.pfsense.org/packages/7/vhosts/usr.local.lib/libxml2.so"); } if (!file_exists('/usr/local/lib/libxml2.la')) { chdir('/usr/local/lib/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd7.2/usr.local.lib/libxml2.la"); + exec ("fetch http://files.pfsense.org/packages/7/vhosts/usr.local.lib/libxml2.la"); } if (!file_exists('/usr/local/lib/libxml2.a')) { chdir('/usr/local/lib/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd7.2/usr.local.lib/lib/libxml2.a"); + exec ("fetch http://files.pfsense.org/packages/7/vhosts/usr.local.lib/lib/libxml2.a"); } } if(stristr(php_uname('r'), '8.1') == TRUE) { if (!file_exists('/usr/local/php5')) { chdir('/usr/local/'); - exec ("fetch http://www.pfsense.com/packages/config/vhosts/freebsd8.0/php5.tar.gz"); + exec ("fetch http://files.pfsense.org/packages/8/vhosts/php5.tar.gz"); exec("tar zxvf /usr/local/php5.tar.gz -C /usr/local/"); exec("rm /usr/local/php5.tar.gz"); } diff --git a/config/vnstat/vnstat.xml b/config/vnstat/vnstat.xml index 2a0c06f5..63a121a0 100644 --- a/config/vnstat/vnstat.xml +++ b/config/vnstat/vnstat.xml 
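Review bot: The install path still downloads `php5.tar.gz` and the libxml2 shared objects over plain HTTP and unpacks or places them under /usr/local as root with no checksum or signature verification and no check that `fetch` succeeded; the commit only changes the host name, so an on-path attacker between the firewall and files.pfsense.org can substitute the archive and obtain code execution on the firewall. At minimum, abort when `fetch` returns non-zero and compare the download against a pinned digest before `tar zxvf`, e.g. `if (trim(exec("sha256 -q /usr/local/php5.tar.gz")) !== $expected_sha256) { unlink("/usr/local/php5.tar.gz"); return; }`, and use https if the mirror offers it. The enclosing vhosts_install_command() starts outside the hunk.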
@@ -25,7 +25,7 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat/bin/vnstat_php_frontend-1.4.1.tar.gz</item> + <item>http://files.pfsense.org/packages/7/vnstat/vnstat_php_frontend-1.4.1.tar.gz</item> </additional_files_needed> <custom_php_resync_config_command></custom_php_resync_config_command> <custom_php_install_command>vnstat_install_config();</custom_php_install_command> diff --git a/config/vnstat2/vnstat2.xml b/config/vnstat2/vnstat2.xml index 08bfc91d..25cd0bcb 100644 --- a/config/vnstat2/vnstat2.xml +++ b/config/vnstat2/vnstat2.xml @@ -48,7 +48,7 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat2/bin/vnstat_php_frontend-1.4.1.tar.gz</item> + <item>http://files.pfsense.org/packages/8/vnstat/vnstat_php_frontend-1.4.1.tar.gz</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> 
@@ -68,22 +68,22 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat2/bin/diag_vnstat.abc</item> + <item>http://files.pfsense.org/packages/8/vnstat/diag_vnstat.abc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat2/bin/diag_vnstat2.abc</item> + <item>http://files.pfsense.org/packages/8/vnstat/diag_vnstat2.abc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat2/bin/vnstat2_img.abc</item> + <item>http://files.pfsense.org/packages/8/vnstat/vnstat2_img.abc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/vnstat2/bin/vnstati.abc</item> + <item>http://files.pfsense.org/packages/8/vnstat/vnstati.abc</item> </additional_files_needed> <fields> <field> diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index 6d6193d8..e488bc49 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -29,10 +29,14 @@ global $config, $g; /* array sorting */ function sksort(&$array, $subkey="id", $sort_ascending=false) { + /* an empty array causes sksort to fail - this test alleviates the error */ + if(empty($array)) + { + return false; + } if (count($array)) { $temp_array[key($array)] = array_shift($array); }; - foreach ($array as $key => $val){ $offset = 0; $found = false; 
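Review bot: With the new `if(empty($array)) return false;` guard the following `if (count($array))` test is redundant — it can only be true at that point — and `sksort` now returns `false` for empty input, while the callers shown in this widget ignore the return value; a bare `return;` would avoid implying a meaningful result. The comment `/* an empty array causes sksort to fail - this test alleviates the error */` would be more useful if it named what actually went wrong (presumably `$temp_array[key($array)] = array_shift($array)` turning an empty input into a one-element array with an empty key). The rest of sksort continues in the next hunk.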
@@ -49,60 +53,68 @@ function sksort(&$array, $subkey="id", $sort_ascending=false) {
 if ($sort_ascending) {
 $array = array_reverse($temp_array);
 } else $array = $temp_array;
+ /* below is the complement for empty array test */
+ return true;
 };
 /* check if firewall widget variable is set */
 if (!isset($nentries)) $nentries = 5;
-/* retrieve snort variables */
-require_once("/usr/local/pkg/snort/snort.inc");
-if (!is_array($config['installedpackages']['snortglobal']['rule']))
- $config['installedpackages']['snortglobal']['rule'] = array();
-$a_instance = &$config['installedpackages']['snortglobal']['rule'];
+/* check if Snort include file exists before we use it */
+if (file_exists("/usr/local/pkg/snort/snort.inc")) {
+ require_once("/usr/local/pkg/snort/snort.inc");
-/* read log file(s) */
-$counter=0;
-foreach ($a_instance as $instanceid => $instance) {
- $snort_uuid = $a_instance[$instanceid]['uuid'];
- $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
+ /* retrieve snort variables */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+ $a_instance = &$config['installedpackages']['snortglobal']['rule'];
+
+ /* read log file(s) */
+ $counter=0;
+ foreach ($a_instance as $instanceid => $instance) {
+ $snort_uuid = $a_instance[$instanceid]['uuid'];
+ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
- /* make sure alert file exists */
- if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
- exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");
- if (file_exists("/tmp/alert_{$snort_uuid}")) {
- $tmpblocked = array_flip(snort_get_blocked_ips());
+ /* make sure alert file exists */
+ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+ exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");
+ if (file_exists("/tmp/alert_{$snort_uuid}")) {
+ $tmpblocked = array_flip(snort_get_blocked_ips());
- /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
- /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
- $fd = fopen("/tmp/alert_{$snort_uuid}", "r");
- while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
- if(count($fields) < 11)
- continue;
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
+ $fd = fopen("/tmp/alert_{$snort_uuid}", "r");
+ while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
+ if(count($fields) < 11)
+ continue;
- $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
- $snort_alerts[$counter]['timestamp'] = $fields[0];
- $snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8);
- $snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17);
- $snort_alerts[$counter]['src'] = $fields[6];
- $snort_alerts[$counter]['srcport'] = $fields[7];
- $snort_alerts[$counter]['dst'] = $fields[8];
- $snort_alerts[$counter]['dstport'] = $fields[9];
- $snort_alerts[$counter]['priority'] = $fields[12];
- $snort_alerts[$counter]['category'] = $fields[11];
- $counter++;
+ $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
+ $snort_alerts[$counter]['timestamp'] = $fields[0];
+ $snort_alerts[$counter]['timeonly'] = substr($fields[0], strpos($fields[0], '-')+1, -8);
+ $snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, strpos($fields[0], '-'));
+ $snort_alerts[$counter]['src'] = $fields[6];
+ $snort_alerts[$counter]['srcport'] = $fields[7];
+ $snort_alerts[$counter]['dst'] = $fields[8];
+ $snort_alerts[$counter]['dstport'] = $fields[9];
+ $snort_alerts[$counter]['priority'] = $fields[12];
+ $snort_alerts[$counter]['category'] = $fields[11];
+ $counter++;
+ };
+ fclose($fd);
+ @unlink("/tmp/alert_{$snort_uuid}");
 };
- fclose($fd);
- @unlink("/tmp/alert_{$snort_uuid}");
 };
 };
-};
-/* sort the array */
-if (isset($config['syslog']['reverse'])) {
- sksort($snort_alerts, 'timestamp', false);
+ /* sort the array */
+ if (isset($config['syslog']['reverse'])) {
+ sksort($snort_alerts, 'timestamp', false);
+ } else {
+ sksort($snort_alerts, 'timestamp', true);
+ };
 } else {
- sksort($snort_alerts, 'timestamp', true);
-};
+ $msg = gettext("The Snort package is not installed.");
+}
 /* display the result */
 ?>
@@ -125,7 +137,13 @@ if (is_array($snort_alerts)) {
 $counter++;
 if($counter >= $nentries) break;
 }
-};
+} else {
+ if (!empty($msg)) {
+ echo (" <tr class=\"snort-alert-entry\">
+ <td colspan=\"3\" align=\"center\"><br>{$msg}</br></td>
+ </tr>");
+ }
+}
 ?>
 </tbody>
-</table>
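Review bot: The row filter `if(count($fields) < 11) continue;` still lets 11- and 12-field rows through to the `$fields[11]` and `$fields[12]` reads a few lines below, so a short alert line raises undefined-index notices inside the widget; the bound should be `if(count($fields) < 13) continue;`. The new `strpos($fields[0], '-')` results are used unchecked: on a timestamp with no dash strpos returns false, `false+1` becomes 1 and `substr(..., 0, false)` yields an empty string, so resolve the separator once, e.g. `$sep = strpos($fields[0], '-'); if ($sep === false) continue;`, and use `$sep` in both substr calls. `$nentries`, `$if_real` and `$snort_uuid` are still interpolated straight into the `exec("tail ...")` command line; casting the count with `(int)$nentries` and passing both paths through `escapeshellarg()` keeps config-derived values from ever being parsed as shell syntax. `$fd = fopen(...)` is also not checked for false before the fgetcsv loop. This hunk begins inside sksort, and the display code it feeds continues after it.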
\ No newline at end of file
+</table>
diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc
new file mode 100644
index 00000000..105dd1e7
--- /dev/null
+++ b/config/widget-snort/widget-snort.inc
@@ -0,0 +1,24 @@
+<?php
+require_once("config.inc");
+function widget_snort_uninstall() {
+
+ global $config;
+
+ /* Remove the Snort widget from the Dashboard display list */
+ $widgets = $config['widgets']['sequence'];
+ if (!empty($widgets)) {
+ $widgetlist = explode(",", $widgets);
+ foreach ($widgetlist as $key => $widget) {
+ if (strstr($widget, "snort_alerts-container"))
+ unset($widgetlist[$key]);
+ }
+ $config['widgets']['sequence'] = implode(",", $widgetlist);
+ write_config();
+ }
+
+ /* Remove our associated files */
+ unlink("/usr/local/www/widgets/include/widget-snort.inc");
+ unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
+ unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
+}
+?>
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
index 785ac5b1..b415bd12 100644
--- a/config/widget-snort/widget-snort.xml
+++ b/config/widget-snort/widget-snort.xml
@@ -46,8 +46,15 @@
 <requirements>Dashboard package and Snort</requirements>
 <faq>Currently there are no FAQ items provided.</faq>
 <name>widget-snort</name>
- <version>0.5</version>
+ <version>0.3.4</version>
 <title>Widget - Snort</title>
+ <include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file>
+ <menu>
+ </menu>
+ <service>
+ </service>
+ <tabs>
+ </tabs>
 <additional_files_needed>
 <prefix>/usr/local/www/widgets/javascript/</prefix>
 <chmod>0644</chmod>
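Review bot: The new echo line writes `<br>{$msg}</br>`, and `</br>` is not a closing tag in HTML; browsers treat it as a second line break, so `<br />{$msg}` is what was meant. `$msg` is only ever a `gettext()` string here, but it is emitted into table markup unescaped, and wrapping it as `htmlspecialchars($msg)` at the echo keeps a translation containing `<` or `&` from breaking the widget table. The `if (is_array($snort_alerts))` block that this else belongs to starts outside the hunk.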
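Review bot: The three `unlink()` calls at the end of widget_snort_uninstall() run unconditionally, so an uninstall after a partial install, or a second uninstall, logs a warning per missing file; `unlink_if_exists()` is the helper this same commit uses in zabbix2.inc and fits here. The trailing `?>` on the last line of an include file is a hazard, since any byte after it is sent to the browser before headers, and it can simply be removed. `$config['widgets']['sequence']` is read with no `isset()` guard, which notices on a dashboard that was never customised; read it through `isset()` before the `empty()` test, e.g. `$widgets = isset($config['widgets']['sequence']) ? $config['widgets']['sequence'] : '';`.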
@@ -58,4 +65,20 @@
 <chmod>0644</chmod>
 <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item>
 </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/widgets/include/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item>
+ </additional_files_needed>
+ <fields>
+ </fields>
+ <custom_add_php_command>
+ </custom_add_php_command>
+ <custom_php_resync_config_command>
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ widget_snort_uninstall();
+ </custom_php_deinstall_command>
 </packagegui>
diff --git a/config/zabbix-agent/zabbix-agent.xml b/config/zabbix-agent/zabbix-agent.xml
index ce0e2339..02147989 100644
--- a/config/zabbix-agent/zabbix-agent.xml
+++ b/config/zabbix-agent/zabbix-agent.xml
@@ -111,7 +111,7 @@
 <rows>5</rows>
 <cols>50</cols>
 <required>false</required>
- <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l</description>
+ <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l <br><a href="https://www.zabbix.com/documentation/1.8/manual/tutorials/extending_agent" target="_new">See zabbix documentation for more information<a></description>
 </field>
 </fields>
 <custom_php_install_command>
@@ -183,7 +183,7 @@
 $ListenIP=$_POST['listenip'];
 if (!preg_match("/^(?:\d{1,3}\.){3}\d{1,3}$/", $ListenIP)) {
- $input_errors[]='Listen IP is not ip-adress.';
+ $input_errors[]='Listen IP is not an IP address.';
 }
 $ListenPort=$_POST['listenport'];
@@ -260,4 +260,4 @@
 exec("/bin/rm -r /var/run/zabbix/");
 ]]>
 </custom_php_deinstall_command>
-</packagegui>
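Review bot: `<version>0.3.4</version>` replaces 0.5, so the package version moves backwards; the package manager uses this value to decide whether an installed copy has an update available, so systems already on 0.5 may never be offered this release. If a new release line is intended, the number should still go up, e.g. `<version>0.5.1</version>`. The empty `<menu>`, `<service>` and `<tabs>` elements are presumably there to satisfy the package parser; a one-line XML comment such as `<!-- empty sections required by the package loader -->` would save the next reader a search.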
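Review bot: The new `<item>` for widget-snort.inc points at www.pfsense.com, while the zabbix2 manifests added in this same commit fetch from www.pfsense.org and the vnstat manifests are moved to files.pfsense.org; with three hosts in one commit it is worth confirming which one will keep serving package files. The include is fetched over plain HTTP with no digest in the manifest and is then executed as the deinstall hook, so whatever serves that URL is trusted as code; that matches the existing snort_alerts.widget.php entry above, but it deserves an XML comment recording the assumption.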
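Review bot: The new description closes its link with `<a>` instead of `</a>`, so the anchor is never terminated and everything rendered after it in the form stays inside the link; the tail should read `See zabbix documentation for more information</a>`. The raw `<br>` and `<a href=...>` are also unescaped inside an XML `<description>` element; whether they survive depends on how leniently the package parser reads the file, so it is worth checking against other descriptions in this package that embed markup and using `&lt;`/`&gt;` or a CDATA section if they do. `target="_new"` is not a reserved target name; `_blank` is the conventional value for a new window.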
\ No newline at end of file
+</packagegui>
diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml
new file mode 100644
index 00000000..41ba26fb
--- /dev/null
+++ b/config/zabbix2/zabbix2-agent.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+<copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ zabbix2-agent.xml
+ part of the Zebedee package for pfSense
+ Copyright (C) 2013 Danilo G. Baio
+ Copyright (C) 2013 Marcello Coutinho
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <name>zabbixagent</name>
+ <title>Services: Zabbix-2 Agent</title>
+ <category>Monitoring</category>
+ <version>0.7</version>
+ <include_file>/usr/local/pkg/zabbix2.inc</include_file>
+ <addedit_string>Zabbix Agent has been created/modified.</addedit_string>
+ <delete_string>Zabbix Agent has been deleted.</delete_string>
+ <restart_command>/usr/local/etc/rc.d/zabbix2_agentd.sh restart</restart_command>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/zabbix2/zabbix2.inc</item>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <menu>
+ <name>Zabbix-2 Agent</name>
+ <tooltiptext>Setup Zabbix Agent specific settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=zabbix2-agent.xml&id=0</url>
+ </menu>
+ <service>
+ <name>zabbix_agentd</name>
+ <rcfile>zabbix2_agentd.sh</rcfile>
+ <executable>zabbix_agentd</executable>
+ <description>Zabbix Agent runs on a host being monitored. The agent provides host's performance and availability information for Zabbix Server.</description>
+ </service>
+ <tabs>
+ <tab>
+ <text>Agent</text>
+ <url>/pkg_edit.php?xml=zabbix2-agent.xml&id=0</url>
+ <active />
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Zabbix2 Agent Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>agentenabled</fieldname>
+ <description>Enable Zabbix2 Agent service</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Server</fielddescr>
+ <fieldname>server</fieldname>
+ <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description>
+ <value>127.0.0.1</value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Server Active</fielddescr>
+ <fieldname>serveractive</fieldname>
+ <description>List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks</description>
+ <value></value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Hostname</fielddescr>
+ <fieldname>hostname</fieldname>
+ <description>Unique hostname. Required for active checks and must match hostname as configured on the Zabbix server (case sensitive).</description>
+ <value>localhost</value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Listen IP</fielddescr>
+ <fieldname>listenip</fieldname>
+ <value>0.0.0.0</value>
+ <type>input</type>
+ <size>60</size>
+ <description>Listen IP for connections from the server (generally 0.0.0.0 for all interfaces)</description>
+ </field>
+ <field>
+ <fielddescr>Listen Port</fielddescr>
+ <fieldname>listenport</fieldname>
+ <value>10050</value>
+ <type>input</type>
+ <size>5</size>
+ <description>Listen port for connections from the server (generally 10050)</description>
+ </field>
+ <field>
+ <fielddescr>Refresh Active Checks</fielddescr>
+ <fieldname>refreshactchecks</fieldname>
+ <value>120</value>
+ <type>input</type>
+ <size>5</size>
+ <description>The agent will refresh list of active checks once per 120 (default) seconds.</description>
+ </field>
+ <field>
+ <fielddescr>Timeout</fielddescr>
+ <fieldname>timeout</fieldname>
+ <value>3</value>
+ <type>input</type>
+ <size>5</size>
+ <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-255). The agent does not kill timeouted User Parameters processes!</description>
+ </field>
+ <field>
+ <fielddescr>Buffer Send</fielddescr>
+ <fieldname>buffersend</fieldname>
+ <value>5</value>
+ <type>input</type>
+ <size>5</size>
+ <description>Buffer Send (default 5). Do not keep data longer than N seconds in buffer (1-3600).</description>
+ </field>
+ <field>
+ <fielddescr>Buffer Size</fielddescr>
+ <fieldname>buffersize</fieldname>
+ <value>100</value>
+ <type>input</type>
+ <size>5</size>
+ <description>Buffer Size (default 100). Maximum number of values in a memory buffer (2-65535). The agent will send all collected data to Zabbix server or proxy if the buffer is full.</description>
+ </field>
+ <field>
+ <fielddescr>Start Agents</fielddescr>
+ <fieldname>startagents</fieldname>
+ <value>3</value>
+ <type>input</type>
+ <size>5</size>
+ <description>Start Agents (default 3). Number of pre-forked instances of zabbix_agentd that process passive checks (0-100).If set to 0, disables passive checks and the agent will not listen on any TCP port.</description>
+ </field>
+ <field>
+ <fielddescr>User Parameters</fielddescr>
+ <fieldname>userparams</fieldname>
+ <encoding>base64</encoding>
+ <value></value>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l</description>
+ </field>
+ </fields>
+ <custom_php_install_command>sync_package_zabbix2();</custom_php_install_command>
+ <custom_php_command_before_form></custom_php_command_before_form>
+ <custom_php_after_head_command></custom_php_after_head_command>
+ <custom_php_after_form_command></custom_php_after_form_command>
+ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command>
+ <custom_add_php_command></custom_add_php_command>
+ <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command>
+ <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command>
+</packagegui>
diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml
new file mode 100644
index 00000000..4441df99
--- /dev/null
+++ b/config/zabbix2/zabbix2-proxy.xml
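Review bot: `validate_input_zabbix2($_POST, &$input_errors)` in the new `<custom_php_validation_command>` uses call-time pass-by-reference, which PHP 5.4 turned into a fatal error; declare the reference on the parameter in zabbix2.inc and call it as `validate_input_zabbix2($_POST, $input_errors);`. The identical call appears in zabbix2-proxy.xml in the next hunk. Both `<url>` values carry a bare `&` in `&id=0`, which is not well-formed XML and so depends on how leniently the package parser reads the file; `&amp;id=0` is safe under either reading. The header comment says "part of the Zebedee package for pfSense", which looks copied from another package and recurs in zabbix2-proxy.xml and zabbix2.inc. The Listen IP default of 0.0.0.0 binds the agent on every interface, WAN included; the field description could say that firewall rules, not this field, decide who can reach port 10050.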
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+<copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ zabbix2-proxy.xml
+ part of the Zebedee package for pfSense
+ Copyright (C) 2013 Danilo G. Baio
+ Copyright (C) 2013 Marcello Coutinho
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <name>zabbixproxy</name>
+ <title>Services: Zabbix-2 Proxy</title>
+ <category>Monitoring</category>
+ <version>0.7</version>
+ <include_file>/usr/local/pkg/zabbix2.inc</include_file>
+ <addedit_string>Zabbix Proxy has been created/modified.</addedit_string>
+ <delete_string>Zabbix Proxy has been deleted.</delete_string>
+ <restart_command>/usr/local/etc/rc.d/zabbix2_proxy.sh restart</restart_command>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/zabbix2/zabbix2.inc</item>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <menu>
+ <name>Zabbix-2 Proxy</name>
+ <tooltiptext>Setup Zabbix Proxy specific settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=zabbix2-proxy.xml&id=0</url>
+ </menu>
+ <service>
+ <name>zabbix-proxy</name>
+ <rcfile>zabbix2_proxy.sh</rcfile>
+ <executable>zabbix_proxy</executable>
+ <description>Zabbix proxy is a process which collects performance and availability data from one or more monitored devices and sends the information to a Zabbix server</description>
+ </service>
+ <tabs>
+ <tab>
+ <text>Proxy</text>
+ <url>/pkg_edit.php?xml=zabbix2-proxy.xml&id=0</url>
+ <active />
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Zabbix2 Proxy Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>proxyenabled</fieldname>
+ <description>Enable Zabbix2 Proxy service</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Server</fielddescr>
+ <fieldname>server</fieldname>
+ <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description>
+ <default_value>127.0.0.1</default_value>
+ <type>input</type>
+ <size>60</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Server Port</fielddescr>
+ <fieldname>serverport</fieldname>
+ <description>Port of Zabbix trapper on Zabbix server. default value 10051</description>
+ <default_value>10051</default_value>
+ <type>input</type>
+ <size>6</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Hostname</fielddescr>
+ <fieldname>hostname</fieldname>
+ <description>Unique, case-sensitive proxy name. Make sure the proxy name is known to the server</description>
+ <default_value>localhost</default_value>
+ <type>input</type>
+ <size>50</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Proxy Mode</fielddescr>
+ <fieldname>proxymode</fieldname>
+ <description>Select Zabbix proxy mode (Active is default)</description>
+ <type>select</type>
+ <default_value>0</default_value>
+ <options>
+ <option><name>Active</name><value>0</value></option>
+ <option><name>Passive</name><value>1</value></option>
+ </options>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Config Frequency</fielddescr>
+ <fieldname>configfrequency</fieldname>
+ <description>How often the proxy retrieves configuration data from the Zabbix server in seconds. Ignored if the proxy runs in passive mode.</description>
+ <default_value>3600</default_value>
+ <type>input</type>
+ <size>10</size>
+ <required>true</required>
+ </field>
+ </fields>
+ <custom_php_install_command>sync_package_zabbix2();</custom_php_install_command>
+ <custom_php_command_before_form></custom_php_command_before_form>
+ <custom_php_after_head_command></custom_php_after_head_command>
+ <custom_php_after_form_command></custom_php_after_form_command>
+ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command>
+ <custom_add_php_command></custom_add_php_command>
+ <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command>
+ <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command>
+</packagegui>
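Review bot: This manifest sets field defaults with `<default_value>` while zabbix2-agent.xml in the previous hunk uses `<value>` for the same fields, and only one of the two is likely to be honoured by pkg_edit.php, so one of the forms will probably come up with empty fields; the two files should use the same element. `validate_input_zabbix2($_POST, &$input_errors)` is a call-time pass-by-reference (fatal since PHP 5.4) and the two `<url>` values carry an unescaped `&`; both mirror the agent manifest and should be corrected in the same way in both files, e.g. `validate_input_zabbix2($_POST, $input_errors);` with the reference declared on the function parameter.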
diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc
new file mode 100644
index 00000000..730ef873
--- /dev/null
+++ b/config/zabbix2/zabbix2.inc
@@ -0,0 +1,340 @@ +<?php +/* $Id$ */ +/* ========================================================================== */ +/* + zabbix2-proxy.inc + part of the Zebedee package for pfSense + Copyright (C) 2013 Danilo G. Baio + Copyright (C) 2013 Marcello Coutinho + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); + +function php_install_zabbix2(){ + sync_package_zabbix2(); +} + +function php_deinstall_zabbix2(){ + global $config, $g; + + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + } else { + define('ZABBIX_AGENT_BASE', '/usr/local'); + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); + + exec("/usr/bin/killall zabbix_agentd"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); + unlink_if_exists(ZABBIX_AGENT_BASE . 
"/etc/zabbix2/zabbix_agentd.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); + + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + if (is_dir("/var/db/zabbix2")) + exec("/bin/rm -r /var/db/zabbix2/"); + conf_mount_ro(); +} + +function validate_input_zabbix2($post,&$input_errors){ + + if (isset($post['proxyenabled'])){ + if (!is_numericint($post['serverport'])) { + $input_errors[]='Server Port is not numeric.'.$ServerPort; + } + + if (!is_numericint($post['configfrequency'])) { + $input_errors[]='Config Frequency is not numeric.'; + } + } + if (isset($post['agentenabled'])){ + if (!preg_match("/\w+/", $post['server'])) { + $input_errors[]='Server field is required.'; + } + + if (!preg_match("/\w+/", $post['hostname'])) { + $input_errors[]='Hostname field is required.'; + } + + if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { + $input_errors[]='Listen IP is not a configured IP address.'; + } + + if (!preg_match("/^\d+$/", $post['listenport'])) { + $input_errors[]='Listen Port is not numeric.'; + } + + if ($post['refreshactchecks'] != '') { + if (!preg_match("/^\d+$/", $post['refreshactchecks'])) { + $input_errors[]='Refresh Active Checks is not numeric.'; + } elseif ( $post['refreshactchecks'] < 60 || $post['refreshactchecks'] > 3600 ) { + $input_errors[]='You must enter a valid value for \'Refresh Active Checks\''; + } + } + + if (!is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } elseif ( $post['timeout'] < 1 || $post['timeout'] > 255 ) { + $input_errors[]='You must enter a valid value for \'Timeout\''; + } + + if ($post['buffersend'] != '') { + if (!is_numericint($post['buffersend'])) { + $input_errors[]='Buffer Send is not numeric.'; + } elseif ( $post['buffersend'] < 1 || $post['buffersend'] > 3600 ) 
{ + $input_errors[]='You must enter a valid value for \'Buffer Send\''; + } + } + + if ($post['buffersize'] != '') { + if (!is_numericint($post['buffersize'])) { + $input_errors[]='Bufer Size is not numeric.'; + } elseif ( $post['buffersize'] < 2 || $post['buffersize'] > 65535 ) { + $input_errors[]='You must enter a valid value for \'Buffer Size\''; + } + } + + if ($post['startagents'] != '') { + if (!is_numericint($post['startagents'])) { + $input_errors[]='Start Agents is not numeric.'; + } elseif ( $post['startagents'] < 0 || $post['startagents'] > 100 ) { + $input_errors[]='You must enter a valid value for \'Start Agents\''; + } + } + } +} + +function sync_package_zabbix2(){ + global $config, $g; + + conf_mount_rw(); + #check pfsense version + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + } + else { + define('ZABBIX_AGENT_BASE', '/usr/local'); + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + #check zabbix proxy config + if (is_array($config['installedpackages']['zabbixproxy'])){ + $zbproxy_config = $config['installedpackages']['zabbixproxy']['config'][0]; + if ($zbproxy_config['proxyenabled']=="on"){ + $Mode=(is_numericint($zbproxy_config['proxymode'])?$zbproxy_config['proxymode'] : 0); + + $zbproxy_conf_file = <<< EOF +Server={$zbproxy_config['server']} +ServerPort={$zbproxy_config['serverport']} +Hostname={$zbproxy_config['hostname']} +PidFile=/var/run/zabbix2/zabbix2_proxy.pid +DBName=/var/db/zabbix2/proxy.db +LogFile=/var/log/zabbix2/zabbix_proxy.log +ConfigFrequency={$zbproxy_config['configfrequency']} +FpingLocation=/usr/local/sbin/fping +#there's currently no fping6 (IPv6) dependency in the package, but if there was, the binary would likely also be in /usr/local/sbin +Fping6Location=/usr/local/sbin/fping6 +ProxyMode={$Mode} + +EOF; + 
file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); + } + } + /* check zabbix agent settings*/ + if (is_array($config['installedpackages']['zabbixagent'])){ + $zbagent_config = $config['installedpackages']['zabbixagent']['config'][0]; + if ($zbagent_config['agentenabled']=="on"){ + $RefreshActChecks=(preg_match("/(\d+)/",$zbagent_config['refreshactchecks'],$matches)? $matches[1] : "120"); + $BufferSend=(preg_match("/(\d+)/",$zbagent_config['buffersend'],$matches)? $matches[1] : "5" ); + $BufferSize=(preg_match("/(\d+)/",$zbagent_config['buffersize'],$matches)? $matches[1] : "100"); + $StartAgents=(preg_match("/(\d+)/",$zbagent_config['startagents'],$matches)? $matches[1] :"3" ); + $UserParams=base64_decode($zbagent_config['userparams']); + + $zbagent_conf_file = <<< EOF +Server={$zbagent_config['server']} +ServerActive={$zbagent_config['serveractive']} +Hostname={$zbagent_config['hostname']} +ListenIP={$zbagent_config['listenip']} +ListenPort={$zbagent_config['listenport']} +RefreshActiveChecks={$RefreshActChecks} +DebugLevel=3 +PidFile=/var/run/zabbix2/zabbix2_agentd.pid +LogFile=/var/log/zabbix2/zabbix2_agentd.log +LogFileSize=1 +Timeout={$zbagent_config['timeout']} +BufferSend={$BufferSend} +BufferSize={$BufferSize} +StartAgents={$StartAgents} +{$UserParams} + +EOF; + file_put_contents(ZABBIX_AGENT_BASE . 
"/etc/zabbix2/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => ""))); + } + } + $want_sysctls = array( + 'kern.ipc.shmall' => '2097152', + 'kern.ipc.shmmax' => '2147483648', + 'kern.ipc.semmsl' => '250' + ); + $sysctls = array(); + #check sysctl file values + $sc_file=""; + if (file_exists("/etc/sysctl.conf")) { + $sc = file("/etc/sysctl.conf"); + foreach ($sc as $line) { + list($sysk, $sysv) = explode("=", $line, 2); + if (preg_match("/\w/",$line) && !array_key_exists($sysk, $want_sysctls)) + $sc_file.=$line; + } + } + foreach ($want_sysctls as $ws=> $wv) { + $sc_file .= "{$ws}={$wv}\n"; + exec("/sbin/sysctl {$ws}={$wv}"); + } + file_put_contents("/etc/sysctl.conf", $sc_file); + + #check bootloader values + $lt_file=""; + $want_tunables = array( + 'kern.ipc.semopm' => '100', + 'kern.ipc.semmni' => '128', + 'kern.ipc.semmns' => '32000', + 'kern.ipc.shmmni' => '4096' + ); + $tunables = array(); + if (file_exists("/boot/loader.conf")) { + $lt = file("/boot/loader.conf"); + foreach ($lt as $line) { + list($tunable, $val) = explode("=", $line, 2); + if (preg_match("/\w/",$line) && !array_key_exists($tunable, $want_tunables)) + $lt_file.=$line; + } + } + foreach ($want_tunables as $wt => $wv) { + $lt_file.= "{$wt}={$wv}\n"; + } + file_put_contents("/boot/loader.conf", $lt_file); + + /*check startup script files*/ + /* create a few directories and ensure the sample files are in place */ + if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix2")) + exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix2"); + + $dir_checks = <<< EOF +if [ ! -d /var/log/zabbix2 ] + then + /bin/mkdir -p /var/log/zabbix2 + /usr/sbin/chmod 755 /var/log/zabbix2 + fi +/usr/sbin/chown -R zabbix:zabbix /var/log/zabbix2 + +if [ ! -d /var/run/zabbix2 ] + then + /bin/mkdir -p /var/run/zabbix2 + /usr/sbin/chmod 755 /var/run/zabbix2 + fi +/usr/sbin/chown -R zabbix:zabbix /var/run/zabbix2 + +if [ ! 
-d /var/db/zabbix2 ] + then + /bin/mkdir -p /var/db/zabbix2 + /usr/sbin/chmod 755 /var/db/zabbix2 + fi +/usr/sbin/chown -R zabbix:zabbix /var/db/zabbix2 + +EOF; + + $zproxy_rcfile="/usr/local/etc/rc.d/zabbix2_proxy.sh"; + if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled']=="on"){ + $zproxy_start= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy\"...\n"; + /* start zabbix proxy */ + $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n"; + + $zproxy_stop = "echo \"Stopping Zabbix Proxy\"\n"; + $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n"; + $zproxy_stop .= "/bin/sleep 5\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "zabbix2_proxy.sh", + "start" => $zproxy_start, + "stop" => $zproxy_stop + ) + ); + mwexec("{$zproxy_rcfile} restart"); + }else{ + if (file_exists($zproxy_rcfile)){ + mwexec("{$zproxy_rcfile} stop"); + unlink($zproxy_rcfile); + } + } + + $zagent_rcfile="/usr/local/etc/rc.d/zabbix2_agentd.sh"; + if (is_array($zbagent_config) && $zbagent_config['agentenabled']=="on"){ + $zagent_start .= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent...\"\n"; + $zagent_start .= ZABBIX_AGENT_BASE . "/sbin/zabbix_agentd\n"; + + $zagent_stop = "echo \"Stopping Zabbix Agent...\"\n"; + $zagent_stop .= "/usr/bin/killall zabbix_agentd\n"; + $zagent_stop .= "/bin/sleep 5\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "zabbix2_agentd.sh", + "start" => "$zagent_start", + "stop" => "$zagent_stop" + ) + ); + mwexec("{$zagent_rcfile} restart"); + }else{ + if (file_exists($zagent_rcfile)){ + mwexec("{$zagent_rcfile} stop"); + unlink($zagent_rcfile); + } + } + + conf_mount_ro(); +} +?> diff --git a/config/zebedee/zebedee_del_key.php b/config/zebedee/zebedee_del_key.php index ae9522b7..e6cfa955 100644 --- a/config/zebedee/zebedee_del_key.php +++ b/config/zebedee/zebedee_del_key.php @@ -1,54 +1,54 @@ -<?php
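Review bot: In validate_input_zabbix2 the `proxyenabled` branch validates only `serverport` and `configfrequency`, so the proxy form's `server` and `hostname` values reach the `Server=`/`Hostname=` lines of the zabbix_proxy.conf heredoc in sync_package_zabbix2 unchecked, and since only `\r` is stripped before file_put_contents, a value containing a line break ends up as extra directives in the generated file. Add to that branch `if (!preg_match("/^[\w.\-:,]+$/", $post['server'])) $input_errors[] = 'Server must be a host name or IP address list.';` and the same check for `$post['hostname']`; the agent branch's unanchored `/\w+/` tests would be better tightened the same way. The message `'Server Port is not numeric.'.$ServerPort` concatenates `$ServerPort`, which is never defined, so drop the suffix. Finally, `$zagent_start .= strtr($dir_checks, ...)` appends to a variable that is never initialised, unlike the `$zproxy_start =` assignment a few lines earlier; it should be a plain `=`.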
-/*
- zebedee_del_key.php
- part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2010 Marcello Coutinho
- Copyright (C) 2010 Jorge Lustosa
-
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
-if(strstr($pfSversion, "1.2"))
- $one_two = true;
-
-$zebede_keys = $config['installedpackages']['zebedeekeys']['config'] ;
-
-// remove item
-unset($zebede_keys[$_REQUEST['id']]) ;
-
-$config['installedpackages']['zebedeekeys']['config'] = $zebede_keys ;
-write_config() ;
-
-
-// redirect
-header("Location: zebedee_keys.php");
-
-
-?>
-
-
+<?php
+/*
+ zebedee_del_key.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
+ Copyright (C) 2010 Marcello Coutinho
+ Copyright (C) 2010 Jorge Lustosa
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$zebede_keys = $config['installedpackages']['zebedeekeys']['config'] ;
+
+// remove item
+unset($zebede_keys[$_REQUEST['id']]) ;
+
+$config['installedpackages']['zebedeekeys']['config'] = $zebede_keys ;
+write_config() ;
+
+
+// redirect
+header("Location: zebedee_keys.php");
+
+
+?>
+
+
diff --git a/config/zebedee/zebedee_get_key.php b/config/zebedee/zebedee_get_key.php
index f0af0b8a..ce54f954 100644
--- a/config/zebedee/zebedee_get_key.php
+++ b/config/zebedee/zebedee_get_key.php
@@ -1,44 +1,44 @@
-<?
-
-require_once("pkg-utils.inc");
-
-$id= $_REQUEST['id'] ;
-//echo "<pre>" ;
-$external = $config['installedpackages']['zebedee']['config'][0]['external_address'] ;
-$chave = $config['installedpackages']['zebedeekeys']["config"][$id] ;
-
-//print_r($chave['row']) ;
-
-
-
-foreach ($chave['row'] as $k => $v)
-{
- // especify only one port for this host
-// if($v['port']=="") $end=" " ; else $end = ":".$v['port'] ;
- $tunnels .= "tunnel ".$v['loc_port'].":".$v['ipaddress'].":".$v['rmt_port']."\r\n" ;
-}
-
-
-header('Content-Type: application/download');
-header('Content-Disposition: filename=client.txt');
-
-$chave_result = <<<EOF
-verbosity 2
-server false
-message {$chave["ident"]}
-detached true
-privatekey "{$chave["private_key"]}"
-ipmode both
-compression zlib:9
-
-serverhost {$external}
-
-{$tunnels}
-
-EOF;
-
-
-echo $chave_result ;
-
-
+<? + +require_once("pkg-utils.inc"); + +$id= $_REQUEST['id'] ; +//echo "<pre>" ; +$external = $config['installedpackages']['zebedee']['config'][0]['external_address'] ; +$chave = $config['installedpackages']['zebedeekeys']["config"][$id] ; + +//print_r($chave['row']) ; + + + +foreach ($chave['row'] as $k => $v) +{ + // especify only one port for this host +// if($v['port']=="") $end=" " ; else $end = ":".$v['port'] ; + $tunnels .= "tunnel ".$v['loc_port'].":".$v['ipaddress'].":".$v['rmt_port']."\r\n" ; +} + + +header('Content-Type: application/download'); +header('Content-Disposition: filename=client.txt'); + +$chave_result = <<<EOF +verbosity 2 +server false +message {$chave["ident"]} +detached true +privatekey "{$chave["private_key"]}" +ipmode both +compression zlib:9 + +serverhost {$external} + +{$tunnels} + +EOF; + + +echo $chave_result ; + + ?>
\ No newline at end of file
diff --git a/config/zebedee/zebedee_keys.php b/config/zebedee/zebedee_keys.php
index f762c7cc..14b39078 100644
--- a/config/zebedee/zebedee_keys.php
+++ b/config/zebedee/zebedee_keys.php
@@ -1,145 +1,145 @@
-<?php
-/*
- zebedee_keys.php
- part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2010 Marcello Coutinho
- Copyright (C) 2010 Jorge Lustosa
-
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-
-
-require("guiconfig.inc");
-
-$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
-if(strstr($pfSversion, "1.2"))
- $one_two = true;
-
-$pgtitle = "Zebedee Tunneling";
-include("head.inc");
-
-error_reporting(0);
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></font></p>
-<?php endif; ?>
-
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
-<form action="varnishstat_view_config.php" method="post">
-
-<div id="mainlevel">
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-
-
-
-<?php
- $tab_array = array();
- $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0");
- $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0");
- $tab_array[] = array(gettext("Keys"), true, "/zebedee_keys.php");
- $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0");
- $tab_array[] = array(gettext("View Configuration"), false, "/zebedee_view_config.php");
- $tab_array[] = array(gettext("View log files"), false, "/zebedee_log.php");
- display_top_tabs($tab_array);
-
- $zebede_keys = $config['installedpackages']['zebedeekeys']['config'] ;
- $next_row = sizeof($zebede_keys) ;
- if($next_row == 1 && !array_key_exists("config", $config['installedpackages']["zebedeekeys"]))$next_row =0 ;
-
- //echo "<pre>" ;
- //print_r($config['installedpackages']);
-?>
- </td>
- </tr>
- <tr>
- <td>
- <div id="mainarea">
-
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="listhdrr"><?=gettext("Identifier"); ?></td>
- <td class="listhdr"><?=gettext("Public key"); ?></td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="20" heigth="17"></td>
- <td width="20" heigth="17"></td>
- <td width="20" heigth="17"></td>
-
- <td align="left"><a href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $next_row?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add key"); ?>" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- <?php $i = 0; foreach ($zebede_keys as $key): ?>
- <tr>
- <td class="listlr">
- <?=htmlspecialchars($key['ident']);?>
- </td>
- <td class="listr">
- <?=htmlspecialchars($key['public_key']);?>
- </td>
- <td class="list" nowrap>
- <a href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $i?>">
- <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit key"); ?>" width="17" height="17" border="0"></a>
- <a href="/zebedee_del_key.php?id=<?php echo $i?>"><img height="17" border="0" width="17" src="./themes/pfsense_ng/images/icons/icon_x.gif"></a>
- <a alt="Download client.zbd file" href="/zebedee_get_key.php?id=<?php echo $i?>" target="_blank"><img height="17" border="0" width="17" src="./themes/pfsense_ng/images/icons/icon_right.gif" alt="Download client.zbd file"></a>
- </td>
- </tr>
- <?php $i++; endforeach; ?>
-
-
- <tr>
- <td class="list" colspan="2"></td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="20" heigth="17"></td>
- <td width="20" heigth="17"></td>
- <td width="20" heigth="17"></td>
-
- <td><a href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $next_row?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add key"); ?>" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- </table>
-
-
- </div>
- </td>
- </tr>
- </table>
-</div>
-</form>
-<?php include("fend.inc"); ?>
-</body>
-</html>
+<?php +/* + zebedee_keys.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2010 Marcello Coutinho + Copyright (C) 2010 Jorge Lustosa + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + + + +require("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Zebedee Tunneling"; +include("head.inc"); + +error_reporting(0); +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></font></p> +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<form action="varnishstat_view_config.php" method="post"> + +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + + + +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0"); + $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0"); + $tab_array[] = array(gettext("Keys"), true, "/zebedee_keys.php"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0"); + $tab_array[] = array(gettext("View Configuration"), false, "/zebedee_view_config.php"); + $tab_array[] = array(gettext("View log files"), false, "/zebedee_log.php"); + display_top_tabs($tab_array); + + $zebede_keys = $config['installedpackages']['zebedeekeys']['config'] ; + $next_row = sizeof($zebede_keys) ; + if($next_row == 1 && !array_key_exists("config", $config['installedpackages']["zebedeekeys"]))$next_row =0 ; + + //echo "<pre>" ; + //print_r($config['installedpackages']); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr"><?=gettext("Identifier"); ?></td> + <td class="listhdr"><?=gettext("Public key"); ?></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="20" heigth="17"></td> + <td width="20" heigth="17"></td> + <td width="20" heigth="17"></td> + + <td align="left"><a 
href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $next_row?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add key"); ?>" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + <?php $i = 0; foreach ($zebede_keys as $key): ?> + <tr> + <td class="listlr"> + <?=htmlspecialchars($key['ident']);?> + </td> + <td class="listr"> + <?=htmlspecialchars($key['public_key']);?> + </td> + <td class="list" nowrap> + <a href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $i?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit key"); ?>" width="17" height="17" border="0"></a> + <a href="/zebedee_del_key.php?id=<?php echo $i?>"><img height="17" border="0" width="17" src="./themes/pfsense_ng/images/icons/icon_x.gif"></a> + <a alt="Download client.zbd file" href="/zebedee_get_key.php?id=<?php echo $i?>" target="_blank"><img height="17" border="0" width="17" src="./themes/pfsense_ng/images/icons/icon_right.gif" alt="Download client.zbd file"></a> + </td> + </tr> + <?php $i++; endforeach; ?> + + + <tr> + <td class="list" colspan="2"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="20" heigth="17"></td> + <td width="20" heigth="17"></td> + <td width="20" heigth="17"></td> + + <td><a href="pkg_edit.php?xml=zebedee_key_details.xml&id=<?php echo $next_row?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add key"); ?>" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + </table> + + + </div> + </td> + </tr> + </table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/zebedee/zebedee_log.php b/config/zebedee/zebedee_log.php index 3e1ac98d..e397ca08 100644 --- a/config/zebedee/zebedee_log.php +++ b/config/zebedee/zebedee_log.php @@ -1,112 +1,112 @@ -<?php
-/*
- varnishstat_view_logs.php
- part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2006 Scott Ullrich <sullrich@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-if($_REQUEST['getactivity']) {
- $varnishstatlogs = `tail -n 100 /var/log/zebedee.log`;
- echo "<h2>Zebedee Server logs as of " . date("D M j G:i:s T Y") . "</h2>";
- echo $varnishstatlogs;
- exit;
-}
-
-$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
-if(strstr($pfSversion, "1.2"))
- $one_two = true;
-
-$pgtitle = "Zebedee: Logs";
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
- <script type="text/javascript">
- function getlogactivity() {
- var url = "/zebedee_log.php";
- var pars = 'getactivity=yes';
- var myAjax = new Ajax.Request(
- url,
- {
- method: 'post',
- parameters: pars,
- onComplete: activitycallback
- });
- }
- function activitycallback(transport) {
- $('varnishstatlogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>';
- setTimeout('getlogactivity()', 2500);
- }
- setTimeout('getlogactivity()', 1000);
- </script>
-<?php include("fbegin.inc"); ?>
-
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></font></p>
-<?php endif; ?>
-
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
-<div id="mainlevel">
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
-
-$tab_array = array();
- $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0");
- $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0");
- $tab_array[] = array(gettext("Keys"), false, "/zebedee_keys.php");
- $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0");
- $tab_array[] = array(gettext("View Configuration"), false, "/zebedee_view_config.php");
- $tab_array[] = array(gettext("View log files"), true, "/zebedee_log.php");
- display_top_tabs($tab_array);
-
-?>
- </td></tr>
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="tabcont" >
- <form action="zebedee_log.php" method="post">
- <div id="varnishstatlogs">
- <pre>One moment please, loading logs...</pre>
- </div>
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
- </table>
-</div>
-</form>
-<?php include("fend.inc"); ?>
-</body>
-</html>
+<?php
+/*
+ varnishstat_view_logs.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2006 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+if($_REQUEST['getactivity']) {
+ $varnishstatlogs = `tail -n 100 /var/log/zebedee.log`;
+ echo "<h2>Zebedee Server logs as of " . date("D M j G:i:s T Y") . 
"</h2>";
+ echo $varnishstatlogs;
+ exit;
+}
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Zebedee: Logs";
+include("head.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
+ <script type="text/javascript">
+ function getlogactivity() {
+ var url = "/zebedee_log.php";
+ var pars = 'getactivity=yes';
+ var myAjax = new Ajax.Request(
+ url,
+ {
+ method: 'post',
+ parameters: pars,
+ onComplete: activitycallback
+ });
+ }
+ function activitycallback(transport) {
+ $('varnishstatlogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>';
+ setTimeout('getlogactivity()', 2500);
+ }
+ setTimeout('getlogactivity()', 1000);
+ </script>
+<?php include("fbegin.inc"); ?>
+
+<?php if($one_two): ?>
+<p class="pgtitle"><?=$pgtitle?></font></p>
+<?php endif; ?>
+
+<?php if ($savemsg) print_info_box($savemsg); ?>
+
+<div id="mainlevel">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
+<?php
+
+$tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0");
+ $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0");
+ $tab_array[] = array(gettext("Keys"), false, "/zebedee_keys.php");
+ $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0");
+ $tab_array[] = array(gettext("View Configuration"), false, "/zebedee_view_config.php");
+ $tab_array[] = array(gettext("View log files"), true, "/zebedee_log.php");
+ display_top_tabs($tab_array);
+
+?>
+ </td></tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabcont" >
+ <form action="zebedee_log.php" method="post">
+ <div id="varnishstatlogs">
+ <pre>One moment please, 
loading logs...</pre>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/config/zebedee/zebedee_view_config.php b/config/zebedee/zebedee_view_config.php
index 57cecc7e..78a0bca9 100644
--- a/config/zebedee/zebedee_view_config.php
+++ b/config/zebedee/zebedee_view_config.php
@@ -1,97 +1,97 @@
-<?php
-/*
- varnish_view_config.php
- part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
-if(strstr($pfSversion, "1.2"))
- $one_two = true;
-
-$pgtitle = "Zebedee: View Configuration";
-include("head.inc");
-
-?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></font></p>
-<?php endif; ?>
-
-<?php if ($savemsg) print_info_box($savemsg); ?>
-
-<form action="zebedee_view_config.php" method="post">
-
-<div id="mainlevel">
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0");
- $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0");
- $tab_array[] = array(gettext("Keys"), false, "/zebedee_keys.php");
- $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0");
- $tab_array[] = array(gettext("View Configuration"), true, "/zebedee_view_config.php");
- $tab_array[] = array(gettext("View log files"), false, "/zebedee_log.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="tabcont" >
- <p class="pgtitle">/usr/local/etc/server.zbd</font></p>
- <textarea id="zebedeetext" rows="20" cols="80">
-<?php
- $config_file = file_get_contents("/usr/local/etc/server.zbd");
- echo $config_file;
-?>
- </textarea>
- <p class="pgtitle">/usr/local/etc/tunnels.zbd</font></p>
- <textarea id="zebedeetext" rows="20" cols="80">
-<?php
- $config_file = file_get_contents("/usr/local/etc/tunnels.zbd");
- echo $config_file;
-?>
- </textarea>
-
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
- </table>
-</div>
-</form>
-<?php include("fend.inc"); ?>
-</body>
-</html>
+<?php
+/*
+ varnish_view_config.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Zebedee: View Configuration";
+include("head.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+
+<?php if($one_two): ?>
+<p class="pgtitle"><?=$pgtitle?></font></p>
+<?php endif; ?>
+
+<?php if ($savemsg) print_info_box($savemsg); ?>
+
+<form action="zebedee_view_config.php" method="post">
+
+<div id="mainlevel">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=zebedee.xml&id=0");
+ $tab_array[] = array(gettext("Tunnels"), false, "/pkg_edit.php?xml=zebedee_tunnels.xml&id=0");
+ $tab_array[] = array(gettext("Keys"), false, "/zebedee_keys.php");
+ $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=zebedee_sync.xml&id=0");
+ $tab_array[] = array(gettext("View Configuration"), true, "/zebedee_view_config.php");
+ $tab_array[] = array(gettext("View log files"), false, "/zebedee_log.php");
+ display_top_tabs($tab_array);
+?>
+ </td></tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabcont" >
+ <p class="pgtitle">/usr/local/etc/server.zbd</font></p>
+ <textarea id="zebedeetext" rows="20" cols="80">
+<?php
+ $config_file = file_get_contents("/usr/local/etc/server.zbd");
+ echo $config_file;
+?>
+ </textarea>
+ <p class="pgtitle">/usr/local/etc/tunnels.zbd</font></p>
+ <textarea id="zebedeetext" rows="20" cols="80">
+<?php
+ $config_file = file_get_contents("/usr/local/etc/tunnels.zbd");
+ echo $config_file;
+?>
+ </textarea>
+
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/pkg_config.7.xml b/pkg_config.7.xml
index 59bb8374..30316a74 100755
--- a/pkg_config.7.xml
+++ b/pkg_config.7.xml
@@ -22,7 +22,7 @@
 <category>Diagnostics</category>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,26974.0.html</pkginfolink>
 <config_file>http://pfsense.org/packages/config/filemgr/filemgr.xml</config_file>
- <version>0.1.1</version>
+ <version>0.1.3</version>
 <status>Beta</status>
 <required_version>1.2.2</required_version>
 <maintainer>tom@tomschaefer.org</maintainer>
@@ -306,7 +306,7 @@
 <pkginfolink></pkginfolink>
 <config_file>http://www.pfsense.com/packages/config/cron/cron.xml</config_file>
 <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
- <version>0.2</version>
+ <version>0.2.2</version>
 <status>Beta</status>
 <required_version>1.2</required_version>
 <maintainer>markjcrane@gmail.com</maintainer>
@@ -452,7 +452,7 @@
 <descr>A console-based network traffic monitor + vnstat PHP frontend</descr>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,14179.0.html</pkginfolink>
 <category>Network Management</category>
- <depends_on_package_base_url>http://www.pfsense.com/packages/config/vnstat/bin/</depends_on_package_base_url>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
 <depends_on_package>vnstat-1.6_3.tbz</depends_on_package>
 <version>1.6.3</version>
 <status>Stable</status>
@@ -470,7 +470,7 @@
 <version>2.5.4</version>
 <status>Beta</status>
 <required_version>1.0</required_version>
- <depends_on_package_base_url>http://www.pfsense.com/packages/config/phpsysinfo/bin/</depends_on_package_base_url>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
 <depends_on_package>mbmon-205_4.tbz</depends_on_package>
 <config_file>http://www.pfsense.com/packages/config/phpsysinfo/phpsysinfo.xml</config_file>
 <configurationfile>phpsysinfo.xml</configurationfile>
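Review bot: The relocated `<depends_on_package_base_url>` values in the @@ -452 and @@ -470 hunks (and the darkstat one in @@ -632 on the next line) still point at a plain `http://` origin, and this manifest carries no digest for `vnstat-1.6_3.tbz`, `mbmon-205_4.tbz` or `darkstat-3.0.712.tbz`; whether the installer verifies the archives elsewhere is not visible here. If the new mirror serves TLS, `<depends_on_package_base_url>https://files.pfsense.org/packages/7/All/</depends_on_package_base_url>` would at least authenticate the origin; otherwise a per-package checksum element next to each `<depends_on_package>` is the only way for the installer to notice a substituted archive. Since the same move is made for several packages in this commit, it is a good moment to settle which of the two the package system relies on.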
@@ -632,7 +632,7 @@
 <website>http://dmr.ath.cx/net/darkstat/</website>
 <descr>darkstat is a network statistics gatherer. It's a packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP.</descr>
 <category>Network Management</category>
- <depends_on_package_base_url>http://www.pfsense.com/packages/config/darkstat/bin/</depends_on_package_base_url>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
 <depends_on_package>darkstat-3.0.712.tbz</depends_on_package>
 <depends_on_package>gettext-0.17_1.tbz</depends_on_package>
 <version>3.0.712</version>
@@ -772,23 +772,6 @@
 <configurationfile>squid.xml</configurationfile>
 </package>
 <package>
- <name>squid3</name>
- <descr>DISCONTINUED on pfSense 1.2.x [EXPERIMENTAL! Not all directives are ported yet! High performance web proxy cache.]</descr>
- <website>http://www.squid-cache.org/</website>
- <category>Network</category>
- <version>3.1.14_0.1</version>
- <status>DISCONTINUED on pfSense 1.2.x</status>
- <required_version>1.2.1</required_version>
- <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com</maintainer>
- <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
- <depends_on_package>squid-3.1.14.tbz</depends_on_package>
- <depends_on_package>squid_radius_auth-1.10.tbz</depends_on_package>
- <depends_on_package>openldap-client-2.4.10.tbz</depends_on_package>
- <config_file>http://www.pfsense.org/packages/config/squid3/squid.xml</config_file>
- <configurationfile>squid.xml</configurationfile>
- <noembedded>true</noembedded>
- </package>
- <package>
 <name>LCDproc</name>
 <descr>LCD display driver</descr>
 <website>http://www.lcdproc.org/</website>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 5e511811..1667ab5a 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -8,6 +8,7 @@
 <!--
 <package>
 <name>someprogram</name>
+ <internal_name>someprogram</internal_name>
 <pkginfolink>http://forum.pfsense.org/</pkginfolink>
 <descr><![CDATA[Some cool program]]></descr>
 <website>http://www.example.org/someprogram</website>
@@ -30,7 +31,7 @@
 <package>
 <name>Asterisk</name>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,47210.0.html</pkginfolink>
- <descr><![CDATA[Asterisk is an open source framework for building communications applications.<br>Asterisk turns an ordinary computer into a communications server.]]></descr>
+ <descr><![CDATA[Asterisk is an open source framework for building communications applications.<br />Asterisk turns an ordinary computer into a communications server.]]></descr>
 <website>http://www.asterisk.org/</website>
 <category>Services</category>
 <version>1.8.8.1 pkg v 0.1</version>
@@ -40,7 +41,7 @@
 <depends_on_package_base_url>http://e-sac.siteseguro.ws/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>asterisk18-1.8.8.1.tbz</depends_on_package>
 <depends_on_package>openldap-sasl-client-2.4.26.tbz</depends_on_package>
- <depends_on_package_pbi>asterisk-1.8.13.0-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>asterisk-1.8.19.0-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/asterisk</build_port_path>
 <maintainer>marcellocoutinho@gmail.com robreg@zsurob.hu</maintainer>
 <configurationfile>asterisk.xml</configurationfile>
@@ -60,20 +61,6 @@
 <configurationfile>filer.xml</configurationfile>
 </package>
 <package>
- <name>IP-Blocklist</name>
- <website/>
- <descr>IP-Blocklist is PeerGuardian2 but on pfsense. This package has been replaced by pfblocker. <u>This is a legacy app</u></descr>
- <category>Firewall</category>
- <pkginfolink>http://forum.pfsense.org/index.php/topic,24769.0.html</pkginfolink>
- <config_file>http://www.pfsense.com/packages/config/ipblocklist/8/ipblocklist.xml</config_file>
- <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <version>0.3.5</version>
- <status>Beta</status>
- <required_version>1.2.2</required_version>
- <maintainer>tom@tomschaefer.org</maintainer>
- <configurationfile>ipblocklist.xml</configurationfile>
- </package>
- <package>
 <name>Country Block</name>
 <website/>
 <descr>Block countries - This has been replaced by pfblocker. <u>This is a legacy app</u></descr>
@@ -107,7 +94,7 @@
 <category>Diagnostics</category>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,26974.0.html</pkginfolink>
 <config_file>http://pfsense.org/packages/config/filemgr/filemgr.xml</config_file>
- <version>0.1.1</version>
+ <version>0.1.3</version>
 <status>Beta</status>
 <required_version>2.0</required_version>
 <maintainer>tom@tomschaefer.org</maintainer>
@@ -116,9 +103,9 @@
 <package>
 <name>pfBlocker</name>
 <website/>
- <descr><![CDATA[Introduce Enhanced Aliastable Feature to pfsense.<br>
- Assign many IP urls lists from sites like I-blocklist to a single alias and then choose rule action to take.<br>
- This package also Block countries and IP ranges.<br>
+ <descr><![CDATA[Introduce Enhanced Aliastable Feature to pfsense.<br />
+ Assign many IP urls lists from sites like I-blocklist to a single alias and then choose rule action to take.<br />
+ This package also Block countries and IP ranges.<br />
 pfBlocker replaces Countryblock and IPblocklist.]]></descr>
 <category>Firewall</category>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,42543.0.html</pkginfolink>
@@ -145,35 +132,61 @@
 <package>
 <name>haproxy</name>
 <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
- <descr><![CDATA[The Reliable, High Performance HTTP Load Balancer<br>
- This package implements HTTP balance features from Haproxy.]]></descr>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer<br />
+ This package implements both TCP and HTTP balance features from Haproxy.<br />
+ Supports acl's for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.4.21 pkg v 1.2</version>
+ <version>1.4.24 pkg v 1.2.3</version>
 <status>Release</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-1.4.21-i386.pbi</depends_on_package_pbi>
+ <depends_on_package>haproxy-1.4.24.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-1.4.24-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/haproxy</build_port_path>
 </package>
 <package>
 <name>haproxy-full</name>
 <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
- <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer<br>
- This package implements both TCP and HTTP balance features from Haproxy.]]></descr>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer<br />
+ This package implements both TCP and HTTP balance features from Haproxy.<br />
+ (Legacy version)]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.4.21 pkg v 1.0</version>
+ <version>1.4.23 pkg v 1.0</version>
 <status>Release</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package>haproxy-1.4.24.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-1.4.24-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <name>haproxy-devel</name>
+ <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP(s) Load Balancer<br />
+ This package implements TCP, HTTP and HTTPS balance features from Haproxy.<br />
+ Supports acl's for smart backend switching.]]></descr>
+ <website>http://haproxy.1wt.eu/</website>
+ <category>Services</category>
+ <version>1.5-dev19 pkg v 0.3</version>
+ <status>Release</status>
+ <required_version>2.1</required_version>
+ <config_file>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.xml</config_file>
+ <configurationfile>haproxy.xml</configurationfile>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-1.4.21-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>haproxy-devel-1.5-dev19-i386.pbi</depends_on_package_pbi>
+ <build_port_path>/usr/ports/net/haproxy-devel</build_port_path>
+ <build_pbi>
+ <ports_before>security/openssl</ports_before>
+ <custom_name>haproxy-devel</custom_name>
+ <port>/usr/ports/net/haproxy-devel</port>
+ </build_pbi>
+ <build_options>WITH_OPENSSL_PORT=yes;OPTIONS_UNSET=PCRE DPCRE;OPTIONS_SET=OPENSSL SPCRE</build_options>
 </package>
 <package>
 <name>Apache with mod_security-dev</name>
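Review bot: The new haproxy-devel entry inherits the unchanged context line `<depends_on_package>haproxy-1.4.21.tbz</depends_on_package>` right next to `<depends_on_package_pbi>haproxy-devel-1.5-dev19-i386.pbi</depends_on_package_pbi>`, so the non-PBI dependency names a 1.4.21 binary while `<version>` reports 1.5-dev19; if installs on the required 2.1 only ever use the PBI this line is dead and should go, otherwise it needs a matching 1.5-dev19 tbz. In the same hunk haproxy-full is bumped to `<version>1.4.23 pkg v 1.0</version>` but its new dependencies are `haproxy-1.4.24.tbz` and `haproxy-1.4.24-i386.pbi`, which looks like one of the two numbers was mistyped. These fields are presumably what the installer uses to choose the archive, so a mismatch here means the GUI reports a different haproxy than the one actually installed, which matters when tracking advisories against the running version.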
@@ -218,7 +231,7 @@
 <port>www/apache22-worker-mpm</port>
 <ports_after>www/mod_security www/mod_memcache</ports_after>
 </build_pbi>
- <build_options>WITH_MPM=worker WITH_THREADS=yes WITHOUT_MYSQL=yes WITHOUT_PGSQL=yes WITH_SQLITE=yes WITH_IPV6=yes WITHOUT_BDB=yes WITH_AUTH_BASIC=yes WITH_AUTH_DIGEST=yes WITH_AUTHN_FILE=yes WITHOUT_AUTHN_DBD=yes WITH_AUTHN_DBM=yes WITH_AUTHN_ANON=yes WITH_AUTHN_DEFAULT=yes WITH_AUTHN_ALIAS=yes WITH_AUTHZ_HOST=yes WITH_AUTHZ_GROUPFILE=yes WITH_AUTHZ_USER=yes WITH_AUTHZ_DBM=yes WITH_AUTHZ_OWNER=yes WITH_AUTHZ_DEFAULT=yes WITH_CACHE=yes WITH_DISK_CACHE=yes WITH_FILE_CACHE=yes WITH_MEM_CACHE=yes WITH_DAV=yes WITH_DAV_FS=yes WITHOUT_BUCKETEER=yes WITHOUT_CASE_FILTER=yes WITHOUT_CASE_FILTER_IN=yes WITHOUT_EXT_FILTER=yes WITHOUT_LOG_FORENSIC=yes WITHOUT_OPTIONAL_HOOK_EXPORT=yes WITHOUT_OPTIONAL_HOOK_IMPORT=yes WITHOUT_OPTIONAL_FN_IMPORT=yes WITHOUT_OPTIONAL_FN_EXPORT=yes WITHOUT_LDAP=yes WITHOUT_AUTHNZ_LDAP=yes WITH_ACTIONS=yes WITH_ALIAS=yes WITH_ASIS=yes WITH_AUTOINDEX=yes WITH_CERN_META=yes WITH_CGI=yes WITH_CHARSET_LITE=yes WITHOUT_DBD=yes WITH_DEFLATE=yes WITH_DIR=yes WITH_DUMPIO=yes WITH_ENV=yes WITH_EXPIRES=yes WITH_HEADERS=yes WITH_IMAGEMAP=yes WITH_INCLUDE=yes WITH_INFO=yes WITH_LOG_CONFIG=yes WITH_LOGIO=yes WITH_MIME=yes WITH_MIME_MAGIC=yes WITH_NEGOTIATION=yes WITH_REWRITE=yes WITH_SETENVIF=yes WITH_SPELING=yes WITH_STATUS=yes WITH_UNIQUE_ID=yes WITH_USERDIR=yes WITH_USERTRACK=yes WITH_VHOST_ALIAS=yes WITH_FILTER=yes WITHOUT_SUBSTITUTE=yes WITH_VERSION=yes WITH_PROXY=yes WITH_PROXY_CONNECT=yes WITH_PROXY_FTP=yes WITH_PROXY_HTTP=yes WITH_PROXY_AJP=yes WITH_PROXY_BALANCER=yes WITH_PROXY_SCGI=yes WITH_SSL=yes WITHOUT_SUEXEC=yes WITHOUT_SUEXEC_RSRCLIMIT=yes WITH_REQTIMEOUT=yes WITHOUT_CGID=yes</build_options>
+ <build_options>OPTIONS_UNSET=BDB MYSQL PGSQL;OPTIONS_SET=SQLITE THREADS IPV6 SSL;WITH_MPM=worker;apache22-worker-mpm_UNSET=AUTHNZ_LDAP AUTHN_DBD BUCKETEER CASE_FILTER CASE_FILTER_IN CGID DBD EXT_FILTER LDAP LOG_FORENSIC 
OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT OPTIONAL_HOOK_IMPORT SUBSTITUTE SUEXEC SUEXEC_RSRCLIMIT;apache22-worker-mpm_SET=ACTIONS ALIAS AUTHN_ALIAS VHOST_ALIAS ASIS AUTHN_ANON AUTHN_DBM AUTHN_DEFAULT AUTHN_FILE AUTHZ_DBM AUTHZ_DEFAULT AUTHZ_GROUPFILE AUTHZ_HOST AUTHZ_OWNER AUTHZ_USER AUTH_BASIC AUTH_DIGEST AUTOINDEX CACHE DISK_CACHE FILE_CACHE MEM_CACHE CERN_META CGI CHARSET_LITE DAV DAV_FS DEFLATE DIR DUMPIO ENV EXPIRES FILTER HEADERS IMAGEMAP INCLUDE INFO LOGIO LOG_CONFIG MIME MIME_MAGIC NEGOTIATION PROXY PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_FTP PROXY_HTTP PROXY_SCGI REQTIMEOUT REWRITE SETENVIF SPELING STATUS THREADS UNIQUE_ID USERDIR USERTRACK VERSION</build_options>
 <after_install_info>Please visit the ProxyServer settings tab and set the service up so that it may be started.</after_install_info>
 </package>
 <package>
@@ -238,7 +251,7 @@
 <depends_on_package>ap22-mod_memcache-0.1.0_4.tbz</depends_on_package>
 <depends_on_package>apache-2.2.22_5.tbz</depends_on_package>
 <depends_on_package>ap22-mod_security-2.6.5_1.tbz</depends_on_package>
- <depends_on_package_pbi>proxy_mod_security-2.2.22_6-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>proxy_mod_security-2.2.23_3-i386.pbi</depends_on_package_pbi>
 <configurationfile>apache_mod_security.xml</configurationfile>
 <build_port_path>/usr/ports/devel/gettext</build_port_path>
 <build_port_path>/usr/ports/misc/help2man</build_port_path>
@@ -264,7 +277,7 @@
 <port>www/apache22-worker-mpm</port>
 <ports_after>www/mod_security www/mod_memcache</ports_after>
 </build_pbi>
- <build_options>WITH_MPM=worker WITH_THREADS=yes WITHOUT_MYSQL=yes WITHOUT_PGSQL=yes WITH_SQLITE=yes WITH_IPV6=yes WITHOUT_BDB=yes WITH_AUTH_BASIC=yes WITH_AUTH_DIGEST=yes WITH_AUTHN_FILE=yes WITHOUT_AUTHN_DBD=yes WITH_AUTHN_DBM=yes WITH_AUTHN_ANON=yes WITH_AUTHN_DEFAULT=yes WITH_AUTHN_ALIAS=yes WITH_AUTHZ_HOST=yes WITH_AUTHZ_GROUPFILE=yes WITH_AUTHZ_USER=yes WITH_AUTHZ_DBM=yes WITH_AUTHZ_OWNER=yes WITH_AUTHZ_DEFAULT=yes WITH_CACHE=yes WITH_DISK_CACHE=yes WITH_FILE_CACHE=yes WITH_MEM_CACHE=yes WITH_DAV=yes WITH_DAV_FS=yes WITHOUT_BUCKETEER=yes WITHOUT_CASE_FILTER=yes WITHOUT_CASE_FILTER_IN=yes WITHOUT_EXT_FILTER=yes WITHOUT_LOG_FORENSIC=yes WITHOUT_OPTIONAL_HOOK_EXPORT=yes WITHOUT_OPTIONAL_HOOK_IMPORT=yes WITHOUT_OPTIONAL_FN_IMPORT=yes WITHOUT_OPTIONAL_FN_EXPORT=yes WITHOUT_LDAP=yes WITHOUT_AUTHNZ_LDAP=yes WITH_ACTIONS=yes WITH_ALIAS=yes WITH_ASIS=yes WITH_AUTOINDEX=yes WITH_CERN_META=yes WITH_CGI=yes WITH_CHARSET_LITE=yes WITHOUT_DBD=yes WITH_DEFLATE=yes WITH_DIR=yes WITH_DUMPIO=yes WITH_ENV=yes WITH_EXPIRES=yes WITH_HEADERS=yes WITH_IMAGEMAP=yes WITH_INCLUDE=yes WITH_INFO=yes WITH_LOG_CONFIG=yes WITH_LOGIO=yes WITH_MIME=yes WITH_MIME_MAGIC=yes WITH_NEGOTIATION=yes WITH_REWRITE=yes WITH_SETENVIF=yes WITH_SPELING=yes WITH_STATUS=yes WITH_UNIQUE_ID=yes WITH_USERDIR=yes WITH_USERTRACK=yes WITH_VHOST_ALIAS=yes WITH_FILTER=yes WITHOUT_SUBSTITUTE=yes WITH_VERSION=yes WITH_PROXY=yes WITH_PROXY_CONNECT=yes WITH_PROXY_FTP=yes WITH_PROXY_HTTP=yes WITH_PROXY_AJP=yes WITH_PROXY_BALANCER=yes WITH_PROXY_SCGI=yes WITH_SSL=yes WITHOUT_SUEXEC=yes WITHOUT_SUEXEC_RSRCLIMIT=yes WITH_REQTIMEOUT=yes WITHOUT_CGID=yes</build_options>
+ <build_options>OPTIONS_UNSET=BDB MYSQL PGSQL;OPTIONS_SET=SQLITE THREADS IPV6 SSL;WITH_MPM=worker;apache22-worker-mpm_UNSET=AUTHNZ_LDAP AUTHN_DBD BUCKETEER CASE_FILTER CASE_FILTER_IN CGID DBD EXT_FILTER LDAP LOG_FORENSIC 
OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT OPTIONAL_HOOK_IMPORT SUBSTITUTE SUEXEC SUEXEC_RSRCLIMIT;apache22-worker-mpm_SET=ACTIONS ALIAS AUTHN_ALIAS VHOST_ALIAS ASIS AUTHN_ANON AUTHN_DBM AUTHN_DEFAULT AUTHN_FILE AUTHZ_DBM AUTHZ_DEFAULT AUTHZ_GROUPFILE AUTHZ_HOST AUTHZ_OWNER AUTHZ_USER AUTH_BASIC AUTH_DIGEST AUTOINDEX CACHE DISK_CACHE FILE_CACHE MEM_CACHE CERN_META CGI CHARSET_LITE DAV DAV_FS DEFLATE DIR DUMPIO ENV EXPIRES FILTER HEADERS IMAGEMAP INCLUDE INFO LOGIO LOG_CONFIG MIME MIME_MAGIC NEGOTIATION PROXY PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_FTP PROXY_HTTP PROXY_SCGI REQTIMEOUT REWRITE SETENVIF SPELING STATUS THREADS UNIQUE_ID USERDIR USERTRACK VERSION</build_options>
 <after_install_info>Please visit the ProxyServer settings tab and set the service up so that it may be started.</after_install_info>
 </package>
 <package>
@@ -315,15 +328,15 @@
 <descr>ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.</descr>
 <category>Network Management</category>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>ntop-4.1.0_5-i386.pbi</depends_on_package_pbi>
- <depends_on_package>rrdtool-1.2.30_1.tbz</depends_on_package>
+ <depends_on_package_pbi>ntop-5.0.1-i386.pbi</depends_on_package_pbi>
+ <depends_on_package>rrdtool-1.2.30_2.tbz</depends_on_package>
 <depends_on_package>gdbm-1.9.1.tbz</depends_on_package>
- <depends_on_package>perl-5.12.4_4.tbz</depends_on_package>
- <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package>
- <depends_on_package>GeoIP-1.4.8_1.tbz</depends_on_package>
+ <depends_on_package>perl-5.14.2_2.tbz</depends_on_package>
+ <depends_on_package>libpcap-1.3.0.tbz</depends_on_package>
+ <depends_on_package>GeoIP-1.4.8_3.tbz</depends_on_package>
 <depends_on_package>font-util-1.2.0.tbz</depends_on_package>
 <depends_on_package>webfonts-0.30_6.tbz</depends_on_package>
- <depends_on_package>ntop-4.1.0_3.tbz</depends_on_package>
+ <depends_on_package>ntop-5.0.1.tbz</depends_on_package>
 <build_port_path>/usr/ports/net/GeoIP</build_port_path>
 <build_port_path>/usr/ports/databases/gdbm</build_port_path>
 <build_port_path>/usr/ports/databases/rrdtool12</build_port_path>
@@ -335,8 +348,8 @@
 <ports_before>databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz</ports_before>
 <port>net/ntop</port>
 </build_pbi>
- <build_options>WITH_PCAP_PORT=true WITH_XMLDUMP=true WITHOUT_JUMBO_FRAMES=true WITH_MAKO=true WITHOUT_DEJAVU=true WITH_JSON=true WITH_MMAP=true WITHOUT_PERL_MODULE=true WITHOUT_PYTHON_MODULE=true WITHOUT_RUBY_MODULE=true WITHOUT_EXAMPLES=true WITHOUT_FPECTL=true WITH_IPV6=true WITH_NLS=true WITHOUT_PTH=true WITH_PYMALLOC=true WITHOUT_SEM=true WITH_THREADS=true WITHOUT_UCS2=true WITH_UCS4=true WITH_FONTCONFIG=true WITH_ICONV=true WITHOUT_XPM=true WITHOUT_DAG=true WITHOUT_DIGCOLA=true WITHOUT_IPSEPCOLA=true WITHOUT_PANGOCAIRO=true WITHOUT_GTK=true WITHOUT_XCB=true</build_options>
- <version>4.1.0_3 v2.3</version>
+ <build_options>WITH_PCAP_PORT=true;WITH_XMLDUMP=true;WITHOUT_JUMBO_FRAMES=true;WITH_MAKO=true;WITHOUT_DEJAVU=true;WITH_JSON=true;WITH_MMAP=true;WITHOUT_PERL_MODULE=true;WITHOUT_PYTHON_MODULE=true;WITHOUT_RUBY_MODULE=true;WITHOUT_EXAMPLES=true;WITHOUT_FPECTL=true;WITH_IPV6=true;WITH_NLS=true;WITHOUT_PTH=true;WITH_PYMALLOC=true;WITHOUT_SEM=true;WITH_THREADS=true;WITHOUT_UCS2=true;WITH_UCS4=true;WITH_FONTCONFIG=true;WITH_ICONV=true;WITHOUT_XPM=true;WITHOUT_DAG=true;WITHOUT_DIGCOLA=true;WITHOUT_IPSEPCOLA=true;WITHOUT_PANGOCAIRO=true;WITHOUT_GTK=true;WITHOUT_XCB=true</build_options>
+ <version>5.0.1 v2.3</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/ntop2/ntop.xml</config_file>
@@ -362,6 +375,7 @@
 </package>
 <package>
 <name>FreeSWITCH Dev</name>
+ <internal_name>FreeSWITCH</internal_name>
 <website>http://www.freeswitch.org/</website>
 <descr>FreeSWITCH package development version.</descr>
 <category>Services</category>
@@ -439,7 +453,7 @@
 <pkginfolink></pkginfolink>
 <config_file>http://www.pfsense.com/packages/config/cron/cron.xml</config_file>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <version>0.1.5</version>
+ <version>0.1.7</version>
 <status>Beta</status>
 <required_version>1.2</required_version>
 <maintainer>markjcrane@gmail.com</maintainer>
@@ -466,69 +480,35 @@ <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr> <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> + <depends_on_package>mysql-client-5.5.30.tbz</depends_on_package> + <depends_on_package>barnyard2-1.12.tbz</depends_on_package> + <depends_on_package>libnet11-1.1.6,1.tbz</depends_on_package> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package_pbi>snort-2.9.2.3-i386.pbi</depends_on_package_pbi> + <depends_on_package>libpcap-1.3.0.tbz</depends_on_package> + <depends_on_package>daq-2.0.0.tbz</depends_on_package> + <depends_on_package>snort-2.9.4.6.tbz</depends_on_package> + <depends_on_package_pbi>snort-2.9.4.6-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/devel/pcre</build_port_path> <build_port_path>/usr/ports/net/daq</build_port_path> <build_port_path>/usr/ports/net/libnet</build_port_path> + <build_port_path>/usr/ports/net/libpcap</build_port_path> <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> + <build_port_path>/usr/ports/databases/mysql55-client</build_port_path> <build_port_path>/usr/ports/security/snort</build_port_path> <build_pbi> <port>security/snort</port> <ports_after>security/barnyard2</ports_after> </build_pbi> - <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true 
WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options> + <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. --> + <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=REACT;snort_SET=TARGETBASED PERFPROFILE DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITH_TARGETBASED=true;WITH_PERFPROFILE=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITHOUT_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options> <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> - <version>2.9.2.3 pkg v. 2.5.2</version> + <version>2.9.4.6 pkg v. 2.5.9</version> <required_version>2.0</required_version> <status>Stable</status> <configurationfile>/snort.xml</configurationfile> <after_install_info>Please visit the Snort settings tab and enter your oinkid code. 
Afterwards visit the update rules tab to download the snort rules.</after_install_info> </package> <package> - <name>snort-dev</name> - <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> - <website>http://www.snort.org</website> - <descr>Snort-dev is a development branch.</descr> - <category>Security</category> - <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>snort-2.9.2.3-i386.pbi</depends_on_package_pbi> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> - <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package>perl-threaded-5.12.4_4.tbz</depends_on_package> - <build_port_path>/usr/ports/devel/pcre</build_port_path> - <build_port_path>/usr/ports/net/daq</build_port_path> - <build_port_path>/usr/ports/net/libnet</build_port_path> - <build_port_path>/usr/ports/lang/perl5.12</build_port_path> - <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> - <build_port_path>/usr/ports/security/snort</build_port_path> - <build_pbi> - <custom_name>snort-dev</custom_name> - <port>security/snort</port> - <ports_after>security/barnyard2</ports_after> - </build_pbi> - <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options> - 
<config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file> - <version>2.9.2.3 pkg v. 3.0</version> - <required_version>2.0</required_version> - <status>Stable</status> - <configurationfile>/snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> - </package> - <package> <name>olsrd</name> <website>http://www.olsr.org/</website> <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr> @@ -544,6 +524,17 @@ <configurationfile>olsrd.xml</configurationfile> </package> <package> + <name>routed</name> + <website>http://www.pfsense.com/</website> + <descr>RIP v1 and v2 daemon.</descr> + <category>Network Management</category> + <config_file>http://www.pfsense.com/packages/config/routed/routed.xml</config_file> + <version>1.1</version> + <status>Stable</status> + <required_version>2.1</required_version> + <configurationfile>routed.xml</configurationfile> + </package> + <package> <name>spamd</name> <website>http://www.openbsd.org/spamd/</website> <descr>Tarpits like spamd are fake SMTP servers, which accept connections but don't deliver mail. Instead, they keep the connections open and reply very slowly. If the peer is patient enough to actually complete the SMTP dialogue (which will take ten minutes or more), the tarpit returns a 'temporary error' code (4xx), which indicates that the mail could not be delivered successfully and that the sender should keep the mail in their queue and retry again later.</descr> 
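Review bot: The legacy-style tail of the new `<build_options>` string drops `WITH_MYSQL=true` and `WITH_SNORTSAM=true`, even though the comment added just before it says the snort port still reads the old-style knobs and the `mysql-client-5.5.30.tbz` dependency is kept a few lines up. If building snort itself without MySQL/SnortSam output is intended, record that next to the existing comment (for example `<!-- MySQL output is built into barnyard2 only; snort no longer links mysql -->`, adjusted to whatever is actually true); otherwise add the two knobs back so the PBI keeps the outputs the package expects. The `perl_SET=THREADS` prefix is also worth checking against the perl port's real options name, since every other optionsng entry in this file keys on the port directory's basename.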
@@ -565,68 +556,72 @@ <package> <name>Postfix Forwarder</name> <website>http://www.postfix.org/</website> - <descr><![CDATA[Postfix mail forwarder acts as a relay server for your domain.<br> - It can do first and second line antispam combat before sending incoming mail to local mail servers.<br> + <descr><![CDATA[Postfix mail forwarder acts as a relay server for your domain.<br /> + It can do first and second line antispam combat before sending incoming mail to local mail servers.<br /> Postfix can also detect zombies, check RBLS, SPF, seach ldap for valid recipients and use third part antispam engines like policyd and mailscanner for better antispam solution.]]></descr> <category>Services</category> <pkginfolink>http://forum.pfsense.org/index.php/topic,40622.0.html</pkginfolink> <config_file>http://www.pfsense.com/packages/config/postfix/postfix.xml</config_file> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>postfix-2.8.7,1.tbz</depends_on_package> + <depends_on_package>postfix-2.10.0,1.tbz</depends_on_package> <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> - <depends_on_package_pbi>postfix-2.9.4-i386.pbi</depends_on_package_pbi> - <version>2.8.7,1 pkg v.2.3.4_1</version> + <depends_on_package_pbi>postfix-2.10.0-i386.pbi</depends_on_package_pbi> + <version>2.10.0 pkg v.2.3.5</version> <status>RC1</status> <required_version>2.0</required_version> <configurationfile>postfix.xml</configurationfile> <build_port_path>/usr/ports/mail/postfix</build_port_path> - <build_options>WITH_PCRE=true WITH_SPF=true WITH_SASL2=true WITH_TLS=true</build_options> + <build_options>WITH_PCRE=true;WITH_SPF=true;WITH_SASL2=true;WITH_TLS=true</build_options> </package> <package> <name>Dansguardian</name> <website>http://www.dansguardian.org/</website> - <descr><![CDATA[DansGuardian is an award winning Open Source web content filter.<br> - It filters the actual content of pages based on many methods 
including phrase matching, PICS filtering and URL filtering.<br> - It does not purely filter based on a banned list of sites like lesser totally commercial filters.<br> - For all non-commercial it's free, without cost.<br> + <descr><![CDATA[DansGuardian is an award winning Open Source web content filter.<br /> + It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering.<br /> + It does not purely filter based on a banned list of sites like lesser totally commercial filters.<br /> + For all non-commercial it's free, without cost.<br /> For all commercial use visit dansguardian website to get a licence.]]></descr> <category>Services</category> <config_file>http://www.pfsense.com/packages/config/dansguardian/dansguardian.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,43786.0.html</pkginfolink> - <depends_on_package_base_url>http://e-sac.siteseguro.ws/packages/8/All/</depends_on_package_base_url> - <depends_on_package>dansguardian-2.12.0.0.tbz</depends_on_package> - <depends_on_package>clamav-0.97.3_1.tbz</depends_on_package> - <depends_on_package>ca_root_nss-3.13.3.tbz</depends_on_package> - <depends_on_package_pbi>dansguardian-2.12.0.0_1-i386.pbi</depends_on_package_pbi> - <version>2.12.0.0 pkg v.0.1.6_1</version> + <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> + <depends_on_package>dansguardian-2.12.0.3.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> + <depends_on_package_pbi>dansguardian-2.12.0.3-i386.pbi</depends_on_package_pbi> + <version>2.12.0.3 pkg v.0.1.8</version> <status>beta</status> <required_version>2.0</required_version> <configurationfile>dansguardian.xml</configurationfile> <build_port_path>/usr/ports/www/dansguardian-devel</build_port_path> - <build_options>WITHOUT_APACHE=true WITH_TRICKLE=true WITH_CLAMD=true WITH_ICAP=true WITH_NTLM=true WITH_SSL=true</build_options> 
+ <build_port_path>/usr/ports/security/ca_root_nss</build_port_path> + <build_options>dansguardian-devel_UNSET=APACHE;dansguardian-devel_SET=TRICKLE CLAMD ICAP NTLM SSL</build_options> <!-- NOTE: Distfile must be fetched manually from http://dansguardian.org/downloads/2/Alpha/dansguardian-2.12.0.0.tar.gz --> </package> <package> - <name>mailscanner-dev</name> + <name>mailscanner</name> + <internal_name>mailscanner</internal_name> <website>www.mailscanner.info</website> - <descr><![CDATA[MailScanner is an e-mail security and anti-spam package for e-mail gateway systems.<br> + <descr><![CDATA[MailScanner is an e-mail security and anti-spam package for e-mail gateway systems.<br /> This is a level3 mail scanning tool with high CPU load.]]></descr> <category>Services</category> <config_file>http://www.pfsense.com/packages/config/mailscanner/mailscanner.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,43687.0.html</pkginfolink> <depends_on_package_base_url>http://e-sac.siteseguro.ws/pfsense/8/All/</depends_on_package_base_url> - <depends_on_package>MailScanner-4.83.5.tbz</depends_on_package> + <depends_on_package>MailScanner-4.84.5_3.tbz</depends_on_package> <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> - <depends_on_package>pyzor-0.5.0_1.tbz</depends_on_package> + <depends_on_package>pyzor-0.5.0_2.tbz</depends_on_package> <depends_on_package>p5-Mail-SPF-2.007.tbz</depends_on_package> <depends_on_package>p5-IP-Country-2.27.tbz</depends_on_package> <depends_on_package_pbi>mailscanner-4.84.5_3-i386.pbi</depends_on_package_pbi> - <version>4.83.5 pkg v.0.2.1</version> + <version>4.84.5_3 pkg v.0.2.2</version> <status>beta</status> <required_version>2.0</required_version> <configurationfile>mailscanner.xml</configurationfile> <build_port_path>/usr/ports/mail/mailscanner</build_port_path> - <build_options></build_options> + <build_port_path>/usr/ports/mail/p5-Mail-SPF</build_port_path> + 
<build_port_path>/usr/ports/mail/pyzor</build_port_path> + <build_port_path>/usr/ports/net/p5-IP-Country</build_port_path> + <build_options>mailscanner_UNSET=BDC CLAMAVMODULE;mailscanner_SET=SPAMASSASSIN CLAMAV</build_options> </package> <package> <name>siproxd</name> @@ -646,18 +641,21 @@ </package> <package> <name>OpenBGPD</name> - <descr>OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.</descr> + <descr>OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol. -- WARNING! Installs files to the same place as Quagga OSPF. Installing both will result in a broken state, remove this package before installing Quagga OSPF.</descr> <category>NET</category> <config_file>http://www.pfsense.com/packages/config/openbgpd/openbgpd.xml</config_file> <build_port_path>/usr/ports/net/openbgpd</build_port_path> - <version>0.5.6</version> + <build_pbi> + <port>net/openbgpd</port> + </build_pbi> + <version>0.9</version> <status>STABLE</status> <pkginfolink>http://doc.pfsense.org/index.php/OpenBGPD_package</pkginfolink> <required_version>1.3</required_version> <configurationfile>openbgpd.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>openbgpd-4.9.20110612_1.tbz</depends_on_package> - <depends_on_package_pbi>openbgpd-4.9.20110612_1-i386.pbi</depends_on_package_pbi> + <depends_on_package>openbgpd-5.2.20121209.tbz</depends_on_package> + <depends_on_package_pbi>openbgpd-5.2.20121209-i386.pbi</depends_on_package_pbi> </package> <package> <name>OpenOSPFD</name> 
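Review bot: The `<!-- NOTE: Distfile must be fetched manually from .../dansguardian-2.12.0.0.tar.gz -->` comment now disagrees with the `dansguardian-2.12.0.3` dependency and version bumped on the lines above it; update the tarball name in the comment to the release actually being built, or remove the note if the distfile is fetchable again. In the same package the `clamav-0.97.3_1.tbz` dependency is removed while `CLAMD` stays in `dansguardian-devel_SET`, so the build still links the clamd client but the installed package no longer pulls in a scanner; if that is deliberate, a one-line comment beside the build options would save the next reader the same question. The mailscanner entry also still fetches its binaries from `http://e-sac.siteseguro.ws/...` over plain HTTP while dansguardian was moved to `files.pfsense.org` in this hunk; moving it as well would keep all package sources on the project-controlled host.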
@@ -690,15 +688,14 @@ <maintainer>dv_serg@mail.ru</maintainer> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>lightsquid-1.8_2.tbz</depends_on_package> - <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> <depends_on_package_pbi>lightsquid-1.8_2-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/lightsquid</build_port_path> - <build_port_path>/usr/ports/lang/perl5.12</build_port_path> <build_pbi> - <ports_before>lang/perl5.12</ports_before> + <ports_before>lang/perl5.14 graphics/gd graphics/p5-GD</ports_before> <port>www/lightsquid</port> </build_pbi> - <build_options>WITHOUT_DEBUGGING=true WITHOUT_GDBM=true WITHOUT_PERL_MALLOC=true WITH_PERL_64BITINT=true WITHOUT_THREADS=true WITHOUT_MULTIPLICITY=true WITHOUT_SUIDPERL=true WITHOUT_SITECUSTOMIZE=true WITH_USE_PERL=true</build_options> + <build_options>WITHOUT_DEBUGGING=true;WITHOUT_GDBM=true;WITHOUT_PERL_MALLOC=true;WITH_PERL_64BITINT=true;WITHOUT_THREADS=true;WITHOUT_MULTIPLICITY=true;WITHOUT_SUIDPERL=true;WITHOUT_SITECUSTOMIZE=true;WITH_USE_PERL=true;WITH_GDSUPPORT=true</build_options> <status>RC1</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/lightsquid/lightsquid.xml</config_file> 
@@ -709,28 +706,29 @@ <package> <name>Sarg</name> <website>http://www.dansguardian.org/</website> - <descr><![CDATA[Sarg - Squid Analysis Report Generator is a tool that allow you to view "where" your users are going to on the Internet.<br> + <descr><![CDATA[Sarg - Squid Analysis Report Generator is a tool that allow you to view "where" your users are going to on the Internet.<br /> Sarg provides many informations about Proxy(squid,squidguard or dansguardian) users activities: times, bytes, sites, etc...]]></descr> <category>Network Report</category> <config_file>http://www.pfsense.com/packages/config/sarg/sarg.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,47765.0.html</pkginfolink> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>sarg-2.3.2_2.tbz</depends_on_package> - <depends_on_package>gd-2.0.35_7,1.tbz</depends_on_package> - <depends_on_package_pbi>sarg-2.3.2_5-i386.pbi</depends_on_package_pbi> - <version>2.3.2 pkg v.0.6.1</version> - <status>RC2</status> + <depends_on_package>sarg-2.3.6.tbz</depends_on_package> + <depends_on_package>gd-2.0.35_8,1.tbz</depends_on_package> + <depends_on_package_pbi>sarg-2.3.6-i386.pbi</depends_on_package_pbi> + <version>2.3.6 pkg v.0.6.1</version> + <status>Release</status> <required_version>2.0</required_version> <configurationfile>sarg.xml</configurationfile> <build_port_path>/usr/ports/www/sarg</build_port_path> - <build_options>WITHOUT_GD=false WITHOUT_PHP=true</build_options> + <build_options>sarg_UNSET=GD PHP</build_options> <after_install_info>Please visit sarg settings on Status Menu to configure sarg.</after_install_info> </package> <package> <name>Ipguard-dev</name> + <internal_name>ipguard</internal_name> <website>http://ipguard.deep.perm.ru/</website> - <descr><![CDATA[Ipguard listens network for ARP packets. 
All permitted MAC-IP pairs listed in config files.<br> - If it recieves one with MAC-IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address.<br> + <descr><![CDATA[Ipguard listens network for ARP packets. All permitted MAC-IP pairs listed in config files.<br /> + If it receives one with MAC-IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address.<br /> This will prevent not permitted host to work properly in local ethernet segment.]]></descr> <category>Security</category> <config_file>http://www.pfsense.com/packages/config/ipguard/ipguard.xml</config_file> @@ -743,11 +741,11 @@ <required_version>2.0</required_version> <configurationfile>ipguard.xml</configurationfile> <build_port_path>/usr/ports/security/ipguard</build_port_path> - <after_install_info>Please visit ipguard settings on Services Menu to configure.</after_install_info> + <after_install_info>Please visit ipguard settings on the Firewall Menu to configure.</after_install_info> </package> <package> <name>Varnish</name> - <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br> + <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br /> It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.]]></descr> <website>http://varnish-cache.org</website> <pkginfolink>http://doc.pfsense.org/index.php/Varnish_package</pkginfolink> 
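Review bot: `sarg_UNSET=GD PHP` turns the GD option off, yet the Sarg package still lists `gd-2.0.35_8,1.tbz` as a dependency, bumped in this same hunk. The previous `WITHOUT_GD=false WITHOUT_PHP=true` was itself ambiguous about GD, so this is the moment to decide explicitly: if graph output is wanted, use `sarg_SET=GD` with `sarg_UNSET=PHP`; if not, drop the gd dependency so the binary package does not ship an unused library.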
@@ -758,7 +756,7 @@ <config_file>http://www.pfsense.com/packages/config/varnish64/varnish_backends.xml</config_file> <configurationfile>varnish_backends.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>varnish-2.1.5_1-i386.pbi gcc-4.2.5.20090325_5-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>varnish-2.1.5_2-i386.pbi gcc-4.2.5.20090325_5-i386.pbi</depends_on_package_pbi> <depends_on_package>varnish-2.1.5.tbz</depends_on_package> <depends_on_package>gcc-4.2.5.20090325_5.tbz</depends_on_package> <build_port_path>/usr/ports/www/varnish2</build_port_path> @@ -766,8 +764,9 @@ </package> <package> <name>Varnish3</name> - <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br> - It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.<br> + <internal_name>varnish</internal_name> + <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br /> + It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.<br /> Version 3.0.2 includes streaming support]]></descr> <website>http://varnish-cache.org</website> <pkginfolink>http://doc.pfsense.org/index.php/Varnish_package</pkginfolink> @@ -778,7 +777,7 @@ <config_file>http://www.pfsense.com/packages/config/varnish3/varnish_backends.xml</config_file> <configurationfile>varnish_backends.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>gcc-4.2.5.20090325_5-i386.pbi varnish-3.0.2_1-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>gcc-4.2.5.20090325_5-i386.pbi varnish-3.0.3_2-i386.pbi</depends_on_package_pbi> <depends_on_package>varnish-3.0.2.tbz</depends_on_package> <depends_on_package>pcre-8.21_1.tbz</depends_on_package> <build_port_path>/usr/ports/www/varnish</build_port_path> 
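Review bot: The Varnish3 PBI is bumped to `varnish-3.0.3_2-i386.pbi` while the `.tbz` dependency on the next line stays at `varnish-3.0.2.tbz`, and the description in the previous hunk still reads `Version 3.0.2 includes streaming support`. Either both artifacts should move to 3.0.3 (and the description updated) or the split should be noted, since the two install paths would otherwise ship different upstream versions under a single package entry. The Varnish 2.x entry in this hunk is not affected; there the PBI and tarball differ only in port revision.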
@@ -812,7 +811,7 @@ <required_version>1.0</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>mbmon-205_5.tbz</depends_on_package> - <depends_on_package_pbi>mbmon-205_5-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>mbmon-205_6-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/sysutils/mbmon</build_port_path> <config_file>http://www.pfsense.com/packages/config/phpsysinfo/phpsysinfo.xml</config_file> <configurationfile>phpsysinfo.xml</configurationfile> @@ -823,7 +822,7 @@ <descr>pfSense version of TinyDNS which features failover host support</descr> <website>http://cr.yp.to/djbdns.html</website> <category>Services</category> - <version>1.0.6.17</version> + <version>1.0.6.18</version> <status>Beta</status> <pkginfolink>http://doc.pfsense.org/index.php/Tinydns_package</pkginfolink> <required_version>2.0</required_version> @@ -841,7 +840,7 @@ <ports_before>sysutils/ucspi-tcp sysutils/daemontools</ports_before> <port>dns/djbdns</port> </build_pbi> - <build_options>WITH_IPV6=true WITH_SRV=true WITHOUT_DUMPCACHE=true WITHOUT_IGNOREIP=true WITHOUT_JUMBO=true WITHOUT_MAN=true WITHOUT_PERSISTENT_MMAP=true</build_options> + <build_options>WITH_IPV6=true;WITH_SRV=true;WITHOUT_DUMPCACHE=true;WITHOUT_IGNOREIP=true;WITHOUT_JUMBO=true;WITHOUT_MAN=true;WITHOUT_PERSISTENT_MMAP=true</build_options> <supportedbybsdperimeter>YES</supportedbybsdperimeter> </package> <package> @@ -849,7 +848,7 @@ <descr>VMware Tools</descr> <website>http://open-vm-tools.sourceforge.net/</website> <category>Services</category> - <version>8.7.0.3046 (build-313025)</version> + <version>8.7.0.3046 (build-425873)</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Open_VM_Tools_package</pkginfolink> <required_version>2.0</required_version> 
@@ -857,27 +856,27 @@ <configurationfile>open-vm-tools.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <build_port_path>/usr/ports/emulators/open-vm-tools-nox11/</build_port_path> - <depends_on_package>open-vm-tools-nox11-313025_2.tbz</depends_on_package> - <depends_on_package>icu-4.8.1.1_1.tbz</depends_on_package> + <depends_on_package>open-vm-tools-nox11-425873_3,1.tbz</depends_on_package> + <depends_on_package>icu-50.1.2.tbz</depends_on_package> <build_port_path>/usr/ports/devel/icu</build_port_path> - <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_7.tbz</depends_on_package> + <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_11.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-kmod</build_port_path> - <depends_on_package>fusefs-libs-2.7.4.tbz</depends_on_package> + <depends_on_package>fusefs-libs-2.9.2.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-libs</build_port_path> - <depends_on_package>glib-2.28.8_3.tbz</depends_on_package> + <depends_on_package>glib-2.28.8_5.tbz</depends_on_package> <build_port_path>/usr/ports/devel/glib20</build_port_path> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> <build_port_path>/usr/ports/net/libdnet</build_port_path> - <depends_on_package>libiconv-1.13.1_1.tbz</depends_on_package> + <depends_on_package>libiconv-1.14.tbz</depends_on_package> <build_port_path>/usr/ports/converters/libiconv</build_port_path> - <depends_on_package>pcre-8.21_1.tbz</depends_on_package> + <depends_on_package>pcre-8.32.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pcre</build_port_path> - <depends_on_package>perl-5.12.3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/perl5.12</build_port_path> - <depends_on_package>pkg-config-0.25_1.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> + <build_port_path>/usr/ports/lang/perl5.14</build_port_path> + 
<depends_on_package>pkgconf-0.8.9.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pkg-config</build_port_path> <depends_on_package>python27-2.7.2_3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/python27</build_port_path> + <build_port_path>python27-2.7.3_6.tbz</build_port_path> <build_pbi> <port>emulators/open-vm-tools-nox11</port> </build_pbi> @@ -936,10 +935,10 @@ <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>lua-5.1.5_4.tbz</depends_on_package> - <depends_on_package>nmap-6.01.tbz</depends_on_package> - <depends_on_package_pbi>nmap-6.01-i386.pbi</depends_on_package_pbi> + <depends_on_package>nmap-6.25_1.tbz</depends_on_package> + <depends_on_package_pbi>nmap-6.25_1-i386.pbi</depends_on_package_pbi> <config_file>http://www.pfsense.com/packages/config/nmap/nmap.xml</config_file> - <version>nmap-6.01 pkg v1.2</version> + <version>nmap-6.25_1 pkg v1.2</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Nmap_package</pkginfolink> <required_version>2.0</required_version> @@ -967,6 +966,7 @@ </package> <package> <name>imspector-dev</name> + <internal_name>imspector</internal_name> <descr>IMSpector is an Instant Messenger transparent proxy with logging capabilities. Currently it supports MSN, AIM, ICQ, Yahoo and IRC to different degrees.</descr> <website>http://www.imspector.org/</website> <category>Network Management</category> 
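Review bot: `<build_port_path>python27-2.7.3_6.tbz</build_port_path>` replaces a ports-tree path with a package tarball name, which matches none of the other `build_port_path` values in this file (all `/usr/ports/...`); it looks like the edit was meant for the `depends_on_package` line just above it, which still reads `python27-2.7.2_3.tbz`. The intended pair is probably `<depends_on_package>python27-2.7.3_6.tbz</depends_on_package>` followed by `<build_port_path>/usr/ports/lang/python27</build_port_path>`. The `pkg-config-0.25_1.tbz` to `pkgconf-0.8.9.tbz` change keeps `/usr/ports/devel/pkg-config` as its port path, which is fine only if that port is the wrapper that installs pkgconf; worth confirming while fixing the line above.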
@@ -995,7 +995,7 @@ <configurationfile>nut.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>nut-2.6.4.tbz</depends_on_package> - <depends_on_package_pbi>nut-2.6.4-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>nut-2.6.5_1-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/sysutils/nut</build_port_path> <pkginfolink>http://doc.pfsense.org/index.php/Nut_package</pkginfolink> </package> @@ -1085,19 +1085,19 @@ <package> <name>freeradius2</name> <website>http://www.freeradius.org/</website> - <descr><![CDATA[A free implementation of the RADIUS protocol.<br> - Support: MySQL, PostgreSQL, LDAP, Kerberos<br> - FreeRADIUS and FreeRADIUS2 settings are not compatible so don't use them together or try to update<br> + <descr><![CDATA[A free implementation of the RADIUS protocol.<br /> + Support: MySQL, PostgreSQL, LDAP, Kerberos<br /> + FreeRADIUS and FreeRADIUS2 settings are not compatible so don't use them together or try to update<br /> On pfSense docs there is a how-to which could help you on porting users.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12_1 pkg v1.6.6_4</version> + <version>2.1.12_1/2.2.0 pkg v1.6.7_2</version> <status>RC1</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>freeradius-2.1.12_1.tbz</depends_on_package> - <depends_on_package_pbi>freeradius-2.1.12_1-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>freeradius-2.2.0-i386.pbi</depends_on_package_pbi> <depends_on_package>mysql-client-5.1.63.tbz</depends_on_package> <depends_on_package>postgresql-client-8.4.12.tbz</depends_on_package> <depends_on_package>openldap-sasl-client-2.4.23.tbz</depends_on_package> 
@@ -1109,18 +1109,18 @@ <ports_before>security/krb5</ports_before> <port>net/freeradius2</port> </build_pbi> - <build_options>WITH_KERBEROS=yes WITH_MYSQL=yes WITH_PGSQL=yes WITH_PERL=yes WITH_PYTHON=yes WITH_LDAP=yes</build_options> + <build_options>freeradius_SET=KERBEROS MYSQL PGSQL PERL PYTHON LDAP</build_options> </package> <package> <name>bandwidthd</name> <website>http://bandwidthd.sourceforge.net/</website> <descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr> <category>System</category> - <version>2.0.1.3</version> + <version>2.0.1_5 pkg v.0.1</version> <status>BETA</status> <required_version>1.2.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>bandwidthd-2.0.1_4.tbz</depends_on_package> + <depends_on_package>bandwidthd-2.0.1_5.tbz</depends_on_package> <depends_on_package>libpcap-1.1.1.tbz</depends_on_package> <depends_on_package>postgresql-client-8.4.12.tbz</depends_on_package> <depends_on_package_pbi>bandwidthd-2.0.1_5-i386.pbi</depends_on_package_pbi> 
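Review bot: `freeradius_SET=KERBEROS MYSQL PGSQL PERL PYTHON LDAP` keys the options on `freeradius`, while the `<port>` in this hunk's `<build_pbi>` is `net/freeradius2` and every other optionsng entry in this file uses the port directory's basename (`squid_`, `sarg_`, `mtr_`, `mailscanner_`). If the ports framework derives the variable name from something other than `freeradius` for this port, the whole option set is silently ignored and the PBI is built with defaults, which would drop the MySQL, PostgreSQL and LDAP backends the description promises; confirm the prefix against the port's Makefile (its UNIQUENAME) before relying on it. A short comment such as `<!-- option prefix verified against net/freeradius2 -->` would keep the question from recurring.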
@@ -1133,7 +1133,7 @@ <ports_before>net/libpcap databases/postgresql91-client graphics/gd</ports_before> <port>net-mgmt/bandwidthd</port> </build_pbi> - <build_options>WITH_NLS=true WITHOUT_PAM=true WITHOUT_LDAP=true WITHOUT_MIT_KRB5=true WITHOUT_HEIMDAL_KRB5=true WITHOUT_OPTIMIZED_CFLAGS=true WITHOUT_XML=true WITHOUT_TZDATA=true WITHOUT_DEBUG=true WITHOUT_GSSAPI=true WITHOUT_ICU=true WITH_INTDATE=true</build_options> + <build_options>WITH_NLS=true;WITHOUT_PAM=true;WITHOUT_LDAP=true;WITHOUT_MIT_KRB5=true;WITHOUT_HEIMDAL_KRB5=true;WITHOUT_OPTIMIZED_CFLAGS=true;WITHOUT_XML=true;WITHOUT_TZDATA=true;WITHOUT_DEBUG=true;WITHOUT_GSSAPI=true;WITHOUT_ICU=true;WITH_INTDATE=true</build_options> </package> <package> <name>stunnel</name> @@ -1142,7 +1142,7 @@ <category>Network Management</category> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <depends_on_package>stunnel-4.43.tbz</depends_on_package> - <depends_on_package_pbi>stunnel-4.53-i386.pbi</depends_on_package_pbi> + <depends_on_package_pbi>stunnel-4.54-i386.pbi</depends_on_package_pbi> <version>4.43.0</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Stunnel_package</pkginfolink> @@ -1150,7 +1150,7 @@ <config_file>http://www.pfsense.com/packages/config/stunnel.xml</config_file> <configurationfile>stunnel.xml</configurationfile> <build_port_path>/usr/ports/security/stunnel</build_port_path> - <build_options>WITHOUT_FORK=true WITH_PTHREAD=true WITHOUT_UCONTEXT=true WITHOUT_IPV6=true WITH_LIBWRAP=true WITHOUT_SSL_PORT=true</build_options> + <build_options>WITHOUT_FORK=true;WITH_PTHREAD=true;WITHOUT_UCONTEXT=true;WITHOUT_IPV6=true;WITH_LIBWRAP=true;WITHOUT_SSL_PORT=true</build_options> </package> <package> <name>iperf</name> 
@@ -1198,21 +1198,22 @@
 <config_file>http://www.pfsense.com/packages/config/mtr-nox11.xml</config_file>
 <configurationfile>mtr-nox11.xml</configurationfile>
 <build_port_path>/usr/ports/net/mtr</build_port_path>
+ <build_options>mtr_UNSET=X11</build_options>
 </package>
 <package>
 <name>squid</name>
 <descr>High performance web proxy cache.</descr>
 <website>http://www.squid-cache.org/</website>
 <category>Network</category>
- <version>2.7.9 pkg v.4.3.1</version>
+ <version>2.7.9 pkg v.4.3.3</version>
 <status>Stable</status>
 <required_version>2</required_version>
 <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package>squid-2.7.9_1.tbz</depends_on_package>
+ <depends_on_package>squid-2.7.9_3.tbz</depends_on_package>
 <depends_on_package>squid_radius_auth-1.10.tbz</depends_on_package>
 <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package>
- <depends_on_package_pbi>squid-2.7.9_1-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>squid-2.7.9_3-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/www/squid</build_port_path>
 <build_port_path>/usr/ports/www/squid_radius_auth</build_port_path>
 <build_port_path>/usr/ports/www/libwww</build_port_path>
@@ -1221,19 +1222,20 @@
 <port>www/squid</port>
 <ports_after>www/squid_radius_auth</ports_after>
 </build_pbi>
- <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true SQUID_UID=proxy SQUID_GID=proxy</build_options>
+ <build_options>squid_UNSET=DNS_HELPER IPFILTER PINGER STACKTRACES STRICT_HTTP_DESC USERAGENT_LOG WCCPV2;squid_SET=PF LDAP_AUTH NIS_AUTH SASL_AUTH ARP_ACL AUFS CACHE_DIGESTS CARP COSS DELAY_POOLS FOLLOW_XFF HTCP IDENT KERB_AUTH KQUEUE LARGEFILE REFERER_LOG SNMP SSL VIA_DB WCCP;SQUID_UID=proxy;SQUID_GID=proxy</build_options>
 <config_file>http://www.pfsense.org/packages/config/squid/squid.xml</config_file>
 <configurationfile>squid.xml</configurationfile>
 </package>
 <package>
 <name>squid3</name>
- <descr><![CDATA[High performance web proxy cache.<br>
- It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br>
+ <internal_name>squid</internal_name>
+ <descr><![CDATA[High performance web proxy cache.<br />
+ It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br />
 It includes an Exchange-Web-Access (OWA) Assistant.]]></descr>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
 <website>http://www.squid-cache.org/</website>
 <category>Network</category>
- <version>3.1.20 pkg 
2.0.5_5</version>
+ <version>3.1.20 pkg 2.0.6</version>
 <status>beta</status>
 <required_version>2.0</required_version>
 <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
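Review bot: The new squid `<build_options>` lists `STRICT_HTTP_DESC` in `squid_UNSET`, which looks like the option's description variable rather than the option itself: the removed line disabled `WITHOUT_SQUID_STRICT_HTTP`, and the squid33 lists in the next hunk use the bare name `STRICT_HTTP`. If the builder hands these names to the ports OPTIONS framework as written, STRICT_HTTP would stay at the port default instead of being unset, silently changing what the rebuilt proxy accepts. The same token is repeated in the squidGuard options at L3122, so both should read `STRICT_HTTP`.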
@@ -1245,10 +1247,42 @@
 <port>www/squid31</port>
 <ports_after>www/squid_radius_auth</ports_after>
 </build_pbi>
- <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_IPV6=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_SSL=true WITH_SQUID_SSL_CRTD=true WITH_SQUID_PINGER=true WITH_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITHOUT_SQUID_WCCP=true WITH_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITH_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_IPFW=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITHOUT_SQUID_ECAP=true WITHOUT_SQUID_ICAP=true WITHOUT_SQUID_ESI=true WITH_SQUID_AUFS=true WITHOUT_SQUID_COSS=true WITHOUT_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true WITHOUT_SQUID_DEBUG=true</build_options>
- <config_file>http://www.pfsense.org/packages/config/squid-reverse/squid.xml</config_file>
+ <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options>
+ 
<!--<build_options>WITH_SQUID_KERB_AUTH=true;WITH_SQUID_LDAP_AUTH=true;WITH_SQUID_NIS_AUTH=true;WITH_SQUID_SASL_AUTH=true;WITH_SQUID_IPV6=true;WITH_SQUID_DELAY_POOLS=true;WITH_SQUID_SNMP=true;WITH_SQUID_SSL=true;WITH_SQUID_SSL_CRTD=true;WITH_SQUID_PINGER=true;WITHOUT_SQUID_DNS_HELPER=true;WITH_SQUID_HTCP=true;WITH_SQUID_VIA_DB=true;WITH_SQUID_CACHE_DIGESTS=true;WITHOUT_SQUID_WCCP=true;WITH_SQUID_WCCPV2=true;WITHOUT_SQUID_STRICT_HTTP=true;WITH_SQUID_IDENT=true;WITH_SQUID_REFERER_LOG=true;WITH_SQUID_USERAGENT_LOG=true;WITH_SQUID_ARP_ACL=true;WITH_SQUID_IPFW=true;WITH_SQUID_PF=true;WITHOUT_SQUID_IPFILTER=true;WITH_SQUID_FOLLOW_XFF=true;WITHOUT_SQUID_ECAP=true;WITHOUT_SQUID_ICAP=true;WITHOUT_SQUID_ESI=true;WITH_SQUID_AUFS=true;WITHOUT_SQUID_COSS=true;WITHOUT_SQUID_KQUEUE=true;WITH_SQUID_LARGEFILE=true;WITHOUT_SQUID_STACKTRACES=true;WITHOUT_SQUID_DEBUG=true</build_options>-->
+ <config_file>http://www.pfsense.org/packages/config/squid3/31/squid.xml</config_file>
+ <configurationfile>squid.xml</configurationfile>
+ <depends_on_package_pbi>squid-3.1.22_1-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <name>squid3-dev</name>
+ <internal_name>squid</internal_name>
+ <descr><![CDATA[High performance web proxy cache.<br />
+ It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br />
+ It includes an Exchange-Web-Access (OWA) Assistant, ssl filtering and antivirus integration via i-cap]]></descr>
+ <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
+ <website>http://www.squid-cache.org/</website>
+ <category>Network</category>
+ <version>3.3.8 pkg 2.1.2</version>
+ <status>beta</status>
+ <required_version>2.0</required_version>
+ <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ 
<depends_on_package>squid-3.3.5.tbz</depends_on_package>
+ <depends_on_package>libltdl-2.4.2.tbz</depends_on_package>
+ <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package>
+ <depends_on_package>squidclamav-6.10_1.tbz</depends_on_package>
+ <depends_on_package>clamav-0.97.8.tbz</depends_on_package>
+ <depends_on_package>cyrus-sasl-2.1.26_2.tbz</depends_on_package>
+ <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package>
+ <build_pbi>
+ <ports_before>www/libwww security/cyrus-sasl2</ports_before>
+ <port>www/squid33</port>
+ <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss www/c-icap-modules</ports_after>
+ </build_pbi>
+ <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options>
+ <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file>
 <configurationfile>squid.xml</configurationfile>
- <depends_on_package_pbi>squid-3.1.20-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>squid-3.3.8-i386.pbi</depends_on_package_pbi>
 </package>
 <package>
 <name>LCDproc</name>
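Review bot: The squid3 entry builds `<port>www/squid31</port>` but its new `<build_options>` is a verbatim copy of the squid3-dev line and only names `squid33_UNSET`/`squid33_SET` and `c-icap_UNSET`, so if the builder scopes options by port name the 3.1 build gets no options at all and falls back to port defaults. In the same string `c-icap_UNSET=IPV6 squid33_UNSET=...` has a space where every other pair is separated by `;`, so `squid33_UNSET=AUTH_SMB` would be read as part of the c-icap value; the same line is repeated in the squid3-dev entry here and in squidGuard-squid3 at L3123. The commented-out `<!--<build_options>WITH_SQUID_KERB_AUTH=true;...-->` block should be deleted rather than kept as dead configuration. Note also that squid3-dev declares `<depends_on_package>squid-3.3.5.tbz</depends_on_package>` while its `<version>` and `<depends_on_package_pbi>` say 3.3.8, and squid3 declares `<version>3.1.20 pkg 2.0.6</version>` against `squid-3.1.22_1-i386.pbi`; a comment on each should say which is authoritative.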
@@ -1261,25 +1295,26 @@
 <maintainer>seth.mos@dds.nl</maintainer>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>
- <depends_on_package_pbi>lcdproc-0.5.5-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>lcdproc-0.5.6-i386.pbi</depends_on_package_pbi>
 <config_file>http://www.pfsense.org/packages/config/lcdproc/lcdproc.xml</config_file>
 <configurationfile>lcdproc.xml</configurationfile>
 <build_port_path>/usr/ports/sysutils/lcdproc</build_port_path>
- <build_options>WITH_USB=true</build_options>
+ <build_options>WITH_USB=true;lcdproc_SET=USB</build_options>
 </package>
 <package>
 <name>LCDproc-dev</name>
+ <internal_name>lcdproc</internal_name>
 <descr>LCD display driver - Development version</descr>
 <website>http://www.lcdproc.org/</website>
 <category>Utility</category>
- <version>lcdproc-0.5.5 pkg v. 0.9.4</version>
+ <version>lcdproc-0.5.6 pkg v. 0.9.5</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <maintainer>michele@nt2.it</maintainer>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,44034.0.html</pkginfolink>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>
- <depends_on_package_pbi>lcdproc-0.5.5-i386.pbi</depends_on_package_pbi>
+ <depends_on_package>lcdproc-0.5.6.tbz</depends_on_package>
+ <depends_on_package_pbi>lcdproc-0.5.6-i386.pbi</depends_on_package_pbi>
 <config_file>http://www.pfsense.org/packages/config/lcdproc-dev/lcdproc.xml</config_file>
 <configurationfile>lcdproc.xml</configurationfile>
 <build_port_path>/usr/ports/sysutils/lcdproc</build_port_path>
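Review bot: The stable LCDproc entry bumps only `<depends_on_package_pbi>lcdproc-0.5.6-i386.pbi</depends_on_package_pbi>` and leaves `<depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>` on the line above it, whereas the LCDproc-dev entry in the same hunk moves both to 0.5.6 together; the tbz path of the stable package therefore installs a different release from its PBI path. Its `<version>` element is outside this hunk, so I cannot tell whether it was bumped. Separately, `<build_options>WITH_USB=true;lcdproc_SET=USB</build_options>` carries both the old `WITH_*` form and the new `_SET` form for the same option; the rest of the commit converts to one form per entry, so one of the two should go, with a short comment if both are really needed for two builders.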
@@ -1307,18 +1342,17 @@
 </package>
 <package>
 <name>squidGuard</name>
- <descr>High perfomance web proxy URL filter. Requires proxy Squid package.</descr>
+ <descr>High perfomance web proxy URL filter. Requires proxy Squid 2.x package.</descr>
 <website>http://www.squidGuard.org/</website>
 <maintainer>dv_serg@mail.ru</maintainer>
 <category>Network Management</category>
- <version>1.4_2 pkg v.1.9.1</version>
+ <version>1.4_4 pkg v.1.9.5</version>
 <status>Beta</status>
 <required_version>1.1</required_version>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>squidGuard-1.4_4.tbz</depends_on_package>
 <depends_on_package>db41-4.1.25_4.tbz</depends_on_package>
- <depends_on_package>db3-3.3.11_3,1.tbz</depends_on_package>
- <depends_on_package>cyrus-sasl-2.1.25_1.tbz</depends_on_package>
+ <depends_on_package>cyrus-sasl-2.1.26_2.tbz</depends_on_package>
 <depends_on_package_pbi>squidguard-1.4_4-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/www/squidguard</build_port_path>
 <build_port_path>/usr/ports/databases/db41</build_port_path>
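Review bot: The rewritten `<descr>` keeps the typo "perfomance" from the old line, and the new squidGuard-squid3 entry at L3122–L3123 copies it; since this text is shown to users in the package list, both should read `<descr>High performance web proxy URL filter. Requires proxy Squid 2.x package.</descr>` (and "... Squid 3.x package." for the new entry).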
@@ -1327,7 +1361,27 @@
 <ports_before>databases/db41 security/cyrus-sasl2</ports_before>
 <port>www/squidguard</port>
 </build_pbi>
- <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true WITH_SAMPLE_BL=true WITH_LDAP=true WITH_SASL=true WITH_FETCH=true</build_options>
+ <build_options>squidGuard_UNSET=SQUID32 SQUID33;squidGuard_SET=SAMPLE_BL SASL LDAP SQUID27;squid_UNSET=DNS_HELPER IPFILTER PINGER STACKTRACES STRICT_HTTP_DESC USERAGENT_LOG WCCPV2;squid_SET=PF LDAP_AUTH NIS_AUTH SASL_AUTH ARP_ACL AUFS CACHE_DIGESTS CARP COSS DELAY_POOLS FOLLOW_XFF HTCP IDENT KERB_AUTH KQUEUE LARGEFILE REFERER_LOG SNMP SSL VIA_DB WCCP;SQUID_UID=proxy;SQUID_GID=proxy</build_options>
+ <config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file>
+ <configurationfile>squidguard.xml</configurationfile>
+ </package>
+ <package>
+ <name>squidGuard-squid3</name>
+ <descr>High perfomance web proxy URL filter. 
Requires proxy Squid 3.x package.</descr>
+ <website>http://www.squidGuard.org/</website>
+ <maintainer>dv_serg@mail.ru</maintainer>
+ <category>Network Management</category>
+ <version>1.4_4 pkg v.1.9.5</version>
+ <status>Experimental</status>
+ <required_version>2.1</required_version>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package_pbi>squidguard-squid3-1.4_4-i386.pbi</depends_on_package_pbi>
+ <build_pbi>
+ <ports_before>www/squid33 databases/db41 security/cyrus-sasl2</ports_before>
+ <port>www/squidguard</port>
+ <custom_name>squidguard-squid3</custom_name>
+ </build_pbi>
+ <build_options>OPTIONS_SET=FETCH LDAP;squidGuard_UNSET=SQUID27;squidGuard_SET=SAMPLE_BL SASL SQUID33;c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options>
 <config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file>
 <configurationfile>squidguard.xml</configurationfile>
 </package>
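Review bot: The new squidGuard-squid3 entry shares `<config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file>` and `<configurationfile>squidguard.xml</configurationfile>` with the squidGuard entry whose `<descr>` says it requires Squid 2.x, so the same GUI code serves both variants and nothing in this file says it knows about both squid majors. The squid3/squid3-dev pair earlier in this commit marks its shared identity with `<internal_name>squid</internal_name>`; this pair does not, so whether installing both at once is meant to be prevented cannot be read from the manifest. A comment on the new entry such as `<!-- shares squidguard.xml with the squidGuard (Squid 2.x) entry; the two must not be installed together -->` (adjusted to whatever is actually intended) would settle it, and the `<depends_on_package>` tbz lines the 2.x entry carries are absent here, so only the PBI path is defined for this package.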
@@ -1346,7 +1400,7 @@
 <custom_name>zabbix-agent</custom_name>
 <port>net-mgmt/zabbix-agent</port>
 </build_pbi>
- <build_options>WITHOUT_CARES=true WITHOUT_CURL_DEBUG=true WITHOUT_DEBUGGING=true WITHOUT_DMALLOC=true WITHOUT_ETCSYMLINK=true WITHOUT_EXTRA_PATCHES=true WITHOUT_GDBM=true WITHOUT_GNUTLS=true WITHOUT_IODBC=true WITHOUT_IPMI=true WITHOUT_KERBEROS4=true WITHOUT_LDAP=true WITHOUT_LDAPS=true WITHOUT_LIBIDN=true WITHOUT_LIBSIGSEGV=true WITHOUT_LIBSSH2=true WITHOUT_MFD_REWRITES=true WITHOUT_MULTIPLICITY=true WITHOUT_MYSQL=true WITHOUT_NTLM=true WITHOUT_PERL_MALLOC=true WITHOUT_PGSQL=true WITHOUT_RTMP=true WITHOUT_SITECUSTOMIZE=true WITHOUT_SSH=true WITHOUT_SUIDPERL=true WITHOUT_THREADS=true WITHOUT_TKMIB=true WITHOUT_TRACKMEMORY=true WITHOUT_UNIXODBC=true WITH_CA_BUNDLE=true WITH_CURL=true WITH_DUMMY=true WITH_EXTRA_ENCODINGS=true WITH_FETCH=true WITH_FPING=true WITH_IPV6=true WITH_JABBER=true WITH_LDAP=true WITH_OPENSSL=true WITH_PERL=true WITH_PERL_64BITINT=true WITH_PERL_EMBEDDED=true WITH_PROXY=true WITH_SASL=true WITH_SQLITE=true WITH_USE_PERL=true WITH_WERROR=true</build_options>
+ 
<build_options>WITHOUT_CARES=true;WITHOUT_CURL_DEBUG=true;WITHOUT_DEBUGGING=true;WITHOUT_DMALLOC=true;WITHOUT_ETCSYMLINK=true;WITHOUT_EXTRA_PATCHES=true;WITHOUT_GDBM=true;WITHOUT_GNUTLS=true;WITHOUT_IODBC=true;WITHOUT_IPMI=true;WITHOUT_KERBEROS4=true;WITHOUT_LDAP=true;WITHOUT_LDAPS=true;WITHOUT_LIBIDN=true;WITHOUT_LIBSIGSEGV=true;WITHOUT_LIBSSH2=true;WITHOUT_MFD_REWRITES=true;WITHOUT_MULTIPLICITY=true;WITHOUT_MYSQL=true;WITHOUT_NTLM=true;WITHOUT_PERL_MALLOC=true;WITHOUT_PGSQL=true;WITHOUT_RTMP=true;WITHOUT_SITECUSTOMIZE=true;WITHOUT_SSH=true;WITHOUT_SUIDPERL=true;WITHOUT_THREADS=true;WITHOUT_TKMIB=true;WITHOUT_TRACKMEMORY=true;WITHOUT_UNIXODBC=true;WITH_CA_BUNDLE=true;WITH_CURL=true;WITH_DUMMY=true;WITH_EXTRA_ENCODINGS=true;WITH_FETCH=true;WITH_FPING=true;WITH_IPV6=true;WITH_JABBER=true;WITH_LDAP=true;WITH_OPENSSL=true;WITH_PERL=true;WITH_PERL_64BITINT=true;WITH_PERL_EMBEDDED=true;WITH_PROXY=true;WITH_SASL=true;WITH_SQLITE=true;WITH_USE_PERL=true;WITH_WERROR=true</build_options>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>zabbix-agent-1.8.10,2.tbz</depends_on_package>
 <depends_on_package_pbi>zabbix-agent-1.8.13-i386.pbi</depends_on_package_pbi>
@@ -1366,14 +1420,14 @@
 <custom_name>zabbix-proxy</custom_name>
 <port>net-mgmt/zabbix-proxy</port>
 </build_pbi>
- <build_options>WITHOUT_CARES=true WITHOUT_CURL_DEBUG=true WITHOUT_DEBUGGING=true WITHOUT_DMALLOC=true WITHOUT_ETCSYMLINK=true WITHOUT_EXTRA_PATCHES=true WITHOUT_GDBM=true WITHOUT_GNUTLS=true WITHOUT_IODBC=true WITHOUT_IPMI=true WITHOUT_KERBEROS4=true WITHOUT_LDAP=true WITHOUT_LDAPS=true WITHOUT_LIBIDN=true WITHOUT_LIBSIGSEGV=true WITHOUT_LIBSSH2=true WITHOUT_MFD_REWRITES=true WITHOUT_MULTIPLICITY=true WITHOUT_MYSQL=true WITHOUT_NTLM=true WITHOUT_PERL_MALLOC=true WITHOUT_PGSQL=true WITHOUT_RTMP=true WITHOUT_SITECUSTOMIZE=true WITHOUT_SSH=true WITHOUT_SUIDPERL=true WITHOUT_THREADS=true WITHOUT_TKMIB=true WITHOUT_TRACKMEMORY=true WITHOUT_UNIXODBC=true WITH_CA_BUNDLE=true WITH_CURL=true WITH_DUMMY=true WITH_EXTRA_ENCODINGS=true WITH_FETCH=true WITH_FPING=true WITH_IPV6=true WITH_JABBER=true WITH_LDAP=true WITH_OPENSSL=true WITH_PERL=true WITH_PERL_64BITINT=true WITH_PERL_EMBEDDED=true WITH_PROXY=true WITH_SASL=true WITH_SQLITE=true WITH_USE_PERL=true WITH_WERROR=true</build_options>
+ 
<build_options>WITHOUT_CARES=true;WITHOUT_CURL_DEBUG=true;WITHOUT_DEBUGGING=true;WITHOUT_DMALLOC=true;WITHOUT_ETCSYMLINK=true;WITHOUT_EXTRA_PATCHES=true;WITHOUT_GDBM=true;WITHOUT_GNUTLS=true;WITHOUT_IODBC=true;WITHOUT_IPMI=true;WITHOUT_KERBEROS4=true;WITHOUT_LDAP=true;WITHOUT_LDAPS=true;WITHOUT_LIBIDN=true;WITHOUT_LIBSIGSEGV=true;WITHOUT_LIBSSH2=true;WITHOUT_MFD_REWRITES=true;WITHOUT_MULTIPLICITY=true;WITHOUT_MYSQL=true;WITHOUT_NTLM=true;WITHOUT_PERL_MALLOC=true;WITHOUT_PGSQL=true;WITHOUT_RTMP=true;WITHOUT_SITECUSTOMIZE=true;WITHOUT_SSH=true;WITHOUT_SUIDPERL=true;WITHOUT_THREADS=true;WITHOUT_TKMIB=true;WITHOUT_TRACKMEMORY=true;WITHOUT_UNIXODBC=true;WITH_CA_BUNDLE=true;WITH_CURL=true;WITH_DUMMY=true;WITH_EXTRA_ENCODINGS=true;WITH_FETCH=true;WITH_FPING=true;WITH_IPV6=true;WITH_JABBER=true;WITH_LDAP=true;WITH_OPENSSL=true;WITH_PERL=true;WITH_PERL_64BITINT=true;WITH_PERL_EMBEDDED=true;WITH_PROXY=true;WITH_SASL=true;WITH_SQLITE=true;WITH_USE_PERL=true;WITH_WERROR=true</build_options>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>zabbix-proxy-1.8.8,2.tbz</depends_on_package>
 <depends_on_package_pbi>zabbix-proxy-1.8.13-i386.pbi</depends_on_package_pbi>
 </package>
 <package>
 <name>OpenVPN Client Export Utility</name>
- <descr>Allows a pre-configured OpenVPN Windows Client or or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.</descr>
+ <descr>Allows a pre-configured OpenVPN Windows Client or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.</descr>
 <category>Security</category>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>p7zip-9.20.1.tbz</depends_on_package>
@@ -1381,8 +1435,8 @@
 <depends_on_package_pbi>zip-3.0-i386.pbi p7zip-9.20.1-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/archivers/p7zip</build_port_path>
 <build_port_path>/usr/ports/archivers/zip</build_port_path>
- <version>0.26</version>
- <status>BETA</status>
+ <version>1.0.11</version>
+ <status>RELEASE</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file>
 <configurationfile>openvpn-client-export.xml</configurationfile>
@@ -1397,7 +1451,7 @@
 <depends_on_package>havp-0.91_1.tbz</depends_on_package>
 <depends_on_package_pbi>havp-0.91_1-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/www/havp</build_port_path>
- <build_options>CLAMAVUSER=havp CLAMAVGROUP=havp</build_options>
+ <build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options>
 <version>0.91_1 pkg v1.01</version>
 <status>BETA</status>
 <required_version>1.2.2</required_version>
@@ -1468,7 +1522,7 @@
 <descr>Dashboard widget for Snort.</descr>
 <category>System</category>
 <config_file>http://www.pfsense.com/packages/config/widget-snort/widget-snort.xml</config_file>
- <version>0.3.2</version>
+ <version>0.3.4</version>
 <status>BETA</status>
 <required_version>1.2</required_version>
 <configurationfile>widget-snort.xml</configurationfile>
@@ -1520,17 +1574,16 @@
 <descr>Unbound is a validating, recursive, and caching DNS resolver. This package is a drop in replacement for Services: DNS Forwarder and also supports DNSSEC extensions. Once installed please configure the Unbound service by visiting Services: Unbound DNS.</descr>
 <website>http://www.unbound.net/</website>
 <category>Services</category>
- <version>1.4.14_01</version>
+ <version>1.4.20_8</version>
 <status>Alpha</status>
 <maintainer>warren@decoy.co.za</maintainer>
 <required_version>2.0</required_version>
- <maximum_version>2.1</maximum_version>
 <pkginfolink>http://doc.pfsense.org/index.php/Unbound_package</pkginfolink>
 <config_file>http://www.pfsense.com/packages/config/unbound/unbound.xml</config_file>
 <configurationfile>unbound.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package>unbound-1.4.14.tbz</depends_on_package>
- <depends_on_package>ldns-1.6.11.tbz</depends_on_package>
+ <depends_on_package>unbound-1.4.20.tbz</depends_on_package>
+ <depends_on_package>ldns-1.6.16.tbz</depends_on_package>
 <depends_on_package>expat-2.0.1_2.tbz</depends_on_package>
 <depends_on_package>libevent-1.4.14b_2.tbz</depends_on_package>
 <build_port_path>/usr/ports/dns/unbound/</build_port_path>
@@ -1541,7 +1594,8 @@
 <ports_before>dns/ldns textproc/expat2 devel/libevent2</ports_before>
 <port>dns/unbound</port>
 </build_pbi>
- <build_options>WITH_LIBEVENT=true WITH_THREADS=true WITHOUT_GOST=true WITHOUT_MAN=true</build_options>
+ <depends_on_package_pbi>unbound-1.4.20-i386.pbi</depends_on_package_pbi>
+ <build_options>unbound_UNSET=GOST ECDSA;unbound_SET=LIBEVENT THREADS</build_options>
 <logging>
 <facilityname>unbound</facilityname>
 <logfilename>unbound.log</logfilename>
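Review bot: `<build_options>unbound_UNSET=GOST ECDSA;unbound_SET=LIBEVENT THREADS</build_options>` newly turns off ECDSA for a package whose `<descr>` advertises DNSSEC validation; the removed line only disabled GOST. If the builder honours ECDSA as a port option, a resolver built without it cannot check signatures from zones that use the ECDSA algorithms and, under the DNSSEC rule for unsupported algorithms, answers for those zones come back as insecure rather than validated, with nothing visible to the operator. If this is deliberate (for example because the target's crypto library lacks the curves), record it on the element, e.g. `<!-- ECDSA unset: <reason> -->`; otherwise move ECDSA to `unbound_SET`.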
@@ -1574,8 +1628,8 @@
 <maintainer>ey@tm-k.com</maintainer>
 <config_file>http://www.pfsense.org/packages/config/widescreen/widescreen.xml</config_file>
 <configurationfile>widescreen.xml</configurationfile>
- <!-- Disabling on 2.1 since it overwrites the menu -->
- <maximum_version>2.1</maximum_version>
+ <!-- Disabling on 2.0.2 and 2.1 since it overwrites the menu -->
+ <maximum_version>2.0.1</maximum_version>
 </package>
 <package>
 <name>NRPE v2</name>
@@ -1585,24 +1639,45 @@
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
 <depends_on_package>nrpe-2.12_3.tbz</depends_on_package>
 <depends_on_package>nagios-plugins-1.4.15_1,1.tbz</depends_on_package>
- <depends_on_package_pbi>nrpe-2.13-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>nrpe-2.13_2-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net-mgmt/nrpe2</build_port_path>
 <build_port_path>/usr/ports/net-mgmt/nagios-plugins</build_port_path>
 <build_pbi>
 <ports_before>net-mgmt/nagios-plugins</ports_before>
 <port>net-mgmt/nrpe2</port>
 </build_pbi>
- <build_options>WITH_SSL=true WITHOUT_ARGS=true</build_options>
+ <build_options>nrpe2_SET=SSL;nrpe2_UNSET=ARGS</build_options>
 <config_file>http://www.pfsense.com/packages/config/nrpe2/nrpe2.xml</config_file>
- <version>2.12_3 v2.1</version>
+ <version>2.12_3 v2.2</version>
 <status>Beta</status>
 <required_version>1.2</required_version>
 <maintainer>erik@erikkristensen.com</maintainer>
 <configurationfile>nrpe2.xml</configurationfile>
 </package>
 <package>
+ <name>Check_mk agent</name>
+ <website>https://github.com/sileht/check_mk/blob/master/doc/README</website>
+ <descr><![CDATA[The basic idea of check_mk is to fetch "all" information about a target host at once.<br>For each host to be monitored check_mk is called by Nagios only once per time period.]]></descr>
+ <category>Services</category>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <build_port_path>/usr/ports/sysutils/muse</build_port_path>
+ <build_port_path>/usr/ports/sysutils/ipmitool</build_port_path>
+ <build_port_path>devel/libstatgrab</build_port_path>
+ <build_pbi>
+ <ports_before>sysutils/ipmitool devel/libstatgrab</ports_before>
+ <port>sysutils/muse</port>
+ </build_pbi>
+ <build_options></build_options>
+ <config_file>http://www.pfsense.com/packages/config/checkmk-agent/checkmk.xml</config_file>
+ <version>v0.1</version>
+ <status>RC1</status>
+ <required_version>2.0</required_version>
+ <maintainer>marcellocoutinho@gmail.com</maintainer>
+ <configurationfile>checkmk.xml</configurationfile>
+ </package>
+ <package>
 <name>SSHDCond</name>
- <descr><![CDATA[Allows to define SSH overrides for users,groups,hosts and addresses using Match in a convenient way.<br>
+ <descr><![CDATA[Allows to define SSH overrides for users,groups,hosts and addresses using Match in a convenient way.<br />
 This package acts as an access list frontend for ssh connections]]></descr>
 <category>Enhancements</category>
 <version>1.0</version>
@@ -1614,9 +1689,9 @@
 </package>
 <package>
 <name>mailreport</name>
- <descr>Allows you to setup periodic e-mail reports containing RRD graphs.</descr>
+ <descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr>
 <category>Network Management</category>
- <version>1.2</version>
+ <version>2.0.4</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/mailreport/mailreport.xml</config_file>
@@ -1624,7 +1699,7 @@
 </package>
 <package>
 <name>zebedee</name>
- <descr><![CDATA[Zebedee is a simple program to establish an encrypted, compressed "tunnel" for TCP/IP or UDP data transfer between two systems.<br>
+ <descr><![CDATA[Zebedee is a simple program to establish an encrypted, compressed "tunnel" for TCP/IP or UDP data transfer between two systems.<br />
 This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.]]>
 </descr>
 <category>Services</category>
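Review bot: In the new Check_mk agent entry, `<build_port_path>devel/libstatgrab</build_port_path>` is the only `<build_port_path>` in the file written without the `/usr/ports/` prefix; the two lines above it use `/usr/ports/sysutils/muse` and `/usr/ports/sysutils/ipmitool`, and every other entry in this commit uses the absolute form, so a consumer that treats the value as a path would not find this port. It should read `<build_port_path>/usr/ports/devel/libstatgrab</build_port_path>`. The same entry's `<descr>` uses a bare `<br>` while this commit converts the other CDATA descriptions to `<br />`, and `<build_options></build_options>` is empty where the sibling entries spell out which port options the build relies on; if the defaults are intended, a short comment saying so would make that explicit.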
@@ -1645,16 +1720,16 @@
 <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr>
 <category>System</category>
 <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file>
- <version>0.3</version>
+ <version>0.4</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
- <maximum_version>2.1</maximum_version>
+ <maximum_version>2.0.4</maximum_version>
 </package>
 <package>
 <name>Quagga OSPF</name>
- <descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD. Installing both will break things.</descr>
+ <descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD and OpenBGPD. Installing both will break things.</descr>
 <maintainer>jimp@pfsense.org</maintainer>
- <version>0.99.20.1 v0.5</version>
+ <version>0.99.20.1 v0.5.4</version>
 <category>Routing</category>
 <status>BETA</status>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
@@ -1670,9 +1745,9 @@
 <name>System Patches</name>
 <descr>A package to apply and maintain custom system patches.</descr>
 <maintainer>jimp@pfsense.org</maintainer>
- <version>0.7.1</version>
+ <version>1.0</version>
 <category>System</category>
- <status>BETA</status>
+ <status>RELEASE</status>
 <config_file>http://www.pfsense.com/packages/config/systempatches/systempatches.xml</config_file>
 <pkginfolink></pkginfolink>
 <required_version>2.0</required_version>
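Review bot: The rewritten Quagga OSPF `<descr>` now names two other packages but still ends with "Installing both will break things.", which no longer reads correctly once three packages are involved. Since this is the warning users see before installing, make it `<descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD and OpenBGPD. Installing it alongside either of those will break things.</descr>`.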
@@ -1684,13 +1759,13 @@
 <descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr>
 <website>http://www.bacula.org/</website>
 <category>Services</category>
- <version>5.2.6 pkg v 1.0</version>
+ <version>5.2.6 pkg v 1.0.1</version>
 <status>Stable</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/bacula-client/bacula-client.xml</config_file>
 <depends_on_package_base_url>http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/</depends_on_package_base_url>
 <depends_on_package>bacula-client-5.2.6.tbz</depends_on_package>
- <depends_on_package_pbi>bacula-5.2.6-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>bacula-5.2.12-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/sysutils/bacula-client</build_port_path>
 <build_pbi>
 <port>sysutils/bacula-client</port>
@@ -1703,15 +1778,16 @@
 <!-- This does not exist yet, this is here to trigger a PBI build -->
 <name>urlsnarf</name>
 <pkginfolink>http://forum.pfsense.org/</pkginfolink>
- <descr><![CDATA[HTTP URL Sniffer]]></descr>
+ <descr><![CDATA[HTTP URL Sniffer (console/shell only)]]></descr>
 <category>Services</category>
- <version>0.1</version>
+ <version>2.3_4</version>
 <status>Beta</status>
- <required_version>2.2</required_version>
+ <required_version>2.1</required_version>
 <config_file>http://www.pfsense.com/packages/config/urlsnarf/urlsnarf.xml</config_file>
 <maintainer>jimp@pfsense.org</maintainer>
 <configurationfile>urlsnarf.xml</configurationfile>
 <build_pbi>
+ <ports_before>net/libnet10</ports_before>
 <port>security/dsniff</port>
 </build_pbi>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
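Review bot: The bacula entry bumps `<version>` to `5.2.6 pkg v 1.0.1` and the PBI to `bacula-5.2.12-i386.pbi`, but the version string still says 5.2.6 and `<depends_on_package>bacula-client-5.2.6.tbz</depends_on_package>` on the line above is unchanged, so the two install paths deliver different bacula releases under a version label that matches only one of them. If the tbz is intentionally pinned to the FreeBSD 8.3 release package set (its `<depends_on_package_base_url>` points there), say so in a comment on that line; otherwise bring the version string into line with the binary actually shipped, e.g. `<version>5.2.12 pkg v 1.0.1</version>`.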
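Review bot: The urlsnarf entry lowers `<required_version>` from 2.2 to 2.1 and gives the package a real `<version>2.3_4</version>`, yet the context line above it still reads `<!-- This does not exist yet, this is here to trigger a PBI build -->`; if `<required_version>` gates what the 2.1 package list shows (the comment's own reasoning suggests 2.2 was chosen to keep it hidden), the entry is now offered to users while its comment says it is a placeholder. The iftop hunk at L3135 makes the identical change with the identical comment. Either drop the comment in both entries or, if they are still placeholders, keep them out of reach with the previous `<required_version>2.2</required_version>` and say so in the comment.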
@@ -1721,11 +1797,11 @@
 <!-- This does not exist yet, this is here to trigger a PBI build -->
 <name>iftop</name>
 <pkginfolink>http://forum.pfsense.org/</pkginfolink>
- <descr><![CDATA[Realtime interface monitor (console only)]]></descr>
+ <descr><![CDATA[Realtime interface monitor (console/shell only)]]></descr>
 <category>Services</category>
- <version>0.1</version>
+ <version>0.17</version>
 <status>Beta</status>
- <required_version>2.2</required_version>
+ <required_version>2.1</required_version>
 <config_file>http://www.pfsense.com/packages/config/iftop/iftop.xml</config_file>
 <maintainer>jimp@pfsense.org</maintainer>
 <configurationfile>iftop.xml</configurationfile>
@@ -1736,17 +1812,37 @@
 <depends_on_package_pbi>iftop-0.17-i386.pbi</depends_on_package_pbi>
 </package>
 <package>
+ <!-- This does not exist yet, this is here to trigger a pkg build -->
+ <name>git</name>
+ <pkginfolink>http://forum.pfsense.org/</pkginfolink>
+ <descr><![CDATA[GIT Source Code Management (console/shell only)]]></descr>
+ <category>Services</category>
+ <version>1.8.1.3</version>
+ <status>Beta</status>
+ <required_version>2.1</required_version>
+ <config_file>http://www.pfsense.com/packages/config/git/git.xml</config_file>
+ <maintainer>jimp@pfsense.org</maintainer>
+ <configurationfile>git.xml</configurationfile>
+ <build_options>git_UNSET=GITWEB GUI HTMLDOCS CVS P4 SVN;git_SET=CONTRIB CURL ETCSHELLS ICONV NLS PERL</build_options>
+ <build_port_path>/usr/ports/devel/git</build_port_path>
+ <build_pbi>
+ <port>devel/git</port>
+ </build_pbi>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package_pbi>git-1.8.1.3-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
 <name>tinc</name>
 <website>http://www.tinc-vpn.org/</website>
 <descr>tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private mesh network between hosts on the Internet.</descr>
 <category>Network Management</category>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>tinc-1.0.19-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>tinc-1.0.21-i386.pbi</depends_on_package_pbi>
 <build_pbi>
 <port>security/tinc</port>
 </build_pbi>
 <build_options></build_options>
- <version>1.0.19</version>
+ <version>1.0.21</version>
 <status>ALPHA</status>
 <pkginfolink>http://doc.pfsense.org/index.php/tinc_package</pkginfolink>
 <required_version>2.1</required_version>
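Review bot: The new git entry's `<build_options>` puts `ETCSHELLS` in `git_SET`; by its name that port option registers git-shell as a login shell in the target's `/etc/shells`, which on a firewall appliance adds a shell that accounts can be switched to even though the `<descr>` presents the package as a console-only tool. Unless the package needs git-shell as an account shell, `ETCSHELLS` belongs in `git_UNSET`, and whichever way it goes a comment on the element should record the choice, e.g. `<!-- ETCSHELLS unset: no git-shell logins on the firewall -->`. The same line also sets `CONTRIB` and `PERL`, which pull extra scripts and an interpreter into the PBI; if the package only needs the core binaries, trimming those keeps the installed surface smaller.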
@@ -1767,7 +1863,7 @@
 <status>ALPHA</status>
 <required_version>2.1</required_version>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>syslog-ng-3.3.6_2-i386.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>syslog-ng-3.3.7_4-i386.pbi</depends_on_package_pbi>
 <build_pbi>
 <ports_before>sysutils/logrotate</ports_before>
 <port>sysutils/syslog-ng</port>
@@ -1777,5 +1873,82 @@
 <config_file>http://www.pfsense.com/packages/config/syslog-ng/syslog-ng.xml</config_file>
 <configurationfile>syslog-ng.xml</configurationfile>
 </package>
- </packages>
+ <package>
+ <name>Zabbix-2 Agent</name>
+ <descr>Monitoring agent.</descr>
+ <category>Services</category>
+ <config_file>http://www.pfsense.org/packages/config/zabbix2/zabbix2-agent.xml</config_file>
+ <version>zabbix2-agent-2.0.4 pkg v0.6_3</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <configurationfile>zabbix2-agent.xml</configurationfile>
+ <maintainer>dbaio@bsd.com.br</maintainer>
+ <build_port_path>/usr/ports/net-mgmt/zabbix2-agent</build_port_path>
+ <build_pbi>
+ <custom_name>zabbix2-agent</custom_name>
+ <port>net-mgmt/zabbix2-agent</port>
+ </build_pbi>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package>zabbix2-agent-2.0.4.tbz</depends_on_package>
+ <depends_on_package_pbi>zabbix2-agent-2.0.4-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <name>Zabbix-2 Proxy</name>
+ <descr>Monitoring agent proxy.</descr>
+ <category>Services</category>
+ <config_file>http://www.pfsense.org/packages/config/zabbix2/zabbix2-proxy.xml</config_file>
+ <version>zabbix2-proxy-2.0.4 pkg v0.6_2</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <configurationfile>zabbix2-proxy.xml</configurationfile>
+ <maintainer>dbaio@bsd.com.br</maintainer>
+ <build_port_path>/usr/ports/net-mgmt/zabbix2-proxy</build_port_path>
+ <build_pbi>
+ <custom_name>zabbix2-proxy</custom_name>
+ <port>net-mgmt/zabbix2-proxy</port>
+ </build_pbi>
+ <build_options>OPTIONS_SET+= SQLITE;OPTIONS_UNSET+= MYSQL JABBER LDAP</build_options>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package>zabbix2-proxy-2.0.4.tbz</depends_on_package>
+ <depends_on_package_pbi>zabbix2-proxy-2.0.4-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <!-- This does not exist yet, this is here to trigger a PBI build -->
+ <name>ipmitool</name>
+ <pkginfolink>http://forum.pfsense.org/</pkginfolink>
+ <descr><![CDATA[IPMI Tools for local/remote data retrieval and control (Console only, no GUI)]]></descr>
+ <category>Services</category>
+ <version>1.8.12</version>
+ <status>Beta</status>
+ <required_version>2.1</required_version>
+ <config_file>http://www.pfsense.com/packages/config/ipmitool/ipmitool.xml</config_file>
+ <maintainer>jimp@pfsense.org</maintainer>
+ <configurationfile>ipmitool.xml</configurationfile>
+ <build_pbi>
+ <port>sysutils/ipmitool</port>
+ </build_pbi>
+ <build_options>ipmitool_SET=FREEIPMI;freeipmi_UNSET=DOCS DEBUG IOPERM</build_options>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package_pbi>ipmitool-1.8.12_3-i386.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <name>sudo</name>
+ <pkginfolink>http://doc.pfsense.org/index.php/Sudo_Package</pkginfolink>
+ <descr><![CDATA[sudo allows delegation of privileges to users in the shell so commands can be run as other users, such as root.]]></descr>
+ <category>Security</category>
+ <version>0.1</version>
+ <status>Beta</status>
+ <required_version>2.0.2</required_version>
+ <config_file>http://www.pfsense.com/packages/config/sudo/sudo.xml</config_file>
+ <maintainer>jimp@pfsense.org</maintainer>
+ <configurationfile>sudo.xml</configurationfile>
+ <build_pbi>
+ <port>security/sudo</port>
+ </build_pbi>
+ <build_port_path>/usr/ports/security/sudo</build_port_path>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
+ <depends_on_package>sudo-1.8.6.p8.tbz</depends_on_package>
+ <depends_on_package_pbi>sudo-1.8.6p8-i386.pbi</depends_on_package_pbi>
+ </package>
+</packages>
 </pfsensepkgs>
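Review bot: The new sudo entry spells its version two ways — `sudo-1.8.6.p8.tbz` versus `sudo-1.8.6p8-i386.pbi` — so one of the two install paths is likely to ask the base URL for a file that is not there; confirm both artifacts exist or align the names. The Zabbix-2 Proxy `<build_options>` uses `OPTIONS_SET+=`/`OPTIONS_UNSET+=` where every other entry in this file uses plain `OPTIONS_SET=`, and both Zabbix `<config_file>` URLs point at www.pfsense.org while the rest of the file uses www.pfsense.com; unless the build and fetch tooling accept both, these should match their neighbours. Since sudo grants root delegation and all of these artifacts are fetched from plain http:// URLs, a one-line comment on the `<depends_on_package_base_url>` line stating how the downloaded file is integrity-checked (if the installer does so) would make the trust path explicit for the next reader.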
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 8caf5758..374d44e6 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -8,6 +8,7 @@
 <!--
 <package>
 <name>someprogram</name>
+ <internal_name>someprogram</internal_name>
 <pkginfolink>http://forum.pfsense.org/</pkginfolink>
 <descr><![CDATA[Some cool program]]></descr>
 <website>http://www.example.org/someprogram</website>
@@ -30,7 +31,7 @@
 <package>
 <name>Asterisk</name>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,47210.0.html</pkginfolink>
- <descr><![CDATA[Asterisk is an open source framework for building communications applications.<br>Asterisk turns an ordinary computer into a communications server.]]></descr>
+ <descr><![CDATA[Asterisk is an open source framework for building communications applications.<br />Asterisk turns an ordinary computer into a communications server.]]></descr>
 <website>http://www.asterisk.org/</website>
 <category>Services</category>
 <version>1.8.8.1 pkg v 0.1</version>
@@ -40,7 +41,7 @@
 <depends_on_package_base_url>http://e-sac.siteseguro.ws/packages/amd64/8/All/</depends_on_package_base_url>
 <depends_on_package>asterisk18-1.8.8.1.tbz</depends_on_package>
 <depends_on_package>openldap-sasl-client-2.4.26.tbz</depends_on_package>
- <depends_on_package_pbi>asterisk-1.8.13.0-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>asterisk-1.8.19.0-amd64.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/asterisk</build_port_path>
 <maintainer>marcellocoutinho@gmail.com robreg@zsurob.hu</maintainer>
 <configurationfile>asterisk.xml</configurationfile>
@@ -60,20 +61,6 @@
 <configurationfile>filer.xml</configurationfile>
 </package>
 <package>
- <name>IP-Blocklist</name>
- <website/>
- <descr>IP-Blocklist is PeerGuardian2 but on pfsense. This package has been replaced by pfblocker. <u>This is a legacy app</u></descr>
- <category>Firewall</category>
- <pkginfolink>http://forum.pfsense.org/index.php/topic,24769.0.html</pkginfolink>
- <config_file>http://www.pfsense.com/packages/config/ipblocklist/8/ipblocklist.xml</config_file>
- <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <version>0.3.5</version>
- <status>Beta</status>
- <required_version>1.2.2</required_version>
- <maintainer>tom@tomschaefer.org</maintainer>
- <configurationfile>ipblocklist.xml</configurationfile>
- </package>
- <package>
 <name>Country Block</name>
 <website/>
 <descr>Block countries - This has been replaced by pfblocker. <u>This is a legacy app</u></descr>
@@ -94,7 +81,7 @@
 <category>Diagnostics</category>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,26974.0.html</pkginfolink>
 <config_file>http://pfsense.org/packages/config/filemgr/filemgr.xml</config_file>
- <version>0.1.1</version>
+ <version>0.1.2</version>
 <status>Beta</status>
 <required_version>2.0</required_version>
 <maintainer>tom@tomschaefer.org</maintainer>
@@ -103,9 +90,9 @@
 <package>
 <name>pfBlocker</name>
 <website/>
- <descr><![CDATA[Introduce Enhanced Aliastable Feature to pfsense.<br>
- Assign many IP urls lists from sites like I-blocklist to a single alias and then choose rule action to take.<br>
- This package also Block countries and IP ranges.<br>
+ <descr><![CDATA[Introduce Enhanced Aliastable Feature to pfsense.<br />
+ Assign many IP urls lists from sites like I-blocklist to a single alias and then choose rule action to take.<br />
+ This package also Block countries and IP ranges.<br />
 pfBlocker replaces Countryblock and IPblocklist]]></descr>
 <category>Firewall</category>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,42543.0.html</pkginfolink>
@@ -132,35 +119,61 @@
 <package>
 <name>haproxy</name>
 <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
- <descr><![CDATA[The Reliable, High Performance HTTP Load Balancer<br>
- This package implements HTTP balance features from Haproxy.]]></descr>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer<br />
+ This package implements both TCP and HTTP balance features from Haproxy.<br />
+ Supports acl's for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.4.21 pkg v 1.2</version>
+ <version>1.4.24 pkg v 1.2.3</version>
 <status>Release</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-1.4.21-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package>haproxy-1.4.24.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-1.4.24-amd64.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/haproxy</build_port_path>
 </package>
 <package>
 <name>haproxy-full</name>
 <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
- <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer package<br>
- This package implements both TCP and HTTP balance features from Haproxy.]]></descr>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP Load Balancer package<br />
+ This package implements both TCP and HTTP balance features from Haproxy.<br />
+ (Legacy version)]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.4.21 pkg v 1.0</version>
+ <version>1.4.24 pkg v 1.0</version>
 <status>Release</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
+ <depends_on_package>haproxy-1.4.24.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-1.4.24-amd64.pbi</depends_on_package_pbi>
+ </package>
+ <package>
+ <name>haproxy-devel</name>
+ <pkginfolink>http://doc.pfsense.org/index.php/haproxy_package</pkginfolink>
+ <descr><![CDATA[The Reliable, High Performance TCP/HTTP(s) Load Balancer<br />
+ This package implements TCP, HTTP and HTTPS balance features from Haproxy.<br />
+ Supports acl's for smart backend switching.]]></descr>
+ <website>http://haproxy.1wt.eu/</website>
+ <category>Services</category>
+ <version>1.5-dev19 pkg v 0.3</version>
+ <status>Release</status>
+ <required_version>2.1</required_version>
+ <config_file>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.xml</config_file>
+ <configurationfile>haproxy.xml</configurationfile>
+ <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
 <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-1.4.21-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>haproxy-devel-1.5-dev19-amd64.pbi</depends_on_package_pbi>
+ <build_port_path>/usr/ports/net/haproxy-devel</build_port_path>
+ <build_pbi>
+ <ports_before>security/openssl</ports_before>
+ <custom_name>haproxy-devel</custom_name>
+ <port>/usr/ports/net/haproxy-devel</port>
+ </build_pbi>
+ <build_options>WITH_OPENSSL_PORT=yes;OPTIONS_UNSET=PCRE DPCRE;OPTIONS_SET=OPENSSL SPCRE</build_options>
 </package>
 <package>
 <name>Apache with mod_security-dev</name>
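Review bot: The new haproxy-devel entry ends up owning the unchanged context line `<depends_on_package>haproxy-1.4.21.tbz</depends_on_package>` next to `haproxy-devel-1.5-dev19-amd64.pbi`, so the non-PBI install path would still pull the 1.4.21 tarball that the haproxy and haproxy-full entries in this same hunk just moved to 1.4.24; it should name a matching 1.5-dev19 tarball or be removed if only the PBI is built. `<status>Release</status>` on a `1.5-dev19 pkg v 0.3` build also reads against the ALPHA/Beta markers the file uses for development packages. Style: `<port>/usr/ports/net/haproxy-devel</port>` is an absolute path where the other `<port>` elements, including `<ports_before>security/openssl</ports_before>` two lines above it, use the `category/name` form, so `<port>net/haproxy-devel</port>` would match.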
@@ -205,7 +218,7 @@
 <port>www/apache22-worker-mpm</port>
 <ports_after>www/mod_security www/mod_memcache</ports_after>
 </build_pbi>
- <build_options>WITH_MPM=worker WITH_THREADS=yes WITHOUT_MYSQL=yes WITHOUT_PGSQL=yes WITH_SQLITE=yes WITH_IPV6=yes WITHOUT_BDB=yes WITH_AUTH_BASIC=yes WITH_AUTH_DIGEST=yes WITH_AUTHN_FILE=yes WITHOUT_AUTHN_DBD=yes WITH_AUTHN_DBM=yes WITH_AUTHN_ANON=yes WITH_AUTHN_DEFAULT=yes WITH_AUTHN_ALIAS=yes WITH_AUTHZ_HOST=yes WITH_AUTHZ_GROUPFILE=yes WITH_AUTHZ_USER=yes WITH_AUTHZ_DBM=yes WITH_AUTHZ_OWNER=yes WITH_AUTHZ_DEFAULT=yes WITH_CACHE=yes WITH_DISK_CACHE=yes WITH_FILE_CACHE=yes WITH_MEM_CACHE=yes WITH_DAV=yes WITH_DAV_FS=yes WITHOUT_BUCKETEER=yes WITHOUT_CASE_FILTER=yes WITHOUT_CASE_FILTER_IN=yes WITHOUT_EXT_FILTER=yes WITHOUT_LOG_FORENSIC=yes WITHOUT_OPTIONAL_HOOK_EXPORT=yes WITHOUT_OPTIONAL_HOOK_IMPORT=yes WITHOUT_OPTIONAL_FN_IMPORT=yes WITHOUT_OPTIONAL_FN_EXPORT=yes WITHOUT_LDAP=yes WITHOUT_AUTHNZ_LDAP=yes WITH_ACTIONS=yes WITH_ALIAS=yes WITH_ASIS=yes WITH_AUTOINDEX=yes WITH_CERN_META=yes WITH_CGI=yes WITH_CHARSET_LITE=yes WITHOUT_DBD=yes WITH_DEFLATE=yes WITH_DIR=yes WITH_DUMPIO=yes WITH_ENV=yes WITH_EXPIRES=yes WITH_HEADERS=yes WITH_IMAGEMAP=yes WITH_INCLUDE=yes WITH_INFO=yes WITH_LOG_CONFIG=yes WITH_LOGIO=yes WITH_MIME=yes WITH_MIME_MAGIC=yes WITH_NEGOTIATION=yes WITH_REWRITE=yes WITH_SETENVIF=yes WITH_SPELING=yes WITH_STATUS=yes WITH_UNIQUE_ID=yes WITH_USERDIR=yes WITH_USERTRACK=yes WITH_VHOST_ALIAS=yes WITH_FILTER=yes WITHOUT_SUBSTITUTE=yes WITH_VERSION=yes WITH_PROXY=yes WITH_PROXY_CONNECT=yes WITH_PROXY_FTP=yes WITH_PROXY_HTTP=yes WITH_PROXY_AJP=yes WITH_PROXY_BALANCER=yes WITH_PROXY_SCGI=yes WITH_SSL=yes WITHOUT_SUEXEC=yes WITHOUT_SUEXEC_RSRCLIMIT=yes WITH_REQTIMEOUT=yes WITHOUT_CGID=yes</build_options>
+ <build_options>OPTIONS_UNSET=BDB MYSQL PGSQL;OPTIONS_SET=SQLITE THREADS IPV6 SSL;WITH_MPM=worker;apache22-worker-mpm_UNSET=AUTHNZ_LDAP AUTHN_DBD BUCKETEER CASE_FILTER CASE_FILTER_IN CGID DBD EXT_FILTER LDAP LOG_FORENSIC OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT OPTIONAL_HOOK_IMPORT SUBSTITUTE SUEXEC SUEXEC_RSRCLIMIT;apache22-worker-mpm_SET=ACTIONS ALIAS AUTHN_ALIAS VHOST_ALIAS ASIS AUTHN_ANON AUTHN_DBM AUTHN_DEFAULT AUTHN_FILE AUTHZ_DBM AUTHZ_DEFAULT AUTHZ_GROUPFILE AUTHZ_HOST AUTHZ_OWNER AUTHZ_USER AUTH_BASIC AUTH_DIGEST AUTOINDEX CACHE DISK_CACHE FILE_CACHE MEM_CACHE CERN_META CGI CHARSET_LITE DAV DAV_FS DEFLATE DIR DUMPIO ENV EXPIRES FILTER HEADERS IMAGEMAP INCLUDE INFO LOGIO LOG_CONFIG MIME MIME_MAGIC NEGOTIATION PROXY PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_FTP PROXY_HTTP PROXY_SCGI REQTIMEOUT REWRITE SETENVIF SPELING STATUS THREADS UNIQUE_ID USERDIR USERTRACK VERSION</build_options>
 <after_install_info>Please visit the ProxyServer settings tab and set the service up so that it may be started.</after_install_info>
 </package>
 <package>
@@ -225,7 +238,7 @@
 <depends_on_package>ap22-mod_memcache-0.1.0_4.tbz</depends_on_package>
 <depends_on_package>apache-2.2.22_5.tbz</depends_on_package>
 <depends_on_package>ap22-mod_security-2.6.5_1.tbz</depends_on_package>
- <depends_on_package_pbi>proxy_mod_security-2.2.22_6-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>proxy_mod_security-2.2.23_3-amd64.pbi</depends_on_package_pbi>
 <configurationfile>apache_mod_security.xml</configurationfile>
 <build_port_path>/usr/ports/devel/gettext</build_port_path>
 <build_port_path>/usr/ports/misc/help2man</build_port_path>
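Review bot: In the rewritten `<build_options>`, `THREADS` is enabled twice — once in `OPTIONS_SET=SQLITE THREADS IPV6 SSL` and again near the end of `apache22-worker-mpm_SET` — which is harmless but makes a long, security-relevant module list harder to audit; dropping one copy would help. The identical string is repeated verbatim for the second Apache entry in the hunk at -251 below, so any future change to the enabled module set has to be made in two places; a short comment on each copy pointing at the other would reduce drift. As far as the visible lines show, the enabled modules are carried over one-for-one from the old WITH_/WITHOUT_ list, so this is a syntax migration rather than a change in what gets built.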
@@ -251,7 +264,7 @@
 <port>www/apache22-worker-mpm</port>
 <ports_after>www/mod_security www/mod_memcache</ports_after>
 </build_pbi>
- <build_options>WITH_MPM=worker WITH_THREADS=yes WITHOUT_MYSQL=yes WITHOUT_PGSQL=yes WITH_SQLITE=yes WITH_IPV6=yes WITHOUT_BDB=yes WITH_AUTH_BASIC=yes WITH_AUTH_DIGEST=yes WITH_AUTHN_FILE=yes WITHOUT_AUTHN_DBD=yes WITH_AUTHN_DBM=yes WITH_AUTHN_ANON=yes WITH_AUTHN_DEFAULT=yes WITH_AUTHN_ALIAS=yes WITH_AUTHZ_HOST=yes WITH_AUTHZ_GROUPFILE=yes WITH_AUTHZ_USER=yes WITH_AUTHZ_DBM=yes WITH_AUTHZ_OWNER=yes WITH_AUTHZ_DEFAULT=yes WITH_CACHE=yes WITH_DISK_CACHE=yes WITH_FILE_CACHE=yes WITH_MEM_CACHE=yes WITH_DAV=yes WITH_DAV_FS=yes WITHOUT_BUCKETEER=yes WITHOUT_CASE_FILTER=yes WITHOUT_CASE_FILTER_IN=yes WITHOUT_EXT_FILTER=yes WITHOUT_LOG_FORENSIC=yes WITHOUT_OPTIONAL_HOOK_EXPORT=yes WITHOUT_OPTIONAL_HOOK_IMPORT=yes WITHOUT_OPTIONAL_FN_IMPORT=yes WITHOUT_OPTIONAL_FN_EXPORT=yes WITHOUT_LDAP=yes WITHOUT_AUTHNZ_LDAP=yes WITH_ACTIONS=yes WITH_ALIAS=yes WITH_ASIS=yes WITH_AUTOINDEX=yes WITH_CERN_META=yes WITH_CGI=yes WITH_CHARSET_LITE=yes WITHOUT_DBD=yes WITH_DEFLATE=yes WITH_DIR=yes WITH_DUMPIO=yes WITH_ENV=yes WITH_EXPIRES=yes WITH_HEADERS=yes WITH_IMAGEMAP=yes WITH_INCLUDE=yes WITH_INFO=yes WITH_LOG_CONFIG=yes WITH_LOGIO=yes WITH_MIME=yes WITH_MIME_MAGIC=yes WITH_NEGOTIATION=yes WITH_REWRITE=yes WITH_SETENVIF=yes WITH_SPELING=yes WITH_STATUS=yes WITH_UNIQUE_ID=yes WITH_USERDIR=yes WITH_USERTRACK=yes WITH_VHOST_ALIAS=yes WITH_FILTER=yes WITHOUT_SUBSTITUTE=yes WITH_VERSION=yes WITH_PROXY=yes WITH_PROXY_CONNECT=yes WITH_PROXY_FTP=yes WITH_PROXY_HTTP=yes WITH_PROXY_AJP=yes WITH_PROXY_BALANCER=yes WITH_PROXY_SCGI=yes WITH_SSL=yes WITHOUT_SUEXEC=yes WITHOUT_SUEXEC_RSRCLIMIT=yes WITH_REQTIMEOUT=yes WITHOUT_CGID=yes</build_options>
+ <build_options>OPTIONS_UNSET=BDB MYSQL PGSQL;OPTIONS_SET=SQLITE THREADS IPV6 SSL;WITH_MPM=worker;apache22-worker-mpm_UNSET=AUTHNZ_LDAP AUTHN_DBD BUCKETEER CASE_FILTER CASE_FILTER_IN CGID DBD EXT_FILTER LDAP LOG_FORENSIC OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT OPTIONAL_HOOK_IMPORT SUBSTITUTE SUEXEC SUEXEC_RSRCLIMIT;apache22-worker-mpm_SET=ACTIONS ALIAS AUTHN_ALIAS VHOST_ALIAS ASIS AUTHN_ANON AUTHN_DBM AUTHN_DEFAULT AUTHN_FILE AUTHZ_DBM AUTHZ_DEFAULT AUTHZ_GROUPFILE AUTHZ_HOST AUTHZ_OWNER AUTHZ_USER AUTH_BASIC AUTH_DIGEST AUTOINDEX CACHE DISK_CACHE FILE_CACHE MEM_CACHE CERN_META CGI CHARSET_LITE DAV DAV_FS DEFLATE DIR DUMPIO ENV EXPIRES FILTER HEADERS IMAGEMAP INCLUDE INFO LOGIO LOG_CONFIG MIME MIME_MAGIC NEGOTIATION PROXY PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_FTP PROXY_HTTP PROXY_SCGI REQTIMEOUT REWRITE SETENVIF SPELING STATUS THREADS UNIQUE_ID USERDIR USERTRACK VERSION</build_options>
 <after_install_info>Please visit the ProxyServer settings tab and set the service up so that it may be started.</after_install_info>
 </package>
 <package>
@@ -302,15 +315,15 @@
 <descr>ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.</descr>
 <category>Network Management</category>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>ntop-4.1.0_5-amd64.pbi</depends_on_package_pbi>
- <depends_on_package>rrdtool-1.2.30_1.tbz</depends_on_package>
+ <depends_on_package_pbi>ntop-5.0.1-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package>rrdtool-1.2.30_2.tbz</depends_on_package>
 <depends_on_package>gdbm-1.9.1.tbz</depends_on_package>
- <depends_on_package>perl-5.12.4_4.tbz</depends_on_package>
- <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package>
- <depends_on_package>GeoIP-1.4.8_1.tbz</depends_on_package>
+ <depends_on_package>perl-5.14.2_2.tbz</depends_on_package>
+ <depends_on_package>libpcap-1.3.0.tbz</depends_on_package>
+ <depends_on_package>GeoIP-1.4.8_3.tbz</depends_on_package>
 <depends_on_package>font-util-1.2.0.tbz</depends_on_package>
 <depends_on_package>webfonts-0.30_6.tbz</depends_on_package>
- <depends_on_package>ntop-4.1.0_3.tbz</depends_on_package>
+ <depends_on_package>ntop-5.0.1.tbz</depends_on_package>
 <build_port_path>/usr/ports/net/GeoIP</build_port_path>
 <build_port_path>/usr/ports/databases/gdbm</build_port_path>
 <build_port_path>/usr/ports/databases/rrdtool12</build_port_path>
@@ -322,8 +335,8 @@
 <ports_before>databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz</ports_before>
 <port>net/ntop</port>
 </build_pbi>
- <build_options>WITH_PCAP_PORT=true WITH_XMLDUMP=true WITHOUT_JUMBO_FRAMES=true WITH_MAKO=true WITHOUT_DEJAVU=true WITH_JSON=true WITH_MMAP=true WITHOUT_PERL_MODULE=true WITHOUT_PYTHON_MODULE=true WITHOUT_RUBY_MODULE=true WITHOUT_EXAMPLES=true WITHOUT_FPECTL=true WITH_IPV6=true WITH_NLS=true WITHOUT_PTH=true WITH_PYMALLOC=true WITHOUT_SEM=true WITH_THREADS=true WITHOUT_UCS2=true WITH_UCS4=true WITH_FONTCONFIG=true WITH_ICONV=true WITHOUT_XPM=true WITHOUT_DAG=true WITHOUT_DIGCOLA=true WITHOUT_IPSEPCOLA=true WITHOUT_PANGOCAIRO=true WITHOUT_GTK=true WITHOUT_XCB=true</build_options>
- <version>4.1.0_3 v2.3</version>
+ <build_options>WITH_PCAP_PORT=true;WITH_XMLDUMP=true;WITHOUT_JUMBO_FRAMES=true;WITH_MAKO=true;WITHOUT_DEJAVU=true;WITH_JSON=true;WITH_MMAP=true;WITHOUT_PERL_MODULE=true;WITHOUT_PYTHON_MODULE=true;WITHOUT_RUBY_MODULE=true;WITHOUT_EXAMPLES=true;WITHOUT_FPECTL=true;WITH_IPV6=true;WITH_NLS=true;WITHOUT_PTH=true;WITH_PYMALLOC=true;WITHOUT_SEM=true;WITH_THREADS=true;WITHOUT_UCS2=true;WITH_UCS4=true;WITH_FONTCONFIG=true;WITH_ICONV=true;WITHOUT_XPM=true;WITHOUT_DAG=true;WITHOUT_DIGCOLA=true;WITHOUT_IPSEPCOLA=true;WITHOUT_PANGOCAIRO=true;WITHOUT_GTK=true;WITHOUT_XCB=true</build_options>
+ <version>5.0.1 v2.3</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <config_file>http://www.pfsense.com/packages/config/ntop2/ntop.xml</config_file>
@@ -349,6 +362,7 @@
 </package>
 <package>
 <name>FreeSWITCH Dev</name>
+ <internal_name>FreeSWITCH</internal_name>
 <website>http://www.freeswitch.org/</website>
 <descr>FreeSWITCH package development version.</descr>
 <category>Services</category>
@@ -426,7 +440,7 @@
 <pkginfolink></pkginfolink>
 <config_file>http://www.pfsense.com/packages/config/cron/cron.xml</config_file>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <version>0.1.5</version>
+ <version>0.1.7</version>
 <status>Beta</status>
 <required_version>1.2</required_version>
 <maintainer>markjcrane@gmail.com</maintainer>
@@ -453,69 +467,35 @@
 <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr>
 <category>Security</category>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package>
- <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package>
- <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package>
+ <depends_on_package>mysql-client-5.5.30.tbz</depends_on_package>
+ <depends_on_package>barnyard2-1.12.tbz</depends_on_package>
+ <depends_on_package>libnet11-1.1.6,1.tbz</depends_on_package>
 <depends_on_package>libdnet-1.11_3.tbz</depends_on_package>
- <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package>
- <depends_on_package>daq-0.6.2.tbz</depends_on_package>
- <depends_on_package>snort-2.9.2.3.tbz</depends_on_package>
- <depends_on_package_pbi>snort-2.9.2.3-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package>libpcap-1.3.0.tbz</depends_on_package>
+ <depends_on_package>daq-2.0.0.tbz</depends_on_package>
+ <depends_on_package>snort-2.9.4.6.tbz</depends_on_package>
+ <depends_on_package_pbi>snort-2.9.4.6-amd64.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/devel/pcre</build_port_path>
 <build_port_path>/usr/ports/net/daq</build_port_path>
 <build_port_path>/usr/ports/net/libnet</build_port_path>
+ <build_port_path>/usr/ports/net/libpcap</build_port_path>
 <build_port_path>/usr/ports/security/barnyard2</build_port_path>
- <build_port_path>/usr/ports/databases/mysql51-client</build_port_path>
+ <build_port_path>/usr/ports/databases/mysql55-client</build_port_path>
 <build_port_path>/usr/ports/security/snort</build_port_path>
 <build_pbi>
 <port>security/snort</port>
 <ports_after>security/barnyard2</ports_after>
 </build_pbi>
- <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options>
+ <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. -->
+ <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=REACT;snort_SET=TARGETBASED PERFPROFILE DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITH_TARGETBASED=true;WITH_PERFPROFILE=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITHOUT_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options>
 <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
- <version>2.9.2.3 pkg v. 2.5.2</version>
+ <version>2.9.4.6 pkg v. 2.5.9</version>
 <required_version>2.0</required_version>
 <status>Stable</status>
 <configurationfile>/snort.xml</configurationfile>
 <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info>
 </package>
 <package>
- <name>snort-dev</name>
- <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink>
- <website>http://www.snort.org</website>
- <descr>Snort-dev is a development branch.</descr>
- <category>Security</category>
- <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>snort-2.9.2.3-amd64.pbi</depends_on_package_pbi>
- <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package>
- <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package>
- <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package>
- <depends_on_package>libdnet-1.11_3.tbz</depends_on_package>
- <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package>
- <depends_on_package>daq-0.6.2.tbz</depends_on_package>
- <depends_on_package>snort-2.9.2.3.tbz</depends_on_package>
- <depends_on_package>perl-threaded-5.12.4_4.tbz</depends_on_package>
- <build_port_path>/usr/ports/devel/pcre</build_port_path>
- <build_port_path>/usr/ports/net/daq</build_port_path>
- <build_port_path>/usr/ports/net/libnet</build_port_path>
- <build_port_path>/usr/ports/lang/perl5.12</build_port_path>
- <build_port_path>/usr/ports/security/barnyard2</build_port_path>
- <build_port_path>/usr/ports/databases/mysql51-client</build_port_path>
- <build_port_path>/usr/ports/security/snort</build_port_path>
- <build_pbi>
- <custom_name>snort-dev</custom_name>
- <port>security/snort</port>
- <ports_after>security/barnyard2</ports_after>
- </build_pbi>
- <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options>
- <config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file>
- <version>2.9.2.3 pkg v. 3.0</version>
- <required_version>2.0</required_version>
- <status>Stable</status>
- <configurationfile>/snort.xml</configurationfile>
- <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info>
- </package>
- <package>
 <name>olsrd</name>
 <website>http://www.olsr.org/</website>
 <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr>
@@ -531,6 +511,17 @@
 <configurationfile>olsrd.xml</configurationfile>
 </package>
 <package>
+ <name>routed</name>
+ <website>http://www.pfsense.com/</website>
+ <descr>RIP v1 and v2 daemon.</descr>
+ <category>Network Management</category>
+ <config_file>http://www.pfsense.com/packages/config/routed/routed.xml</config_file>
+ <version>1.1</version>
+ <status>Stable</status>
+ <required_version>2.1</required_version>
+ <configurationfile>routed.xml</configurationfile>
+ </package>
+ <package>
 <name>spamd</name>
 <website>http://www.openbsd.org/spamd/</website>
 <descr>Tarpits like spamd are fake SMTP servers, which accept connections but don't deliver mail. Instead, they keep the connections open and reply very slowly. If the peer is patient enough to actually complete the SMTP dialogue (which will take ten minutes or more), the tarpit returns a 'temporary error' code (4xx), which indicates that the mail could not be delivered successfully and that the sender should keep the mail in their queue and retry again later.</descr>
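Review bot: The new snort `<build_options>` drops `WITH_MYSQL=true` and `WITH_SNORTSAM=true` from the legacy-style half and gives `snort_SET` no equivalent, yet `mysql-client-5.5.30.tbz` remains a dependency and `barnyard2_SET` still enables MYSQL; if snort's own MySQL/SnortSam output is meant to go away in favour of barnyard2, the comment added above the line should say so, otherwise the options need to be carried over. The same line also flips `WITHOUT_TARGETBASED`/`WITH_REACT` to `TARGETBASED` set and `REACT` unset, which changes what existing installs get on upgrade and deserves a word in that comment, e.g. `<!-- 2.9.4.6: TARGETBASED now on, REACT off; MySQL/SnortSam output only via barnyard2 -->`. The snort-dev entry is deleted outright in this hunk, and the olsrd `<package>` it runs into continues outside the hunk.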
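Review bot: The new routed entry carries no `<maintainer>`, `<pkginfolink>`, `<depends_on_package_base_url>` or `<depends_on_package*>` elements, unlike every other entry visible in this file; if that is intentional because it only configures a daemon already present on the system, a comment such as `<!-- GUI configuration only; no package artifact, uses the system routed daemon -->` would save the next reader from hunting for the missing artifact lines. A `<maintainer>` line would also tell people where RIP-related bug reports should go.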
@@ -552,68 +543,72 @@ <package> <name>Postfix Forwarder</name> <website>http://www.postfix.org/</website> - <descr><![CDATA[Postfix mail forwarder acts as a relay server for your domain.<br> - It can do first and second line antispam combat before sending incoming mail to local mail servers.<br> + <descr><![CDATA[Postfix mail forwarder acts as a relay server for your domain.<br /> + It can do first and second line antispam combat before sending incoming mail to local mail servers.<br /> Postfix can also detect zombies, check RBLS, SPF, seach ldap for valid recipients and use third part antispam engines like policyd and mailscanner for better antispam solution.]]></descr> <category>Services</category> <pkginfolink>http://forum.pfsense.org/index.php/topic,40622.0.html</pkginfolink> <config_file>http://www.pfsense.com/packages/config/postfix/postfix.xml</config_file> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>postfix-2.8.7,1.tbz</depends_on_package> + <depends_on_package>postfix-2.10.0,1.tbz</depends_on_package> <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> - <depends_on_package_pbi>postfix-2.9.4-amd64.pbi</depends_on_package_pbi> - <version>2.8.7,1 pkg v.2.3.4_1</version> - <status>RC1</status> + <depends_on_package_pbi>postfix-2.10.0-amd64.pbi</depends_on_package_pbi> + <version>2.10.0 pkg v.2.3.5</version> + <status>Release</status> <required_version>2.0</required_version> <configurationfile>postfix.xml</configurationfile> <build_port_path>/usr/ports/mail/postfix</build_port_path> - <build_options>WITH_PCRE=true WITH_SPF=true WITH_SASL2=true WITH_TLS=true</build_options> + <build_options>WITH_PCRE=true;WITH_SPF=true;WITH_SASL2=true;WITH_TLS=true</build_options> </package> <package> <name>Dansguardian</name> <website>http://www.dansguardian.org/</website> - <descr><![CDATA[DansGuardian is an award winning Open Source web content filter.<br> - It filters the actual 
content of pages based on many methods including phrase matching, PICS filtering and URL filtering.<br> - It does not purely filter based on a banned list of sites like lesser totally commercial filters.<br> - For all non-commercial it's free, without cost.<br> + <descr><![CDATA[DansGuardian is an award winning Open Source web content filter.<br /> + It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering.<br /> + It does not purely filter based on a banned list of sites like lesser totally commercial filters.<br /> + For all non-commercial it's free, without cost.<br /> For all commercial use visit dansguardian website to get a licence.]]></descr> <category>Services</category> <config_file>http://www.pfsense.com/packages/config/dansguardian/dansguardian.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,43786.0.html</pkginfolink> - <depends_on_package_base_url>http://e-sac.siteseguro.ws/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>dansguardian-2.12.0.0.tbz</depends_on_package> - <depends_on_package>clamav-0.97.3_1.tbz</depends_on_package> - <depends_on_package>ca_root_nss-3.13.3.tbz</depends_on_package> - <depends_on_package_pbi>dansguardian-2.12.0.0_1-amd64.pbi</depends_on_package_pbi> - <version>2.12.0.0 pkg v.0.1.6_1</version> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package>dansguardian-2.12.0.3.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> + <depends_on_package_pbi>dansguardian-2.12.0.3-amd64.pbi</depends_on_package_pbi> + <version>2.12.0.3 pkg v.0.1.8</version> <status>beta</status> <required_version>2.0</required_version> <configurationfile>dansguardian.xml</configurationfile> <build_port_path>/usr/ports/www/dansguardian-devel</build_port_path> - <build_options>WITHOUT_APACHE=true WITH_TRICKLE=true WITH_CLAMD=true 
WITH_ICAP=true WITH_NTLM=true WITH_SSL=true</build_options> + <build_port_path>/usr/ports/www/ca_root_nss</build_port_path> + <build_options>dansguardian-devel_UNSET=APACHE;dansguardian-devel_SET=TRICKLE CLAMD ICAP NTLM SSL</build_options> <!-- NOTE: Distfile must be fetched manually from http://dansguardian.org/downloads/2/Alpha/dansguardian-2.12.0.0.tar.gz --> </package> <package> - <name>mailscanner-dev</name> + <name>mailscanner</name> + <internal_name>mailscanner</internal_name> <website>www.mailscanner.info</website> - <descr><![CDATA[MailScanner is an e-mail security and anti-spam package for e-mail gateway systems.<br> + <descr><![CDATA[MailScanner is an e-mail security and anti-spam package for e-mail gateway systems.<br /> This is a level3 mail scanning tool with high CPU load.]]></descr> <category>Services</category> <config_file>http://www.pfsense.com/packages/config/mailscanner/mailscanner.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,43687.0.html</pkginfolink> <depends_on_package_base_url>http://e-sac.siteseguro.ws/pfsense/8/amd64/All/</depends_on_package_base_url> - <depends_on_package>MailScanner-4.83.5.tbz</depends_on_package> + <depends_on_package>MailScanner-4.84.5_3.tbz</depends_on_package> <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> - <depends_on_package>pyzor-0.5.0_1.tbz</depends_on_package> + <depends_on_package>pyzor-0.5.0_2.tbz</depends_on_package> <depends_on_package>p5-Mail-SPF-2.007.tbz</depends_on_package> <depends_on_package>p5-IP-Country-2.27.tbz</depends_on_package> <depends_on_package_pbi>mailscanner-4.84.5_3-amd64.pbi</depends_on_package_pbi> - <version>4.83.5 pkg v.0.2.1</version> + <version>4.84.5_3 pkg v.0.2.2</version> <status>beta</status> <required_version>2.0</required_version> <configurationfile>mailscanner.xml</configurationfile> <build_port_path>/usr/ports/mail/mailscanner</build_port_path> - <build_options></build_options> + 
<build_port_path>/usr/ports/mail/p5-Mail-SPF</build_port_path> + <build_port_path>/usr/ports/mail/pyzor</build_port_path> + <build_port_path>/usr/ports/net/p5-IP-Country</build_port_path> + <build_options>mailscanner_UNSET=BDC CLAMAVMODULE;mailscanner_SET=SPAMASSASSIN CLAMAV</build_options> </package> <package> <name>siproxd</name> @@ -633,18 +628,21 @@ </package> <package> <name>OpenBGPD</name> - <descr>OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.</descr> + <descr>OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol. -- WARNING! Installs files to the same place as Quagga OSPF. Installing both will result in a broken state, remove this package before installing Quagga OSPF.</descr> <category>NET</category> <config_file>http://www.pfsense.com/packages/config/openbgpd/openbgpd.xml</config_file> <build_port_path>/usr/ports/net/openbgpd</build_port_path> - <version>0.5.6</version> + <build_pbi> + <port>net/openbgpd</port> + </build_pbi> + <version>0.9</version> <status>STABLE</status> <pkginfolink>http://doc.pfsense.org/index.php/OpenBGPD_package</pkginfolink> <required_version>1.3</required_version> <configurationfile>openbgpd.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>openbgpd-4.9.20110612_1.tbz</depends_on_package> - <depends_on_package_pbi>openbgpd-4.9.20110612_1-amd64.pbi</depends_on_package_pbi> + <depends_on_package>openbgpd-5.2.20121209.tbz</depends_on_package> + <depends_on_package_pbi>openbgpd-5.2.20121209-amd64.pbi</depends_on_package_pbi> </package> <package> <name>OpenOSPFD</name> 
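Review bot: The Dansguardian entry drops `<depends_on_package>clamav-0.97.3_1.tbz</depends_on_package>` while the new option line `dansguardian-devel_SET=TRICKLE CLAMD ICAP NTLM SSL` still enables CLAMD, so the binary is built expecting a clamd the package no longer pulls in; either restore a clamav dependency or drop CLAMD from the SET list. The comment `<!-- NOTE: Distfile must be fetched manually from http://dansguardian.org/downloads/2/Alpha/dansguardian-2.12.0.0.tar.gz -->` still names 2.12.0.0 after the bump to 2.12.0.3 and should be updated or removed. The mailscanner entry keeps `http://e-sac.siteseguro.ws/pfsense/8/amd64/All/` as its `depends_on_package_base_url` in the same hunk that moves Dansguardian to `http://files.pfsense.org/packages/amd64/8/All/`; packages fetched over plain HTTP from a third-party host, with no digest recorded in this manifest, give the installer nothing to verify against, so this entry should move to the project mirror as well.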
@@ -677,15 +675,14 @@ <maintainer>dv_serg@mail.ru</maintainer> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>lightsquid-1.8_2.tbz</depends_on_package> - <depends_on_package>perl-5.12.4_3.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> <depends_on_package_pbi>lightsquid-1.8_2-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/lightsquid</build_port_path> - <build_port_path>/usr/ports/lang/perl5.12</build_port_path> <build_pbi> - <ports_before>lang/perl5.12</ports_before> + <ports_before>lang/perl5.14 graphics/gd graphics/p5-GD</ports_before> <port>www/lightsquid</port> </build_pbi> - <build_options>WITHOUT_DEBUGGING=true WITHOUT_GDBM=true WITHOUT_PERL_MALLOC=true WITH_PERL_64BITINT=true WITHOUT_THREADS=true WITHOUT_MULTIPLICITY=true WITHOUT_SUIDPERL=true WITHOUT_SITECUSTOMIZE=true WITH_USE_PERL=true</build_options> + <build_options>WITHOUT_DEBUGGING=true;WITHOUT_GDBM=true;WITHOUT_PERL_MALLOC=true;WITH_PERL_64BITINT=true;WITHOUT_THREADS=true;WITHOUT_MULTIPLICITY=true;WITHOUT_SUIDPERL=true;WITHOUT_SITECUSTOMIZE=true;WITH_USE_PERL=true;WITH_GDSUPPORT=true</build_options> <status>Beta</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/lightsquid/lightsquid.xml</config_file> 
@@ -696,28 +693,29 @@ <package> <name>Sarg</name> <website>http://www.dansguardian.org/</website> - <descr><![CDATA[Sarg - Squid Analysis Report Generator is a tool that allow you to view "where" your users are going to on the Internet.<br> + <descr><![CDATA[Sarg - Squid Analysis Report Generator is a tool that allow you to view "where" your users are going to on the Internet.<br /> Sarg provides many informations about Proxy(squid,squidguard or dansguardian) users activities: times, bytes, sites, etc...]]></descr> <category>Network Report</category> <config_file>http://www.pfsense.com/packages/config/sarg/sarg.xml</config_file> <pkginfolink>http://forum.pfsense.org/index.php/topic,47765.0.html</pkginfolink> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>sarg-2.3.2_2.tbz</depends_on_package> - <depends_on_package>gd-2.0.35_7,1.tbz</depends_on_package> - <depends_on_package_pbi>sarg-2.3.2_5-amd64.pbi</depends_on_package_pbi> - <version>2.3.2 pkg v.0.6.1</version> - <status>RC2</status> + <depends_on_package>sarg-2.3.6.tbz</depends_on_package> + <depends_on_package>gd-2.0.35_8,1.tbz</depends_on_package> + <depends_on_package_pbi>sarg-2.3.6-amd64.pbi</depends_on_package_pbi> + <version>2.3.6 pkg v.0.6.1</version> + <status>Release</status> <required_version>2.0</required_version> <configurationfile>sarg.xml</configurationfile> <build_port_path>/usr/ports/www/sarg</build_port_path> - <build_options>WITHOUT_GD=false WITHOUT_PHP=true</build_options> + <build_options>sarg_UNSET=GD PHP</build_options> <after_install_info>Please visit sarg settings on Status Menu to configure sarg.</after_install_info> </package> <package> <name>Ipguard-dev</name> + <internal_name>ipguard</internal_name> <website>http://ipguard.deep.perm.ru/</website> - <descr><![CDATA[Ipguard listens network for ARP packets. 
All permitted MAC-IP pairs listed in config files.<br> - If it recieves one with MAC-IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address.<br> + <descr><![CDATA[Ipguard listens network for ARP packets. All permitted MAC-IP pairs listed in config files.<br /> + If it receives one with MAC-IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address.<br /> This will prevent not permitted host to work properly in local ethernet segment.]]></descr> <category>Security</category> <config_file>http://www.pfsense.com/packages/config/ipguard/ipguard.xml</config_file> @@ -730,11 +728,11 @@ <required_version>2.0</required_version> <configurationfile>ipguard.xml</configurationfile> <build_port_path>/usr/ports/security/ipguard</build_port_path> - <after_install_info>Please visit ipguard settings on Services Menu to configure.</after_install_info> + <after_install_info>Please visit ipguard settings on the Firewall Menu to configure.</after_install_info> </package> <package> <name>Varnish</name> - <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br> + <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br /> It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.]]></descr> <website>http://varnish-cache.org</website> <pkginfolink>http://doc.pfsense.org/index.php/Varnish_package</pkginfolink> 
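Review bot: The Sarg option line changes from `WITHOUT_GD=false WITHOUT_PHP=true` to `sarg_UNSET=GD PHP`, which unambiguously disables GD, yet `<depends_on_package>gd-2.0.35_8,1.tbz</depends_on_package>` is kept (and bumped) in the same hunk; whichever way the old `WITHOUT_GD=false` was being read, the new form and the dependency list now disagree, so confirm whether `sarg_SET=GD;sarg_UNSET=PHP` was intended or the gd dependency is dead. Unchanged by this commit but on the new side, the Sarg `<website>http://www.dansguardian.org/</website>` points at the wrong project.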
@@ -745,7 +743,7 @@
 <config_file>http://www.pfsense.com/packages/config/varnish64/varnish_backends.xml</config_file>
 <configurationfile>varnish_backends.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>varnish-2.1.5_1-amd64.pbi gcc-4.2.5.20090325_5-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>varnish-2.1.5_2-amd64.pbi gcc-4.2.5.20090325_5-amd64.pbi</depends_on_package_pbi>
 <depends_on_package>varnish-2.1.5.tbz</depends_on_package>
 <depends_on_package>gcc-4.2.5.20090325_5.tbz</depends_on_package>
 <build_port_path>/usr/ports/www/varnish2</build_port_path>
@@ -753,8 +751,9 @@
 </package>
 <package>
 <name>Varnish3</name>
- <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br>
- It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.<br>
+ <internal_name>varnish</internal_name>
+ <descr><![CDATA[Varnish is a state-of-the-art, high-performance HTTP accelerator.<br />
+ It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance.<br />
 Version 3.0.2 includes streaming support]]></descr>
 <website>http://varnish-cache.org</website>
 <pkginfolink>http://doc.pfsense.org/index.php/Varnish_package</pkginfolink>
@@ -765,7 +764,7 @@
 <config_file>http://www.pfsense.com/packages/config/varnish3/varnish_backends.xml</config_file>
 <configurationfile>varnish_backends.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>gcc-4.2.5.20090325_5-amd64.pbi varnish-3.0.2_1-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>gcc-4.2.5.20090325_5-amd64.pbi varnish-3.0.3_2-amd64.pbi</depends_on_package_pbi>
 <depends_on_package>varnish-3.0.2.tbz</depends_on_package>
 <depends_on_package>pcre-8.21_1.tbz</depends_on_package>
 <build_port_path>/usr/ports/www/varnish</build_port_path>
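Review bot: The Varnish3 `depends_on_package_pbi` is bumped to `varnish-3.0.3_2-amd64.pbi` while `<depends_on_package>varnish-3.0.2.tbz</depends_on_package>` stays at 3.0.2 and the description still reads `Version 3.0.2 includes streaming support`, so PBI and tbz installs now get different upstream releases and the text is stale; if the tbz path is still served, bump it to match, and reword the description. The same pbi-only bump appears for mbmon at @@ -799 (`mbmon-205_6-amd64.pbi` against `mbmon-205_5.tbz`), nut at @@ -982 (`nut-2.6.5_1-amd64.pbi` against `nut-2.6.4.tbz`), stunnel at @@ -1129 (`stunnel-4.54-amd64.pbi` against `stunnel-4.43.tbz` and `<version>4.43</version>`) and LCDproc at @@ -1248 (`lcdproc-0.5.6-amd64.pbi` against `lcdproc-0.5.5.tbz`). Where the divergence is deliberate, a comment on the entry saying the tbz line is frozen for pre-PBI installs would save the next reader the same question.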
@@ -799,7 +798,7 @@ <required_version>1.0</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>mbmon-205_5.tbz</depends_on_package> - <depends_on_package_pbi>mbmon-205_5-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>mbmon-205_6-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/sysutils/mbmon</build_port_path> <config_file>http://www.pfsense.com/packages/config/phpsysinfo/phpsysinfo.xml</config_file> <configurationfile>phpsysinfo.xml</configurationfile> @@ -810,7 +809,7 @@ <descr>pfSense version of TinyDNS which features failover host support</descr> <website>http://cr.yp.to/djbdns.html</website> <category>Services</category> - <version>1.0.6.17</version> + <version>1.0.6.18</version> <status>Beta</status> <pkginfolink>http://doc.pfsense.org/index.php/Tinydns_package</pkginfolink> <required_version>2.0</required_version> @@ -828,7 +827,7 @@ <ports_before>sysutils/ucspi-tcp sysutils/daemontools</ports_before> <port>dns/djbdns</port> </build_pbi> - <build_options>WITH_IPV6=true WITH_SRV=true WITHOUT_DUMPCACHE=true WITHOUT_IGNOREIP=true WITHOUT_JUMBO=true WITHOUT_MAN=true WITHOUT_PERSISTENT_MMAP=true</build_options> + <build_options>WITH_IPV6=true;WITH_SRV=true;WITHOUT_DUMPCACHE=true;WITHOUT_IGNOREIP=true;WITHOUT_JUMBO=true;WITHOUT_MAN=true;WITHOUT_PERSISTENT_MMAP=true</build_options> <supportedbybsdperimeter>YES</supportedbybsdperimeter> </package> <package> @@ -836,7 +835,7 @@ <descr>VMware Tools</descr> <website>http://open-vm-tools.sourceforge.net/</website> <category>Services</category> - <version>8.7.0.3046 (build-313025)</version> + <version>8.7.0.3046 (build-425873)</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Open_VM_Tools_package</pkginfolink> <required_version>2.0</required_version> 
@@ -844,27 +843,27 @@ <configurationfile>open-vm-tools.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <build_port_path>/usr/ports/emulators/open-vm-tools-nox11/</build_port_path> - <depends_on_package>open-vm-tools-nox11-313025_2.tbz</depends_on_package> - <depends_on_package>icu-4.8.1.1_1.tbz</depends_on_package> + <depends_on_package>open-vm-tools-nox11-425873_3,1.tbz</depends_on_package> + <depends_on_package>icu-50.1.2.tbz</depends_on_package> <build_port_path>/usr/ports/devel/icu</build_port_path> - <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_7.tbz</depends_on_package> + <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_11.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-kmod</build_port_path> - <depends_on_package>fusefs-libs-2.7.4.tbz</depends_on_package> + <depends_on_package>fusefs-libs-2.9.2.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-libs</build_port_path> - <depends_on_package>glib-2.28.8_3.tbz</depends_on_package> + <depends_on_package>glib-2.28.8_5.tbz</depends_on_package> <build_port_path>/usr/ports/devel/glib2</build_port_path> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> <build_port_path>/usr/ports/net/libdnet</build_port_path> - <depends_on_package>libiconv-1.13.1_1.tbz</depends_on_package> + <depends_on_package>libiconv-1.14.tbz</depends_on_package> <build_port_path>/usr/ports/converters/libiconv</build_port_path> - <depends_on_package>pcre-8.21_1.tbz</depends_on_package> + <depends_on_package>pcre-8.32.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pcre</build_port_path> - <depends_on_package>perl-5.12.3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/perl5.12</build_port_path> - <depends_on_package>pkg-config-0.25_1.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> + <build_port_path>/usr/ports/lang/perl5.14</build_port_path> + 
<depends_on_package>pkgconf-0.8.9.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pkg-config</build_port_path> <depends_on_package>python27-2.7.2_3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/python27</build_port_path> + <build_port_path>python27-2.7.3_6.tbz</build_port_path> <build_pbi> <port>emulators/open-vm-tools-nox11</port> </build_pbi> @@ -923,10 +922,10 @@ <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>lua-5.1.5_4.tbz</depends_on_package> - <depends_on_package>nmap-6.01.tbz</depends_on_package> - <depends_on_package_pbi>nmap-6.01-amd64.pbi</depends_on_package_pbi> + <depends_on_package>nmap-6.25_1.tbz</depends_on_package> + <depends_on_package_pbi>nmap-6.25_1-amd64.pbi</depends_on_package_pbi> <config_file>http://www.pfsense.com/packages/config/nmap/nmap.xml</config_file> - <version>nmap-6.01 pkg v1.2</version> + <version>nmap-6.25_1 pkg v1.2</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Nmap_package</pkginfolink> <required_version>2.0</required_version> @@ -954,6 +953,7 @@ </package> <package> <name>imspector-dev</name> + <internal_name>imspector</internal_name> <descr>IMSpector is an Instant Messenger transparent proxy with logging capabilities. Currently it supports MSN, AIM, ICQ, Yahoo and IRC to different degrees.</descr> <website>http://www.imspector.org/</website> <category>Network Management</category> 
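Review bot: The new line `<build_port_path>python27-2.7.3_6.tbz</build_port_path>` puts a package filename where a ports path belongs, replacing `/usr/ports/lang/python27`, while the `<depends_on_package>python27-2.7.2_3.tbz</depends_on_package>` just above it is left at the old version; the intent was presumably `<depends_on_package>python27-2.7.3_6.tbz</depends_on_package>` with the original `<build_port_path>/usr/ports/lang/python27</build_port_path>` kept. Also `<depends_on_package>pkgconf-0.8.9.tbz</depends_on_package>` now sits next to the unchanged `<build_port_path>/usr/ports/devel/pkg-config</build_port_path>`; whether that port path still yields pkgconf on the 8.x tree is worth confirming. The hunk's package starts before this chunk.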
@@ -982,7 +982,7 @@
 <configurationfile>nut.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
 <depends_on_package>nut-2.6.4.tbz</depends_on_package>
- <depends_on_package_pbi>nut-2.6.4-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>nut-2.6.5_1-amd64.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/sysutils/nut</build_port_path>
 <pkginfolink>http://doc.pfsense.org/index.php/Nut_package</pkginfolink>
 </package>
@@ -1072,19 +1072,19 @@ <package> <name>freeradius2</name> <website>http://www.freeradius.org/</website> - <descr><![CDATA[A free implementation of the RADIUS protocol.<br> - Support: MySQL, PostgreSQL, LDAP, Kerberos<br> - FreeRADIUS and FreeRADIUS2 settings are not compatible so don't use them together or try to update<br> + <descr><![CDATA[A free implementation of the RADIUS protocol.<br /> + Support: MySQL, PostgreSQL, LDAP, Kerberos<br /> + FreeRADIUS and FreeRADIUS2 settings are not compatible so don't use them together or try to update<br /> On pfSense docs there is a how-to which could help you on porting users.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12_1 pkg v1.6.6_4</version> + <version>2.1.12_1/2.2.0 pkg v1.6.7_2</version> <status>RC1</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>freeradius-2.1.12_1.tbz</depends_on_package> - <depends_on_package_pbi>freeradius-2.1.12_1-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>freeradius-2.2.0-amd64.pbi</depends_on_package_pbi> <depends_on_package>mysql-client-5.1.63.tbz</depends_on_package> <depends_on_package>postgresql-client-9.0.8.tbz</depends_on_package> <depends_on_package>openldap-sasl-client-2.4.31_1.tbz</depends_on_package> 
@@ -1096,18 +1096,18 @@ <ports_before>security/krb5</ports_before> <port>net/freeradius2</port> </build_pbi> - <build_options>WITH_KERBEROS=yes WITH_MYSQL=yes WITH_PGSQL=yes WITH_PERL=yes WITH_PYTHON=yes WITH_LDAP=yes</build_options> + <build_options>freeradius_SET=KERBEROS MYSQL PGSQL PERL PYTHON LDAP</build_options> </package> <package> <name>bandwidthd</name> <website>http://bandwidthd.sourceforge.net/</website> <descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr> <category>System</category> - <version>2.0.1.3</version> + <version>2.0.1_5 pkg v.0.1</version> <status>BETA</status> <required_version>1.2.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>bandwidthd-2.0.1_4.tbz</depends_on_package> + <depends_on_package>bandwidthd-2.0.1_5.tbz</depends_on_package> <depends_on_package>libpcap-1.1.1.tbz</depends_on_package> <depends_on_package>postgresql-client-8.4.12.tbz</depends_on_package> <depends_on_package_pbi>bandwidthd-2.0.1_5-amd64.pbi</depends_on_package_pbi> 
@@ -1120,7 +1120,7 @@ <ports_before>net/libpcap databases/postgresql91-client graphics/gd</ports_before> <port>net-mgmt/bandwidthd</port> </build_pbi> - <build_options>WITH_NLS=true WITHOUT_PAM=true WITHOUT_LDAP=true WITHOUT_MIT_KRB5=true WITHOUT_HEIMDAL_KRB5=true WITHOUT_OPTIMIZED_CFLAGS=true WITHOUT_XML=true WITHOUT_TZDATA=true WITHOUT_DEBUG=true WITHOUT_GSSAPI=true WITHOUT_ICU=true WITH_INTDATE=true</build_options> + <build_options>WITH_NLS=true;WITHOUT_PAM=true;WITHOUT_LDAP=true;WITHOUT_MIT_KRB5=true;WITHOUT_HEIMDAL_KRB5=true;WITHOUT_OPTIMIZED_CFLAGS=true;WITHOUT_XML=true;WITHOUT_TZDATA=true;WITHOUT_DEBUG=true;WITHOUT_GSSAPI=true;WITHOUT_ICU=true;WITH_INTDATE=true</build_options> </package> <package> <name>stunnel</name> @@ -1129,7 +1129,7 @@ <category>Network Management</category> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>stunnel-4.43.tbz</depends_on_package> - <depends_on_package_pbi>stunnel-4.53-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>stunnel-4.54-amd64.pbi</depends_on_package_pbi> <version>4.43</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Stunnel_package</pkginfolink> @@ -1137,7 +1137,7 @@ <config_file>http://www.pfsense.com/packages/config/stunnel.xml</config_file> <configurationfile>stunnel.xml</configurationfile> <build_port_path>/usr/ports/security/stunnel</build_port_path> - <build_options>WITHOUT_FORK=true WITH_PTHREAD=true WITHOUT_UCONTEXT=true WITHOUT_IPV6=true WITH_LIBWRAP=true WITHOUT_SSL_PORT=true</build_options> + <build_options>WITHOUT_FORK=true;WITH_PTHREAD=true;WITHOUT_UCONTEXT=true;WITHOUT_IPV6=true;WITH_LIBWRAP=true;WITHOUT_SSL_PORT=true</build_options> </package> <package> <name>iperf</name> 
@@ -1185,21 +1185,22 @@ <config_file>http://www.pfsense.com/packages/config/mtr-nox11.xml</config_file> <configurationfile>mtr-nox11.xml</configurationfile> <build_port_path>/usr/ports/net/mtr</build_port_path> + <build_options>mtr_UNSET=X11</build_options> </package> <package> <name>squid</name> <descr>High performance web proxy cache.</descr> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>2.7.9 pkg v.4.3.1</version> + <version>2.7.9 pkg v.4.3.3</version> <status>Stable</status> <required_version>2</required_version> <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>squid-2.7.9_1.tbz</depends_on_package> + <depends_on_package>squid-2.7.9_3.tbz</depends_on_package> <depends_on_package>squid_radius_auth-1.10.tbz</depends_on_package> <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> - <depends_on_package_pbi>squid-2.7.9_1-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>squid-2.7.9_3-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/squid</build_port_path> <build_port_path>/usr/ports/www/squid_radius_auth</build_port_path> <build_port_path>/usr/ports/www/libwww</build_port_path> 
@@ -1208,19 +1209,20 @@ <port>www/squid</port> <ports_after>www/squid_radius_auth</ports_after> </build_pbi> - <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true SQUID_UID=proxy SQUID_GID=proxy</build_options> + <build_options>squid_UNSET=DNS_HELPER IPFILTER PINGER STACKTRACES STRICT_HTTP_DESC USERAGENT_LOG WCCPV2;squid_SET=PF LDAP_AUTH NIS_AUTH SASL_AUTH ARP_ACL AUFS CACHE_DIGESTS CARP COSS DELAY_POOLS FOLLOW_XFF HTCP IDENT KERB_AUTH KQUEUE LARGEFILE REFERER_LOG SNMP SSL VIA_DB WCCP;SQUID_UID=proxy;SQUID_GID=proxy</build_options> <config_file>http://www.pfsense.org/packages/config/squid/squid.xml</config_file> <configurationfile>squid.xml</configurationfile> </package> <package> <name>squid3</name> - <descr><![CDATA[High performance web proxy cache.<br> - It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br> + <internal_name>squid</internal_name> + <descr><![CDATA[High performance web proxy cache.<br /> + It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br /> It includes an Exchange-Web-Access (OWA) Assistant.]]></descr> <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>3.1.20 pkg 
2.0.5_5</version> + <version>3.1.20 pkg 2.0.6</version> <status>beta</status> <required_version>2.0</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> 
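Review bot: In the squid 2.7 `build_options`, the UNSET list contains `STRICT_HTTP_DESC`, which names the option's description variable rather than the option; the old line disabled it as `WITHOUT_SQUID_STRICT_HTTP=true`, and the squid3-dev entry in the next hunk uses `STRICT_HTTP` for the same knob. As far as I know an unrecognised name in an UNSET list is ignored rather than rejected, so STRICT_HTTP would silently keep the port's default instead of being turned off; change it to `STRICT_HTTP`. The squid3 package that starts at the end of this hunk continues into the next one.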
@@ -1232,10 +1234,42 @@ <port>www/squid31</port> <ports_after>www/squid_radius_auth</ports_after> </build_pbi> - <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_IPV6=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_SSL=true WITH_SQUID_SSL_CRTD=true WITH_SQUID_PINGER=true WITH_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITHOUT_SQUID_WCCP=true WITH_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITH_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_IPFW=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITHOUT_SQUID_ECAP=true WITHOUT_SQUID_ICAP=true WITHOUT_SQUID_ESI=true WITH_SQUID_AUFS=true WITHOUT_SQUID_COSS=true WITHOUT_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true WITHOUT_SQUID_DEBUG=true</build_options> - <config_file>http://www.pfsense.org/packages/config/squid-reverse/squid.xml</config_file> + <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI ECAP SNMP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> + 
<!--<build_options>WITH_SQUID_KERB_AUTH=true;WITH_SQUID_LDAP_AUTH=true;WITH_SQUID_NIS_AUTH=true;WITH_SQUID_SASL_AUTH=true;WITH_SQUID_IPV6=true;WITH_SQUID_DELAY_POOLS=true;WITH_SQUID_SNMP=true;WITH_SQUID_SSL=true;WITH_SQUID_SSL_CRTD=true;WITH_SQUID_PINGER=true;WITHOUT_SQUID_DNS_HELPER=true;WITH_SQUID_HTCP=true;WITH_SQUID_VIA_DB=true;WITH_SQUID_CACHE_DIGESTS=true;WITHOUT_SQUID_WCCP=true;WITH_SQUID_WCCPV2=true;WITHOUT_SQUID_STRICT_HTTP=true;WITH_SQUID_IDENT=true;WITH_SQUID_REFERER_LOG=true;WITH_SQUID_USERAGENT_LOG=true;WITH_SQUID_ARP_ACL=true;WITH_SQUID_IPFW=true;WITH_SQUID_PF=true;WITHOUT_SQUID_IPFILTER=true;WITH_SQUID_FOLLOW_XFF=true;WITHOUT_SQUID_ECAP=true;WITHOUT_SQUID_ICAP=true;WITHOUT_SQUID_ESI=true;WITH_SQUID_AUFS=true;WITHOUT_SQUID_COSS=true;WITHOUT_SQUID_KQUEUE=true;WITH_SQUID_LARGEFILE=true;WITHOUT_SQUID_STACKTRACES=true;WITHOUT_SQUID_DEBUG=true</build_options>--> + <config_file>http://www.pfsense.org/packages/config/squid3/31/squid.xml</config_file> <configurationfile>squid.xml</configurationfile> - <depends_on_package_pbi>squid-3.1.20-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>squid-3.1.22_1-amd64.pbi</depends_on_package_pbi> + </package> + <package> + <name>squid3-dev</name> + <internal_name>squid</internal_name> + <descr><![CDATA[High performance web proxy cache.<br /> + It combines squid as a proxy server with it's capabilities of acting as a HTTP / HTTPS reverse proxy.<br /> + It includes an Exchange-Web-Access (OWA) Assistant, ssl filtering and antivirus integration via i-cap]]></descr> + <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> + <website>http://www.squid-cache.org/</website> + <category>Network</category> + <version>3.3.8 pkg 2.1.2</version> + <status>beta</status> + <required_version>2.0</required_version> + <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> + 
<depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package>squid-3.3.5.tbz</depends_on_package> + <depends_on_package>libltdl-2.4.2.tbz</depends_on_package> + <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> + <depends_on_package>squidclamav-6.10_1.tbz</depends_on_package> + <depends_on_package>cyrus-sasl-2.1.26_2.tbz</depends_on_package> + <depends_on_package>clamav-0.97.8.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> + <build_pbi> + <ports_before>www/libwww security/cyrus-sasl2</ports_before> + <port>www/squid33</port> + <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss www/c-icap-modules</ports_after> + </build_pbi> + <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI ECAP SNMP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> + <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file> + <configurationfile>squid.xml</configurationfile> + <depends_on_package_pbi>squid-3.3.8-amd64.pbi</depends_on_package_pbi> </package> <package> <name>LCDproc</name> 
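Review bot: The squid3 (3.1.x) entry's new `build_options` are `c-icap_UNSET=IPV6 squid33_UNSET=... squid33_SET=...`, but its `build_pbi` still builds `<port>www/squid31</port>`, so as far as I can tell the `squid33_`-prefixed knobs never reach the port being built and the 3.1 package is effectively built with default options; the old list is only commented out (`<!--<build_options>WITH_SQUID_KERB_AUTH=true;...-->`), not translated, and that dead copy can go once the knobs are ported. In the same string, `c-icap_UNSET=IPV6` and `squid33_UNSET=...` are separated by a space where every other entry in this file separates assignments with `;`, which will likely fold the two into one assignment; the squid3-dev entry further down repeats both the spacing and the string. In squid3-dev, `<depends_on_package>squid-3.3.5.tbz</depends_on_package>` disagrees with `<version>3.3.8 pkg 2.1.2</version>` and `squid-3.3.8-amd64.pbi`. Since the description advertises "ssl filtering" alongside `SSL_CRTD`/`MSSL_CRTD`, presumably TLS interception, the `<descr>` should say what that entails for clients so an admin knows what the package enables before installing it.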
@@ -1248,25 +1282,26 @@
 <maintainer>seth.mos@dds.nl</maintainer>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
 <depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>
- <depends_on_package_pbi>lcdproc-0.5.5-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>lcdproc-0.5.6-amd64.pbi</depends_on_package_pbi>
 <config_file>http://www.pfsense.org/packages/config/lcdproc/lcdproc.xml</config_file>
 <configurationfile>lcdproc.xml</configurationfile>
 <build_port_path>/usr/ports/sysutils/lcdproc</build_port_path>
- <build_options>WITH_USB=true</build_options>
+ <build_options>lcdproc_SET=USB</build_options>
 </package>
 <package>
 <name>LCDproc-dev</name>
+ <internal_name>lcdproc</internal_name>
 <descr>LCD display driver - Development version</descr>
 <website>http://www.lcdproc.org/</website>
 <category>Utility</category>
- <version>lcdproc-0.5.5 pkg v. 0.9.4</version>
+ <version>lcdproc-0.5.6 pkg v. 0.9.5</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <maintainer>michele@nt2.it</maintainer>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,44034.0.html</pkginfolink>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>
- <depends_on_package_pbi>lcdproc-0.5.5-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package>lcdproc-0.5.6.tbz</depends_on_package>
+ <depends_on_package_pbi>lcdproc-0.5.6-amd64.pbi</depends_on_package_pbi>
 <config_file>http://www.pfsense.org/packages/config/lcdproc-dev/lcdproc.xml</config_file>
 <configurationfile>lcdproc.xml</configurationfile>
 <build_port_path>/usr/ports/sysutils/lcdproc</build_port_path>
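Review bot: The LCDproc entry's `<depends_on_package>lcdproc-0.5.5.tbz</depends_on_package>` is left at 0.5.5 while the line right below it moves `depends_on_package_pbi` to `lcdproc-0.5.6-amd64.pbi`; the LCDproc-dev entry in the same hunk bumps both together, so the two install paths of the stable package now pull different upstream versions. If the tbz pin is deliberate for the non-PBI build, a short XML comment on that line saying so would stop the next version bump from "fixing" it; otherwise it should read `<depends_on_package>lcdproc-0.5.6.tbz</depends_on_package>`.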
@@ -1294,18 +1329,17 @@ </package> <package> <name>squidGuard</name> - <descr>High perfomance web proxy URL filter. Requires proxy Squid package.</descr> + <descr>High perfomance web proxy URL filter. Requires proxy Squid 2.x package.</descr> <website>http://www.squidGuard.org/</website> <maintainer>dv_serg@mail.ru</maintainer> <category>Network Management</category> - <version>1.3_1 pkg v.1.9.1</version> + <version>1.4_4 pkg v.1.9.5</version> <status>Beta</status> <required_version>1.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>squidGuard-1.4_4.tbz</depends_on_package> <depends_on_package>db41-4.1.25_4.tbz</depends_on_package> - <depends_on_package>db3-3.3.11_3,1.tbz</depends_on_package> - <depends_on_package>cyrus-sasl-2.1.25_1.tbz</depends_on_package> + <depends_on_package>cyrus-sasl-2.1.26_2.tbz</depends_on_package> <depends_on_package_pbi>squidguard-1.4_4-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/squidguard</build_port_path> <build_port_path>/usr/ports/databases/db41</build_port_path> 
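Review bot: The rewritten squidGuard descr line keeps the spelling error `perfomance`; since the line is being touched anyway it should become `<descr>High performance web proxy URL filter. Requires proxy Squid 2.x package.</descr>`. The same misspelling is copied into the new squidGuard-squid3 entry in the following hunk, so both lines are worth fixing in one pass.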
@@ -1314,7 +1348,27 @@ <ports_before>databases/db41 security/cyrus-sasl2</ports_before> <port>www/squidguard</port> </build_pbi> - <build_options>WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true WITH_SAMPLE_BL=true WITH_LDAP=true WITH_SASL=true WITH_FETCH=true</build_options> + <build_options>squidGuard_UNSET=SQUID32 SQUID33;squidGuard_SET=SAMPLE_BL SASL LDAP SQUID27;squid_UNSET=DNS_HELPER IPFILTER PINGER STACKTRACES STRICT_HTTP_DESC USERAGENT_LOG WCCPV2;squid_SET=PF LDAP_AUTH NIS_AUTH SASL_AUTH ARP_ACL AUFS CACHE_DIGESTS CARP COSS DELAY_POOLS FOLLOW_XFF HTCP IDENT KERB_AUTH KQUEUE LARGEFILE REFERER_LOG SNMP SSL VIA_DB WCCP;SQUID_UID=proxy;SQUID_GID=proxy</build_options> + <config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file> + <configurationfile>squidguard.xml</configurationfile> + </package> + <package> + <name>squidGuard-squid3</name> + <descr>High perfomance web proxy URL filter. 
Requires proxy Squid 3.x package.</descr> + <website>http://www.squidGuard.org/</website> + <maintainer>dv_serg@mail.ru</maintainer> + <category>Network Management</category> + <version>1.4_4 pkg v.1.9.5</version> + <status>Experimental</status> + <required_version>2.1</required_version> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package_pbi>squidguard-squid3-1.4_4-amd64.pbi</depends_on_package_pbi> + <build_pbi> + <ports_before>www/squid33 databases/db41 security/cyrus-sasl2</ports_before> + <port>www/squidguard</port> + <custom_name>squidguard-squid3</custom_name> + </build_pbi> + <build_options>OPTIONS_SET=FETCH LDAP;squidGuard_UNSET=SQUID27;squidGuard_SET=SAMPLE_BL SASL SQUID33;c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> <config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file> <configurationfile>squidguard.xml</configurationfile> </package> 
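Review bot: In the new squidGuard-squid3 `<build_options>`, `c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB ...` separates two assignments with a space, while every other assignment in this file — and the zabbix hunks later in this same commit, which explicitly convert spaces to `;` — use `;` as the separator; if the build tooling splits on `;`, the whole `squid33_UNSET=...` list becomes part of the value of `c-icap_UNSET` and none of those squid options are actually unset. The fix is `c-icap_UNSET=IPV6;squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER ...`, and the squid3-dev entry earlier in this file carries the identical pattern. Separately, `STRICT_HTTP_DESC` in the squidGuard entry's `squid_UNSET=` list looks like the option's description variable rather than the option name `STRICT_HTTP` used elsewhere in the file — worth confirming against the port's Makefile before it silently does nothing.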
@@ -1333,7 +1387,7 @@ <custom_name>zabbix-agent</custom_name> <port>net-mgmt/zabbix-agent</port> </build_pbi> - <build_options>WITHOUT_CARES=true WITHOUT_CURL_DEBUG=true WITHOUT_DEBUGGING=true WITHOUT_DMALLOC=true WITHOUT_ETCSYMLINK=true WITHOUT_EXTRA_PATCHES=true WITHOUT_GDBM=true WITHOUT_GNUTLS=true WITHOUT_IODBC=true WITHOUT_IPMI=true WITHOUT_KERBEROS4=true WITHOUT_LDAP=true WITHOUT_LDAPS=true WITHOUT_LIBIDN=true WITHOUT_LIBSIGSEGV=true WITHOUT_LIBSSH2=true WITHOUT_MFD_REWRITES=true WITHOUT_MULTIPLICITY=true WITHOUT_MYSQL=true WITHOUT_NTLM=true WITHOUT_PERL_MALLOC=true WITHOUT_PGSQL=true WITHOUT_RTMP=true WITHOUT_SITECUSTOMIZE=true WITHOUT_SSH=true WITHOUT_SUIDPERL=true WITHOUT_THREADS=true WITHOUT_TKMIB=true WITHOUT_TRACKMEMORY=true WITHOUT_UNIXODBC=true WITH_CA_BUNDLE=true WITH_CURL=true WITH_DUMMY=true WITH_EXTRA_ENCODINGS=true WITH_FETCH=true WITH_FPING=true WITH_IPV6=true WITH_JABBER=true WITH_LDAP=true WITH_OPENSSL=true WITH_PERL=true WITH_PERL_64BITINT=true WITH_PERL_EMBEDDED=true WITH_PROXY=true WITH_SASL=true WITH_SQLITE=true WITH_USE_PERL=true WITH_WERROR=true</build_options> + 
<build_options>WITHOUT_CARES=true;WITHOUT_CURL_DEBUG=true;WITHOUT_DEBUGGING=true;WITHOUT_DMALLOC=true;WITHOUT_ETCSYMLINK=true;WITHOUT_EXTRA_PATCHES=true;WITHOUT_GDBM=true;WITHOUT_GNUTLS=true;WITHOUT_IODBC=true;WITHOUT_IPMI=true;WITHOUT_KERBEROS4=true;WITHOUT_LDAP=true;WITHOUT_LDAPS=true;WITHOUT_LIBIDN=true;WITHOUT_LIBSIGSEGV=true;WITHOUT_LIBSSH2=true;WITHOUT_MFD_REWRITES=true;WITHOUT_MULTIPLICITY=true;WITHOUT_MYSQL=true;WITHOUT_NTLM=true;WITHOUT_PERL_MALLOC=true;WITHOUT_PGSQL=true;WITHOUT_RTMP=true;WITHOUT_SITECUSTOMIZE=true;WITHOUT_SSH=true;WITHOUT_SUIDPERL=true;WITHOUT_THREADS=true;WITHOUT_TKMIB=true;WITHOUT_TRACKMEMORY=true;WITHOUT_UNIXODBC=true;WITH_CA_BUNDLE=true;WITH_CURL=true;WITH_DUMMY=true;WITH_EXTRA_ENCODINGS=true;WITH_FETCH=true;WITH_FPING=true;WITH_IPV6=true;WITH_JABBER=true;WITH_LDAP=true;WITH_OPENSSL=true;WITH_PERL=true;WITH_PERL_64BITINT=true;WITH_PERL_EMBEDDED=true;WITH_PROXY=true;WITH_SASL=true;WITH_SQLITE=true;WITH_USE_PERL=true;WITH_WERROR=true</build_options> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>zabbix-agent-1.8.10,2.tbz</depends_on_package> <depends_on_package_pbi>zabbix-agent-1.8.13-amd64.pbi</depends_on_package_pbi> 
@@ -1353,14 +1407,14 @@ <custom_name>zabbix-proxy</custom_name> <port>net-mgmt/zabbix-proxy</port> </build_pbi> - <build_options>WITHOUT_CARES=true WITHOUT_CURL_DEBUG=true WITHOUT_DEBUGGING=true WITHOUT_DMALLOC=true WITHOUT_ETCSYMLINK=true WITHOUT_EXTRA_PATCHES=true WITHOUT_GDBM=true WITHOUT_GNUTLS=true WITHOUT_IODBC=true WITHOUT_IPMI=true WITHOUT_KERBEROS4=true WITHOUT_LDAP=true WITHOUT_LDAPS=true WITHOUT_LIBIDN=true WITHOUT_LIBSIGSEGV=true WITHOUT_LIBSSH2=true WITHOUT_MFD_REWRITES=true WITHOUT_MULTIPLICITY=true WITHOUT_MYSQL=true WITHOUT_NTLM=true WITHOUT_PERL_MALLOC=true WITHOUT_PGSQL=true WITHOUT_RTMP=true WITHOUT_SITECUSTOMIZE=true WITHOUT_SSH=true WITHOUT_SUIDPERL=true WITHOUT_THREADS=true WITHOUT_TKMIB=true WITHOUT_TRACKMEMORY=true WITHOUT_UNIXODBC=true WITH_CA_BUNDLE=true WITH_CURL=true WITH_DUMMY=true WITH_EXTRA_ENCODINGS=true WITH_FETCH=true WITH_FPING=true WITH_IPV6=true WITH_JABBER=true WITH_LDAP=true WITH_OPENSSL=true WITH_PERL=true WITH_PERL_64BITINT=true WITH_PERL_EMBEDDED=true WITH_PROXY=true WITH_SASL=true WITH_SQLITE=true WITH_USE_PERL=true WITH_WERROR=true</build_options> + 
<build_options>WITHOUT_CARES=true;WITHOUT_CURL_DEBUG=true;WITHOUT_DEBUGGING=true;WITHOUT_DMALLOC=true;WITHOUT_ETCSYMLINK=true;WITHOUT_EXTRA_PATCHES=true;WITHOUT_GDBM=true;WITHOUT_GNUTLS=true;WITHOUT_IODBC=true;WITHOUT_IPMI=true;WITHOUT_KERBEROS4=true;WITHOUT_LDAP=true;WITHOUT_LDAPS=true;WITHOUT_LIBIDN=true;WITHOUT_LIBSIGSEGV=true;WITHOUT_LIBSSH2=true;WITHOUT_MFD_REWRITES=true;WITHOUT_MULTIPLICITY=true;WITHOUT_MYSQL=true;WITHOUT_NTLM=true;WITHOUT_PERL_MALLOC=true;WITHOUT_PGSQL=true;WITHOUT_RTMP=true;WITHOUT_SITECUSTOMIZE=true;WITHOUT_SSH=true;WITHOUT_SUIDPERL=true;WITHOUT_THREADS=true;WITHOUT_TKMIB=true;WITHOUT_TRACKMEMORY=true;WITHOUT_UNIXODBC=true;WITH_CA_BUNDLE=true;WITH_CURL=true;WITH_DUMMY=true;WITH_EXTRA_ENCODINGS=true;WITH_FETCH=true;WITH_FPING=true;WITH_IPV6=true;WITH_JABBER=true;WITH_LDAP=true;WITH_OPENSSL=true;WITH_PERL=true;WITH_PERL_64BITINT=true;WITH_PERL_EMBEDDED=true;WITH_PROXY=true;WITH_SASL=true;WITH_SQLITE=true;WITH_USE_PERL=true;WITH_WERROR=true</build_options> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>zabbix-proxy-1.8.8,2.tbz</depends_on_package> <depends_on_package_pbi>zabbix-proxy-1.8.13-amd64.pbi</depends_on_package_pbi> </package> <package> <name>OpenVPN Client Export Utility</name> - <descr>Allows a pre-configured OpenVPN Windows Client or or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.</descr> + <descr>Allows a pre-configured OpenVPN Windows Client or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.</descr> <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>p7zip-9.20.1.tbz</depends_on_package> 
@@ -1368,8 +1422,8 @@ <depends_on_package_pbi>p7zip-9.20.1-amd64.pbi zip-3.0-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/archivers/p7zip</build_port_path> <build_port_path>/usr/ports/archivers/zip</build_port_path> - <version>0.26</version> - <status>BETA</status> + <version>1.0.11</version> + <status>RELEASE</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file> <configurationfile>openvpn-client-export.xml</configurationfile> @@ -1384,7 +1438,7 @@ <depends_on_package>havp-0.91_1.tbz</depends_on_package> <depends_on_package_pbi>havp-0.91_1-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/www/havp</build_port_path> - <build_options>CLAMAVUSER=havp CLAMAVGROUP=havp</build_options> + <build_options>CLAMAVUSER=havp;CLAMAVGROUP=havp</build_options> <version>0.91_1 pkg v1.01</version> <status>BETA</status> <required_version>1.2.2</required_version> @@ -1455,7 +1509,7 @@ <descr>Dashboard widget for Snort.</descr> <category>System</category> <config_file>http://www.pfsense.com/packages/config/widget-snort/widget-snort.xml</config_file> - <version>0.3.2</version> + <version>0.3.4</version> <status>BETA</status> <required_version>1.2</required_version> <configurationfile>widget-snort.xml</configurationfile> 
@@ -1507,17 +1561,16 @@ <descr>Unbound is a validating, recursive, and caching DNS resolver. This package is a drop in replacement for Services: DNS Forwarder and also supports DNSSEC extensions. Once installed please configure the Unbound service by visiting Services: Unbound DNS.</descr> <website>http://www.unbound.net/</website> <category>Services</category> - <version>1.4.14_01</version> + <version>1.4.20_8</version> <status>Alpha</status> <maintainer>warren@decoy.co.za</maintainer> <required_version>2.0</required_version> - <maximum_version>2.1</maximum_version> <pkginfolink>http://doc.pfsense.org/index.php/Unbound_package</pkginfolink> <config_file>http://www.pfsense.com/packages/config/unbound/unbound.xml</config_file> <configurationfile>unbound.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>unbound-1.4.14.tbz</depends_on_package> - <depends_on_package>ldns-1.6.11.tbz</depends_on_package> + <depends_on_package>unbound-1.4.20.tbz</depends_on_package> + <depends_on_package>ldns-1.6.16.tbz</depends_on_package> <depends_on_package>expat-2.0.1_2.tbz</depends_on_package> <depends_on_package>libevent-1.4.14b_2.tbz</depends_on_package> <build_port_path>/usr/ports/dns/unbound/</build_port_path> @@ -1528,7 +1581,8 @@ <ports_before>dns/ldns textproc/expat2 devel/libevent2</ports_before> <port>dns/unbound</port> </build_pbi> - <build_options>WITH_LIBEVENT=true WITH_THREADS=true WITHOUT_GOST=true WITHOUT_MAN=true</build_options> + <depends_on_package_pbi>unbound-1.4.20-amd64.pbi</depends_on_package_pbi> + <build_options>unbound_UNSET=GOST ECDSA;unbound_SET=LIBEVENT THREADS</build_options> <logging> <facilityname>unbound</facilityname> <logfilename>unbound.log</logfilename> 
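Review bot: `unbound_UNSET=GOST ECDSA` in the new unbound `<build_options>` builds the resolver without ECDSA, so a validating Unbound will treat zones signed with the ECDSA DNSSEC algorithms as unsupported and hand their answers back as insecure rather than validated. If the omission is forced by the OpenSSL available on the 8.x build hosts, an XML comment on the line stating that would keep the next maintainer from guessing; if not, `<build_options>unbound_UNSET=GOST;unbound_SET=LIBEVENT THREADS ECDSA</build_options>` is the safer default for a package whose descr advertises DNSSEC support.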
@@ -1561,8 +1615,8 @@
 <maintainer>ey@tm-k.com</maintainer>
 <config_file>http://www.pfsense.org/packages/config/widescreen/widescreen.xml</config_file>
 <configurationfile>widescreen.xml</configurationfile>
- <!-- Disabling on 2.1 since it overwrites the menu -->
- <maximum_version>2.1</maximum_version>
+ <!-- Disabling on 2.0.2 and 2.1 since it overwrites the menu -->
+ <maximum_version>2.0.1</maximum_version>
 </package>
 <package>
 <name>NRPE v2</name>
@@ -1572,24 +1626,45 @@ <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <depends_on_package>nrpe-2.12_3.tbz</depends_on_package> <depends_on_package>nagios-plugins-1.4.15_1,1.tbz</depends_on_package> - <depends_on_package_pbi>nrpe-2.13-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>nrpe-2.13_2-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/net-mgmt/nrpe2</build_port_path> <build_port_path>/usr/ports/net-mgmt/nagios-plugins</build_port_path> <build_pbi> <ports_before>net-mgmt/nagios-plugins</ports_before> <port>net-mgmt/nrpe2</port> </build_pbi> - <build_options>WITH_SSL=true WITHOUT_ARGS=true</build_options> + <build_options>nrpe2_SET=SSL;nrpe2_UNSET=ARGS</build_options> <config_file>http://www.pfsense.com/packages/config/nrpe2/nrpe2.xml</config_file> - <version>2.12_3 v2.1</version> + <version>2.12_3 v2.2</version> <status>Beta</status> <required_version>1.2</required_version> <maintainer>erik@erikkristensen.com</maintainer> <configurationfile>nrpe2.xml</configurationfile> </package> <package> + <name>Check_mk agent</name> + <website>https://github.com/sileht/check_mk/blob/master/doc/README</website> + <descr><![CDATA[The basic idea of check_mk is to fetch "all" information about a target host at once.<br>For each host to be monitored check_mk is called by Nagios only once per time period.]]></descr> + <category>Services</category> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <build_port_path>/usr/ports/sysutils/muse</build_port_path> + <build_port_path>/usr/ports/sysutils/ipmitool</build_port_path> + <build_port_path>devel/libstatgrab</build_port_path> + <build_pbi> + <ports_before>sysutils/ipmitool devel/libstatgrab</ports_before> + <port>sysutils/muse</port> + </build_pbi> + <build_options></build_options> + <config_file>http://www.pfsense.com/packages/config/checkmk-agent/checkmk.xml</config_file> + 
<version>v0.1</version> + <status>RC1</status> + <required_version>2.0</required_version> + <maintainer>marcellocoutinho@gmail.com</maintainer> + <configurationfile>checkmk.xml</configurationfile> + </package> + <package> <name>SSHDCond</name> - <descr><![CDATA[Allows to define SSH overrides for users,groups,hosts and addresses using Match in a convenient way.<br> + <descr><![CDATA[Allows to define SSH overrides for users,groups,hosts and addresses using Match in a convenient way.<br /> This package acts as an access list frontend for ssh connections]]></descr> <category>Enhancements</category> <version>1.0</version> @@ -1601,9 +1676,9 @@ </package> <package> <name>mailreport</name> - <descr>Allows you to setup periodic e-mail reports containing RRD graphs.</descr> + <descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr> <category>Network Management</category> - <version>1.2</version> + <version>2.0.4</version> <status>BETA</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/mailreport/mailreport.xml</config_file> @@ -1611,7 +1686,7 @@ </package> <package> <name>zebedee</name> - <descr><![CDATA[Zebedee is a simple program to establish an encrypted, compressed "tunnel" for TCP/IP or UDP data transfer between two systems.<br> + <descr><![CDATA[Zebedee is a simple program to establish an encrypted, compressed "tunnel" for TCP/IP or UDP data transfer between two systems.<br /> This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.]]> </descr> <category>Services</category> 
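Review bot: In the new Check_mk agent entry, `<build_port_path>devel/libstatgrab</build_port_path>` lacks the `/usr/ports/` prefix that the two sibling `build_port_path` lines and every other entry in this file carry, so whatever consumes that element for the non-PBI build will not find the port; it should read `<build_port_path>/usr/ports/devel/libstatgrab</build_port_path>`. The entry also points `<website>` at a personal GitHub fork rather than the upstream check_mk project, which may well be intentional for this agent build but deserves an XML comment so a reader does not assume it is the canonical source. `<status>RC1</status>` against `<version>v0.1</version>` reads oddly next to the `Alpha`/`Beta` values the other new entries use.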
@@ -1632,16 +1707,16 @@ <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr> <category>System</category> <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file> - <version>0.3</version> + <version>0.4</version> <status>BETA</status> <required_version>2.0</required_version> - <maximum_version>2.1</maximum_version> + <maximum_version>2.0.4</maximum_version> </package> <package> <name>Quagga OSPF</name> - <descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD. Installing both will break things.</descr> + <descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD and OpenBGPD. Installing both will break things.</descr> <maintainer>jimp@pfsense.org</maintainer> - <version>0.99.20.1 v0.5</version> + <version>0.99.20.1 v0.5.4</version> <category>Routing</category> <status>BETA</status> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> @@ -1657,9 +1732,9 @@ <name>System Patches</name> <descr>A package to apply and maintain custom system patches.</descr> <maintainer>jimp@pfsense.org</maintainer> - <version>0.7.1</version> + <version>1.0</version> <category>System</category> - <status>BETA</status> + <status>RELEASE</status> <config_file>http://www.pfsense.com/packages/config/systempatches/systempatches.xml</config_file> <pkginfolink></pkginfolink> <required_version>2.0</required_version> 
@@ -1671,13 +1746,13 @@ <descr><![CDATA[Bacula is a set of Open Source, computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds.]]></descr> <website>http://www.bacula.org/</website> <category>Services</category> - <version>5.2.6 pkg v 1.0</version> + <version>5.2.6 pkg v 1.0.1</version> <status>Stable</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/bacula-client/bacula-client.xml</config_file> <depends_on_package_base_url>http://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/</depends_on_package_base_url> <depends_on_package>bacula-client-5.2.6.tbz</depends_on_package> - <depends_on_package_pbi>bacula-5.2.6-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>bacula-5.2.12-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/sysutils/bacula-client</build_port_path> <build_pbi> <port>sysutils/bacula-client</port> @@ -1690,15 +1765,16 @@ <!-- This does not exist yet, this is here to trigger a PBI build --> <name>urlsnarf</name> <pkginfolink>http://forum.pfsense.org/</pkginfolink> - <descr><![CDATA[HTTP URL Sniffer]]></descr> + <descr><![CDATA[HTTP URL Sniffer (console/shell only)]]></descr> <category>Services</category> - <version>0.1</version> + <version>2.3_4</version> <status>Beta</status> - <required_version>2.2</required_version> + <required_version>2.1</required_version> <config_file>http://www.pfsense.com/packages/config/urlsnarf/urlsnarf.xml</config_file> <maintainer>jimp@pfsense.org</maintainer> <configurationfile>urlsnarf.xml</configurationfile> <build_pbi> + <ports_before>net/libnet</ports_before> <port>security/dsniff</port> </build_pbi> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> 
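Review bot: The bacula-client entry moves `depends_on_package_pbi` to `bacula-5.2.12-amd64.pbi` but leaves `<depends_on_package>bacula-client-5.2.6.tbz</depends_on_package>` and the `5.2.6` inside `<version>5.2.6 pkg v 1.0.1</version>` untouched, so the version users see and the tbz path no longer describe what the PBI installs. Unless the tbz is deliberately pinned for the non-PBI path, the three lines should agree, and at minimum the version string should name the binary that actually ships. The entry's `depends_on_package_base_url` also points at the FreeBSD 8.3-release package mirror rather than files.pfsense.org like its neighbours; that is pre-existing, but a comment noting why this one package is fetched from outside the project's own hosting would help whoever audits the dependency sources.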
@@ -1708,11 +1784,11 @@
 <!-- This does not exist yet, this is here to trigger a PBI build -->
 <name>iftop</name>
 <pkginfolink>http://forum.pfsense.org/</pkginfolink>
- <descr><![CDATA[Realtime interface monitor (console only)]]></descr>
+ <descr><![CDATA[Realtime interface monitor (console/shell only)]]></descr>
 <category>Services</category>
- <version>0.1</version>
+ <version>0.17</version>
 <status>Beta</status>
- <required_version>2.2</required_version>
+ <required_version>2.1</required_version>
 <config_file>http://www.pfsense.com/packages/config/iftop/iftop.xml</config_file>
 <maintainer>jimp@pfsense.org</maintainer>
 <configurationfile>iftop.xml</configurationfile>
@@ -1723,17 +1799,37 @@ <depends_on_package_pbi>iftop-0.17-amd64.pbi</depends_on_package_pbi> </package> <package> + <!-- This does not exist yet, this is here to trigger a pkg build --> + <name>git</name> + <pkginfolink>http://forum.pfsense.org/</pkginfolink> + <descr><![CDATA[GIT Source Code Management (console/shell only)]]></descr> + <category>Services</category> + <version>1.8.1.3</version> + <status>Beta</status> + <required_version>2.1</required_version> + <config_file>http://www.pfsense.com/packages/config/git/git.xml</config_file> + <maintainer>jimp@pfsense.org</maintainer> + <configurationfile>git.xml</configurationfile> + <build_options>git_UNSET=GITWEB GUI HTMLDOCS CVS P4 SVN;git_SET=CONTRIB CURL ETCSHELLS ICONV NLS PERL</build_options> + <build_port_path>/usr/ports/devel/git</build_port_path> + <build_pbi> + <port>devel/git</port> + </build_pbi> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package_pbi>git-1.8.1.3-amd64.pbi</depends_on_package_pbi> + </package> + <package> <name>tinc</name> <website>http://www.tinc-vpn.org/</website> <descr>tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private mesh network between hosts on the Internet.</descr> <category>Network Management</category> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>tinc-1.0.19-amd64.pbi</depends_on_package_pbi> + <depends_on_package_pbi>tinc-1.0.21-amd64.pbi</depends_on_package_pbi> <build_pbi> <port>security/tinc</port> </build_pbi> <build_options></build_options> - <version>1.0.19</version> + <version>1.0.21</version> <status>ALPHA</status> <pkginfolink>http://doc.pfsense.org/index.php/tinc_package</pkginfolink> <required_version>2.1</required_version> 
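Review bot: The new git entry's `git_SET=CONTRIB CURL ETCSHELLS ICONV NLS PERL` turns on the port's ETCSHELLS option, which — if I read the FreeBSD devel/git port correctly — registers git-shell in `/etc/shells` when the package is installed; on a firewall that quietly widens the set of valid login shells for a tool the descr calls console/shell only, with no stated need for it. If it is not required, `git_UNSET=GITWEB GUI HTMLDOCS CVS P4 SVN ETCSHELLS` is the safer default; if it is, a short XML comment above the line explaining why would help. The entry's leading comment also says "trigger a pkg build" while its sibling iftop and urlsnarf entries say "PBI build".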
@@ -1754,7 +1850,7 @@
 <status>ALPHA</status>
 <required_version>2.1</required_version>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package_pbi>syslog-ng-3.3.6_2-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>syslog-ng-3.3.7_4-amd64.pbi</depends_on_package_pbi>
 <build_pbi>
 <ports_before>sysutils/logrotate</ports_before>
 <port>sysutils/syslog-ng</port>
@@ -1764,5 +1860,82 @@ <config_file>http://www.pfsense.com/packages/config/syslog-ng/syslog-ng.xml</config_file> <configurationfile>syslog-ng.xml</configurationfile> </package> + <package> + <name>Zabbix-2 Agent</name> + <descr>Monitoring agent.</descr> + <category>Services</category> + <config_file>http://www.pfsense.org/packages/config/zabbix2/zabbix2-agent.xml</config_file> + <version>zabbix2-agent-2.0.4 pkg v0.6_3</version> + <status>BETA</status> + <required_version>2.0</required_version> + <configurationfile>zabbix2-agent.xml</configurationfile> + <maintainer>dbaio@bsd.com.br</maintainer> + <build_port_path>/usr/ports/net-mgmt/zabbix2-agent</build_port_path> + <build_pbi> + <custom_name>zabbix2-agent</custom_name> + <port>net-mgmt/zabbix2-agent</port> + </build_pbi> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package>zabbix2-agent-2.0.4.tbz</depends_on_package> + <depends_on_package_pbi>zabbix2-agent-2.0.4-amd64.pbi</depends_on_package_pbi> + </package> + <package> + <name>Zabbix-2 Proxy</name> + <descr>Monitoring agent proxy.</descr> + <category>Services</category> + <config_file>http://www.pfsense.org/packages/config/zabbix2/zabbix2-proxy.xml</config_file> + <version>zabbix2-proxy-2.0.4 pkg v0.6_2</version> + <status>BETA</status> + <required_version>2.0</required_version> + <configurationfile>zabbix2-proxy.xml</configurationfile> + <maintainer>dbaio@bsd.com.br</maintainer> + <build_port_path>/usr/ports/net-mgmt/zabbix2-proxy</build_port_path> + <build_pbi> + <custom_name>zabbix2-proxy</custom_name> + <port>net-mgmt/zabbix2-proxy</port> + </build_pbi> + <build_options>OPTIONS_SET+= SQLITE;OPTIONS_UNSET+= MYSQL JABBER LDAP</build_options> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package>zabbix2-proxy-2.0.4.tbz</depends_on_package> + 
<depends_on_package_pbi>zabbix2-proxy-2.0.4-amd64.pbi</depends_on_package_pbi> + </package> + <package> + <!-- This does not exist yet, this is here to trigger a PBI build --> + <name>ipmitool</name> + <pkginfolink>http://forum.pfsense.org/</pkginfolink> + <descr><![CDATA[IPMI Tools for local/remote data retrieval and control (Console only, no GUI)]]></descr> + <category>Services</category> + <version>1.8.12</version> + <status>Alpha</status> + <required_version>2.1</required_version> + <config_file>http://www.pfsense.com/packages/config/ipmitool/ipmitool.xml</config_file> + <maintainer>jimp@pfsense.org</maintainer> + <configurationfile>ipmitool.xml</configurationfile> + <build_pbi> + <port>sysutils/ipmitool</port> + </build_pbi> + <build_options>ipmitool_SET=FREEIPMI;freeipmi_UNSET=DOCS DEBUG IOPERM</build_options> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package_pbi>ipmitool-1.8.12_3-amd64.pbi</depends_on_package_pbi> + </package> + <package> + <name>sudo</name> + <pkginfolink>http://doc.pfsense.org/index.php/Sudo_Package</pkginfolink> + <descr><![CDATA[sudo allows delegation of privileges to users in the shell so commands can be run as other users, such as root.]]></descr> + <category>Security</category> + <version>0.1</version> + <status>Beta</status> + <required_version>2.0.2</required_version> + <config_file>http://www.pfsense.com/packages/config/sudo/sudo.xml</config_file> + <maintainer>jimp@pfsense.org</maintainer> + <configurationfile>sudo.xml</configurationfile> + <build_pbi> + <port>security/sudo</port> + </build_pbi> + <build_port_path>/usr/ports/security/sudo</build_port_path> + <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> + <depends_on_package>sudo-1.8.6.p8.tbz</depends_on_package> + <depends_on_package_pbi>sudo-1.8.6p8-amd64.pbi</depends_on_package_pbi> + </package> </packages> </pfsensepkgs> 
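Review bot: The Zabbix-2 Proxy `<build_options>OPTIONS_SET+= SQLITE;OPTIONS_UNSET+= MYSQL JABBER LDAP</build_options>` uses a `VAR+= value` make syntax that no other entry in this file uses — every other line is a plain `<port>_SET=...`/`<port>_UNSET=...` assignment with no whitespace around `=` — so if the build tooling parses `name=value` this line yields a variable literally named `OPTIONS_SET+` and the proxy is built with the port's defaults (MySQL, Jabber, LDAP) instead of SQLite. It should be rewritten in the same `_SET=`/`_UNSET=` form the nrpe2, git and ipmitool entries use, with the zabbix2-proxy port's options name as the prefix. The sibling Zabbix-2 Agent entry carries no `<build_options>` at all, which is fine if the port defaults are wanted, but an XML comment saying so would avoid the question given that the proxy needs overrides.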
diff --git a/pkg_config.xml b/pkg_config.xml index 6d7a2a1c..1d4258fd 100644 --- a/pkg_config.xml +++ b/pkg_config.xml @@ -198,36 +198,6 @@ technique called multipoint relaying for message flooding.</descr> <configurationfile>clamav.xml</configurationfile> </package> <package> - <name>phpmrss</name> - <descr>mRss is a C library for parsing, writing and creating RSS files or streams.</descr> - <website>http://www2.autistici.org/bakunin//libmrss/doc/</website> - <category>Textproc</category> - <version>0.13</version> - <status>BETA</status> - <required_version>2.0</required_version> - <depends_on_package_base_url>http://files.pfsense.org/packages/All/</depends_on_package_base_url> - <depends_on_package>libmrss-0.13.tbz</depends_on_package> - <config_file>http://www.pfsense.org/packages/config/phpmrss.xml</config_file> - <configurationfile>phpmrss.xml</configurationfile> - </package> - <package> - <name>p3scan-pf</name> - <descr> - A transparent POP3-Proxy with virus-scanning- and - spam-scanning-capabilities. - </descr> - <website>http://www.undergroundsecurity.com/p3scan/</website> - <category>Security</category> - <version>0.1</version> - <status>ALPHA</status> - <required_version>2.0</required_version> - <maintainer>fernando@netfilter.com.br</maintainer> - <depends_on_package_base_url>http://files.pfsense.org/packages/All/</depends_on_package_base_url> - <depends_on_package>p3scan-pf-2.3.2.tbz</depends_on_package> - <config_file>http://www.pfsense.org/packages/config/p3scan-pf/p3scan-pf.xml</config_file> - <configurationfile>p3scan-pf.xml</configurationfile> - </package> - <package> <name>clamsmtp</name> <descr>SMTP virus scanner.</descr> <website>http://memberwebs.com/nielsen/software/clamsmtp/</website> diff --git a/pkg_config.xsl b/pkg_config.xsl new file mode 100644 index 00000000..d5df5626 --- /dev/null +++ b/pkg_config.xsl 
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="2.0">
+ <xsl:output method="html" encoding="UTF-8" indent="yes"/>
+ <xsl:template match="pfsensepkgs">
+ <html>
+ <head>
+ <title>pfSense Open Source Firewall Distribution - Packages</title>
+ <link rel="shortcut icon" href="http://www.pfsense.org/images/favicon.ico"/>
+
+ <link rel="stylesheet" href="templates/modular_plazza/css/template_css.css" type="text/css"/>
+ <link rel="stylesheet" href="templates/modular_plazza/css/sfish.css" type="text/css"/>
+ </head>
+ <body class="bodies">
+ <h2>pfSense Package list</h2>
+ <xsl:apply-templates/>
+ </body>
+ </html>
+ </xsl:template>
+
+ <xsl:template match="packages">
+ <xsl:for-each-group select="package" group-by="category">
+ <h3>
+ Category: <xsl:value-of select="current-grouping-key()"/>
+ </h3>
+ <xsl:for-each select="current-group()">
+ <h4>
+ <xsl:value-of select="name"/>
+ </h4>
+ <span class="version">Version <xsl:value-of select="version"/> </span>
+ <xsl:choose>
+ <xsl:when test="status = 'ALPHA'"><span style="color:red">alpha</span></xsl:when>
+ <xsl:when test="status = 'BETA'"><span style="color:blue">beta</span></xsl:when>
+ <xsl:otherwise><span style="color:green"><xsl:value-of select="status"/></span></xsl:otherwise>
+ </xsl:choose>
+ <br/>
+ <xsl:value-of select="descr" disable-output-escaping="yes"/>
+ </xsl:for-each>
+ </xsl:for-each-group>
+ </xsl:template>
+</xsl:stylesheet> |
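Review bot: The status switch in the `packages` template compares `status` case-sensitively against `'ALPHA'` and `'BETA'`, but the feed this stylesheet renders uses `Alpha`, `Beta`, `Experimental`, `RC1` and `Stable` as well, so most pre-release packages fall into `xsl:otherwise` and are painted green; `<xsl:when test="upper-case(status) = 'ALPHA'">` and `<xsl:when test="upper-case(status) = 'BETA'">` would close that gap. Note that `upper-case()`, `xsl:for-each-group` and `current-grouping-key()` are XSLT 2.0 features, so the stylesheet will not run under libxslt-based processors such as PHP's XSLTProcessor, which implement only 1.0; if that is the intended consumer, the grouping needs a 1.0 (Muenchian) rewrite and the case fold becomes `translate(status, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')`. `disable-output-escaping="yes"` on `descr` is what lets the CDATA `<br />` markup in the feed render, but it also means anything in that field reaches the page unescaped; a comment on that line stating that the feed is trusted first-party content would document the boundary for whoever later points this stylesheet at a different source.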