-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc4
-rw-r--r--config/apache_mod_security/apache_mod_security.inc4
-rw-r--r--config/arping/arping.xml4
-rw-r--r--config/backup/backup.inc19
-rw-r--r--config/checkmk-agent/checkmk.xml7
-rwxr-xr-xconfig/dansguardian/dansguardian.inc2
-rw-r--r--config/freeradius2/freeradius.inc9
-rw-r--r--config/freeradius2/freeradius.xml4
-rw-r--r--config/freeradius2/freeradius_view_config.php8
-rw-r--r--config/freeradius2/freeradiusauthorizedmacs.xml64
-rw-r--r--config/freeradius2/freeradiuscerts.xml2
-rw-r--r--config/freeradius2/freeradiusclients.xml2
-rw-r--r--config/freeradius2/freeradiuseapconf.xml4
-rw-r--r--config/freeradius2/freeradiusinterfaces.xml2
-rw-r--r--config/freeradius2/freeradiussync.xml6
-rw-r--r--config/haproxy-devel/pkg/haproxy.inc206
-rw-r--r--config/haproxy-devel/pkg/haproxy_utils.inc44
-rw-r--r--config/haproxy-devel/www/haproxy_listeners_edit.php11
-rw-r--r--config/haproxy-devel/www/haproxy_pool_edit.php2
-rw-r--r--config/haproxy1_5/pkg/haproxy.inc6
-rw-r--r--config/lightsquid/lightsquid.inc15
-rw-r--r--config/lightsquid/lightsquid.xml78
-rw-r--r--config/mailreport/status_mail_report_add_cmd.php2
-rw-r--r--config/ntopng/ntopng.xml53
-rw-r--r--config/nut/nut.inc1
-rw-r--r--config/open-vm-tools_2/open-vm-tools.inc17
-rw-r--r--config/openbgpd/openbgpd.inc116
-rw-r--r--config/openbgpd/openbgpd.xml14
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc21
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.xml1
-rw-r--r--config/pfblockerng/pfblockerng.inc1237
-rw-r--r--config/pfblockerng/pfblockerng.php312
-rw-r--r--config/pfblockerng/pfblockerng.priv.inc6
-rw-r--r--config/pfblockerng/pfblockerng.sh13
-rw-r--r--config/pfblockerng/pfblockerng.widget.php453
-rw-r--r--config/pfblockerng/pfblockerng.xml194
-rw-r--r--config/pfblockerng/pfblockerng_alerts.php381
-rw-r--r--config/pfblockerng/pfblockerng_diag_dns.php23
-rw-r--r--config/pfblockerng/pfblockerng_log.php31
-rw-r--r--config/pfblockerng/pfblockerng_sync.xml14
-rw-r--r--config/pfblockerng/pfblockerng_top20.xml130
-rw-r--r--config/pfblockerng/pfblockerng_update.php164
-rw-r--r--config/pfblockerng/pfblockerng_v4lists.xml232
-rw-r--r--config/pfblockerng/pfblockerng_v6lists.xml226
-rw-r--r--config/pfflowd/pfflowd.xml2
-rw-r--r--config/siproxd/siproxd.inc2
-rw-r--r--config/snort/deprecated_rules62
-rwxr-xr-xconfig/snort/snort.inc106
-rwxr-xr-xconfig/snort/snort.xml9
-rw-r--r--config/snort/snort_alerts.widget.php5
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php14
-rwxr-xr-xconfig/snort/snort_define_servers.php11
-rw-r--r--config/snort/snort_defs.inc4
-rw-r--r--config/snort/snort_generate_conf.php7
-rwxr-xr-xconfig/snort/snort_interfaces.php2
-rw-r--r--config/snort/snort_interfaces_global.php15
-rw-r--r--config/snort/snort_ip_reputation.php3
-rw-r--r--config/snort/snort_migrate_config.php10
-rw-r--r--config/snort/snort_passlist_edit.php7
-rw-r--r--config/snort/snort_post_install.php12
-rwxr-xr-xconfig/snort/snort_preprocessors.php27
-rw-r--r--config/squid/squid.inc8
-rw-r--r--config/squid3/31/squid.inc10
-rwxr-xr-xconfig/squid3/33/squid.inc12
-rwxr-xr-xconfig/squid3/34/squid.inc1802
-rw-r--r--config/squid3/34/squid.xml14
-rw-r--r--config/squid3/34/squid_auth.inc446
-rw-r--r--config/squid3/34/squid_cpauth.php24
-rw-r--r--config/squid3/34/squid_extauth.xml106
-rwxr-xr-xconfig/squid3/34/squid_ng.inc1070
-rwxr-xr-xconfig/squid3/34/squid_ng.xml267
-rwxr-xr-xconfig/squid3/34/squid_reverse.inc158
-rw-r--r--config/squid3/old/proxy_monitor.sh77
-rw-r--r--config/squid3/old/squid.inc1403
-rw-r--r--config/squid3/old/squid.xml342
-rw-r--r--config/squid3/old/squid_auth.inc446
-rw-r--r--config/squid3/old/squid_auth.xml240
-rw-r--r--config/squid3/old/squid_cache.xml224
-rw-r--r--config/squid3/old/squid_extauth.xml106
-rw-r--r--config/squid3/old/squid_nac.xml143
-rw-r--r--config/squid3/old/squid_ng.inc1070
-rw-r--r--config/squid3/old/squid_ng.xml267
-rw-r--r--config/squid3/old/squid_traffic.xml177
-rw-r--r--config/squid3/old/squid_upstream.xml133
-rw-r--r--config/squid3/old/squid_users.xml120
-rw-r--r--config/stunnel/stunnel.inc63
-rw-r--r--config/stunnel/stunnel.xml10
-rw-r--r--config/sudo/sudo.inc11
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_check_cron_misc.inc20
-rw-r--r--config/suricata/suricata_defs.inc9
-rw-r--r--config/suricata/suricata_logs_mgmt.php18
-rw-r--r--config/suricata/suricata_migrate_config.php165
-rw-r--r--config/suricata/suricata_post_install.php4
-rw-r--r--config/syslog-ng/syslog-ng.inc6
-rw-r--r--config/systempatches/system_patches.php51
-rw-r--r--config/tinydns/tinydns.inc2
-rw-r--r--config/vnstat2/vnstat2.inc274
-rw-r--r--config/vnstat2/vnstat2.xml69
-rw-r--r--config/vnstat2/vnstati.xml9
-rw-r--r--config/vnstat2/vnstatoutput.xml9
-rw-r--r--config/vnstat2/www/diag_vnstat.php84
-rw-r--r--config/vnstat2/www/diag_vnstat2.php106
-rw-r--r--config/vnstat2/www/vnstati.php1
-rw-r--r--config/zabbix-agent-lts/zabbix-agent-lts.inc (renamed from config/zabbix-lts/zabbix-lts.inc)159
-rw-r--r--config/zabbix-agent-lts/zabbix-agent-lts.xml (renamed from config/zabbix-lts/zabbix-agent-lts.xml)13
-rw-r--r--config/zabbix-proxy-lts/zabbix-proxy-lts.inc237
-rw-r--r--config/zabbix-proxy-lts/zabbix-proxy-lts.xml (renamed from config/zabbix-lts/zabbix-proxy-lts.xml)13
-rw-r--r--pkg_config.10.xml156
-rw-r--r--pkg_config.8.xml16
-rw-r--r--pkg_config.8.xml.amd6416
111 files changed, 4944 insertions, 9686 deletions
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 72c1f9b4..ed5596d6 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -603,8 +603,8 @@ EOF;
}
$vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n";
- $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n";
- $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
+ $vh_config.=" ProxyPass balancer://{$backend['balancer']}".($backend['backendpath'] ? $backend['backendpath'] : "/")."\n";
+ $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}".($backend['backendpath'] ? $backend['backendpath'] : "/")."\n";
if ($backend['compress']== "no")
$vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n";
if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 8475ca50..8bcf3ddd 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -1005,7 +1005,9 @@ SSLRandomSeed connect builtin
Include etc/apache22/Includes/*.conf
EOF;
-
+ if (!is_dir('/usr/local/etc/apache22')) {
+ mkdir('/usr/local/etc/apache22', 0775, true);
+ }
$fd = fopen("/usr/local/etc/apache22/httpd.conf", "w");
if(!$fd) {
$error_text = "Could not open httpd.conf for writing!";
diff --git a/config/arping/arping.xml b/config/arping/arping.xml
index 02531b76..c8ab9931 100644
--- a/config/arping/arping.xml
+++ b/config/arping/arping.xml
@@ -47,7 +47,7 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>arping</name>
<version>2.6.0.2</version>
- <title>Services: ARPing</title>
+ <title>Diagnostics: ARPing</title>
<savetext>ARPing</savetext>
<preoutput>yes</preoutput>
<donotsave>true</donotsave>
@@ -55,7 +55,7 @@
<menu>
<name>Arping</name>
<tooltiptext>Host to arp ping</tooltiptext>
- <section>Services</section>
+ <section>Diagnostics</section>
<url><![CDATA[/pkg_edit.php?xml=arping.xml&id=0]]></url>
</menu>
<tabs>
diff --git a/config/backup/backup.inc b/config/backup/backup.inc
index df508775..748b7fc6 100644
--- a/config/backup/backup.inc
+++ b/config/backup/backup.inc
@@ -32,16 +32,17 @@
*/
-function byte_convert( $bytes ) {
- if ($bytes<=0)
- return '0 Byte';
-
- $convention=1000; //[1000->10^x|1024->2^x]
- $s=array('B', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB');
- $e=floor(log($bytes,$convention));
- return round($bytes/pow($convention,$e),2).' '.$s[$e];
+if (!function_exists("byte_convert")) {
+ function byte_convert( $bytes ) {
+ if ($bytes<=0)
+ return '0 Byte';
+
+ $convention=1000; //[1000->10^x|1024->2^x]
+ $s=array('B', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB');
+ $e=floor(log($bytes,$convention));
+ return round($bytes/pow($convention,$e),2).' '.$s[$e];
+ }
}
-
function backup_sync_package_php()
{
diff --git a/config/checkmk-agent/checkmk.xml b/config/checkmk-agent/checkmk.xml
index 2b4f6996..3709dce1 100644
--- a/config/checkmk-agent/checkmk.xml
+++ b/config/checkmk-agent/checkmk.xml
@@ -93,13 +93,12 @@
<fieldname>checkmkport</fieldname>
<type>input</type>
<size>10</size>
- <description>Enter port to listen on. Leave empty to use Default prot 6556</description>
- <required/>
+ <description>Enter port to listen on. Leave empty to use Default port 6556.</description>
</field>
<field>
<fielddescr>Hosts.allow</fielddescr>
<fieldname>checkmkhosts</fieldname>
- <description>Enter hosts(comma separeted) that can communicate with this agent.</description>
+ <description>Enter hosts (comma separated) that can communicate with this agent.</description>
<type>input</type>
<size>60</size>
</field>
@@ -118,4 +117,4 @@
<custom_php_resync_config_command>
sync_package_checkmk();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc
index 0dd8ff99..c915d579 100755
--- a/config/dansguardian/dansguardian.inc
+++ b/config/dansguardian/dansguardian.inc
@@ -164,7 +164,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) {
$maxips=($dansguardian['maxips']?$dansguardian['maxips']:"0");
$preforkchildren=($dansguardian['preforkchildren']?$dansguardian['preforkchildren']:"10");
$proxyip=($dansguardian['proxyip']?$dansguardian['proxyip']:"127.0.0.1");
- $proxyport=($dansguardian['proxyport']?$dansguardian['proxyport']:"127.0.0.1");
+ $proxyport=($dansguardian['proxyport']?$dansguardian['proxyport']:"3128");
$proxytimeout=($dansguardian['proxytimeout']?$dansguardian['proxytimeout']:"30");
#general options
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 76da6213..8472ea5e 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -76,6 +76,15 @@ if ($pfs_version == "2.2") {
}
function freeradius_deinstall_command() {
+ $pidFile = "/var/run/radiusd.pid";
+ $i = 0;
+
+ while (isvalidpid($pidFile) && $i < 3) {
+ $sig = ($i == 2 ? SIGKILL : SIGTERM);
+ sigkillbypid($pidFile, $sig);
+ sleep(1);
+ $i++;
+ }
return;
}
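Review bot: The new shutdown loop in freeradius_deinstall_command gives up after three signals but never reports whether radiusd actually exited, so a process that survives the final SIGKILL (or a stale pid file) is silently ignored and the function still returns normally. A check after the loop, e.g. `if (isvalidpid($pidFile)) { log_error("freeradius: radiusd still running after deinstall signals"); }`, would make that visible in the system log. The two SIGTERMs are sent one second apart before SIGKILL; a short comment such as `// two graceful attempts, then force` would tell the next reader that this is intentional.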
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 16a4875c..4563ef62 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradius</name>
- <version>1.6.12</version>
+ <version>1.6.13</version>
<title>FreeRADIUS: Users</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<menu>
@@ -472,6 +472,8 @@
freeradius_users_resync();
</custom_delete_php_command>
<custom_php_resync_config_command>
+ freeradius_settings_resync();
+ sleep(1);
freeradius_users_resync();
</custom_php_resync_config_command>
<custom_php_install_command>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index 0095b009..8cdc844e 100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -100,8 +100,8 @@ else{
display_top_tabs($tab_array);
?>
</td></tr>
- <tr>
- <td>
+ <tr>
+ <td>
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">
<tr><td></td></tr>
@@ -126,8 +126,8 @@ else{
</td>
</tr>
<tr>
- <td class="tabcont" >
- <div id="file_div"></div>
+ <td class="tabcont" >
+ <div id="file_div"></div>
</td>
</tr>
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
index 594e7398..3a643a86 100644
--- a/config/freeradius2/freeradiusauthorizedmacs.xml
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusauthorizedmacs</name>
- <version>2.1.12</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: MACs</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<menu>
@@ -54,13 +54,6 @@
<section>Services</section>
<url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url>
</menu>
- <service>
- <name>radiusd</name>
- <rcfile>radiusd.sh</rcfile>
- <executable>radiusd</executable>
- <description><![CDATA[FreeRADIUS Server]]></description>
- </service>
-
<tabs>
<tab>
<text>Users</text>
@@ -108,61 +101,6 @@
<url>/pkg_edit.php?xml=freeradiussync.xml&amp;id=0</url>
</tab>
</tabs>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradius.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiusclients.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiussettings.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiussync.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item>
- </additional_files_needed>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>MAC Address</fielddescr>
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 4909411a..9899d19f 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiuscerts</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: Certificates</title>
<aftersaveredirect>pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 99ac2af1..16d8d1e9 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusclients</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: Clients</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<tabs>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index 947ef6b9..8f81094a 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiuseapconf</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: EAP</title>
<aftersaveredirect>pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
@@ -470,7 +470,7 @@
<field>
<fielddescr>Microsoft Statement of Health (SoH) Support</fielddescr>
<fieldname>vareapconfpeapsohenable</fieldname>
- <description><![CDATA[You can accept/reject clients based on Microsoft's Statement of Health, such as if they are missing Windows updates, don't have a firewall enabled, antivirus not in line with policy, etc. You need to change server-file for your needs. It cannot be changed from GUI and will be deleted after package reinstallation. (/usr/local/etc/raddb/sites-available/soh). (Default: no)]]></description>
+ <description><![CDATA[You can accept/reject clients based on Microsoft's Statement of Health, such as if they are missing Windows updates, don't have a firewall enabled, antivirus not in line with policy, etc. You need to change server-file for your needs. It cannot be changed from GUI and will be deleted after package reinstallation. (/usr/local/etc/raddb/sites-available/soh). (Default: Disable)]]></description>
<type>select</type>
<default_value>Disable</default_value>
<options>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index 5427f988..0538633a 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusinterfaces</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: Interfaces</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<tabs>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index be678e5a..61c7eecb 100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -56,12 +56,6 @@ POSSIBILITY OF SUCH DAMAGE.
<section>Services</section>
<url>/pkg.php?xml=freeradiussync.xml</url>
</menu>
- <service>
- <name>FreeRADIUS</name>
- <rcfile>radiusd.sh</rcfile>
- <executable>radiusd</executable>
- <description><![CDATA[The FreeRADIUS daemon.]]></description>
- </service>
<tabs>
<tab>
<text>Users</text>
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index f8aab3b1..eceef783 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -345,10 +345,12 @@ function haproxy_custom_php_deinstall_command() {
update_output_window($static_output);
$static_output .= "HAProxy, deleting haproxy webgui\n";
update_output_window($static_output);
- exec("rm /usr/local/etc/rc.d/haproxy.sh");
+ unlink_if_exists("/usr/local/etc/rc.d/haproxy.sh");
+ unlink_if_exists("/etc/rc.haproxy_ocsp.sh");
$static_output .= "HAProxy, installing cron job if needed\n";
update_output_window($static_output);
haproxy_install_cron(false);
+ haproxy_install_cronjob(false, '/etc/rc.haproxy_ocsp.sh');
$static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n";
update_output_window($static_output);
}
@@ -431,7 +433,32 @@ EOD;
$fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w");
fwrite($fd, $haproxy);
fclose($fd);
- exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh");
+ chmod("/usr/local/etc/rc.d/haproxy.sh", 0755);
+
+ $haproxy_ocsp = <<<EOD
+#!/usr/local/bin/php -f
+
+<?php
+
+/*
+ Updates haproxy OCSP responses.
+*/
+
+require_once("globals.inc");
+require_once("functions.inc");
+require_once("haproxy.inc");
+require_once("haproxy_socketinfo.inc");
+haproxy_updateocsp();
+
+?>
+
+EOD;
+ // removing the \r prevents the "No input file specified." error..
+ $haproxy_ocsp = str_replace("\r\n","\n", $haproxy_ocsp);
+ $fd = fopen("/etc/rc.haproxy_ocsp.sh", "w");
+ fwrite($fd, $haproxy_ocsp);
+ fclose($fd);
+ chmod("/etc/rc.haproxy_ocsp.sh", 0755);
$static_output .= "HAProxy, update configuration\n";
update_output_window($static_output);
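Review bot: The `fopen("/etc/rc.haproxy_ocsp.sh", "w")` result is not checked before `fwrite`/`fclose`, so a failed open only produces PHP warnings while the install continues and the cron job configured elsewhere would then point at a script that was never written. A single `file_put_contents` with its return value checked is simpler: `if (file_put_contents("/etc/rc.haproxy_ocsp.sh", $haproxy_ocsp) === false) { $static_output .= "HAProxy, failed to write /etc/rc.haproxy_ocsp.sh\n"; }` followed by the existing `chmod`. The pre-existing haproxy.sh write at the top of the hunk has the same unchecked pattern; the enclosing function starts and ends outside the hunk.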
@@ -453,6 +480,51 @@ EOD;
update_output_window($static_output);
}
+function haproxy_install_cronjob($should_install, $script, $interval = 60, $parameters = "") {
+ global $config, $g;
+ if($g['booting']==true)
+ return;
+ $is_installed = false;
+ if(!$config['cron']['item'])
+ return;
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['command'], $script)) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "*/{$interval}";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "$script $parameters";
+ $config['cron']['item'][] = $cron_item;
+ parse_config(true);
+ write_config("haproxy, install cron job");
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ parse_config(true);
+ write_config("haproxy, remove cron job");
+ }
+ configure_cron();
+ }
+ break;
+ }
+}
+
function haproxy_install_cron($should_install) {
global $config, $g;
if($g['booting']==true)
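Review bot: In the removal branch of haproxy_install_cronjob the `if($x > 0)` guard means a matching cron entry at index 0 is never unset, and `$x` is a running counter rather than the array key, so it points at the wrong element once an earlier `unset()` has left `$config['cron']['item']` with non-contiguous keys. Capturing the key directly avoids both: `foreach($config['cron']['item'] as $key => $item) { if(strstr($item['command'], $script)) { $is_installed = true; $x = $key; break; } }`, then `unset($config['cron']['item'][$x]);` without the `> 0` test. `strstr()` is a substring match, which is fine for the `/etc/rc.haproxy_ocsp.sh` path used here but would also match any other command that happens to contain `$script`. The pre-existing haproxy_install_cron that follows appears to share this structure; it continues outside the hunk.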
@@ -885,36 +957,120 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
unset($crl);
}
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
if (isset($cert['prv']))
$certcontent .= "\r\n".base64_decode($cert['prv']);
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
+ }
+ $flags = $append ? FILE_APPEND : 0;
+ file_put_contents($filename, $certcontent, $flags);
+ unset($certcontent);
+ unset($cert);
+}
+
+function haproxy_write_certificate_issuer($filename, $certid) {
+ $cert = haproxy_lookup_cert($certid);
$certchaincontent = ca_chain($cert);
if ($certchaincontent != "") {
$certcontent .= "\r\n" . $certchaincontent;
}
unset($certchaincontent);
- $flags = $append ? FILE_APPEND : 0;
- file_put_contents($filename, $certcontent, $flags);
+ file_put_contents($filename, $certcontent, 0);
unset($certcontent);
unset($cert);
}
+function haproxy_uses_ocsp() {
+ global $config;
+ $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ if (!is_array($a_frontends))
+ return false;
+
+ $configpath = "{$g['varetc_path']}/haproxy";
+ foreach ($a_frontends as $frontend) {
+ if ($frontend['sslocsp'] == 'yes') {
+ return true;
+ }
+ }
+ return false;
+}
+
+function haproxy_getocspurl($filename) {
+ return exec("openssl x509 -noout -ocsp_uri -in $filename", $output, $err);
+}
+
+function haproxy_updateocsp_one($socketupdate, $filename, $name) {
+ if (file_exists("{$filename}.ocsp")) {
+ // If the .ocsp file exists we want to use ocsp
+ syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
+ $ocsp_url = haproxy_getocspurl($filename);
+ $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
+ if (empty($ocsp_url)) {
+ // If cert does not have a ocsp_uri, it cannot be updated..
+ syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
+ } else {
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ if ($socketupdate) {
+ $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
+ $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
+ if ($r[0] == "OCSP Response updated!\n")
+ syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
+ else {
+ syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}");
+ }
+ } else {
+ syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
+ }
+ }
+ }
+}
+
+function haproxy_updateocsp($socketupdate = true) {
+ global $config, $g;
+ $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ if (!is_array($a_frontends))
+ return true;
+
+ $configpath = "{$g['varetc_path']}/haproxy";
+ foreach ($a_frontends as $frontend) {
+ $filename = "$configpath/{$frontend['name']}.pem";
+ haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+
+ $subfolder = "$configpath/{$frontend['name']}";
+ $certs = $frontend['ha_certificates']['item'];
+ if (is_array($certs)){
+ foreach($certs as $cert){
+ $filename = "$subfolder/{$cert['ssl_certificate']}.pem";
+ haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+ }
+ }
+ }
+}
+
function haproxy_writeconf($configpath) {
global $config;
global $aliastable;
if (!isset($aliastable))
alias_make_table($config);
$chroot_dir = "/tmp/haproxy_chroot"; // can contain socket to forward connection from backend to frontend. "/var/empty"
- make_dirs($chroot_dir);
+ @mkdir($chroot_dir, 0755, true);
$configfile = $configpath . "/haproxy.cfg";
rmdir_recursive($configpath);
- make_dirs($configpath);
+ @mkdir($configpath, 0755, true);
$a_global = &$config['installedpackages']['haproxy'];
$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
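Review bot: In haproxy_getocspurl and haproxy_updateocsp_one the values interpolated into the `exec()` command lines — `$filename`, `$ocsp_url` and `$ocsp_host` — are not shell-quoted. `$filename` is built from the frontend name and the `ssl_certificate` reference taken from the package config, and `$ocsp_url`/`$ocsp_host` are read out of the certificate itself, so none of them should reach the shell without `escapeshellarg()`. The exit status `$err` of `openssl ocsp` is also never examined, so when the fetch fails the code still base64-encodes whatever `{$filename}.ocsp` holds and pushes it to the stats socket, logging only the last output line. The fence below quotes every argument and checks `$err` before the socket update; the remainder of haproxy_updateocsp_one is unchanged. Separately, haproxy_write_certificate_fullchain writes the certificate together with `$cert['prv']` via `file_put_contents` into a directory created with mode 0755 and never restricts the file, so a `chmod($filename, 0600);` after the write is worth adding.
```php
function haproxy_getocspurl($filename) {
	return exec("openssl x509 -noout -ocsp_uri -in " . escapeshellarg($filename), $output, $err);
}

// … unchanged: start of haproxy_updateocsp_one(), .ocsp existence check, empty-URL branch …
			$cmd = "openssl ocsp -issuer " . escapeshellarg("{$filename}.issuer")
				. " -verify_other " . escapeshellarg("{$filename}.issuer")
				. " -cert " . escapeshellarg($filename)
				. " -url " . escapeshellarg($ocsp_url)
				. " -header Host " . escapeshellarg($ocsp_host)
				. " -respout " . escapeshellarg("{$filename}.ocsp") . " 2>&1";
			$retval = exec($cmd, $output, $err);
			if ($err !== 0) {
				// do not feed a failed or partial response to haproxy
				syslog(LOG_ERR, "HAProxy OCSP ERROR openssl ocsp failed for frontend {$name}: " . implode(" ", $output));
			} else if ($socketupdate) {
// … unchanged: socket update and result logging …
```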
@@ -999,14 +1155,29 @@ function haproxy_writeconf($configpath) {
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
$filename = "$configpath/{$frontend['name']}.pem";
$ssl_crt = " crt $filename";
+
haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']);
+ if ($frontend['sslocsp'] == 'yes') {
+ if (!empty(haproxy_getocspurl($filename))) {
+ haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
+ }
+ }
+
$subfolder = "$configpath/{$frontend['name']}";
$certs = $frontend['ha_certificates']['item'];
if (is_array($certs)){
if (count($certs) > 0){
- make_dirs($subfolder);
+ @mkdir($subfolder, 0755, true);
foreach($certs as $cert){
- haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']);
+ $filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem";
+ haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']);
+ if ($frontend['sslocsp'] == 'yes') {
+ if (!empty(haproxy_getocspurl($filenamefoldercert))) {
+ haproxy_write_certificate_issuer($filenamefoldercert . ".issuer", $cert['ssl_certificate']);
+ touch($filenamefoldercert . ".ocsp");
+ }
+ }
}
$ssl_crt .= " crt $subfolder";
}
@@ -1350,11 +1521,6 @@ function haproxy_writeconf($configpath) {
haproxy_do_xmlrpc_sync();
}
}
-
- if (isset($a_global['carpdev']))
- haproxy_install_cron(true);
- else
- haproxy_install_cron(false);
}
function haproxy_is_running() {
@@ -1566,8 +1732,18 @@ function haproxy_check_run($reload) {
$a_global = &$config['installedpackages']['haproxy'];
$configpath = "{$g['varetc_path']}/haproxy";
- if ($reload)
+ if ($reload) {
haproxy_writeconf($configpath);
+ haproxy_updateocsp(false);
+
+ if (isset($a_global['carpdev']))
+ haproxy_install_cron(true);
+ else
+ haproxy_install_cron(false);
+
+ $useocsp = haproxy_uses_ocsp();
+ haproxy_install_cronjob($useocsp, '/etc/rc.haproxy_ocsp.sh', 120);
+ }
if(isset($a_global['enable'])) {
if (isset($a_global['carpdev'])) {
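Review bot: `haproxy_updateocsp(false)` on the new line runs an `openssl ocsp` network fetch for every OCSP-enabled certificate synchronously inside the reload path, so an unreachable or slow responder stalls the whole configuration apply, and the subprocess has no time limit. Passing `-timeout` to the `openssl ocsp` call in haproxy_updateocsp_one, or leaving the initial fetch to the cron job installed two lines below, would bound that. haproxy_uses_ocsp(), called here, also assigns an unused `$configpath` from `$g` without declaring `global $g`; that line can be dropped. haproxy_check_run continues outside the hunk.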
diff --git a/config/haproxy-devel/pkg/haproxy_utils.inc b/config/haproxy-devel/pkg/haproxy_utils.inc
index d8c4faf4..ec72b986 100644
--- a/config/haproxy-devel/pkg/haproxy_utils.inc
+++ b/config/haproxy-devel/pkg/haproxy_utils.inc
@@ -36,24 +36,38 @@ require_once("config.inc");
class haproxy_utils {
public static $pf_version;
- public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
+ public function query_dns($host, $querytype="A,AAAA") {
$result = array();
- $host = trim($host, " \t\n\r\0\x0B[];\"'");
- $host_esc = escapeshellarg($host);
$types = explode(',',$querytype);
+ $recordtype = 0;
foreach($types as $type){
- $resolved = gethostbyname($host);
- if($resolved) {
- $resolved = array();
- if (haproxy_utils::$pf_version < '2.2')
- exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- else
- exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- foreach($resolved as $item) {
- $newitem = array();
- $newitem["typeid"] = $type;
- $newitem["data"] = $item;
- $result[] = $newitem;
+ switch ($type) {
+ case 'A':
+ $recordtype = DNS_A;
+ break;
+ case 'AAAA':
+ $recordtype = DNS_AAAA;
+ break;
+ }
+ if ($recordtype != 0) {
+ //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present..
+ $errreporting = error_reporting();
+ error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved..
+ $dnsresult = dns_get_record($host, $recordtype);
+ error_reporting($errreporting);
+ if (is_array($dnsresult)) {
+ foreach($dnsresult as $item) {
+ $newitem["typeid"] = $item['type'];
+ switch ($item['type']) {
+ case 'A':
+ $newitem["data"] = $item['ip'];
+ break;
+ case 'AAAA':
+ $newitem["data"] = $item['ipv6'];
+ break;
+ }
+ $result[] = $newitem;
+ }
}
}
}
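Review bot: `$recordtype = 0;` is initialised once before the `foreach($types …)` loop, so a type string that is neither `A` nor `AAAA` keeps the previous iteration's record type and re-runs that query instead of being skipped; likewise `$newitem` is never reset between records, so an entry whose type matches neither inner case carries over the previous `data`. Moving both initialisations into the loops fixes this: `foreach($types as $type){ $recordtype = 0; …` and `$newitem = array();` as the first statement of `foreach($dnsresult as $item)`. The switch from the dig/drill shell pipeline to `dns_get_record` removes the `exec()` call entirely, which is the right direction; query_dns and the haproxy_utils class continue past the hunk.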
diff --git a/config/haproxy-devel/www/haproxy_listeners_edit.php b/config/haproxy-devel/www/haproxy_listeners_edit.php
index d8841c33..6998e099 100644
--- a/config/haproxy-devel/www/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/www/haproxy_listeners_edit.php
@@ -71,7 +71,7 @@ uasort($a_pools, haproxy_compareByName);
global $simplefields;
$simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool',
'max_connections','client_timeout','port','advanced_bind',
- 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid',
+ 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid','sslocsp',
'socket-stats',
'dontlognull','dontlog-normal','log-separate-errors','log-detailed');
@@ -787,6 +787,12 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/>
</td>
</tr>
+ <tr class="haproxy_ssloffloading_enabled" align="left">
+ <td width="22%" valign="top" class="vncell">OCSP</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="sslocsp" name="sslocsp" type="checkbox" value="yes" <?php if ($pconfig['sslocsp']=='yes') echo "checked";?> onclick="updatevisibility();" />Load certificate ocsp responses for easy certificate validation by the client.<br/>
+ </td>
+ </tr>
<tr class="haproxy_ssloffloading_enabled">
<td width="22%" valign="top" class="vncell">Additional certificates</td>
<td width="78%" class="vtable" colspan="2" valign="top">
@@ -805,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> />
<br/>
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/>
- some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+ some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/>
+ Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary">
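Review bot: The example on the new line ends with `TLSv1+kRSA+AES:TLSv1+kRSA+3DES`, which selects static-RSA key exchange (no forward secrecy) and 3DES; users tend to paste an "Example:" verbatim into the field, so the example should show only a forward-secret, AES-only set, e.g. `Example: no-sslv3 no-tlsv10 ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES`. The same line also keeps the comma after `force-sslv3` although the sentence above says options are pasted "without commas"; dropping that comma makes the help text consistent with its own instruction. The help text is rendered into the page without the field value, so this is wording only.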
diff --git a/config/haproxy-devel/www/haproxy_pool_edit.php b/config/haproxy-devel/www/haproxy_pool_edit.php
index 5e38b12d..0824e45c 100644
--- a/config/haproxy-devel/www/haproxy_pool_edit.php
+++ b/config/haproxy-devel/www/haproxy_pool_edit.php
@@ -961,7 +961,7 @@ set by the 'retries' parameter.</div>
<td colspan="2" valign="top" class="listtopic">Advanced</td>
</tr>
<tr class="" align="left" id='Strict-Transport-Security'>
- <td width="22%" valign="top" class="vncell">Strict-Transport-Security</td>
+ <td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td>
<td width="78%" class="vtable" colspan="2">
When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/>
<b>WARNING! the domain will only work over https with a valid certificate!</b><br/>
diff --git a/config/haproxy1_5/pkg/haproxy.inc b/config/haproxy1_5/pkg/haproxy.inc
index 135f2d4f..793c5c28 100644
--- a/config/haproxy1_5/pkg/haproxy.inc
+++ b/config/haproxy1_5/pkg/haproxy.inc
@@ -903,12 +903,12 @@ function haproxy_writeconf($configpath) {
if (!isset($aliastable))
alias_make_table($config);
$chroot_dir = "/tmp/haproxy_chroot"; // can contain socket to forward connection from backend to frontend. "/var/empty"
- make_dirs($chroot_dir);
+ @mkdir($chroot_dir, 0755, true);
$configfile = $configpath . "/haproxy.cfg";
rmdir_recursive($configpath);
- make_dirs($configpath);
+ @mkdir($configpath, 0755, true);
$a_global = &$config['installedpackages']['haproxy'];
$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
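Review bot: `@mkdir($chroot_dir, 0755, true)` silences the failure and its return value is discarded, so when the chroot directory (or `$configpath` two lines later) cannot be created the function carries on writing the configuration and starting haproxy without it; `make_dirs()` at least reported the problem. The same pattern is repeated for `$subfolder` in the second hunk of this file. A minimal guard keeps the suppression but logs the failure: `if (!is_dir($chroot_dir) && !@mkdir($chroot_dir, 0755, true)) { log_error("haproxy: could not create {$chroot_dir}"); }`. haproxy_writeconf() continues outside the hunk.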
@@ -998,7 +998,7 @@ function haproxy_writeconf($configpath) {
$certs = $frontend['ha_certificates']['item'];
if (is_array($certs)){
if (count($certs) > 0){
- make_dirs($subfolder);
+ @mkdir($subfolder, 0755, true);
foreach($certs as $cert){
haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']);
}
diff --git a/config/lightsquid/lightsquid.inc b/config/lightsquid/lightsquid.inc
index 503e9cf3..a5f6b77b 100644
--- a/config/lightsquid/lightsquid.inc
+++ b/config/lightsquid/lightsquid.inc
@@ -39,6 +39,7 @@ if (file_exists('squid.inc')) {
}
else update_log("File 'squid.inc' not found.");
+global $pfs_version;
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
switch ($pfs_version) {
case "2.1":
@@ -63,7 +64,7 @@ define('LS_CONFIGPATH', LIGHTSQUID_BASE . '/etc/lightsquid');
define('LS_CONFIGFILE', 'lightsquid.cfg');
define('LS_CONFIGFILE_DIST', 'lightsquid.cfg.dist');
define('LS_WWWPATH', LIGHTSQUID_BASE . '/www/lightsquid');
-define('LS_TEMPLATEPATH', '/usr/local/www/lightsquid/tpl');
+define('LS_TEMPLATEPATH', LS_WWWPATH . '/tpl');
define('LS_LANGPATH', LIGHTSQUID_BASE . '/share/lightsquid/lang');
define('LS_REPORTPATH', '/var/lightsquid/report');
@@ -145,11 +146,21 @@ function lightsquid_install() {
if (!is_dir('/usr/local/etc/lightsquid') && is_dir(LS_CONFIGPATH)) {
symlink(LS_CONFIGPATH, '/usr/local/etc/lightsquid');
}
- if (!is_dir('/usr/local/www/lightsquid') && is_dir(LS_WWWPATH)) {
+
+ if (is_dir('/usr/local/www/lightsquid'))
+ $_gc = exec('rm -rf /usr/local/www/lightsquid');
+
+ if (is_dir(LS_WWWPATH)) {
symlink(LS_WWWPATH, '/usr/local/www/lightsquid');
}
}
+ foreach (array('novopf', 'novosea') as $tpl) {
+ if (file_exists(LS_TEMPLATEPATH . '/' . $tpl))
+ $_gc = exec('rm -rf ' . LS_TEMPLATEPATH . '/' . $tpl);
+ symlink('/usr/local/share/lightsquid/tpl/' . $tpl, LS_TEMPLATEPATH . '/' . $tpl);
+ }
+
update_log("lightsquid_install: stopped");
}
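Review bot: The old `!is_dir('/usr/local/www/lightsquid')` guard is dropped, so the install now runs `rm -rf /usr/local/www/lightsquid` whenever that path exists and then links LS_WWWPATH onto it; if LIGHTSQUID_BASE resolves to `/usr/local` on some pfSense version (the switch that sets it is outside this hunk), LS_WWWPATH is that same directory, the package's own files are deleted and the following `is_dir(LS_WWWPATH)` test fails silently. Guarding the whole link step with `if (LS_WWWPATH != '/usr/local/www/lightsquid') {` keeps the reinstall path safe, and the `symlink()` return values should be checked and logged with update_log() as the rest of the function does. The existing PHP helper `rmdir_recursive()` (used elsewhere in this commit) also avoids spawning `rm -rf` from exec() here and in the template loop.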
diff --git a/config/lightsquid/lightsquid.xml b/config/lightsquid/lightsquid.xml
index 19ba4512..f5f09b94 100644
--- a/config/lightsquid/lightsquid.xml
+++ b/config/lightsquid/lightsquid.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>lightsquid</name>
- <version>2.39</version>
+ <version>2.41</version>
<title>Services: Proxy Reports (LightSquid, SQStat) -> Settings</title>
<category>Status</category>
<include_file>/usr/local/pkg/lightsquid.inc</include_file>
@@ -97,192 +97,192 @@
<item>https://packages.pfsense.org/packages/config/lightsquid/zhabascript.js</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/bigfiles.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/day_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/graph.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/group_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/datetime.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/flag_red.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/graph.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/groups.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/printer.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/images/users.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/index.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/month_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/print.css</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/screen.css</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/topsites.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/user_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/user_month.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/user_time.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novopf/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novopf/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novopf/whousesite.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/bigfiles.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/day_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/graph.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/group_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/datetime.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/flag_red.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/graph.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/groups.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/printer.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/images/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/images/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/images/users.png</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/index.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/month_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/print.css</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/screen.css</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/topsites.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/user_detail.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/user_month.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/user_time.html</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/www/lightsquid/tpl/novosea/</prefix>
+ <prefix>/usr/local/share/lightsquid/tpl/novosea/</prefix>
<chmod>0444</chmod>
<item>https://packages.pfsense.org/packages/config/lightsquid/tpl/novosea/whousesite.html</item>
</additional_files_needed>
diff --git a/config/mailreport/status_mail_report_add_cmd.php b/config/mailreport/status_mail_report_add_cmd.php
index 6a924142..b60f9a80 100644
--- a/config/mailreport/status_mail_report_add_cmd.php
+++ b/config/mailreport/status_mail_report_add_cmd.php
@@ -130,7 +130,7 @@ include("head.inc");
<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>">
<a href="status_mail_report_edit.php?id=<?php echo $reportid;?>"><input name="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>"></a>
<input name="reportid" type="hidden" value="<?=htmlspecialchars($reportid);?>">
- <?php if (isset($id) && $a_graphs[$id]): ?>
+ <?php if (isset($id) && $a_cmds[$id]): ?>
<input name="id" type="hidden" value="<?=htmlspecialchars($id);?>">
<?php endif; ?>
</td>
diff --git a/config/ntopng/ntopng.xml b/config/ntopng/ntopng.xml
index 9382912a..225b3941 100644
--- a/config/ntopng/ntopng.xml
+++ b/config/ntopng/ntopng.xml
@@ -153,12 +153,18 @@
$ntopng_config =& $config['installedpackages']['ntopng']['config'][0];
$if_final = "";
$ifaces_final = "";
- system("/bin/mkdir -p /var/db/ntopng");
- system("/bin/mkdir -p /var/db/ntopng/rrd");
- system("/bin/mkdir -p /var/db/ntopng/rrd/graphics");
+ safe_mkdir("/var/db/ntopng/rrd/graphics", 0755, true);
system("/bin/chmod -R 755 /var/db/ntopng");
system("/usr/sbin/chown -R nobody:nobody /var/db/ntopng");
- system("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/");
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version == "2.2") {
+ $fonts_path = "/usr/pbi/ntopng-" . php_uname("m") . "/local/lib/X11/fonts";
+ } else if ($pf_version == "2.1") {
+ $fonts_path = "/usr/pbi/ntopng-" . php_uname("m") . "/lib/X11/fonts";
+ } else {
+ $fonts_path = "/usr/local/lib/X11/fonts";
+ }
+ system("/bin/cp -Rp {$fonts_path}/webfonts/ {$fonts_path}/TTF/");
$first = 0;
foreach($ntopng_config['interface_array'] as $iface) {
$if = convert_friendly_interface_to_real_interface_name($iface);
@@ -206,13 +212,18 @@
}
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
- if ($pf_version >= 2.2) {
+ if ($pf_version == "2.2") {
$redis_path = "/usr/pbi/ntopng-" . php_uname("m") . "/local/bin";
- } else {
+ } else if ($pf_version == "2.1") {
$redis_path = "/usr/pbi/ntopng-" . php_uname("m") . "/bin";
+ } else {
+ $redis_path = "/usr/local/bin";
}
- $start = "ldconfig -m /usr/pbi/ntopng-" . php_uname("m") . "/lib\n";
+ $start = "";
+ if ($pf_version == "2.1" || $pf_version == "2.2") {
+ $start .= "ldconfig -m /usr/pbi/ntopng-" . php_uname("m") . "/lib\n";
+ }
$start .= "\t{$redis_path}/redis-server --dir /var/db/ntopng/ --dbfilename ntopng.rdb &\n";
// TODO:
// Add support for --data-dir /somewhere, --httpdocs-dir /somewhereelse,
@@ -243,13 +254,35 @@
config_unlock();
}
function ntopng_update_geoip() {
- mwexec("/usr/pbi/ntopng-" . php_uname("m") . "/bin/ntopng-geoipupdate.sh");
+ $fetchcmd = "/usr/bin/fetch";
+ $geolite_city = "https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz";
+ $geolite_city_v6 = "https://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz";
+ $geoip_asnum = "https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz";
+ $geoip_asnum_v6 = "https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz";
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version == "2.1" || $pf_version == "2.2") {
+ $output_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/share/ntopng";
+ } else {
+ $output_dir = "/usr/local/share/ntopng";
+ }
+
+ mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geolite_city}");
+ mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geolite_city_v6}");
+ mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geoip_asnum}");
+ mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geoip_asnum_v6}");
+
ntopng_fixup_geoip();
restart_service("ntopng");
}
function ntopng_fixup_geoip() {
- $target_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/local/share/ntopng/httpdocs/geoip";
- $source_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/share/ntopng";
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version == "2.1" || $pf_version == "2.2") {
+ $target_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/local/share/ntopng/httpdocs/geoip";
+ $source_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/share/ntopng";
+ } else {
+ $target_dir = "/usr/local/share/ntopng/httpdocs/geoip";
+ $source_dir = "/usr/local/share/ntopng";
+ }
foreach(glob("{$source_dir}/Geo*.dat*") as $geofile) {
/* Decompress if needed. */
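Review bot: The four `mwexec()` return codes in ntopng_update_geoip() are ignored, and `fetch -o {$output_dir}` writes straight onto the existing `Geo*.dat.gz` files, so a timeout (`-T 5`) or a transport error leaves a truncated archive in place and ntopng_fixup_geoip() then decompresses it and restarts the service with a broken database. Fetching to a temporary name and renaming only on success, with a log_error() on failure, keeps the last good database; whether the files are also checksum-verified before being handed to ntopng is worth deciding, since the hunk shows no integrity check beyond the HTTPS transport. ntopng_fixup_geoip() continues outside the hunk.

```php
foreach (array($geolite_city, $geolite_city_v6, $geoip_asnum, $geoip_asnum_v6) as $url) {
	$dest = "{$output_dir}/" . basename($url);
	$rc = mwexec("{$fetchcmd} -o {$dest}.tmp -T 5 {$url}");
	if ($rc == 0 && @rename("{$dest}.tmp", $dest)) {
		continue;
	}
	log_error("ntopng_update_geoip: fetch of {$url} failed (rc={$rc}), keeping existing {$dest}");
	@unlink("{$dest}.tmp");
}
// … unchanged: ntopng_fixup_geoip(); restart_service("ntopng"); …
```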
diff --git a/config/nut/nut.inc b/config/nut/nut.inc
index 9ba942ab..a186ab30 100644
--- a/config/nut/nut.inc
+++ b/config/nut/nut.inc
@@ -35,6 +35,7 @@
define('NUT_RCFILE', '/usr/local/etc/rc.d/nut.sh');
+ global $pfs_version;
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
if ($pfs_version == "2.1" || $pfs_version == "2.2") {
define('NUT_DIR', '/usr/pbi/nut-' . php_uname("m") . '/etc/nut');
diff --git a/config/open-vm-tools_2/open-vm-tools.inc b/config/open-vm-tools_2/open-vm-tools.inc
index e36b3e8e..912c4032 100644
--- a/config/open-vm-tools_2/open-vm-tools.inc
+++ b/config/open-vm-tools_2/open-vm-tools.inc
@@ -17,10 +17,13 @@ function open_vm_tools_install() {
unlink_if_exists("/boot/kernel/vmxnet.ko");
$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
- if ($pfs_version == "2.1" || $pfs_version == "2.2")
- $openvmtools_path = "/usr/pbi/open-vm-tools-" . php_uname("m");
- else
+ if ($pfs_version == "2.1") {
+ $openvmtools_path = "/usr/pbi/open-vm-tools-nox11-" . php_uname("m");
+ } else if ($pfs_version == "2.2") {
+ $openvmtools_path = "/usr/pbi/open-vm-tools-" . php_uname("m") . "/local";
+ } else {
$openvmtools_path = "/usr/local";
+ }
// won't copy this either for now, some sequences of loading/unloading of the module will kernel panic.
//exec("cp $openvmtools_path/local/lib/vmware-tools/modules/drivers/vmmemctl.ko /boot/kernel/");
@@ -60,7 +63,7 @@ unset start_cmd
stop_precmd="\${checkvm_cmd}"
unset stop_cmd
command="/usr/local/bin/vmtoolsd"
-command_args="-c {$openvmtools_path}/share/vmware-tools/tools.conf -p {$openvmtools_path}/local/lib/open-vm-tools/plugins/vmsvc"
+command_args="-c {$openvmtools_path}/share/vmware-tools/tools.conf -p {$openvmtools_path}/lib/open-vm-tools/plugins/vmsvc"
pidfile="/var/run/\${name}.pid"
load_rc_config \$name
@@ -128,10 +131,10 @@ EOF;
fclose($fd);
*/
- $fd = fopen("$openvmtools_path/local/share/vmware-tools/tools.conf", "w");
+ $fd = fopen("$openvmtools_path/share/vmware-tools/tools.conf", "w");
if (!$fd) {
- log_error("Could not open $openvmtools_path/local/share/vmware-tools/tools.conf for writing");
- die("Could not open $openvmtools_path/local/share/vmware-tools/tools.conf for writing");
+ log_error("Could not open $openvmtools_path/share/vmware-tools/tools.conf for writing");
+ die("Could not open $openvmtools_path/share/vmware-tools/tools.conf for writing");
}
fwrite($fd, $vmware_tools_conf);
fclose($fd);
diff --git a/config/openbgpd/openbgpd.inc b/config/openbgpd/openbgpd.inc
index c625cff8..038ffa11 100644
--- a/config/openbgpd/openbgpd.inc
+++ b/config/openbgpd/openbgpd.inc
@@ -191,6 +191,46 @@ function openbgpd_install_conf() {
@chmod("{$bgpd_config_base}/bgpd.conf", 0600);
unset($conffile);
+ $carp_ip_status_check = "";
+ if (is_ipaddr($openbgpd_conf['carpstatusip'])) {
+
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ switch ($pfs_version) {
+ case "2.0":
+ case "2.1":
+ /* Check for 2.1 and before */
+ $carpcheckinterface = trim(find_carp_interface($openbgpd_conf['carpstatusip']));
+ $carp_ip_status_check = <<<EOF
+
+CARP_STATUS=`/sbin/ifconfig {$carpcheckinterface} | /usr/bin/grep carp: | /usr/bin/awk '{print \$2;}'`
+if [ \${CARP_STATUS} != "MASTER" ]; then
+ exit;
+fi
+
+EOF;
+ break;
+ case "2.2":
+ default:
+ /* Check for 2.2 and later */
+ if (is_array($config['virtualip']['vip'])) {
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if (($vip['mode'] == "carp") && ($vip['subnet'] == $openbgpd_conf['carpstatusip'])) {
+ $carpcheckinterface = escapeshellarg(get_real_interface($vip['interface']));
+ $vhid = escapeshellarg($vip['vhid']);
+ $carp_ip_status_check = <<<EOF
+
+CARP_STATUS=`/sbin/ifconfig {$carpcheckinterface} | /usr/bin/grep 'carp:' | /usr/bin/grep 'vhid {$vhid}' | /usr/bin/awk '{print \$2;}'`
+if [ \${CARP_STATUS} != "MASTER" ]; then
+ exit;
+fi
+EOF;
+ }
+ }
+ }
+ break;
+ }
+ }
+
// Create rc.d file
$rc_file_stop = <<<EOF
killall -TERM bgpd
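Review bot: In both heredocs `\${CARP_STATUS}` is unquoted in the test, so when the grep/awk pipeline yields nothing (interface name not found, output format differs) the shell sees `[ != "MASTER" ]`, reports a syntax error and the `exit` is skipped, which means bgpd starts on an unknown CARP state by accident rather than by design; write it as `if [ "\${CARP_STATUS}" != "MASTER" ]; then`. The 2.0/2.1 branch also interpolates `$carpcheckinterface` into the backtick command without the `escapeshellarg()` the 2.2 branch applies, so `$carpcheckinterface = escapeshellarg(trim(find_carp_interface($openbgpd_conf['carpstatusip'])));` would make the two branches consistent. In the 2.2 branch `grep 'vhid {$vhid}'` is a prefix match (vhid 1 also matches vhid 10–19 if several CARP VIPs share the interface), presumably worth anchoring on the trailing space in ifconfig's output. openbgpd_install_conf() starts outside the hunk.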
@@ -210,6 +250,7 @@ fi
NUMBGPD=`ps auxw | grep -c '[b]gpd.*parent'`
if [ \${NUMBGPD} -lt 1 ] ; then
+ {$carp_ip_status_check}
{$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf
else
{$pkg_bin}/bgpctl reload
@@ -225,13 +266,36 @@ EOF;
$_gb = exec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
// bgpd process running? if so reload, else start.
+
+ // Kick off newly created rc.d script
+ if (is_ipaddr($openbgpd_conf['carpstatusip'])) {
+ $status = openbgpd_get_carp_status_by_ip($openbgpd_conf['carpstatusip']);
+ switch (strtoupper($status)) {
+ // Stop the service if the VIP is in BACKUP or INIT state.
+ case "BACKUP":
+ case "INIT":
+ exec("/usr/local/etc/rc.d/bgpd.sh stop");
+ break;
+ // Start the service if the VIP is MASTER state.
+ case "MASTER":
+ // Assume it's up if the status can't be determined.
+ default:
+ openbgpd_restart();
+ break;
+ }
+ } else {
+ openbgpd_restart();
+ }
+
+ conf_mount_ro();
+}
+
+function openbgpd_restart() {
if(is_openbgpd_running() == true) {
exec("{$pkg_bin}/bgpctl reload");
} else {
exec("{$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf");
}
-
- conf_mount_ro();
}
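Review bot: The new openbgpd_restart() reads `$pkg_bin` and `$bgpd_config_base` but declares no `global`, and the lines it was extracted from resolved those names inside openbgpd_install_conf() (whose start is outside the hunk); unless both are package-level globals, the function now runs `/bgpctl reload` or `/bgpd -f /bgpd.conf` with empty prefixes. Passing them explicitly removes the dependency on scope: `function openbgpd_restart($pkg_bin, $bgpd_config_base) {` with the two call sites becoming `openbgpd_restart($pkg_bin, $bgpd_config_base);`. The switch on `strtoupper($status)` handles a null status via `default`, which matches the "assume it's up" comment, but a one-line comment on the `stop` case noting that it also stops a bgpd that was already running would document the intended failover behaviour.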
// get the raw openbgpd confi file for manual inspection/editing
@@ -362,4 +426,52 @@ function is_openbgpd_running() {
return false;
}
+function openbgpd_get_carp_status_by_ip($ipaddr) {
+ $iface = trim(find_carp_interface($ipaddr));
+ if ($iface) {
+ $status = get_carp_interface_status($iface);
+ // If there is no status for that interface, return null.
+ if (!$status)
+ $status = null;
+ } else {
+ // If there is no VIP by that IP, return null.
+ $status = null;
+ }
+ return $status;
+}
+
+function openbgpd_plugin_carp($pluginparams) {
+ global $config;
+ require_once("service-utils.inc");
+ // Called when a CARP interface changes state
+ // $pluginparams['event'] either 'rc.carpmaster' or 'rc.carpbackup'
+ // $pluginparams['interface'] contains the affected interface
+
+ /* If there is no bgp config, then stop */
+ if(is_array($config['installedpackages']['openbgpd']['config'])) {
+ $openbgpd_conf = &$config['installedpackages']['openbgpd']['config'][0];
+ } else {
+ return null;
+ }
+ /* If there is no properly configured CARP status check IP, then stop */
+ if (!is_ipaddr($openbgpd_conf['carpstatusip'])) {
+ return null;
+ }
+ list($vhid, $iface) = explode("@", trim($pluginparams['interface']));
+ $friendly = convert_real_interface_to_friendly_interface_name($iface);
+ $carp_iface = "{$friendly}_vip${vhid}";
+
+ /* If this CARP transition is not from the IP address to check, then stop. */
+ if (get_interface_ip($carp_iface) != $openbgpd_conf['carpstatusip']) {
+ return null;
+ }
+
+ /* Start or stop the service as needed based on the CARP transition. */
+ if ($pluginparams['event'] == "rc.carpmaster") {
+ start_service("bgpd");
+ } elseif ($pluginparams['event'] == "rc.carpbackup") {
+ stop_service("bgpd");
+ }
+}
+
?>
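Review bot: `list($vhid, $iface) = explode("@", trim($pluginparams['interface']))` in openbgpd_plugin_carp() assumes the plugin parameter has the `vhid@iface` shape; when it does not, `$iface` is null, the friendly-name lookup and `"{$friendly}_vip${vhid}"` are built from garbage, and get_interface_ip() is compared against the configured address with a notice rather than a clean exit. A guard before the list() keeps the handler inert on unexpected input: `if (strpos($pluginparams['interface'], "@") === false) { return null; }`. The `${vhid}` form inside the double-quoted string is an older PHP interpolation spelling; `{$vhid}` matches the rest of the file.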
diff --git a/config/openbgpd/openbgpd.xml b/config/openbgpd/openbgpd.xml
index ff40452a..e7d77786 100644
--- a/config/openbgpd/openbgpd.xml
+++ b/config/openbgpd/openbgpd.xml
@@ -105,6 +105,11 @@
<url>/openbgpd_status.php</url>
</tab>
</tabs>
+ <plugins>
+ <item>
+ <type>plugin_carp</type>
+ </item>
+ </plugins>
<fields>
<field>
<fielddescr>Autonomous Systems (AS) Number</fielddescr>
@@ -143,8 +148,13 @@
<description>Set the router ID to the given IP address, which must be local to the machine.</description>
<type>input</type>
</field>
-
-
+ <field>
+ <fielddescr>CARP Status IP</fielddescr>
+ <fieldname>carpstatusip</fieldname>
+ <description>IP address used to determine the CARP status. When the VIP is in BACKUP status, bgpd will not be started. &lt;br/&gt;NOTE: On 2.1.x and before this requires changes to /etc/rc.carpmaster to start bgpd and /etc/rc.carpbackup to stop bgpd or it will not be fully effective. On pfSense 2.2.x and later, full support is automatic.</description>
+ <type>input</type>
+ <size>25</size>
+ </field>
<field>
<fielddescr>Networks</fielddescr>
<fieldname>network</fieldname>
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 16ccb6a4..9488119e 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -44,17 +44,20 @@ $current_openvpn_version_rev = "03";
function openvpn_client_export_install() {
global $current_openvpn_version;
- conf_mount_rw();
- $tarpath = "/usr/local/pkg/openvpn-client-export-{$current_openvpn_version}.tgz";
- $phpfile = "vpn_openvpn_export.php";
- $ovpndir = "/usr/local/share/openvpn";
- $workdir = "{$ovpndir}/client-export";
- if (!is_dir($workdir))
- mkdir($workdir, 0777, true);
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pfs_version == "2.1" || $pfs_version == "2.2") {
+ conf_mount_rw();
+ $tarpath = "/usr/local/pkg/openvpn-client-export-{$current_openvpn_version}.tgz";
+ $ovpndir = "/usr/local/share/openvpn";
+ $workdir = "{$ovpndir}/client-export";
- exec("/usr/bin/tar zxf {$tarpath} -C {$ovpndir}");
- conf_mount_ro();
+ if (!is_dir($workdir))
+ mkdir($workdir, 0777, true);
+
+ exec("/usr/bin/tar zxf {$tarpath} -C {$ovpndir}");
+ conf_mount_ro();
+ }
}
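Review bot: The moved `mkdir($workdir, 0777, true)` creates `/usr/local/share/openvpn/client-export` world-writable, and nothing in the hunk shows why any non-root user needs to write there; the tarball is extracted by this same root-run install step, so `mkdir($workdir, 0755, true);` is the least-privilege default. The `exec("/usr/bin/tar zxf ...")` return value is still unchecked, so a missing or corrupt `$tarpath` leaves the work directory empty without a log line — `if (!is_file($tarpath)) { log_error("openvpn-client-export: {$tarpath} not found"); }` before the extraction would surface that. On versions other than 2.1/2.2 the function is now a no-op, which is presumably intended because the port ships the files, and deserves a one-line comment saying so.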
function openvpn_client_export_deinstall() {
diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml
index 42a3c327..47ad4744 100755
--- a/config/openvpn-client-export/openvpn-client-export.xml
+++ b/config/openvpn-client-export/openvpn-client-export.xml
@@ -28,6 +28,7 @@
<prefix>/usr/local/pkg/</prefix>
<chmod>077</chmod>
<item>https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export-2.3.6.tgz</item>
+ <do_not_add_to_port/>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index 26eeb5e5..379ce223 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc
@@ -46,7 +46,7 @@ require_once("pfsense-utils.inc");
require_once("globals.inc");
require_once("services.inc");
-# [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings.
+// [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings.
function pfb_global() {
global $g,$config,$pfb;
@@ -58,10 +58,7 @@ function pfb_global() {
$prefix = "/usr/local";
}
- # Collect pfSense Version
- $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3);
-
- # Folders
+ // Folders
$pfb['dbdir'] = "{$g['vardb_path']}/pfblockerng";
$pfb['aliasdir'] = "{$g['vardb_path']}/aliastables";
$pfb['logdir'] = "{$g['varlog_path']}/pfblockerng";
@@ -71,39 +68,49 @@ function pfb_global() {
$pfb['matchdir'] = "{$pfb['dbdir']}/match";
$pfb['permitdir'] = "{$pfb['dbdir']}/permit";
$pfb['origdir'] = "{$pfb['dbdir']}/original";
- $pfb['ccdir'] = $prefix . "/share/GeoIP";
+ $pfb['ccdir'] = "{$prefix}/share/GeoIP";
- # Create Folders if not Exist.
+ // Create Folders if not Exist.
$folder_array = array ("{$pfb['dbdir']}","{$pfb['logdir']}","{$pfb['ccdir']}","{$pfb['origdir']}","{$pfb['nativedir']}","{$pfb['denydir']}","{$pfb['matchdir']}","{$pfb['permitdir']}","{$pfb['aliasdir']}");
foreach ($folder_array as $folder) {
safe_mkdir ("{$folder}",0755);
}
- # Files
- $pfb['master'] = "{$pfb['dbdir']}/masterfile";
- $pfb['errlog'] = "{$pfb['logdir']}/error.log";
- $pfb['geolog'] = "{$pfb['logdir']}/geoip.log";
- $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log";
- $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt";
- $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh';
- $pfb['aliasarchive'] = $prefix . "/etc/aliastables.tar.bz2";
-
- # General Variables
- $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0];
-
- # Enable/Disable of pfBlockerNG
- $pfb['enable'] = $pfb['config']['enable_cb'];
- # Keep Blocklists on pfBlockerNG Disable
- $pfb['keep'] = $pfb['config']['pfb_keep'];
- # Enable Suppression
- $pfb['supp'] = $pfb['config']['suppression'];
- # Max Lines in pfblockerng.log file
- $pfb['logmax'] = $pfb['config']['log_maxlines'];
- $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr'];
- # Disable Country Database CRON Updates
- $pfb['cc'] = $pfb['config']['database_cc'];
-
- # Set pfBlockerNG to Disabled on 'Re-Install'
+ // Files
+ $pfb['master'] = "{$pfb['dbdir']}/masterfile";
+ $pfb['errlog'] = "{$pfb['logdir']}/error.log";
+ $pfb['geolog'] = "{$pfb['logdir']}/geoip.log";
+ $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log";
+ $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt";
+ $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh';
+ $pfb['aliasarchive'] = "{$prefix}/etc/aliastables.tar.bz2";
+
+ // General Variables
+ $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0];
+
+ // Enable/Disable of pfBlockerNG
+ $pfb['enable'] = $pfb['config']['enable_cb'];
+ // Keep Blocklists on pfBlockerNG Disable
+ $pfb['keep'] = $pfb['config']['pfb_keep'];
+ // Enable Suppression
+ $pfb['supp'] = $pfb['config']['suppression'];
+ // Max Lines in pfblockerng.log file
+ $pfb['logmax'] = $pfb['config']['log_maxlines'];
+ // Lan IP Address
+ $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr'];
+ // Disable Country Database CRON Updates
+ $pfb['cc'] = $pfb['config']['database_cc'];
+
+ // User Defined CRON Start Minute
+ $pfb['min'] = $pfb['config']['pfb_min'];
+ // Start hour of the Scheduler
+ $pfb['hour'] = $pfb['config']['pfb_hour'];
+ // Hour cycle for Scheduler
+ $pfb['interval'] = $pfb['config']['pfb_interval'];
+ // Start hour of the 'Once a day' Schedule
+ $pfb['24hour'] = $pfb['config']['pfb_dailystart'];
+
+ // Set pfBlockerNG to Disabled on 'Re-Install'
if (isset($pfb['install']) && $pfb['install']) {
$pfb['enable'] = "";
$pfb['install'] = FALSE;
@@ -112,38 +119,51 @@ function pfb_global() {
pfb_global();
-# Set Max PHP Memory Setting
+// Set Max PHP Memory Setting
$uname = posix_uname();
-if ($uname['machine'] == 'amd64')
+if ($uname['machine'] == 'amd64') {
ini_set('memory_limit', '256M');
+}
-# Function to decode to Alias Custom Entry Box.
+// Function to decode to Alias Custom entry box.
function pfbng_text_area_decode($text) {
- return preg_replace('/\r\n/', "\n",base64_decode($text));
+ $customlist = explode("\r\n", base64_decode($text));
+ foreach ($customlist as $line) {
+ if (substr(trim($line), 0, 1) != '#' && !empty($line)) {
+ if (strpos($line, '#')) {
+ $custom .= trim(strstr($line, '#', TRUE)) . "\n";
+ } else {
+ $custom .= $line . "\n";
+ }
+ }
+ }
+ return $custom;
}
-# Manage Log File Line Limit
+// Manage Log File Line Limit
function pfb_log_mgmt() {
global $pfb;
pfb_global();
if ($pfb['logmax'] == "nolimit") {
- # Skip Log Mgmt
+ // Skip Log Mgmt
} else {
- exec("/usr/bin/tail -n {$pfb['logmax']} {$pfb['log']} > /tmp/pfblog; /bin/mv -f /tmp/pfblog {$pfb['log']}");
+ if (file_exists($pfb['log'])) {
+ exec("/usr/bin/tail -n {$pfb['logmax']} {$pfb['log']} > /tmp/pfblog; /bin/mv -f /tmp/pfblog {$pfb['log']}");
+ }
}
}
-# Record Log Messsages to pfBlockerNG Log File and/or Error Log File.
+// Record Log Messsages to pfBlockerNG Log File and/or Error Log File.
function pfb_logger($log, $type) {
global $g,$pfb,$pfbarr;
$now = date("m/d/y G:i:s", time());
- # Only log timestamp if new
+ // Only log timestamp if new
if (preg_match("/NOW/", $log)) {
if ($now == $pfb['pnow']) {
$log = str_replace("[ NOW ]", "", "{$log}");
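Review bot: The rewritten pfbng_text_area_decode splits only on a literal `\r\n`, so a stored value whose lines end in a bare `\n` (the old preg_replace tolerated both) collapses into one line and everything after its first `#` is thrown away; split with `$customlist = preg_split('/\r?\n/', base64_decode($text));` and initialise `$custom = "";` before the loop so a comment-only box returns an empty string rather than null. In pfb_log_mgmt the `$pfb['logmax']` value is still interpolated unescaped into the exec() command line; it is an admin-set setting, but casting it first (`$max = intval($pfb['logmax']);` and using `$max` in the tail command) costs nothing and removes the one non-path token that a tampered config could turn into extra shell arguments. Note also that `!empty($line)` silently drops a line consisting of the single character `0`, which may or may not matter for this input. pfb_logger continues past the end of this hunk.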
@@ -164,9 +184,9 @@ function pfb_logger($log, $type) {
}
-# Determine Folder Location for 'List'
-function pfb_determine_list_detail($list) {
- global $g,$pfb,$pfbarr;
+// Determine 'List' Details
+function pfb_determine_list_detail($list="", $header_url="", $confconfig="", $key="") {
+ global $pfb,$pfbarr,$config;
$pfbarr = array();
if (in_array($list,array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) {
@@ -179,7 +199,7 @@ function pfb_determine_list_detail($list) {
$pfbarr['skip'] = FALSE;
$pfbarr['folder'] = "{$pfb['nativedir']}";
} else {
- # Deny
+ // Deny
$pfbarr['skip'] = TRUE;
$pfbarr['folder'] = "{$pfb['denydir']}";
}
@@ -191,10 +211,180 @@ function pfb_determine_list_detail($list) {
$pfbarr['descr'] = " Auto ";
}
+ // Determine length of Header to format log Output
+ if (strlen($header_url) > 19) {
+ $pfbarr['logtab'] = "";
+ }
+ elseif (strlen($header_url) > 11) {
+ $pfbarr['logtab'] = "\t";
+ }
+ elseif (strlen($header_url) < 4) {
+ $pfbarr['logtab'] = "\t\t\t";
+ }
+ else {
+ $pfbarr['logtab'] = "\t\t";
+ }
+
+ if ($confconfig != "") {
+ // Configure Autoports/Protocol and Auto Destination if required.
+ $autotype = array( 'autoports' => 'aliasports', 'autodest' => 'aliasdest');
+ $aports = ""; $adest = "";
+ $pfbarr['aproto'] = $config['installedpackages'][$confconfig]['config'][$key]['autoproto'];
+ foreach ($autotype as $akey => $atype) {
+ if ($config['installedpackages'][$confconfig]['config'][$key][$akey] == "on" && is_array($config['aliases']['alias'])) {
+ foreach ($config['aliases']['alias'] as $palias) {
+ if ($palias['name'] == $config['installedpackages'][$confconfig]['config'][$key][$atype]) {
+ if (!empty($palias['address'])) {
+ switch($akey) {
+ case "autoports":
+ $pfbarr['aports'] = $config['installedpackages'][$confconfig]['config'][$key][$atype];
+ break;
+ case "autodest":
+ $pfbarr['adest'] = $config['installedpackages'][$confconfig]['config'][$key][$atype];
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
return $pfbarr;
}
-# Create Suppression Alias
+
+// Determine if Cron Task requires updating
+function pfblockerng_cron_exists($crontask, $pfb_min, $pfb_hour) {
+ global $config;
+
+ if (is_array($config['cron']['item'])) {
+ foreach ($config['cron']['item'] as $item) {
+ if (strpos($item['command'], $crontask) !== FALSE) {
+ if ($item['minute'] != $pfb_min) {
+ return FALSE;
+ }
+ if ($pfb_hour == 'maxmind' && !empty($item['hour'])) {
+ // Maxmind hour is randomized. Skip comparison.
+ return TRUE;
+ }
+ if ($item['hour'] != $pfb_hour) {
+ return FALSE;
+ }
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+
+// Calculate the cron task base hour setting
+function pfb_cron_base_hour() {
+ global $pfb;
+
+ if ($pfb['interval'] == 1) {
+ return;
+ }
+
+ if ($pfb['interval'] == 2) {
+ // 2 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch2 = strval($shour);
+ for ($i=0; $i<11; $i++) {
+ $shour += 2;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch2 .= "," . strval($shour);
+ }
+ $sch2 = explode(",", $sch2);
+ sort($sch2);
+ return $sch2;
+ }
+
+ if ($pfb['interval'] == 3) {
+ // 3 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch3 = strval($shour);
+ for ($i=0; $i<7; $i++) {
+ $shour += 3;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch3 .= "," . strval($shour);
+ }
+ $sch3 = explode(",", $sch3);
+ sort($sch3);
+ return $sch3;
+ }
+
+ if ($pfb['interval'] == 4) {
+ // 4 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch4 = strval($shour);
+ for ($i=0; $i<5; $i++) {
+ $shour += 4;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch4 .= "," . strval($shour);
+ }
+ $sch4 = explode(",", $sch4);
+ sort($sch4);
+ return $sch4;
+ }
+
+ if ($pfb['interval'] == 6) {
+ // 6 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch6 = strval($shour);
+ for ($i=0; $i<3; $i++) {
+ $shour += 6;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch6 .= "," . strval($shour);
+ }
+ $sch6 = explode(",", $sch6);
+ sort($sch6);
+ return $sch6;
+ }
+
+ if ($pfb['interval'] == 8) {
+ // 8 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch8 = strval($shour);
+ for ($i=0; $i<2; $i++) {
+ $shour += 8;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch8 .= "," . strval($shour);
+ }
+ $sch8 = explode(",", $sch8);
+ sort($sch8);
+ return $sch8;
+ }
+
+ if ($pfb['interval'] == 12) {
+ // 12 Hour Schedule Converter
+ $shour = intval(substr($pfb['hour'], 0, 2));
+ $sch12 = strval($shour) . ",";
+ $shour += 12;
+ if ($shour >= 24)
+ $shour -= 24;
+ $sch12 .= strval($shour);
+ $sch12 = explode(",", $sch12);
+ sort($sch12);
+ return $sch12;
+ }
+
+ if ($pfb['interval'] == 24) {
+ return array($pfb['24hour']);
+ }
+
+ // Default to hourly schedule
+ $pfb['interval'] = 1;
+ return;
+}
+
+
+// Create Suppression Alias
function pfb_create_suppression_alias() {
global $config;
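Review bot: `$pfb_hour == 'maxmind'` in pfblockerng_cron_exists is a loose comparison, and in PHP versions before 8.0 an integer 0 compares equal to any non-numeric string, so a schedule whose base hour reaches this function as the integer 0 would be treated as the randomized MaxMind task and a changed hour would never be detected; use `if ($pfb_hour === 'maxmind' && !empty($item['hour']))`. The call sites of both helpers are outside this hunk, so whether the hour is ever passed as an integer rather than the string read from config cannot be confirmed here. Separately, the six interval branches of pfb_cron_base_hour are the same loop with a different step; one loop over `24 / $interval` produces identical output, removes roughly eighty lines, and turns the supported intervals into a one-line list, with the 24-hour and fallback cases kept as they are.
```php
// Calculate the cron task base hour setting
function pfb_cron_base_hour() {
	global $pfb;

	$interval = intval($pfb['interval']);
	if ($interval == 24) {
		return array($pfb['24hour']);
	}
	if (!in_array($interval, array(2, 3, 4, 6, 8, 12))) {
		// Default to hourly schedule (interval 1 and any unknown value)
		$pfb['interval'] = 1;
		return;
	}

	// Start hour plus every multiple of the interval, wrapped at 24
	$shour = intval(substr($pfb['hour'], 0, 2));
	$hours = array();
	for ($i = 0; $i < 24 / $interval; $i++) {
		$hours[] = strval(($shour + $i * $interval) % 24);
	}
	sort($hours);
	return $hours;
}
```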
@@ -212,11 +402,11 @@ function pfb_create_suppression_alias() {
"detail" => ""
);
$config['aliases']['alias'] = $new_aliases;
- write_config();
+ $pfb['cron_mod'] = TRUE;
}
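Review bot: `$pfb['cron_mod'] = TRUE;` replaces the write_config() call in pfb_create_suppression_alias, but the function only declares `global $config;` (the line just above this hunk), so the assignment creates a function-local `$pfb` and the flag never reaches sync_package_pfblockerng; the freshly created suppression alias is then written to config only if some other path happens to set the flag. Change the declaration to `global $config, $pfb;`. The same flag-instead-of-write pattern is used in several functions in this commit, so each one is worth checking for the `$pfb` global.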
-# Create Suppression file from Alias
+// Create Suppression file from Alias
function pfb_create_suppression_file() {
global $config,$pfb;
@@ -235,19 +425,20 @@ function pfb_create_suppression_file() {
if ($pfb['found']) {
$pfb_suppress = str_replace(" ", "\n", $config['aliases']['alias'][$pfb_id]['address']);
if (!empty($pfb_suppress)) {
- @file_put_contents("{$pfb['supptxt']}",$pfb_suppress, LOCK_EX);
+ @file_put_contents("{$pfb['supptxt']}", $pfb_suppress, LOCK_EX);
} else {
unlink_if_exists("{$pfb['supptxt']}");
}
} else {
- # Delete Suppression File if Alias is Empty.
+ // Delete Suppression File if Alias is Empty.
unlink_if_exists("{$pfb['supptxt']}");
}
}
// Call Function to Create Suppression Alias.
- if (!$pfb['found'])
+ if (!$pfb['found']) {
pfb_create_suppression_alias();
+ }
}
@@ -306,7 +497,7 @@ function ip_range_to_subnet_array_temp2($ip1, $ip2) {
// already checked for the edge case where end = start+1 and start ends in 0x1, above, so it's safe
}
- // this is the only edge case arising from increment/decrement.
+ // this is the only edge case arising from increment/decrement.
// it happens if the range at start of loop is exactly 2 adjacent ips, that spanned the 1->0 gap. (we will have enumerated both by now)
if (strcmp($ip2bin, $ip1bin) < 0)
@@ -393,18 +584,21 @@ function pfb_aliastables($mode) {
}
}
- if ($msg != "")
+ if ($msg != "") {
pfb_logger("{$msg}","1");
+ $pfb['cron_mod'] = TRUE;
+ }
}
-# Main pfBlockerNG Function
+// Main pfBlockerNG Function
function sync_package_pfblockerng($cron = "") {
global $g,$config,$pfb,$pfbarr;
pfb_global();
+ $pfb['cron_mod'] = FALSE; // Flag to check for mods to the config.xml file.
- # Detect Boot Process or Update via CRON
+ // Detect Boot Process or Update via CRON
if (isset($_POST) && $cron == "") {
if (!preg_match("/\w+/",$_POST['__csrf_magic'])) {
log_error("[pfBlockerNG] Sync terminated during boot process.");
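Review bot: The new `$pfb['cron_mod'] = TRUE;` in pfb_aliastables only has an effect if that function declares `global $pfb;`; its header is outside this hunk, so that cannot be confirmed here, and without the global the config change that prompted the flag is never flushed. In sync_package_pfblockerng the flag is correctly reset to FALSE after pfb_global() with `$pfb` declared global, so anything a callee sets later is preserved, provided each callee writes to the global rather than a local.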
@@ -418,7 +612,7 @@ function sync_package_pfblockerng($cron = "") {
$pfb['save'] = TRUE;
}
- # Start of pfBlockerNG Logging to 'pfblockerng.log'
+ // Start of pfBlockerNG Logging to 'pfblockerng.log'
if ($pfb['enable'] == "on" && !$pfb['save']) {
$log = " UPDATE PROCESS START [ NOW ]\n";
pfb_logger("{$log}","1");
@@ -432,13 +626,15 @@ function sync_package_pfblockerng($cron = "") {
// Call function for NanoBSD/Ramdisk processes.
pfb_aliastables("conf");
- # Collect pfSense Max Table Size Entry
- $pfb['table_limit'] = ($config['system']['maximumtableentries'] != "" ? $config['system']['maximumtableentries'] : "2000000");
-
- # If Table limit not defined, set Default to 2M
- $config['system']['maximumtableentries'] = "{$pfb['table_limit']}";
+ // Collect pfSense Max Table Size Entry
+ if (empty($config['system']['maximumtableentries'])) {
+ // If Table limit not defined, set Default to 2M
+ $config['system']['maximumtableentries'] = "2000000";
+ $pfb['cron_mod'] = TRUE;
+ }
+ $pfb['table_limit'] = $config['system']['maximumtableentries'];
- # Collect local web gui configuration
+ // Collect local web gui configuration
$pfb['weblocal'] = ($config['system']['webgui']['protocol'] != "" ? $config['system']['webgui']['protocol'] : "http");
$pfb['port'] = $config['system']['webgui']['port'];
if ($pfb['port'] == "") {
@@ -450,72 +646,57 @@ function sync_package_pfblockerng($cron = "") {
}
$pfb['weblocal'] .= "://127.0.0.1:{$pfb['port']}/pfblockerng/pfblockerng.php";
- # Define Inbound/Outbound Action is not user selected.
+ // Define Inbound/Outbound Action is not user selected.
$pfb['deny_action_inbound'] = ($pfb['config']['inbound_deny_action'] != "" ? $pfb['config']['inbound_deny_action'] : "block");
$pfb['deny_action_outbound'] = ($pfb['config']['outbound_deny_action'] != "" ? $pfb['config']['outbound_deny_action'] : "reject");
- # Validation check to see if the Original pfBlocker package is Enabled
- $pfb['validate']= $pfb['config']['pfblocker_cb'];
- # User Defined CRON Start Minute
- $pfb['min'] = $pfb['config']['pfb_min'];
- # Reloads Existing Blocklists without Downloading New Lists
+ // Reloads Existing Blocklists without Downloading New Lists
$pfb['reuse'] = $pfb['config']['pfb_reuse'];
- # Enable OpenVPN AutoRules
+ // Enable OpenVPN AutoRules
$pfb['openvpn'] = $pfb['config']['openvpn_action'];
- # Enable/Disable Floating Auto-Rules
+ // Enable/Disable Floating Auto-Rules
$pfb['float'] = $pfb['config']['enable_float'];
- # Enable Remove of Duplicate IPs utilizing Grepcidr
+ // Enable Remove of Duplicate IPs utilizing Grepcidr
$pfb['dup'] = $pfb['config']['enable_dup'];
- # Order of the Auto-Rules
+ // Order of the Auto-Rules
$pfb['order'] = $pfb['config']['pass_order'];
- # Suffix used for Auto-Rules
+ // Suffix used for Auto-Rules
$pfb['suffix'] = $pfb['config']['autorule_suffix'];
- # Reputation Variables
+ // Reputation Variables
$pfb['config_rep'] = $config['installedpackages']['pfblockerngreputation']['config'][0];
- # Enable/Disable Reputation
+ // Enable/Disable Reputation
$pfb['rep'] = $pfb['config_rep']['enable_rep'];
- # Enable/Disable 'pDup'
+ // Enable/Disable 'pDup'
$pfb['pdup'] = $pfb['config_rep']['enable_pdup'];
- # Enable/Disable 'dDup'
+ // Enable/Disable 'dDup'
$pfb['dedup'] = ($pfb['config_rep']['enable_dedup'] != "" ? $pfb['config_rep']['enable_dedup'] : "x");
- # 'Max' variable setting for Reputation
+ // 'Max' variable setting for Reputation
$pfb['max'] = ($pfb['config_rep']['p24_max_var'] != "" ? $pfb['config_rep']['p24_max_var'] : "x");
- # 'dMax' variable setting for Reputation
+ // 'dMax' variable setting for Reputation
$pfb['dmax'] = ($pfb['config_rep']['p24_dmax_var'] != "" ? $pfb['config_rep']['p24_dmax_var'] : "x");
- # 'pMax' variable setting for Reputation
+ // 'pMax' variable setting for Reputation
$pfb['pmax'] = ($pfb['config_rep']['p24_pmax_var'] != "" ? $pfb['config_rep']['p24_pmax_var'] : "x");
- # Action for Whitelist Country Category
+ // Action for Whitelist Country Category
$pfb['ccwhite'] = $pfb['config_rep']['ccwhite'];
- # Action for Blacklist Country Category
+ // Action for Blacklist Country Category
$pfb['ccblack'] = $pfb['config_rep']['ccblack'];
- # List of Countries in the Whitelist Category
+ // List of Countries in the Whitelist Category
$pfb['ccexclude']= ($pfb['config_rep']['ccexclude'] != "" ? $pfb['config_rep']['ccexclude'] : "x");
- # Emerging Threats IQRisk Block Categories
+ // Emerging Threats IQRisk Block Categories
$pfb['etblock'] = ($pfb['config_rep']['etblock'] != "" ? $pfb['config_rep']['etblock'] : "x");
- # Emerging Threats IQRisk Match Categories
+ // Emerging Threats IQRisk Match Categories
$pfb['etmatch'] = ($pfb['config_rep']['etmatch'] != "" ? $pfb['config_rep']['etmatch'] : "x");
- # Perform a Force Update on ET Categories
+ // Perform a Force Update on ET Categories
$pfb['etupdate']= $pfb['config_rep']['et_update'];
- # Variables
+ // Variables
- # Starting Variable to Skip rep, pdup and dedeup functions if no changes are required
+ // Starting Variable to Skip rep, pdup and dedeup functions if no changes are required
$pfb['dupcheck'] = FALSE;
- ## $pfb['save'] is used to determine if User pressed "Save" Button to avoid Collision with CRON.
- ## This is defined in each pfBlockerNG XML Files
-
- # Validation Check to ensure pfBlocker and pfBlockerNG are not running at the same time.
- if ($pfb['validate'] == "") {
- # Collect pfBlocker Enabled Status from config file
- $pfb['validate_chk'] = $config['installedpackages']['pfblocker']['config'][0]['enable_cb'];
- if ($pfb['validate_chk'] == "on") {
- $log = "\n The Package 'pfBlocker' is currently Enabled. Either Disable pfBlocker, or 'Disable Validation Check' in pfBlockerNG \n";
- pfb_logger("{$log}","1");
- return;
- }
- }
+ // $pfb['save'] is used to determine if User pressed "Save" Button to avoid Collision with CRON.
+ // This is defined in each pfBlockerNG XML Files
#################################
@@ -533,8 +714,8 @@ function sync_package_pfblockerng($cron = "") {
"Proxy and Satellite" => "pfB_PS"
);
- #create rules vars and arrays
- # Array used to Collect Changes to Aliases to be saved to Config
+ // create rules vars and arrays
+ // Array used to Collect Changes to Aliases to be saved to Config
$new_aliases = array();
$new_aliases_list = array();
$continent_existing = array();
@@ -543,14 +724,14 @@ function sync_package_pfblockerng($cron = "") {
$permit_outbound = array();
$deny_inbound = array();
$deny_outbound = array();
- # An Array of all Aliases (Active and non-Active)
+ // An Array of all Aliases (Active and non-Active)
$aliases_list = array();
- # This is an Array of Aliases that Have Updated Lists via CRON/Force Update when 'Reputation' disabled.
+ // This is an Array of Aliases that Have Updated Lists via CRON/Force Update when 'Reputation' disabled.
$pfb_alias_lists = array();
- # This is an Array of All Active Aliases used when 'Reputation' enabled
+ // This is an Array of All Active Aliases used when 'Reputation' enabled
$pfb_alias_lists_all = array();
- # Base Rule Array
+ // Base Rule Array
$base_rule_reg = array( "id" => "",
"tag" => "",
"tagged" => "",
@@ -563,7 +744,7 @@ function sync_package_pfblockerng($cron = "") {
"os" => ""
);
- # Floating Rules, Base Rule Array
+ // Floating Rules, Base Rule Array
$base_rule_float = array("id" => "",
"tag" => "",
"tagged" => "",
@@ -583,8 +764,8 @@ function sync_package_pfblockerng($cron = "") {
# Configure Rule Suffix #
#########################################
- # Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order )
- # To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules
+ // Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order )
+ // To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules
$pfb['autorules'] = FALSE;
$pfb['found'] = FALSE;
foreach ($continents as $continent => $pfb_alias) {
@@ -610,16 +791,16 @@ function sync_package_pfblockerng($cron = "") {
}
}
- #Configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules
- # Count Number of Rules with 'pfB_'
+ // Configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules
+ // Count Number of Rules with 'pfB_'
$count = 0;
if (is_array($config['filter']['rule'])) {
foreach ($config['filter']['rule'] as $rule) {
- # Collect any pre-existing Suffix
+ // Collect any pre-existing Suffix
if (preg_match("/pfB_\w+(\s.*)/",$rule['descr'], $pfb_suffix_real) && $count == 0) {
$pfb_suffix_match = $pfb_suffix_real[1];
}
- # Query for Existing pfB Rules
+ // Query for Existing pfB Rules
if (preg_match("/pfB_/",$rule['descr'])) {
$count++;
break;
@@ -627,7 +808,7 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Change Suffix only if No pfB Rules Found and Auto Rules are Enabled.
+ // Change Suffix only if No pfB Rules Found and Auto Rules are Enabled.
if ($pfb['autorules'] && $count == 0) {
switch ($pfb['suffix']) {
case "autorule":
@@ -642,10 +823,10 @@ function sync_package_pfblockerng($cron = "") {
}
} else {
if ($pfb['autorules']) {
- # Use existing Suffix Match
+ // Use existing Suffix Match
$pfb['suffix'] = $pfb_suffix_match;
} else {
- # Leave Rule Suffix 'Blank'
+ // Leave Rule Suffix 'Blank'
$pfb['suffix'] = "";
}
}
@@ -655,50 +836,52 @@ function sync_package_pfblockerng($cron = "") {
# Configure INBOUND/OUTBOUND INTERFACES #
#########################################################
- # Collect pfSense Interface Order
+ // Collect pfSense Interface Order
$ifaces = get_configured_interface_list();
if (!empty($pfb['config']['inbound_interface'])) {
- # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate.
+ // Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate.
$selected_interfaces = explode(",",$pfb['config']['inbound_interface']);
- # Sort pfBlockerNG Interface order to pfSense Interface Order
+ // Sort pfBlockerNG Interface order to pfSense Interface Order
$sort_interfaces = array_intersect($ifaces, $selected_interfaces);
$implode_interfaces = ltrim(implode(",",$sort_interfaces), ",");
- # CSV String for Inbound Interfaces for 'pfB_' Match Rules
+ // CSV String for Inbound Interfaces for 'pfB_' Match Rules
$pfb['inbound_floating'] = $implode_interfaces;
$pfb['inbound_interfaces_float'] = explode(" ",$implode_interfaces);
- # Assign Inbound Base Rule/Interfaces
+ // Assign Inbound Base Rule/Interfaces
if ($pfb['float'] == "on") {
- # Define Base Firewall Floating Rules Settings
+ // Define Base Firewall Floating Rules Settings
$base_rule = $base_rule_float;
$pfb['inbound_interfaces'] = $pfb['inbound_interfaces_float'];
} else {
- # Define Base Firewall Rules Settings
+ // Define Base Firewall Rules Settings
$base_rule = $base_rule_reg;
$pfb['inbound_interfaces'] = explode(",",$pfb['config']['inbound_interface']);
}
} else {
- # Define Empty Variable/Array
+ // Define Empty Variable/Array
$pfb['inbound_interfaces_float'] = "";
$pfb['inbound_interfaces'] = array();
}
if (!empty($pfb['config']['outbound_interface'])) {
- # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate.
+ // Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate.
$selected_interfaces = explode(",",$pfb['config']['outbound_interface']);
- # Sort pfBlockerNG Interface order to pfSense Interface Order
+ // Sort pfBlockerNG Interface order to pfSense Interface Order
$sort_interfaces = array_intersect($ifaces, $selected_interfaces);
// If OpenVPN Interfaces are not in dropdown menu
- if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client'])
- if (!in_array("openvpn",$sort_interfaces))
+ if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) {
+ if (!in_array("openvpn",$sort_interfaces)) {
array_push($sort_interfaces, "openvpn");
+ }
+ }
$implode_interfaces = ltrim(implode(",",$sort_interfaces), ",");
- # CSV String for Outbound Interfaces for 'pfB_' Match Rules
+ // CSV String for Outbound Interfaces for 'pfB_' Match Rules
$pfb['outbound_floating'] = $implode_interfaces;
$pfb['outbound_interfaces_float'] = explode(" ",$implode_interfaces);
- # Assign Outbound Base Rule/Interfaces
+ // Assign Outbound Base Rule/Interfaces
if ($pfb['float'] == "on") {
$base_rule = $base_rule_float;
$pfb['outbound_interfaces'] = $pfb['outbound_interfaces_float'];
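Review bot: The re-braced OpenVPN condition still mixes `&&` and `||` without parentheses, so a reader has to know PHP precedence to see that it means "openvpn is on and either a server or a client exists"; writing it as `if ($pfb['openvpn'] == "on" && (!empty($config['openvpn']['openvpn-server']) || !empty($config['openvpn']['openvpn-client'])))` says that directly and also avoids the undefined-index notices for the missing key. While here, `explode(" ", $implode_interfaces)` on a comma-joined string always yields a one-element array; if a per-interface array was intended the separator should presumably be `","`, which is worth confirming against the consumers of `inbound_interfaces_float`.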
@@ -706,12 +889,14 @@ function sync_package_pfblockerng($cron = "") {
$base_rule = $base_rule_reg;
$pfb['outbound_interfaces'] = explode(",",$pfb['config']['outbound_interface']);
// If OpenVPN Interfaces are not in dropdown menu
- if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client'])
- if (!in_array("openvpn",$sort_interfaces))
+ if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) {
+ if (!in_array("openvpn",$sort_interfaces)) {
array_push($pfb['outbound_interfaces'], "openvpn");
+ }
+ }
}
} else {
- # Define Empty Variable/Array
+ // Define Empty Variable/Array
$pfb['outbound_interfaces_float'] = "";
$pfb['outbound_interfaces'] = array();
}
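Review bot: In the non-floating outbound branch the guard tests `in_array("openvpn", $sort_interfaces)` but pushes onto `$pfb['outbound_interfaces']`, which was just reassigned from the raw config string; `$sort_interfaces` is the intersection with get_configured_interface_list(), which will not contain "openvpn" if that is not a configured interface, so the test is effectively always true and "openvpn" is appended even when it is already in the user's selection, producing a duplicate rule interface. Test and push on the same array: `if (!in_array("openvpn", $pfb['outbound_interfaces'])) { array_push($pfb['outbound_interfaces'], "openvpn"); }`.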
@@ -721,12 +906,13 @@ function sync_package_pfblockerng($cron = "") {
# Clear Removed Lists from Masterfiles #
#################################################
- # Process to keep Masterfiles in Sync with Valid Lists from config.conf file.
+ // Process to keep Masterfiles in Sync with Valid Lists from config.conf file.
$pfb['sync_master'] = TRUE;
- # Don't execute this function when pfBlockerNG is Disabled and 'Keep Blocklists' is enabled.
- if ($pfb['enable'] == "" && $pfb['keep'] == "on")
+ // Don't execute this function when pfBlockerNG is Disabled and 'Keep Blocklists' is enabled.
+ if ($pfb['enable'] == "" && $pfb['keep'] == "on") {
$pfb['sync_master'] = FALSE;
+ }
if ($pfb['sync_master']) {
$pfb['existing']['match']['type'] = "match";
@@ -754,7 +940,7 @@ function sync_package_pfblockerng($cron = "") {
$cont_type = array ("countries4" => "_v4", "countries6" => "_v6");
foreach ($cont_type as $c_type => $vtype) {
if ($continent_config[$c_type] != "") {
- # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny'
+ // Set Parameters for 'Match', 'Permit', 'Native' and 'Deny'
if (in_array($continent_config['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) {
$pfb['existing']['match'][] = "{$pfb_alias}{$vtype}";
} elseif (in_array($continent_config['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))){
@@ -770,7 +956,7 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Find all Enabled IPv4/IPv6 Lists
+ // Find all Enabled IPv4/IPv6 Lists
$list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6");
foreach ($list_type as $ip_type => $vtype) {
if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") {
@@ -782,9 +968,9 @@ function sync_package_pfblockerng($cron = "") {
} else {
$pfb_alias = "{$row['header']}_v6";
}
- # Collect Enabled Lists
+ // Collect Enabled Lists
if ($row['url'] != "" && $row['state'] != "Disabled") {
- # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny'
+ // Set Parameters for 'Match', 'Permit', 'Native' and 'Deny'
if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) {
$pfb['existing']['match'][] = "{$pfb_alias}";
} elseif (in_array($list['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))) {
@@ -801,7 +987,7 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Find all Enabled IPv4 'Custom List' Header Names and Check if 'Emerging Threats Update' and 'Custom List Update' Needs Force Updating
+ // Find all Enabled IPv4 'Custom List' Header Names and Check if 'Emerging Threats Update' and 'Custom List Update' Needs Force Updating
$list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6");
foreach ($list_type as $ip_type => $vtype) {
if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") {
@@ -809,27 +995,28 @@ function sync_package_pfblockerng($cron = "") {
foreach ($config['installedpackages'][$ip_type]['config'] as $list) {
if (is_array($list['row']) && $list['action'] != "Disabled") {
$count++;
- # Check if 'Emerging Threats Update' Needs Updating before next CRON Event.
+ // Check if 'Emerging Threats Update' Needs Updating before next CRON Event.
if (is_array($list['row']) && $row['state'] != "Disabled" && $pfb['etupdate'] == "enabled" && $vtype == "_v4") {
foreach ($list['row'] as $row) {
$aliasname = $row['header'];
if ($row['format'] == "et") {
unlink_if_exists("{$pfb['denydir']}/{$aliasname}.txt");
$config['installedpackages']['pfblockerngreputation']['config'][0]['et_update'] = "disabled";
+ $pfb['cron_mod'] = TRUE;
break;
}
}
}
}
- # Collect Enabled Custom List Box Aliases
+ // Collect Enabled Custom List Box Aliases
if (pfbng_text_area_decode($list['custom']) != "") {
if ($vtype == "_v4") {
$pfb_alias = "{$list['aliasname']}_custom";
} else {
$pfb_alias = "{$list['aliasname']}_custom_v6";
}
- # Determine Folder Location for 'List'
+ // Determine Folder Location for 'List'
if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) {
$pfb['existing']['match'][] = "{$pfb_alias}";
$pfbfolder = "{$pfb['matchdir']}";
@@ -843,18 +1030,19 @@ function sync_package_pfblockerng($cron = "") {
$pfb['existing']['deny'][] = "{$pfb_alias},"; // Add Trailing ','
$pfbfolder = "{$pfb['denydir']}";
}
- # Determine if 'Custom List' Needs Force Updating before next CRON Event.
+ // Determine if 'Custom List' Needs Force Updating before next CRON Event.
if ($list['custom_update'] == "enabled") {
unlink_if_exists("{$pfbfolder}/{$pfb_alias}.txt");
- # Uncheck 'Enabled' in List 'Custom_update' Setting
+ // Uncheck 'Enabled' in List 'Custom_update' Setting
$config['installedpackages'][$ip_type]['config'][$count]['custom_update'] = "disabled";
+ $pfb['cron_mod'] = TRUE;
}
}
}
}
}
- # Collect all .txt file Names for each List Type
+ // Collect all .txt file Names for each List Type
$list_types = array('match' => $pfb['matchdir'], 'permit' => $pfb['permitdir'], 'deny' => $pfb['denydir'], 'native' => $pfb['nativedir']);
foreach ($list_types as $type => $pfbfolder) {
$pfb_files = glob("$pfbfolder/*.txt");
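Review bot: The write `$config['installedpackages'][$ip_type]['config'][$count]['custom_update'] = "disabled";`, which this hunk now persists via cron_mod, indexes the config by `$count`, and `$count` is incremented only for lists whose action is not Disabled (the `$count++` line in the previous hunk), so once a disabled list precedes an enabled one the flag is cleared on the wrong list entry and the intended one stays "enabled" and is force-updated on every run. Iterate with `foreach ($config['installedpackages'][$ip_type]['config'] as $idx => $list)` and write to `[$idx]`; where `$count` is initialised is outside this hunk, so the off-by-one between a zero-based array and a pre-incremented counter should be checked at the same time.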
@@ -868,12 +1056,12 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Flag to execute pfctl and Rules Ordering
+ // Flag to execute pfctl and Rules Ordering
$pfb['remove'] = FALSE;
- # Execute Final Summary as a List was Removed
+ // Execute Final Summary as a List was Removed
$pfb['summary'] = FALSE;
- # Process to Remove Lists from Masterfile/DB Folder if they do not Exist
+ // Process to Remove Lists from Masterfile/DB Folder if they do not Exist
if (isset($pfb['existing'])) {
foreach ($pfb['existing'] as $pfb_exist) {
$existing_type = $pfb_exist['type'];
@@ -888,7 +1076,7 @@ function sync_package_pfblockerng($cron = "") {
if ($f_result != "") {
$log = "[ Removing List(s) : {$f_result} ]\n";
pfb_logger("{$log}","1");
- # Script to Remove un-associated Lists
+ // Script to Remove un-associated Lists
exec ("{$pfb['script']} remove x x x {$f_result} >> {$pfb['log']} 2>&1");
$pfb['summary'] = TRUE;
$pfb['remove'] = TRUE;
@@ -898,13 +1086,13 @@ function sync_package_pfblockerng($cron = "") {
case "permit":
case "native":
$results = array_diff($pfb_act, $pfb_exist);
- # This variable ($f_result) used in next section below.
+ // This variable ($f_result) used in next section below.
$f_result = implode($results);
if (!empty($results)) {
- foreach ($results as $pfb_results) {
- $log = "[ Removing List(s) : {$pfb_results} ]\n";
+ foreach ($results as $pfb_result) {
+ $log = "[ Removing List : {$pfb_result} ]\n";
pfb_logger("{$log}","1");
- unlink_if_exists("{$pfbfolder}/{$pfb_results}.txt");
+ unlink_if_exists("{$pfbfolder}/{$pfb_result}.txt");
}
$pfb['summary'] = TRUE;
$pfb['remove'] = TRUE;
@@ -912,12 +1100,12 @@ function sync_package_pfblockerng($cron = "") {
break;
}
- # Allow Rebuilding of Changed Aliase to purge 'SKIP' Lists (when pfBlockerNG is Enabled)
+ // Allow rebuilding of changed Alias to purge 'SKIP' Lists (when pfBlockerNG is enabled)
$list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6");
foreach ($list_type as $ip_type => $vtype) {
if ($f_result != "" && $pfb['enable'] == "on") {
foreach ($results as $removed_header) {
- if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") {
+ if ($config['installedpackages'][$ip_type]['config'] != "") {
foreach ($config['installedpackages'][$ip_type]['config'] as $list) {
$alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']);
if (is_array($list['row'])) {
@@ -926,7 +1114,7 @@ function sync_package_pfblockerng($cron = "") {
if ($row['header'] == $removed) {
$pfb['summary'] = TRUE;
$pfb['remove'] = TRUE;
- # Add Alias to Update Array
+ // Add Alias to Update Array
$pfb_alias_lists[] = "{$alias}";
$pfb_alias_lists_all[] = "{$alias}";
}
@@ -947,7 +1135,7 @@ function sync_package_pfblockerng($cron = "") {
# Clear Match/Pass/ET/Original Files/Folders #
#########################################################
- # When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled.
+ // When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled.
if ($pfb['enable'] == "" && $pfb['keep'] == "" && !$pfb['install']) {
$log = "\n Removing DB Files/Folders \n";
pfb_logger("{$log}","1");
@@ -964,12 +1152,13 @@ function sync_package_pfblockerng($cron = "") {
}
- #########################################
- # Create Suppression Txt File #
- #########################################
+ #################################################
+ # Create IP Suppression Txt File #
+ #################################################
- if ($pfb['enable'] == "on" && $pfb['supp'] == "on")
+ if ($pfb['enable'] == "on" && $pfb['supp'] == "on") {
pfb_create_suppression_file();
+ }
#################################
@@ -979,18 +1168,23 @@ function sync_package_pfblockerng($cron = "") {
foreach ($continents as $continent => $pfb_alias) {
if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) {
$continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0];
+ $cc_name = 'pfblockerng' . strtolower(preg_replace('/ /','',$continent));
if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") {
- # Determine Folder Location for Alias (return array $pfbarr)
- pfb_determine_list_detail($continent_config['action']);
- $pfb['skip'] = $pfbarr['skip'];
- $pfb_descr = $pfbarr['descr'];
- $pfbfolder = $pfbarr['folder'];
-
// Determine if Continent Lists require Action (IPv4 and IPv6)
$cont_type = array ("countries4" => "_v4", "countries6" => "_v6");
foreach ($cont_type as $c_type => $vtype) {
+ // Determine 'List' details (return array $pfbarr)
+ pfb_determine_list_detail($continent_config['action'], "{$pfb_alias}{$vtype}", $cc_name, "0");
+ $pfb['skip'] = $pfbarr['skip'];
+ $pfb_descr = $pfbarr['descr'];
+ $pfbfolder = $pfbarr['folder'];
+ $log_tab = $pfbarr['logtab'];
+ $aports = $pfbarr['aports'];
+ $adest = $pfbarr['adest'];
+ $aproto = $pfbarr['aproto'];
+
$continent = "";
if ($continent_config[$c_type] != "") {
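Review bot: The continent config key expression `'pfblockerng' . strtolower(preg_replace('/ /','',$continent))` is now written three times in a row (the `is_array` test, the `$continent_config` lookup and the new `$cc_name` line); compute it once before the `if` and reuse it: `$cc_name = 'pfblockerng' . strtolower(preg_replace('/ /','',$continent));` then `if (is_array($config['installedpackages'][$cc_name]['config'])) {` and `$continent_config = $config['installedpackages'][$cc_name]['config'][0];`. The new `pfb_determine_list_detail()` call also deserves a comment listing which `$pfbarr` keys the helper is expected to populate (`skip`, `descr`, `folder`, `logtab`, `aports`, `adest`, `aproto`), since the results arrive through a global rather than a return value and the helper itself is outside this hunk. The enclosing `foreach` over `$cont_type` continues past the end of the hunk.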
@@ -1001,48 +1195,40 @@ function sync_package_pfblockerng($cron = "") {
}
}
- if (file_exists($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig'))
+ if (file_exists($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')) {
$continent_existing = preg_replace('/\s/', '', file ($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig'));
-
+ }
// Collect New Continent Data for comparison. Cleanup Array for Comparison
$continent_new = preg_split ('/$\R?^/m', $continent);
$line = count ( $continent_new ) - 1;
$match = $continent_new[$line];
$continent_new[$line] = rtrim($match, "\n");
- # Check if pfBlockerNG pfctl Continent Tables are Empty (pfBlockerNG was Disabled w/ "keep", then Re-enabled)
+ // Check if pfBlockerNG pfctl Continent Tables are Empty (pfBlockerNG was Disabled w/ "keep", then Re-enabled)
$pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$pfb_alias}{$vtype} | awk '/Addresses/ {s+=$2}; END {print s}'");
if (empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) {
$file_cont = file_get_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt');
@file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$file_cont, LOCK_EX);
- # PFCTL - Update Only Aliases that have been updated. ('Reputation' Disabled)
+ // PFCTL - Update Only Aliases that have been updated. ('Reputation' Disabled)
$pfb_alias_lists[] = "{$pfb_alias}{$vtype}";
}
- # Collect Active Alias Lists (Used for pfctl Update when 'Reputation' is enabled).
+ // Collect Active Alias Lists (Used for pfctl Update when 'Reputation' is enabled).
$pfb_alias_lists_all[] = "{$pfb_alias}{$vtype}";
// Compare Existing (Original File) and New Continent Data
if ($continent_new === $continent_existing && !empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt') && $pfb['reuse'] == "") {
- # Format Log into clean Tab Spaces
- $string_final = "{$pfb_alias}{$vtype}";
- if (strlen($string_final) > 10) {
- $log_tab = "\t";
- } else {
- $log_tab = "\t\t";
- }
-
if (!$pfb['save']) {
- $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} exists, Reloading File [ NOW ]\n";
+ $log = "\n[ {$pfb_alias}{$vtype} ]{$log_tab} exists, Reloading File [ NOW ]";
pfb_logger("{$log}","1");
}
} else {
// Do not proceed with Changes on User 'Save'
if (!$pfb['save']) {
- $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} Changes Found... Updating \n";
+ $log = "\n[ {$pfb_alias}{$vtype} ]{$log_tab} Changes Found... Updating \n";
pfb_logger("{$log}","1");
- # Test to Skip d-dup and p-dup functions when changes are found.
+ // Test to Skip d-dup and p-dup functions when changes are found.
$pfb['dupcheck'] = TRUE;
$pfb_alias_lists[] = "{$pfb_alias}{$vtype}";
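Review bot: The trailing `\n` is dropped from the `exists, Reloading File [ NOW ]` message but kept on `Changes Found... Updating \n` two branches below, and the same split recurs in later hunks (`Static Hold`, `Using Previously Downloaded File` and `Downloading New File` lose it while `Loading Custom File` keeps it); if that is deliberate because `pfb_logger()` terminates one kind of message and not the other, a one-line comment such as `// no trailing newline: the next status line continues this entry` would stop the next edit from "fixing" it. `$log_tab` now comes from `$pfbarr['logtab']`, assigned at the top of the `$cont_type` loop in the preceding hunk, so the inline width computation removed here has no replacement inside this hunk itself. The enclosing loop continues past the end of the hunk.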
@@ -1061,11 +1247,12 @@ function sync_package_pfblockerng($cron = "") {
@file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX);
}
- # Check if File Exists and is >0 in Size and Save alias file
+ // Check if File Exists and is > 0 in Size and Save alias file
$file_chk = "0";
$cont_chk = "{$pfbfolder}/{$pfb_alias}{$vtype}.txt";
- if (file_exists($cont_chk) && @filesize($cont_chk) >0)
+ if (file_exists($cont_chk) && @filesize($cont_chk) > 0) {
$file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$cont_chk}");
+ }
if ($file_chk == "0" || $file_chk == "1") {
$new_file = "1.1.1.1\n";
@@ -1077,9 +1264,8 @@ function sync_package_pfblockerng($cron = "") {
}
}
-
if (file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) {
- #Create alias config
+ // Create alias config
$new_aliases_list[] = "{$pfb_alias}{$vtype}";
$pfb_contlog = $continent_config['aliaslog'];
@@ -1093,7 +1279,7 @@ function sync_package_pfblockerng($cron = "") {
"detail" => "DO NOT EDIT THIS ALIAS"
);
- #Create rule if action permits
+ // Create rule if action permits
switch ($continent_config['action']) {
case "Deny_Both":
case "Deny_Outbound":
@@ -1105,7 +1291,7 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr']= "{$pfb_alias}{$vtype}{$pfb['suffix']}";
$rule['source'] = array("any" => "");
- $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}");
+ $rule['destination'] = array("address" => "{$pfb_alias}{$vtype}");
if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled")
$rule['log'] = "";
$deny_outbound[] = $rule;
@@ -1120,7 +1306,19 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}";
$rule['source'] = array("address" => "{$pfb_alias}{$vtype}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array("any" => "");
+ }
+ if (!empty($adest) && $continent_config['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled")
$rule['log'] = "";
$deny_inbound[] = $rule;
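Review bot: The new destination/port/protocol block is pasted verbatim into three inbound cases (this Deny_Inbound case, the Permit_Inbound case in the next hunk and the Match_Inbound case in the hunk after it), so any later fix has to be made three times; a small helper that sets `$rule['destination']`, the `not` flag and `$rule['protocol']` from `$adest`/`$aports`/`$aproto` keeps the three cases identical. As written, `$rule['protocol']` is only set when `$aproto` is non-empty, so a list with `$aports` set and `$aproto` empty produces a rule carrying a destination port with no protocol, which pf rejects for anything but tcp/udp; unless the input form already forces a protocol whenever ports are given (the form is outside this page), the helper should either drop the port or refuse the rule in that case. The enclosing `switch` on `$continent_config['action']` starts before this hunk.
```php
// Set the destination (and optional protocol) of an auto-generated rule from
// the 'List' details: $adest/$aports/$aproto come from $pfbarr, $autonot is
// the list's 'autonot' setting ("on" negates a configured destination).
function pfb_set_rule_destination(&$rule, $adest, $aports, $aproto, $autonot) {
	if (!empty($adest)) {
		$rule['destination'] = array("address" => "{$adest}");
	} else {
		$rule['destination'] = array("any" => "");
	}
	if (!empty($aports)) {
		$rule['destination']['port'] = "{$aports}";
	}
	if (!empty($adest) && $autonot == "on") {
		$rule['destination']['not'] = "";
	}
	if (!empty($aproto)) {
		$rule['protocol'] = "{$aproto}";
	}
}

// … unchanged: rule ipprotocol/direction/descr/source assignments in each inbound case …
pfb_set_rule_destination($rule, $adest, $aports, $aproto, $continent_config['autonot']);
// … unchanged: enable_log test and the $deny_inbound[] / $permit_inbound[] / $match_inbound[] append …
```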
@@ -1150,7 +1348,19 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}";
$rule['source'] = array("address"=> "{$pfb_alias}{$vtype}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array("any" => "");
+ }
+ if (!empty($adest) && $continent_config['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled")
$rule['log'] = "";
$permit_inbound[] = $rule;
@@ -1163,8 +1373,8 @@ function sync_package_pfblockerng($cron = "") {
$rule['ipprotocol'] = "inet6";
$rule['direction'] = "any";
$rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}";
- $rule['source'] = array ("any" => "");
- $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}");
+ $rule['source'] = array("any" => "");
+ $rule['destination'] = array("address" => "{$pfb_alias}{$vtype}");
if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled")
$rule['log'] = "";
$match_outbound[] = $rule;
@@ -1178,49 +1388,61 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}";
$rule['source'] = array ("address" => "{$pfb_alias}{$vtype}");
- $rule['destination'] = array ( "any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array("any" => "");
+ }
+ if (!empty($adest) && $continent_config['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled")
$rule['log'] = "";
$match_inbound[] = $rule;
break;
}
} else {
- #unlink continent list if any
+ // unlink continent list if any
unlink_if_exists($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt');
}
}
}
}
- #mark pfctl aliastable for cleanup
+ // mark pfctl aliastable for cleanup
if (!in_array($pfb_alias, $aliases_list)) {
$aliases_list[] = "{$pfb_alias}{$vtype}";
}
}
}
- # UNSET variables
+ // UNSET variables
unset ($continent, $continent_existing, $continent_new);
#################################################
# Download and Collect IPv4/IPv6 lists #
#################################################
- # IPv4 REGEX Definitions
+ // IPv4 REGEX Definitions
$pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/';
$pfb['block'] = '/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[ 0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.([0]{1})\s+/';
- $pfb['cidr'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/[0-9]{2}/';
+ $pfb['cidr'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/([0-9]{2}|[0-9]{1})/';
$pfb['single'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s+/';
$pfb['s_html'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/';
- # IPv4 preg_replace Regex Filter array
+ // IPv4 preg_replace Regex Filter array
$pfb_ipreg = array();
- $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet
- $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces
- $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8
- $pfb_ipreg[3] = '/0\.0\.0\.0\/32/'; # Remove 0.0.0.0/32
- $pfb_ipreg[4] = '/0\.0\.0\.0/'; # Remove 0.0.0.0
-
- # IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 **
- # https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html
+ $pfb_ipreg[0] = '/\b0+(?=\d)/'; // Remove any Leading Zeros in each Octet
+ $pfb_ipreg[1] = '/\s/'; // Remove any Whitespaces
+ $pfb_ipreg[2] = '/\/32/'; // Remove any /32 CIDR
+ $pfb_ipreg[3] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; // Remove any Loopback Addresses 127/8
+ $pfb_ipreg[4] = '/0\.0\.0\.0/'; // Remove 0.0.0.0
+
+ // IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 **
+ // https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html
$pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}';
$pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}';
$pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}';
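Review bot: The new `$pfb_ipreg[2] = '/\/32/'` is applied to every match the filter array touches, including the IPv6 matches in the `_v6` branches (`preg_replace($pfb_ipreg, '', $matches[0])`); if `$pfb['ipv6']`, assembled from `$pattern1..` past the end of this hunk, can capture a prefix length, a legitimate IPv6 `/32` allocation would be collapsed to a single host address, so a separate filter array without entries 2 and 3 (`/32` and the `127/8` loopback test are IPv4-only concerns) is the safer shape for the `_v6` branches. In the widened `$pfb['cidr']` pattern, `([0-9]{2}|[0-9]{1})` is equivalent to the simpler `[0-9]{1,2}`, and the capture group is never read, so `\/[0-9]{1,2}` says the same thing with less to misread. The duplicated destination block in the Match_Inbound case at the top of this hunk is covered by the note on the Deny_Inbound hunk.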
@@ -1239,28 +1461,22 @@ function sync_package_pfblockerng($cron = "") {
if ($config['installedpackages'][$ip_type]['config'] != "") {
foreach ($config['installedpackages'][$ip_type]['config'] as $list) {
if ($list['action'] != "Disabled" && $pfb['enable'] == "on" && !$pfb['save'] && is_array($list['row'])) {
- # Capture Alias Name
+ // capture Alias Name
$alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']);
foreach ($list['row'] as $row) {
if ($row['url'] != "" && $row['state'] != "Disabled") {
- # Determine Folder Location for Alias (return array $pfbarr)
- pfb_determine_list_detail($list['action']);
- $pfb['skip'] = $pfbarr['skip'];
- $pfbfolder = $pfbarr['folder'];
-
if ($vtype == "_v4") {
$header_url = "{$row['header']}";
} else {
$header_url = "{$row['header']}_v6";
}
- # Format Log into clean Tab Spaces
- if (strlen($header_url) > 10) {
- $log_tab = "\t";
- } else {
- $log_tab = "\t\t";
- }
+ // Determine 'List' details (return array $pfbarr)
+ pfb_determine_list_detail($list['action'], $header_url, "", "");
+ $pfb['skip'] = $pfbarr['skip'];
+ $pfbfolder = $pfbarr['folder'];
+ $log_tab = $pfbarr['logtab'];
// Empty Header Field Validation Check
if (empty($header_url) || preg_match("/\W/",$header_url)) {
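Review bot: `pfb_determine_list_detail($list['action'], $header_url, "", "")` is now called with `$header_url` before the header is validated (the `empty($header_url) || preg_match("/\W/",$header_url)` test is the last line of the hunk and its `continue` is just past it); moving the five new lines below that check preserves the rule that nothing is derived from a header until it has passed validation. If the helper only computes the `logtab` padding from the name this is harmless, but the helper is outside the hunk, so that cannot be confirmed here. The enclosing `foreach` over `$list['row']` continues past the end of the hunk.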
@@ -1269,33 +1485,35 @@ function sync_package_pfblockerng($cron = "") {
continue;
}
- # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled.
+ // Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled.
$pfb_alias_lists_all[] = "{$alias}";
if (file_exists($pfbfolder . '/' . $header_url . '.txt') && $pfb['reuse'] == "") {
if ($row['state'] == "Hold") {
- $log = "\n[ {$header_url} ] {$log_tab} Static Hold [ NOW ]\n";
+ $log = "\n[ {$header_url} ]{$log_tab} Static Hold [ NOW ]";
} else {
- $log = "\n[ {$header_url} ] {$log_tab} exists, Reloading File [ NOW ]\n";
+ $log = "\n[ {$header_url} ]{$log_tab} exists, Reloading File [ NOW ]";
}
pfb_logger("{$log}","1");
} else {
if ($pfb['reuse'] == "on" && file_exists($pfb['origdir'] . '/' . $header_url . '.orig')) {
- $log = "\n[ {$header_url} ] {$log_tab} Using Previously Downloaded File [ NOW ]\n";
+ $log = "\n[ {$header_url} ]{$log_tab} Using Previously Downloaded File [ NOW ]";
} else {
- $log = "\n[ {$header_url} ] {$log_tab} Downloading New File [ NOW ]\n";
- }
+ $log = "\n[ {$header_url} ]{$log_tab} Downloading New File [ NOW ]";
+ }
pfb_logger("{$log}","1");
- # Perform Remote URL Date/Time Stamp checks
- $host = @parse_url($row['url']);
$list_url = "{$row['url']}";
- if ($row['format'] != "rsync" || $row['format'] != "html") {
- if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
- $remote_tds = "local";
- } else {
- $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url)));
- $remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds);
+ if (!$pfb['reuse'] == "on") {
+ // Perform Remote URL Date/Time Stamp checks
+ $host = @parse_url($row['url']);
+ if ($row['format'] != "rsync" || $row['format'] != "html") {
+ if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
+ $remote_tds = "local";
+ } else {
+ $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url)));
+ $remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds);
+ }
}
}
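Review bot: `if (!$pfb['reuse'] == "on")` parses as `(!$pfb['reuse']) == "on"`, which only happens to work because PHP compares the boolean against `"on"` as a boolean; write the intent directly, `if ($pfb['reuse'] != "on") {`. Moving `$host = @parse_url($row['url']);` inside that block also leaves `$host` unset when reuse is on and the download still fails (reuse only skips the fetch when the file exists), and the failure branch further down (`$ip = @gethostbyname($host['host'])` and the `empty($host['host'])` test) then reports a remote failure as `Local File Failure`; keep the `parse_url` line before the `if` and guard only the `get_headers()` timestamp check. The moved condition `if ($row['format'] != "rsync" || $row['format'] != "html")` is always true because a format cannot equal both strings, so `&&` appears to be what was meant. The enclosing loop continues past the hunk.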
@@ -1303,7 +1521,7 @@ function sync_package_pfblockerng($cron = "") {
if ($row['format'] == "gz" || $row['format'] == "gz_2") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.gz";
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_gz = "{$row['url']}";
$file_gz = @file_get_contents($url_gz);
@@ -1317,11 +1535,11 @@ function sync_package_pfblockerng($cron = "") {
$url_list = @gzfile($file_dwn);
}
- # IBlock Large Files mixed with IPs and Domains. PHP mem of 256M can't handle very large Files.
+ // IBlock Large Files mixed with IPs and Domains. PHP mem of 256M can't handle very large Files.
if ($row['format'] == "gz_lg") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.gz";
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_gz = "{$row['url']}";
$file_gz = @file_get_contents($url_gz);
@@ -1339,12 +1557,12 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "zip") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.zip";
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_zip = "{$row['url']}";
if (!$file_zip = @file_get_contents($url_zip)) {
$error = error_get_last();
- $log = "\n [ {$header_url} ] {$error['message']} \n";
+ $log = "\n [ {$header_url} ] {$error['message']}\n";
pfb_logger("{$log}","2");
} else {
@file_put_contents($file_dwn, $file_zip, LOCK_EX);
@@ -1362,9 +1580,9 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "et") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.gz";
- # Script to Call ET IQRISK Process
+ // Script to Call ET IQRISK Process
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_et = "{$row['url']}";
$file_et = @file_get_contents($url_et);
@@ -1381,9 +1599,9 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "xlsx") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.zip";
- # Script to Call XLSX Process
+ // Script to Call XLSX Process
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_xlsx = "{$row['url']}";
$file_xlsx = @file_get_contents($url_xlsx);
@@ -1417,11 +1635,11 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "html" || $row['format'] == "block") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.raw";
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
$return = 0;
} else {
$url_html = "{$row['url']}";
- exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 {$url_html}",$output,$return);
+ exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 '{$url_html}'",$output,$return);
}
if ($return == 0)
$url_list = @file($file_dwn);
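Review bot: Wrapping `{$url_html}` in single quotes stops shell word splitting but not a quote character inside the URL; `escapeshellarg()` covers every case, `exec("/usr/bin/fetch -v -o " . escapeshellarg($file_dwn) . " -T 20 " . escapeshellarg($url_html), $output, $return);`. `$file_dwn` derives from `$header_url`, which is rejected earlier when it contains a non-word character, so the URL is the only part that strictly needs it, but quoting both costs nothing. The rsync `exec` in the next hunk interpolates its URL with no quoting at all and would benefit from the same treatment.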
@@ -1430,7 +1648,7 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "rsync") {
$file_dwn = "{$pfb['origdir']}/{$header_url}.orig";
if ($pfb['reuse'] == "on" && file_exists($file_dwn)) {
- # File Exists/Reuse
+ // File Exists/Reuse
} else {
$url_rsync = "{$row['url']}";
exec ("/usr/local/bin/rsync --timeout=5 {$url_rsync} {$file_dwn}");
@@ -1438,13 +1656,13 @@ function sync_package_pfblockerng($cron = "") {
$url_list = @file($file_dwn);
}
- #extract range lists
+ // extract range lists
$new_file = "";
if (!empty($url_list)) {
if ($row['format'] == "gz" && $vtype == "_v4") {
foreach ($url_list as $line) {
if (!preg_match("/^#/", $line)) {
- # Network range 192.168.0.0-192.168.0.254
+ // Network range 192.168.0.0-192.168.0.254
if (preg_match($pfb['range'],$line,$matches)) {
$a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]);
if (!empty($a_cidr)) {
@@ -1460,7 +1678,7 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "block" && $vtype == "_v4") {
foreach ($url_list as $line) {
if (!preg_match("/^#/", $line)) {
- # Block Type '218.77.79.0 218.77.79.255 24'
+ // Block Type '218.77.79.0 218.77.79.255 24'
if (preg_match($pfb['block'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n";
}
@@ -1471,11 +1689,11 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "html" && $vtype == "_v4") {
foreach ($url_list as $line) {
if (!preg_match("/^#/", $line)) {
- # CIDR format 192.168.0.0/16
+ // CIDR format 192.168.0.0/16
if (preg_match($pfb['cidr'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
- # Single ip addresses
+ // Single ip addresses
elseif (preg_match($pfb['s_html'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
@@ -1486,7 +1704,7 @@ function sync_package_pfblockerng($cron = "") {
elseif ($vtype == "_v6") {
foreach ($url_list as $line) {
if (!preg_match("/^#/", $line)) {
- # IPv6 Regex Match
+ // IPv6 Regex Match
if (preg_match($pfb['ipv6'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
@@ -1497,11 +1715,20 @@ function sync_package_pfblockerng($cron = "") {
else {
foreach ($url_list as $line) {
if (!preg_match("/^#/", $line)) {
- # CIDR format 192.168.0.0/16
- if (preg_match($pfb['cidr'],$line,$matches)) {
+ // Network range 192.168.0.0-192.168.0.254
+ if (preg_match($pfb['range'],$line,$matches)) {
+ $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]);
+ if (!empty($a_cidr)) {
+ foreach ($a_cidr as $cidr) {
+ $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n";
+ }
+ }
+ }
+ // CIDR format 192.168.0.0/16
+ elseif (preg_match($pfb['cidr'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
- # Single ip addresses
+ // Single ip addresses
elseif (preg_match($pfb['single'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
@@ -1510,17 +1737,18 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Check to see if Blocklist actually Failed Download or has no IPs listed.
+ // Check to see if Blocklist actually Failed Download or has no IPs listed.
if ($row['format'] == "html" || $row['format'] == "block") {
$url_chk = $file_dwn;
} else {
$url_chk = "{$pfb['origdir']}/{$header_url}.orig";
}
- # Check if File Exists and is >0 in Size
+ // Check if File Exists and is > 0 in Size
$file_chk = "";
- if (file_exists($url_chk) && @filesize($url_chk) >0)
+ if (file_exists($url_chk) && @filesize($url_chk) > 0) {
$file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$url_chk}");
+ }
if ($file_chk == "0") {
$new_file = "1.1.1.1\n";
@@ -1531,41 +1759,42 @@ function sync_package_pfblockerng($cron = "") {
if ($new_file != "") {
if ($row['format'] == "gz" || $row['format'] == "gz_2" || $row['format'] == "html" || $row['format'] == "block") {
- # Re-Save these formats as original file
+ // Re-Save these formats as original file
$url_other = $new_file;
@file_put_contents($pfb['origdir'] . '/' . $header_url . '.orig',$url_other, LOCK_EX);
}
- # Save List to '.txt' format in appropriate Folder
+ // Save List to '.txt' format in appropriate Folder
@file_put_contents($pfbfolder . '/' .$header_url . '.txt',$new_file, LOCK_EX);
if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") {
- # Script to Call p24 Process
+ // Script to Call p24 Process
exec ("{$pfb['script']} p24 {$header_url} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1");
}
if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") {
- # Script to call Duplication Check Process
+ // Script to call Duplication Check Process
exec ("{$pfb['script']} duplicate {$header_url} >> {$pfb['log']} 2>&1");
}
- # PFCTL - Update Only Aliases that have been updated only.
+ // PFCTL - Update Only Aliases that have been updated only.
$pfb_alias_lists[] = "{$alias}";
- # Launch d-dup and p-dup functions when changes are found.
- if ($pfb['skip'] && $vtype == "_v4")
+ // Launch d-dup and p-dup functions when changes are found.
+ if ($pfb['skip'] && $vtype == "_v4") {
$pfb['dupcheck'] = TRUE;
- # Enable Suppression Process due to Updates
- if ($pfb['supp'] == "on" && $vtype == "_v4")
+ }
+ // Enable Suppression Process due to Updates
+ if ($pfb['supp'] == "on" && $vtype == "_v4") {
$pfb['supp_update'] = TRUE;
-
+ }
} else {
- # Log FAILED Downloads and Check if Firewall or Snort/Suricata is Blocking Host
+ // Log FAILED Downloads and Check if Firewall or Snort/Suricata is Blocking Host
$log = "\n [ {$alias} {$header_url} ] Download FAIL [ NOW ]\n";
pfb_logger("{$log}","2");
- # Rebuild Previous List File from contents of Masterfile
+ // Rebuild Previous List File from contents of Masterfile
if ($pfb['skip'] && $vtype == "_v4") {
- # Search with trailing Whitespace to match exact Header in Masterfile
+ // Search with trailing Whitespace to match exact Header in Masterfile
$header_url2 = $header_url . "[[:space:]]";
$file_chk = exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | grep -c ^");
@@ -1575,17 +1804,17 @@ function sync_package_pfblockerng($cron = "") {
exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | cut -d' ' -f2 > {$pfbfolder}/{$header_url}.txt");
}
}
- # A "Space" string Variable
+ // A "Space" string Variable
$sp = " ";
$ip = @gethostbyname($host['host']);
$ip2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", "\"^$1\.$2\.$3\.\"", $ip);
- # Only Perform these Checks if they are not "localfiles"
+ // Only Perform these Checks if they are not "localfiles"
if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
$log = " [ {$alias} {$header_url} ] Local File Failure \n";
pfb_logger("{$log}","2");
} else {
- # only perform these steps if an 'IP' is found.
+ // only perform these steps if an 'IP' is found.
if (!empty($ip)) {
// Query for Exact IP Match
$result_b1 = array();
@@ -1596,7 +1825,7 @@ function sync_package_pfblockerng($cron = "") {
// Query Snort/Suricata snort2c IP Block Table
$snort_pfb = exec("/sbin/pfctl -t snort2c -T show | grep {$ip}");
- # If an exact IP Match is not found report any First Three IP Octets.
+ // If an exact IP Match is not found report any First Three IP Octets.
if (!empty($result_b1)) {
$final_b1 = implode("\n ", $result_b1);
$log = " [ {$alias} {$header_url}, {$ip} ] Firewall IP Block Found in : \n{$sp}{$final_b1}\n";
@@ -1618,12 +1847,12 @@ function sync_package_pfblockerng($cron = "") {
}
}
}
- # UNSET variables
+ // UNSET variables
unset ($file_gz,$file_zip,$file_et,$file_xlsx,$url_other,$url_list);
}
}
}
- #check custom network list
+ // check custom network list
if (pfbng_text_area_decode($list['custom']) != "") {
if ($vtype == "_v4") {
@@ -1632,27 +1861,21 @@ function sync_package_pfblockerng($cron = "") {
$aliascustom = "{$list['aliasname']}_custom_v6";
}
- # Format Log into clean Tab Spaces
- if (strlen($aliascustom) > 10) {
- $log_tab = "\t";
- } else {
- $log_tab = "\t\t";
- }
-
- # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled.
+ // Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled.
$pfb_alias_lists_all[] = "{$alias}";
- # Determine Folder Location for Alias (return array $pfbarr)
- pfb_determine_list_detail($list['action']);
- $pfb['skip'] = $pfbarr['skip'];
- $pfbfolder = $pfbarr['folder'];
+ // Determine 'List' details (return array $pfbarr)
+ pfb_determine_list_detail($list['action'], $aliascustom, "", "");
+ $pfb['skip'] = $pfbarr['skip'];
+ $pfbfolder = $pfbarr['folder'];
+ $log_tab = $pfbarr['logtab'];
if (file_exists($pfbfolder . '/' . $aliascustom . '.txt') && $pfb['reuse'] == "") {
- $log = "\n[ {$aliascustom} ] {$log_tab} exists, Reloading File [ NOW ]\n";
+ $log = "\n[ {$aliascustom} ]{$log_tab} exists, Reloading File [ NOW ]";
pfb_logger("{$log}","1");
} else {
$url_list = array();
- $log = "\n[ {$aliascustom} ] {$log_tab} Loading Custom File [ NOW ]\n";
+ $log = "\n[ {$aliascustom} ]{$log_tab} Loading Custom File [ NOW ]\n";
pfb_logger("{$log}","1");
$custom_list = pfbng_text_area_decode($list['custom']) . "\n";
@@ -1663,16 +1886,8 @@ function sync_package_pfblockerng($cron = "") {
if (!empty($url_list)) {
foreach ($url_list as $line) {
if ($vtype == "_v4") {
- # CIDR format 192.168.0.0/16
- if (preg_match($pfb['cidr'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
- }
- # Single ip addresses
- elseif (preg_match($pfb['s_html'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
- }
- # Network range 192.168.0.0-192.168.0.254
- elseif (preg_match($pfb['range'],$line,$matches)) {
+ // Network range 192.168.0.0-192.168.0.254
+ if (preg_match($pfb['range'],$line,$matches)) {
$a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]);
if (!empty($a_cidr)) {
foreach ($a_cidr as $cidr) {
@@ -1680,8 +1895,16 @@ function sync_package_pfblockerng($cron = "") {
}
}
}
+ // CIDR format 192.168.0.0/16
+ elseif (preg_match($pfb['cidr'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
+ // Single ip addresses
+ elseif (preg_match($pfb['s_html'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
} else {
- # IPv6 Regex
+ // IPv6 Regex
if (preg_match($pfb['ipv6'],$line,$matches)) {
$new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
}
@@ -1690,19 +1913,20 @@ function sync_package_pfblockerng($cron = "") {
}
if ($new_file != "") {
- # PFCTL - Collect Only Aliases that have been updated only.
+ // PFCTL - Collect Only Aliases that have been updated only.
$pfb_alias_lists[] = "{$alias}";
- # Collect Updated lists for Suppression Process
+ // Collect Updated lists for Suppression Process
@file_put_contents($pfbfolder . '/'. $aliascustom . '.txt',$new_file, LOCK_EX);
- # Enable Suppression Process due to Updates
- if ($pfb['supp'] == "on" && $vtype == "_v4")
+ // Enable Suppression Process due to Updates
+ if ($pfb['supp'] == "on" && $vtype == "_v4") {
$pfb['supp_update'] = TRUE;
+ }
if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") {
- # Script to Call p24 Process
+ // Script to Call p24 Process
exec ("{$pfb['script']} p24 {$aliascustom} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1");
}
if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") {
- # Script to call Duplication Check Process
+ // Script to call Duplication Check Process
exec ("{$pfb['script']} duplicate {$aliascustom} >> {$pfb['log']} 2>&1");
}
} else {
@@ -1721,13 +1945,13 @@ function sync_package_pfblockerng($cron = "") {
# REPUTATION PROCESSES #
#################################
- # IP Reputation processes (pdup and ddup)
+ // IP Reputation processes (pdup and ddup)
if ($pfb['pdup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") {
- # Script to run pdup process
+ // Script to run pdup process
exec ("{$pfb['script']} pdup x {$pfb['pmax']} >> {$pfb['log']} 2>&1");
}
if ($pfb['dedup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") {
- # Script to run dedup process
+ // Script to run dedup process
exec ("{$pfb['script']} dedup x {$pfb['dmax']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1");
}
@@ -1739,28 +1963,33 @@ function sync_package_pfblockerng($cron = "") {
foreach ($list_type as $ip_type => $vtype) {
if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") {
$runonce = 0;
- foreach ($config['installedpackages'][$ip_type]['config'] as $list) {
+ foreach ($config['installedpackages'][$ip_type]['config'] as $key => $list) {
$alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']);
- # Determine Folder Location for Alias (return array $pfbarr)
- pfb_determine_list_detail($list['action']);
+ // Determine 'List' details (return array $pfbarr)
+ pfb_determine_list_detail($list['action'], "", $ip_type, $key);
$pfb['skip'] = $pfbarr['skip'];
$pfb_descr = $pfbarr['descr'];
$pfbfolder = $pfbarr['folder'];
+ $aports = $pfbarr['aports'];
+ $adest = $pfbarr['adest'];
+ $aproto = $pfbarr['aproto'];
// Re-Save Only Aliases that have been updated only.
// When 'Reputation' is used, all Aliases need to be Updated.
$final_alias = array();
if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") {
- if (!empty($pfb_alias_lists_all))
+ if (!empty($pfb_alias_lists_all)) {
$final_alias = array_unique($pfb_alias_lists_all);
+ }
} else {
- if (!empty($pfb_alias_lists))
+ if (!empty($pfb_alias_lists)) {
$final_alias = array_unique($pfb_alias_lists);
+ }
}
if ($list['action'] != "Disabled") {
- #remove empty lists files if any
+ // remove empty lists files if any
if (is_array($list['row'])) {
$update = 0;
${$alias} = "";
@@ -1773,20 +2002,20 @@ function sync_package_pfblockerng($cron = "") {
}
$pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'");
- # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty.
+ // Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty.
if (file_exists($pfbfolder . "/" . $header_url . ".txt") && in_array($alias, $final_alias) || file_exists($pfbfolder . "/" . $header_url . ".txt") && empty($pfctlck)) {
- # Script to run Suppression process (Print Header Only)
+ // Script to run Suppression process (Print Header Only)
if ($pfb['supp'] == "on" && $vtype == "_v4" && $runonce == 0 && $pfb['supp_update']) {
exec ("{$pfb['script']} suppress x x x suppressheader >> {$pfb['log']} 2>&1");
$runonce++;
}
- # Script to run Suppression Process (Body)
+ // Script to run Suppression Process (Body)
if ($pfb['supp'] == "on" && $vtype == "_v4" && $pfb['supp_update']) {
if ($pfb['dup'] == "on" || !$pfb['skip']) {
- # Execute if Duplication Process is Enabled or List is Permit or Match
+ // Execute if Duplication Process is Enabled or List is Permit or Match
exec ("{$pfb['script']} suppress x x x {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1");
} else {
- # Execute if Duplication Process is Disabled
+ // Execute if Duplication Process is Disabled
exec ("{$pfb['script']} suppress x x off {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1");
}
}
@@ -1797,14 +2026,14 @@ function sync_package_pfblockerng($cron = "") {
}
}
- #check custom network list
+ // check custom network list
if ($vtype == "_v4") {
$aliasname = "{$list['aliasname']}_custom";
} else {
$aliasname = "{$list['aliasname']}_custom_v6";
}
- # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty.
+ // Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty.
$pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'");
if (pfbng_text_area_decode($list['custom']) != "") {
@@ -1813,7 +2042,7 @@ function sync_package_pfblockerng($cron = "") {
$update++;
}
}
- # Determine Validity of Alias URL Tables/Rules. ie: Don't create Empty URL Tables or Aliases
+ // Determine Validity of Alias URL Tables/Rules. ie: Don't create Empty URL Tables or Aliases
if (${$alias} == "" && empty($pfctlck)) {
unlink_if_exists($pfb['aliasdir'] . '/' . $alias. '.txt');
} else {
@@ -1823,7 +2052,7 @@ function sync_package_pfblockerng($cron = "") {
}
$alias_log = $list['aliaslog'];
- #create alias
+ // create alias
$new_aliases_list[] = "{$alias}";
$new_aliases[] = array( "name" => "{$alias}",
@@ -1835,7 +2064,7 @@ function sync_package_pfblockerng($cron = "") {
"detail" => "DO NOT EDIT THIS ALIAS"
);
- #Create rule if action permits
+ // Create rule if action permits
switch ($list['action']) {
case "Deny_Both":
case "Deny_Outbound":
@@ -1862,7 +2091,19 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$alias}{$pfb['suffix']}";
$rule['source'] = array("address" => "{$alias}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array ("any" => "");
+ }
+ if (!empty($adest) && $list['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled")
$rule['log'] = "";
$deny_inbound[] = $rule;
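Review bot: The destination/port/protocol block added after `$rule['source']` is repeated verbatim in the next two hunks (the permit and match cases), which triples the surface for a future divergence; a small helper that fills those fields keeps the three cases identical. The `if (...) $rule['destination']['not'] = "";` and `if (!empty($aproto))` lines also omit the braces this commit adds everywhere else. `$adest`, `$aports` and `$aproto` are read from `$pfbarr` earlier in the function and end up in live firewall rules; I cannot see from the hunk whether `pfb_determine_list_detail()` validates them, so if they are user-entered per-list fields, check them (alias name or IP/network, port list, protocol value) before they are written into `$config['filter']['rule']`. The switch statement and the enclosing function extend beyond the hunk.
```php
// Fill the destination and protocol fields shared by the Deny, Permit and Match cases.
function pfb_rule_destination(&$rule, $adest, $aports, $aproto, $autonot) {
	$rule['destination'] = empty($adest) ? array("any" => "") : array("address" => "{$adest}");
	if (!empty($aports)) {
		$rule['destination']['port'] = "{$aports}";
	}
	if (!empty($adest) && $autonot == "on") {
		$rule['destination']['not'] = "";
	}
	if (!empty($aproto)) {
		$rule['protocol'] = "{$aproto}";
	}
}

// … unchanged: rule header fields in each switch case …
					$rule['source'] = array("address" => "{$alias}");
					pfb_rule_destination($rule, $adest, $aports, $aproto, $list['autonot']);
```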
@@ -1892,7 +2133,19 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$alias}{$pfb['suffix']}";
$rule['source'] = array ("address" => "{$alias}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array ("any" => "");
+ }
+ if (!empty($adest) && $list['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled")
$rule['log'] = "";
$permit_inbound[] = $rule;
@@ -1920,25 +2173,37 @@ function sync_package_pfblockerng($cron = "") {
$rule['direction'] = "any";
$rule['descr'] = "{$alias}{$pfb['suffix']}";
$rule['source'] = array ("address" => "{$alias}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array ("any" => "");
+ }
+ if (!empty($adest) && $list['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled")
$rule['log'] = "";
$match_inbound[] = $rule;
break;
}
}
- #mark pfctl aliastable for cleanup
+ // mark pfctl aliastable for cleanup
if (!in_array($alias, $aliases_list)) {
$aliases_list[] = "{$alias}";
}
} else {
- #unlink previous pfblockerNG alias list if any
+ // unlink previous pfblockerNG alias list if any
unlink_if_exists($pfb['aliasdir'] . '/' . $alias . '.txt');
}
}
}
}
- # Clear Variables
+ // Clear Variables
${$alias} = "";
@@ -1946,38 +2211,39 @@ function sync_package_pfblockerng($cron = "") {
# UPDATE pfSense ALIAS TABLES #
#########################################
- #update pfsense alias table
+ // update pfsense alias table
if (is_array($config['aliases']['alias'])) {
foreach ($config['aliases']['alias'] as $cbalias) {
- if (preg_match("/pfB_/",$cbalias['name'])) {
- #mark pfctl aliastable for cleaning
+ if (substr($cbalias['name'], 0, 4) == 'pfB_') {
+ // mark pfctl aliastable for cleaning
if (!in_array($cbalias['name'], $aliases_list)) {
- $aliases_list[] = $cbalias['name']; #mark aliastable for cleaning
+ $aliases_list[] = $cbalias['name']; // mark aliastable for cleaning
}
- #remove previous aliastable file if alias is not defined any more
+ // remove previous aliastable file if alias is not defined any more
if (!in_array($cbalias['name'], $new_aliases_list)) {
unlink_if_exists($pfb['aliasdir'] . '/' . $cbalias['name'] . ".txt");
}
} else {
$new_aliases[] = $cbalias;
- # Check Table Size
+ // Check Table Size
if (file_exists($pfb['aliasdir'] . '/' . $alias . '.txt') && $message == "") {
preg_match("/(\d+)/",exec("/usr/bin/grep -c ^ " . $pfb['aliasdir'] . '/' . $alias . '.txt'),$matches);
}
if (($matches[1] * 2.1) >= $pfb['table_limit']) {
- #alias table too large
+ // alias table too large
$message = "{$alias} alias table is too large. Reduce networks in list or increase 'Firewall Maximum Table Entries' value to at least " . (int)($matches[1] * 2.1) . ' in "system - advanced - Firewall/NAT" . ';
}
}
}
}
- #apply new alias table to xml
+ // apply new alias table to xml
if ($message == "") {
$config['aliases']['alias'] = $new_aliases;
+ $pfb['cron_mod'] = TRUE;
}
- # UNSET Variables
+ // UNSET Variables
unset($new_aliases, $cbalias);
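Review bot: The new `$pfb['cron_mod'] = TRUE;` after `$config['aliases']['alias'] = $new_aliases;` is set on every run that produces no error message, not only when the alias list actually changed, so it will force a config write on each cron cycle once the save condition at the end of the function stops being unconditional; compare `$new_aliases` with the previous `$config['aliases']['alias']` before setting the flag. The table-size check in the `else` branch also appears to read `$alias` and `$matches` left over from the list loop above rather than `$cbalias['name']`, which is pre-existing but worth a look while this block is being touched. `sync_package_pfblockerng()` continues on both sides of the hunk.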
@@ -1985,7 +2251,7 @@ function sync_package_pfblockerng($cron = "") {
# Assign Rules #
#########################
- # Only Execute if AutoRules are defined or if an Alias has been removed.
+ // Only Execute if AutoRules are defined or if an Alias has been removed.
if ($pfb['autorules'] || $pfb['enable'] == "" || $pfb['remove']) {
if (count($deny_inbound) > 0 || count($permit_inbound) > 0 || count($match_inbound) > 0) {
if ($pfb['inbound_interfaces'] == "") {
@@ -2007,9 +2273,9 @@ function sync_package_pfblockerng($cron = "") {
$fmatch_rules = array();
$fother_rules = array();
- # Collect All Existing Rules
+ // Collect All Existing Rules
$rules = $config['filter']['rule'];
- # Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays.
+ // Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays.
if (!empty($rules)) {
foreach ($rules as $rule) {
if (!preg_match("/pfB_.*" . $pfb['suffix'] . "/",$rule['descr'])) {
@@ -2083,7 +2349,7 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Define Inbound Interface Rules
+ // Define Inbound Interface Rules
if (!empty($pfb['inbound_interfaces'])) {
$counter = 0;
foreach ($pfb['inbound_interfaces'] as $inbound_interface) {
@@ -2099,7 +2365,7 @@ function sync_package_pfblockerng($cron = "") {
$new_rules[] = $cb_rules;
}
}
- # Match Inbound Rules defined as Floating Only.
+ // Match Inbound Rules defined as Floating Only.
if (!empty($match_inbound) && $counter == 0) {
foreach ($match_inbound as $cb_rules) {
$cb_rules['interface'] = $pfb['inbound_floating'];
@@ -2144,7 +2410,7 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Define Outbound Interface Rules
+ // Define Outbound Interface Rules
if (!empty($pfb['outbound_interfaces'])) {
$counter = 0;
foreach ($pfb['outbound_interfaces'] as $outbound_interface) {
@@ -2160,7 +2426,7 @@ function sync_package_pfblockerng($cron = "") {
$new_rules[] = $cb_rules;
}
}
- # Match Outbound Rules defined as Floating Only.
+ // Match Outbound Rules defined as Floating Only.
if (!empty($match_outbound) && $counter == 0) {
foreach ($match_outbound as $cb_rules) {
$cb_rules['interface'] = $pfb['outbound_floating'];
@@ -2238,30 +2504,29 @@ function sync_package_pfblockerng($cron = "") {
}
}
- # Save New Rule Order to Config
+ // Save New Rule Order to Config
$config['filter']['rule'] = $new_rules;
}
- $log = "\n {$message} \n";
- pfb_logger("{$log}","1");
+ if (!empty($message)) {
+ $log = "\n {$message}\n";
+ pfb_logger("{$log}","1");
+ }
- # UNSET arrays
+ // UNSET arrays
unset ($cb_rules,$permit_inbound,$permit_outbound,$deny_inbound,$deny_outbound,$match_inbound,$match_outbound);
unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules);
}
+ // Set flag to Update config file.
+ if ($pfb['autorules'] && $rules != $new_rules) {
+ $pfb['cron_mod'] = TRUE;
+ }
#################################
- # Closing Processes #
+ # pfSense Integration #
#################################
- #uncheck Reusing Existing Downloads Check box
- if (!$pfb['save'] && $pfb['enable'] == "on")
- $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = "";
-
- # Save all Changes to pfSense config file
- write_config();
-
- # If 'Rule Changes' are found, utilize the 'filter_configure()' function, if not, utilize 'pfctl replace' command
+ // If 'Rule Changes' are found, utilize the 'filter_configure()' function, if not, utilize 'pfctl replace' command
if ($pfb['autorules'] && $rules != $new_rules || $pfb['enable'] == "" || $pfb['remove']) {
require_once("filter.inc");
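Review bot: `$rules != $new_rules` in the new cron_mod check is evaluated even when the autorules branch above was skipped, and both variables appear to be assigned only inside that branch (`$rules = $config['filter']['rule'];` further up, `$config['filter']['rule'] = $new_rules;` at its end), so on that path the comparison reads undefined variables and the same expression is repeated on the very next `if`. Initialising `$rules = $new_rules = array();` before the branch, or reusing `$pfb['cron_mod']` in the filter-reload condition, makes the intent explicit. Removing `write_config()` here moves the persist to the end of the function, after `filter_configure()` and the XMLRPC sync, which is fine only if those consumers work from the in-memory `$config`; a one-line comment stating that would help, since the old order wrote first. `sync_package_pfblockerng()` continues on both sides of the hunk.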
@@ -2269,79 +2534,88 @@ function sync_package_pfblockerng($cron = "") {
$log = "\n===[ Aliastables / Rules ]================================\n\n";
pfb_logger("{$log}","1");
- $log = "Firewall Rule Changes Found, Applying Filter Reload \n";
+ $log = "Firewall Rule Changes Found, Applying Filter Reload\n";
pfb_logger("{$log}","1");
}
- # Remove all pfBlockerNG Alias tables
+ // Remove all pfBlockerNG Alias tables
if (!empty($aliases_list)) {
foreach ($aliases_list as $table) {
exec ("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $pfb_null);
}
}
- #load filter file which will create the pfctl tables
+ // load filter file which will create the pfctl tables
filter_configure();
// Call function for NanoBSD/Ramdisk processes.
pfb_aliastables("update");
} else {
- # Don't Execute on User 'Save'
+ // Don't Execute on User 'Save'
if (!$pfb['save']) {
- $log = "\n===[ Aliastables / Rules ]================================\n\n";
+ $log = "\n\n===[ Aliastables / Rules ]================================\n\n";
pfb_logger("{$log}","1");
- $log = "No Changes to Firewall Rules, Skipping Filter Reload \n";
+ $log = "No Changes to Firewall Rules, Skipping Filter Reload\n";
pfb_logger("{$log}","1");
// Re-Save Only Aliases that have been updated only.
// When 'Reputation' is used, all Aliases Need to be Updated.
$final_alias = array();
if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") {
- if (!empty($pfb_alias_lists_all))
+ if (!empty($pfb_alias_lists_all)) {
$final_alias = array_unique($pfb_alias_lists_all);
+ }
} else {
- if (!empty($pfb_alias_lists))
+ if (!empty($pfb_alias_lists)) {
$final_alias = array_unique($pfb_alias_lists);
+ }
}
if (!empty($final_alias)) {
foreach ($final_alias as $final) {
- $log = "\n Updating: {$final} \n";
+ $log = "\n Updating: {$final}\n";
pfb_logger("{$log}","1");
$result_pfctl = "";
- exec ("/sbin/pfctl -t " . escapeshellarg($final) . " -T replace -f " . $pfb['aliasdir'] . "/" . escapeshellarg($final) . ".txt 2>&1", $result_pfctl);
- $log = implode($result_pfctl);
+ if (file_exists("{$pfb['aliasdir']}/{$final}.txt")) {
+ exec ("/sbin/pfctl -t " . escapeshellarg($final) . " -T replace -f " . $pfb['aliasdir'] . "/" . escapeshellarg($final) . ".txt 2>&1", $result_pfctl);
+ $log = implode($result_pfctl);
+ }
+ else {
+ $log = "Aliastable file not found\n";
+ }
pfb_logger("{$log}","1");
}
+ pfb_logger("\n","1");
// Call function for NanoBSD/Ramdisk processes.
pfb_aliastables("update");
} else {
- $log = "\nNo Changes to Aliases, Skipping pfctl Update \n";
+ $log = "No Changes to Aliases, Skipping pfctl Update\n";
pfb_logger("{$log}","1");
}
}
}
- # UNSET Variables
+ // UNSET Variables
unset($rules, $new_rules);
- #sync config
+ // sync config
pfblockerng_sync_on_changes();
+
#################################
# FINAL REPORTING #
#################################
- # Only run with CRON or Force Invoked Process
+ // Only run with CRON or Force Invoked Process
if ((!$pfb['save'] && $pfb['dupcheck'] && $pfb['enable'] == "on") || $pfb['summary']) {
- # Script to run Final Script Processes.
+ // Script to run Final Script Processes.
exec ("{$pfb['script']} closing {$pfb['dup']} >> {$pfb['log']} 2>&1");
}
- if ($pfb['enable'] == "on" && !$pfb['save']) {
- $log = "\n\n UPDATE PROCESS ENDED [ NOW ]\n";
+ if ($pfb['enable'] == "on" && !$pfb['save'] || $pfb['summary']) {
+ $log = "\n UPDATE PROCESS ENDED [ NOW ]\n";
pfb_logger("{$log}","1");
}
@@ -2350,32 +2624,40 @@ function sync_package_pfblockerng($cron = "") {
# Define/Apply CRON Jobs #
#########################################
- # Clear any existing pfBlockerNG Cron Jobs
- install_cron_job("pfblockerng.php cron", false);
-
- # Replace Cron job with any User Changes to $pfb_min
+ // Replace Cron job with any User Changes to $pfb_min
if ($pfb['enable'] == "on") {
- # Define pfBlockerNG CRON Job
+ // Define pfBlockerNG CRON Job
$pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1";
- # $pfb['min'] ( User Defined Variable. Variable defined at start of Script )
- $pfb_hour = "*";
+ // $pfb['min'] ( User Defined Variable. Variable defined at start of Script )
+
+ // Define Cron hour (Cron Interval & Start Hour)
+ if ($pfb['interval'] == 1) {
+ $pfb_hour = "*";
+ } elseif ($pfb['interval'] == 24) {
+ $pfb_hour = $pfb['24hour'];
+ } else {
+ $pfb_hour = implode(",", pfb_cron_base_hour());
+ }
+
$pfb_mday = "*";
$pfb_month = "*";
$pfb_wday = "*";
$pfb_who = "root";
- install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who);
+ // Determine if Cron Task requires updating
+ if (!pfblockerng_cron_exists($pfb_cmd, $pfb['min'], $pfb_hour)) {
+ install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who);
+ }
+ }
+ else {
+ // Clear any existing pfBlockerNG Cron Jobs
+ install_cron_job("pfblockerng.php cron", false);
}
-
- # Clear any existing pfBlockerNG MaxMind CRON Job
- install_cron_job("pfblockerng.php dc", false);
if ($pfb['enable'] == "on") {
- # Define pfBlockerNG MaxMind CRON Job
+ // Define pfBlockerNG MaxMind CRON Job
$pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1";
-
- # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website
-
+ // MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website
$pfb_gmin = "0";
$pfb_ghour = rand(0,23);
$pfb_gmday = "1,2,3,4,5,6,7";
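Review bot: When `$pfb['interval'] == 24` the cron hour is taken straight from `$pfb['24hour']` and handed to `install_cron_job()` with no visible range check, while the other two branches produce values the code computes itself. Where `$pfb['24hour']` is set is outside the hunk; if it is a user-selected field, coerce it before use, e.g. `$pfb_hour = (int)$pfb['24hour'];` guarded by `$pfb_hour >= 0 && $pfb_hour <= 23`, so a malformed value cannot produce a crontab entry that never fires or fails to parse. The `}` / `else {` split across two lines at the end of the first block also differs from the cuddled `} else {` used elsewhere in this file.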
@@ -2383,32 +2665,61 @@ function sync_package_pfblockerng($cron = "") {
$pfb_gwday = "2";
$pfb_gwho = "root";
- install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho);
+ // Determine if Cron Task requires updating
+ if (!pfblockerng_cron_exists($pfb_gcmd, $pfb_gmin, 'maxmind')) {
+ install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho);
+ }
+ }
+ else {
+ // Clear any existing pfBlockerNG Cron Jobs
+ install_cron_job("pfblockerng.php dc", false);
+ }
+
+
+ #################################
+ # Closing Processes #
+ #################################
+
+ // uncheck Reusing Existing Downloads Check box
+ if (!$pfb['save'] && $pfb['enable'] == "on" && $pfb['reuse'] == "on") {
+ $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = "";
+ $pfb['cron_mod'] = TRUE;
+ }
+
+ // Only save config.xml changes if changes are found.
+ // Temporay to ensure all conditions are defined before fully enabling this feature
+ if ($pfb['cron_mod'] || !$pfb['cron_mod']) {
+ write_config("pfBlockerNG: Save settings");
}
}
function pfblockerng_validate_input($post, &$input_errors) {
global $config;
+
foreach ($post as $key => $value) {
- if (empty($value))
- continue;
- if ($key == "message_size_limit" && !is_numeric($value))
- $input_errors[] = "Message size limit must be numeric.";
- if ($key == "process_limit" && !is_numeric($value))
- $input_errors[] = "Process limit must be numeric.";
- if ($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0))
- $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'";
- if (substr($key, 0, 2) == "dc" && !is_hostname($value))
- $input_errors[] = "{$value} is not a valid host name.";
- if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) {
- if (!is_domain($value))
- $input_errors[] = "{$value} is not a valid domain name.";
- } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) {
- if (empty($post['domain' . substr($key, 12)]))
- $input_errors[] = "Domain for {$value} cannot be blank.";
- if (!is_ipaddr($value) && !is_hostname($value))
- $input_errors[] = "{$value} is not a valid IP address or host name.";
+
+ if (substr($key, 0, 3) == "url" && is_numeric( substr($key, 3, (strlen($key) - 3))) ) {
+ if (empty($value)) {
+ $input_url_empty = TRUE;
+ continue;
+ }
+ if (substr($value, 0, 1) == ' ') {
+ $input_errors[] = "Leading whitespace not allowed in URL field";
+ }
+ }
+
+ if (substr($key, 0, 6) == "header" && is_numeric( substr($key, 6, (strlen($key) - 6))) ) {
+ if ($input_url_empty && empty($value)) {
+ $input_url_empty = FALSE;
+ continue;
+ }
+ if ($input_url_empty && !empty($value)) {
+ $input_errors[] = "No URL Defined.";
+ }
+ if (substr($value, 0, 1) == ' ' || empty($value)) {
+ $input_errors[] = "Header field must be defined.";
+ }
}
}
}
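Review bot: In `pfblockerng_validate_input()` `$input_url_empty` is never initialised before the loop and is not reset when a later URL field is non-empty, so after one empty-URL/filled-header pair every following header row is also reported as "No URL Defined."; set `$input_url_empty = FALSE;` before the `foreach` and reset it in the non-empty URL branch. The URL check only rejects a leading space, so a value with an unexpected scheme or embedded whitespace passes through to whatever fetches it later; `filter_var($value, FILTER_VALIDATE_URL)` plus an allowed-scheme list would be a cheap guard (the pairing logic also assumes `urlN` is iterated before `headerN`, which depends on form field order). `substr($key, 3, (strlen($key) - 3))` is simply `substr($key, 3)`. Separately, `if ($pfb['cron_mod'] || !$pfb['cron_mod'])` above `write_config()` is always true; if the conditional save is not ready, call `write_config(...)` unconditionally with a TODO rather than a tautology.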
@@ -2422,9 +2733,10 @@ function pfblockerng_php_install_command() {
// Remove previously used CC folder location if exists
@rmdir_recursive("{$pfb['dbdir']}/cc");
- # Uncompress Country Code File
- exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['dbdir']}/countrycodes.tar.bz2");
- # Download MaxMind Files and Create Country Code files and Build Continent XML Files
+ // Uncompress Country Code File
+ @copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2");
+ exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['ccdir']}/countrycodes.tar.bz2");
+ // Download MaxMind Files and Create Country Code files and Build Continent XML Files
update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute..."));
exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1");
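Review bot: The new `@copy()` of countrycodes.tar.bz2 into `$pfb['ccdir']` suppresses and ignores its return value, so when the copy fails the following `tar` silently extracts nothing and the country code files are never created. Check the result and log it: `if (!@copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2")) { log_error("[pfBlockerNG] Failed to copy countrycodes.tar.bz2 to {$pfb['ccdir']}"); }`. It is also not clear from the hunk why the archive must be copied first, since the removed line extracted it from `$pfb['dbdir']` directly; a one-line comment giving the reason (and whether the copy is cleaned up afterwards) would help the next reader. `pfblockerng_php_install_command()` begins before the hunk.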
@@ -2441,7 +2753,7 @@ function pfblockerng_php_install_command() {
@unlink_if_exists("{$pfb['dbdir']}/GeoIPv6.csv");
@unlink_if_exists("{$pfb['dbdir']}/country_continent.csv");
- # Add Widget to Dashboard
+ // Add Widget to Dashboard
update_output_window(gettext("Adding pfBlockerNG Widget to Dashboard."));
if ($pfb['keep'] == "on" && !empty($pfb['widgets'])) {
// Restore previous Widget setting if "Keep" is enabled.
@@ -2463,16 +2775,16 @@ function pfblockerng_php_deinstall_command() {
require_once("config.inc");
global $config,$pfb;
- # Set these two variables to Disable pfBlockerNG on De-Install
+ // Set these two variables to Disable pfBlockerNG on De-Install
$pfb['save'] = TRUE;
$pfb['install'] = TRUE;
sync_package_pfblockerng();
rmdir_recursive("/usr/local/pkg/pfblockerng");
rmdir_recursive("/usr/local/www/pfblockerng");
- # Maintain pfBlockerNG Settings and Database Files if $pfb['keep'] is ON.
+ // Maintain pfBlockerNG Settings and Database Files if $pfb['keep'] is ON.
if ($pfb['keep'] != "on") {
- # Remove pfBlockerNG Log and DB Folder
+ // Remove pfBlockerNG Log and DB Folder
rmdir_recursive("{$pfb['dbdir']}");
rmdir_recursive("{$pfb['logdir']}");
@@ -2485,7 +2797,7 @@ function pfblockerng_php_deinstall_command() {
}
}
- # Remove Settings from Config
+ // Remove Settings from Config
if (is_array($config['installedpackages']['pfblockerng']))
unset($config['installedpackages']['pfblockerng']);
if (is_array($config['installedpackages']['pfblockerngglobal']))
@@ -2518,14 +2830,13 @@ function pfblockerng_php_deinstall_command() {
unset($config['installedpackages']['pfblockerngproxyandsatellite']);
}
- # Remove Widget (code from Snort deinstall)
+ // Remove Widget (code from Snort deinstall)
$pfb['widgets'] = $config['widgets']['sequence'];
if (!empty($pfb['widgets'])) {
$widgetlist = explode(",", $pfb['widgets']);
foreach ($widgetlist as $key => $widget) {
if (strstr($widget, "pfblockerng-container")) {
unset($widgetlist[$key]);
- break;
}
}
$config['widgets']['sequence'] = implode(",", $widgetlist);
@@ -2540,9 +2851,9 @@ function pfblockerng_sync_on_changes() {
// Create Array of Sync Settings and exit if Sync is Disabled.
if (is_array($config['installedpackages']['pfblockerngsync']['config'][0])) {
$pfb_sync = $config['installedpackages']['pfblockerngsync']['config'][0];
- if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "")
+ if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "") {
return;
-
+ }
$synctimeout = $pfb_sync['varsynctimeout'];
} else {
return;
@@ -2553,15 +2864,15 @@ function pfblockerng_sync_on_changes() {
if (is_array($config['installedpackages']['pfblockerngsync']['config'])) {
switch ($pfb_sync['varsynconchanges']) {
case "manual":
- if (is_array($pfb_sync[row])) {
- $rs = $pfb_sync[row];
+ if (is_array($pfb_sync['row'])) {
+ $rs = $pfb_sync['row'];
} else {
- log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ log_error("[pfBlockerNG] Manual XMLRPC sync is enabled but there are no replication targets configured.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
$system_carp = $config['installedpackages']['carpsettings']['config'][0];
$rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['varsyncusername'] = $system_carp['username'];
@@ -2575,11 +2886,11 @@ function pfblockerng_sync_on_changes() {
}
if ($system_carp['synchronizetoip'] == "") {
- log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ log_error("[pfBlockerNG] XMLRPC sync is enabled but there is no sync IP address configured.");
return;
}
} else {
- log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ log_error("[pfBlockerNG] Auto XMLRPC sync is enabled but there are no replication targets configured.");
return;
}
break;
@@ -2605,8 +2916,9 @@ function pfblockerng_sync_on_changes() {
pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
}
}
- if ($success)
+ if ($success) {
log_error("[pfBlockerNG] XMLRPC sync completed successfully.");
+ }
}
}
}
@@ -2639,9 +2951,9 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p
}
/* Test key variables and set defaults if empty */
- if (empty($synctimeout))
+ if (empty($synctimeout)) {
$synctimeout = 150;
-
+ }
$url = "{$protocol}://{$sync_to_ip}";
if ($port == "") { $port = $config['system']['webgui']['port']; };
@@ -2656,26 +2968,37 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p
/* xml will hold the sections to sync */
$xml = array();
// If User Disabled, remove 'General Tab Customizations' from Sync
- if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "")
- $xml['pfblockerng'] = $config['installedpackages']['pfblockerng'];
- $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation'];
- $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4'];
- $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6'];
- $xml['pfblockerngtopspammers'] = $config['installedpackages']['pfblockerngtopspammers'];
- $xml['pfblockerngafrica'] = $config['installedpackages']['pfblockerngafrica'];
- $xml['pfblockerngantartica'] = $config['installedpackages']['pfblockerngantartica'];
- $xml['pfblockerngasia'] = $config['installedpackages']['pfblockerngasia'];
- $xml['pfblockerngeurope'] = $config['installedpackages']['pfblockerngeurope'];
- $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica'];
- $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania'];
- $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica'];
- $xml['pfblockerngproxyandsatellite'] = $config['installedpackages']['pfblockerngproxyandsatellite'];
+ if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") {
+ if (is_array($config['installedpackages']['pfblockerng']))
+ $xml['pfblockerng'] = $config['installedpackages']['pfblockerng'];
+ }
+ if (is_array($config['installedpackages']['pfblockerngreputation']))
+ $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation'];
+ if (is_array($config['installedpackages']['pfblockernglistsv4']))
+ $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4'];
+ if (is_array($config['installedpackages']['pfblockernglistsv6']))
+ $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6'];
+ if (is_array($config['installedpackages']['pfblockerngtopspammers']))
+ $xml['pfblockerngtopspammers'] = $config['installedpackages']['pfblockerngtopspammers'];
+ if (is_array($config['installedpackages']['pfblockerngafrica']))
+ $xml['pfblockerngafrica'] = $config['installedpackages']['pfblockerngafrica'];
+ if (is_array($config['installedpackages']['pfblockerngantartica']))
+ $xml['pfblockerngantartica'] = $config['installedpackages']['pfblockerngantartica'];
+ if (is_array($config['installedpackages']['pfblockerngasia']))
+ $xml['pfblockerngasia'] = $config['installedpackages']['pfblockerngasia'];
+ if (is_array($config['installedpackages']['pfblockerngeurope']))
+ $xml['pfblockerngeurope'] = $config['installedpackages']['pfblockerngeurope'];
+ if (is_array($config['installedpackages']['pfblockerngnorthamerica']))
+ $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica'];
+ if (is_array($config['installedpackages']['pfblockerngoceania']))
+ $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania'];
+ if (is_array($config['installedpackages']['pfblockerngsouthamerica']))
+ $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica'];
+ if (is_array($config['installedpackages']['pfblockerngproxyandsatellite']))
+ $xml['pfblockerngproxyandsatellite'] = $config['installedpackages']['pfblockerngproxyandsatellite'];
/* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
/* set a few variables needed for sync code borrowed from filter.inc */
log_error("[pfBlockerNG] XMLRPC syncing to {$url}:{$port}.");
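Review bot: The twelve `if (is_array(...)) $xml[...] = ...;` pairs that replace the old unconditional assignments are the same statement repeated with a different section name, and each omits the braces this commit adds elsewhere; a loop over the section names keeps the guard in one place so a newly added tab cannot be forgotten. The special case for `pfblockerng` (only synced when `syncinterfaces` is empty) stays as its own test. `pfblockerng_do_xmlrpc_sync()` starts and ends outside the hunk.
```php
	// If User Disabled, remove 'General Tab Customizations' from Sync
	if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") {
		if (is_array($config['installedpackages']['pfblockerng'])) {
			$xml['pfblockerng'] = $config['installedpackages']['pfblockerng'];
		}
	}
	// Sync every other pfBlockerNG section that is present in the config
	$pfb_sync_sections = array('pfblockerngreputation', 'pfblockernglistsv4', 'pfblockernglistsv6',
		'pfblockerngtopspammers', 'pfblockerngafrica', 'pfblockerngantartica', 'pfblockerngasia',
		'pfblockerngeurope', 'pfblockerngnorthamerica', 'pfblockerngoceania',
		'pfblockerngsouthamerica', 'pfblockerngproxyandsatellite');
	foreach ($pfb_sync_sections as $section) {
		if (is_array($config['installedpackages'][$section])) {
			$xml[$section] = $config['installedpackages'][$section];
		}
	}
	// … unchanged: xmlrpc payload assembly …
```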
@@ -2707,4 +3030,4 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p
}
return $success;
}
-?>
+?> \ No newline at end of file
diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php
index 8c0c478d..f69983e2 100644
--- a/config/pfblockerng/pfblockerng.php
+++ b/config/pfblockerng/pfblockerng.php
@@ -146,10 +146,11 @@ function ip_range_to_subnet_array_temp($ip1, $ip2) {
return $out;
}
-# Set php Memory Limit
+// Set php Memory Limit
$uname = posix_uname();
-if ($uname['machine'] == "amd64")
+if ($uname['machine'] == "amd64") {
ini_set('memory_limit', '256M');
+}
function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) {
global $pfb;
@@ -220,13 +221,12 @@ function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) {
}
}
-
if ($argv[1] == 'update') {
sync_package_pfblockerng("cron");
}
if ($argv[1] == 'dc') {
- # (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options.
+ // (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options.
if ($pfb['cc'] == "") {
exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1");
} else {
@@ -251,85 +251,13 @@ if ($argv[1] == 'gc') {
}
if ($argv[1] == 'cron') {
+
+ // Call Base Hour converter
+ $pfb_sch = pfb_cron_base_hour();
+
$hour = date('G');
$dow = date('N');
$pfb['update_cron'] = FALSE;
-
- # Start hour of the 'Once a day' Schedule
- $pfb['dailystart'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_dailystart'];
- # Start hour of the Scheduler
- if ($config['installedpackages']['pfblockerng']['config'][0]['pfb_hour'] != "") {
- $pfb['hour'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_hour'];
- } else {
- $pfb['hour'] = "1";
- }
- $updates = 0;
-
- # 2 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch2 = strval($shour);
- for ($i=0; $i<11; $i++) {
- $shour += 2;
- if ($shour >= 24)
- $shour -= 24;
- $sch2 .= "," . strval($shour);
- }
-
- # 3 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch3 = strval($shour);
- for ($i=0; $i<7; $i++) {
- $shour += 3;
- if ($shour >= 24)
- $shour -= 24;
- $sch3 .= "," . strval($shour);
- }
-
- # 4 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch4 = strval($shour);
- for ($i=0; $i<5; $i++) {
- $shour += 4;
- if ($shour >= 24)
- $shour -= 24;
- $sch4 .= "," . strval($shour);
- }
-
- # 6 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch6 = strval($shour);
- for ($i=0; $i<3; $i++) {
- $shour += 6;
- if ($shour >= 24)
- $shour -= 24;
- $sch6 .= "," . strval($shour);
- }
-
- # 8 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch8 = strval($shour);
- for ($i=0; $i<2; $i++) {
- $shour += 8;
- if ($shour >= 24)
- $shour -= 24;
- $sch8 .= "," . strval($shour);
- }
-
- # 12 Hour Schedule Converter
- $shour = intval(substr($pfb['hour'], 0, 2));
- $sch12 = strval($shour) . ",";
- $shour += 12;
- if ($shour >= 24)
- $shour -= 24;
- $sch12 .= strval($shour);
-
- $e_sch2 = explode(",", $sch2);
- $e_sch3 = explode(",", $sch3);
- $e_sch4 = explode(",", $sch4);
- $e_sch6 = explode(",", $sch6);
- $e_sch8 = explode(",", $sch8);
- $e_sch12 = explode(",", $sch12);
-
$log = " CRON PROCESS START [ NOW ]\n";
pfb_logger("{$log}","1");
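Review bot: The new `$pfb_sch = pfb_cron_base_hour();` call replaces the six inline schedule converters, but nothing at the call site says what it returns or which `$pfb` keys it fills, and the `switch` later in this function reads `$pfb['24hour']` and `$pfb['interval']`, which no visible line sets. A comment above the call such as `// pfb_cron_base_hour(): array of scheduled hours for the configured interval; presumably also sets $pfb['24hour'] and $pfb['interval'] — confirm against pfblockerng.inc` would document that contract where it is relied on. If the helper can return something other than an array (e.g. when no schedule is configured), the later `in_array($hour, $pfb_sch)` only emits a warning and never matches, so `$pfb_sch = (array) pfb_cron_base_hour();` would make the fallback explicit. The enclosing `if ($argv[1] == 'cron')` block starts before the hunk and continues past it.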
@@ -347,8 +275,8 @@ if ($argv[1] == 'cron') {
$header_url = "{$row['header']}_v6";
}
- # Determine Folder Location for Alias (return array $pfbarr)
- pfb_determine_list_detail($list['action']);
+ // Determine Folder Location for Alias (return array $pfbarr)
+ pfb_determine_list_detail($list['action'], "", "", "");
$pfbfolder = $pfbarr['folder'];
$list_cron = $list['cron'];
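Review bot: `pfb_determine_list_detail($list['action'], "", "", "")` passes three positional empty strings whose meaning is not visible at the call site, so a reader cannot tell which parameters are intentionally left unset. Either a short comment naming them, or defaults of `""` on the function side (declared in pfblockerng.inc, outside this diff) so the call can remain `pfb_determine_list_detail($list['action'])`, would make the intent clear. The comment above still says the result comes back through the global `$pfbarr`, which the next line depends on; keep that note accurate now that the function takes more inputs. The surrounding loop starts and ends outside the hunk.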
@@ -361,7 +289,7 @@ if ($argv[1] == 'cron') {
continue;
}
- # Check if List file exists, if not found run Update
+ // Check if List file exists, if not found run Update
if (!file_exists($pfbfolder . '/' . $header_url . '.txt')) {
$log = " Updates Found\n";
pfb_logger("{$log}","1");
@@ -370,42 +298,20 @@ if ($argv[1] == 'cron') {
}
switch ($list_cron) {
- case "01hour":
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "02hours":
- if (in_array($hour, $e_sch2))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "03hours":
- if (in_array($hour, $e_sch3))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "04hours":
- if (in_array($hour, $e_sch4))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "06hours":
- if (in_array($hour, $e_sch6))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "08hours":
- if (in_array($hour, $e_sch8))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
- case "12hours":
- if (in_array($hour, $e_sch12))
- pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
- break;
case "EveryDay":
- if ($hour == $pfb['dailystart'])
+ if ($hour == $pfb['24hour']) {
pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
+ }
break;
case "Weekly":
- if ($hour == $pfb['dailystart'] && $dow == $header_dow)
+ if ($hour == $pfb['24hour'] && $dow == $header_dow) {
pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
+ }
break;
default:
+ if ($pfb['interval'] == "1" || in_array($hour, $pfb_sch)) {
+ pfb_update_check($header_url, $list_url, $url_format, $pfbfolder);
+ }
break;
}
}
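Review bot: The new `default:` branch calls `pfb_update_check()` on the base schedule for every `$list_cron` value other than `EveryDay` and `Weekly`, whereas the removed per-interval cases ignored unrecognised values; a list whose `cron` field is empty or holds a stale value from an older release will now be refreshed whenever the hour is in `$pfb_sch`. If that is intended, say so, e.g. `// Any other value is an interval schedule (01hour ... 12hours) handled by pfb_cron_base_hour()`; otherwise guard the call with a check that `$list_cron` is one of the interval names. `$hour` from `date('G')` is a string, so `in_array($hour, $pfb_sch)` relies on loose comparison against whatever the helper returns; `in_array((int)$hour, $pfb_sch)` would make the integer comparison explicit. The `switch` sits inside a loop whose start and end lie outside the hunk.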
@@ -415,6 +321,30 @@ if ($argv[1] == 'cron') {
}
}
+ // If Continents are Defined, continue with Update Process to determine if further changes are required.
+ $continents = array ( "Africa" => "pfB_Africa",
+ "Antartica" => "pfB_Antartica",
+ "Asia" => "pfB_Asia",
+ "Europe" => "pfB_Europe",
+ "North America" => "pfB_NAmerica",
+ "Oceania" => "pfB_Oceania",
+ "South America" => "pfB_SAmerica",
+ "Top Spammers" => "pfB_Top",
+ "Proxy and Satellite" => "pfB_PS"
+ );
+
+ if (!$pfb['update_cron']) {
+ foreach ($continents as $continent => $pfb_alias) {
+ if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) {
+ $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0];
+ if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") {
+ $pfb['update_cron'] = TRUE;
+ break;
+ }
+ }
+ }
+ }
+
if ($pfb['update_cron']) {
sync_package_pfblockerng("cron");
} else {
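Review bot: In the new continent loop, `$pfb['enable'] == "on"` is loop-invariant and the config key is derived twice by the same regex; hoisting the enable test into the outer condition and computing the key once is clearer and drops the repeated `preg_replace` calls: `if (!$pfb['update_cron'] && $pfb['enable'] == "on") {` / `foreach (array_keys($continents) as $continent) {` / `$key = 'pfblockerng' . strtolower(str_replace(' ', '', $continent));`. The `pfB_*` values of `$continents` are never read in this hunk, so either the map is consumed further down (outside the hunk) or a plain list of names would do. Note that `"Antartica"` has to keep its spelling because the derived key `pfblockerngantartica` is the same key the XMLRPC sync code in pfblockerng.inc reads.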
@@ -423,7 +353,7 @@ if ($argv[1] == 'cron') {
pfb_logger("{$log}","1");
}
- # Call Log Mgmt Function
+ // Call Log Mgmt Function
// If Update GUI 'Manual view' is selected. Last output will be missed. So sleep for 5 secs.
sleep(5);
pfb_log_mgmt();
@@ -438,7 +368,7 @@ function pfblockerng_uc_countries() {
$maxmind_cc4 = "{$pfb['dbdir']}/GeoIPCountryWhois.csv";
$maxmind_cc6 = "{$pfb['dbdir']}/GeoIPv6.csv";
- # Create Folders if not Exist
+ // Create Folders if not Exist
$folder_array = array ("{$pfb['dbdir']}","{$pfb['logdir']}","{$pfb['ccdir']}");
foreach ($folder_array as $folder) {
safe_mkdir ("{$folder}",0755);
@@ -456,7 +386,7 @@ function pfblockerng_uc_countries() {
return;
}
- # Save Date/Time Stamp to MaxMind version file
+ // Save Date/Time Stamp to MaxMind version file
$maxmind_ver = "MaxMind GeoLite Date/Time Stamps \n\n";
$remote_tds = @implode(preg_grep("/Last-Modified/", get_headers("http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip")));
$maxmind_ver .= "MaxMind_v4 \t" . $remote_tds . "\n";
@@ -738,6 +668,7 @@ $xml = <<<EOF
<version>1.0</version>
<title>pfBlockerNG: {$cont}</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save {$cont} settings</addedit_string>
<menu>
<name>pfBlockerNG: {$cont_name}</name>
<tooltiptext>Configure pfBlockerNG</tooltiptext>
@@ -824,44 +755,57 @@ $xml = <<<EOF
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname></fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
</field>
- <field>
- <fielddescr><![CDATA[<br /><strong>IPv4</strong><br />Countries]]></fielddescr>
+ <field>
<fieldname>countries4</fieldname>
- <description>
- <![CDATA[Select IPv4 Countries you want to take an action on.<br />
- <strong>Use CTRL + CLICK to unselect countries</strong>]]>
- </description>
+ <fielddescr><![CDATA[<strong><center>Countries</center></strong><br />
+ <center>Use CTRL + CLICK to unselect countries</center>]]>
+ </fielddescr>
<type>select</type>
<options>
${'options4'}
</options>
<size>${'ftotal4'}</size>
<multiple/>
+
+EOF;
+
+// Adjust combinefields variable if IPv6 is empty.
+if (!empty (${'options6'})) {
+ $xml .= <<<EOF
+ <description><![CDATA[<center><br />IPv4 Countries</center>]]></description>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
</field>
EOF;
+} else {
+ $xml .= <<<EOF
+ <description><![CDATA[<br />IPv4 Countries]]></description>
+ </field>
+
+EOF;
+}
// Skip IPv6 when Null data found
if (!empty (${'options6'})) {
$xml .= <<<EOF
<field>
- <fielddescr><![CDATA[<br /><strong>IPv6</strong><br />Countries]]></fielddescr>
<fieldname>countries6</fieldname>
- <description>
- <![CDATA[Select IPv6 Countries you want to take an action on.<br />
- <strong>Use CTRL + CLICK to unselect countries</strong>]]>
- </description>
+ <description><![CDATA[<br /><center>IPv6 Countries</center>]]></description>
<type>select</type>
<options>
${'options6'}
</options>
<size>${'ftotal6'}</size>
<multiple/>
+ <usecolspan2/>
+ <dontdisplayname/>
+ <combinefields>end</combinefields>
</field>
EOF;
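Review bot: `!empty (${'options6'})` is evaluated twice, once to decide whether the `countries4` field opens a `<combinefields>begin</combinefields>` pair and again to emit the `countries6` field that closes it with `end`; the generated form is only well-formed if both `if` statements take the same branch, and that coupling is invisible to the next editor. Computing it once, `$has_v6 = !empty(${'options6'});`, and testing `$has_v6` in both places makes the dependency explicit. A comment above the first `if`, `// countries4 opens a combinefields pair only when countries6 exists to close it`, would also help. The `$xml` heredoc assembly begins before the hunk.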
@@ -870,7 +814,7 @@ EOF;
$xml .= <<<EOF
<field>
<fielddescr>List Action</fielddescr>
- <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br />
+ <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br />
Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br />
<strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br />
@@ -901,7 +845,7 @@ $xml .= <<<EOF
<li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br />
<li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul>
<strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and use the 'Exact' spelling of
- the Alias (no trailing Whitespace)&nbsp;</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
+ the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule
Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom
Alias Configuration<br />]]>
@@ -928,9 +872,10 @@ $xml .= <<<EOF
<field>
<fielddescr>Enable Logging</fielddescr>
<fieldname>aliaslog</fieldname>
- <description><![CDATA[Default:<strong>Enable</strong><br />
+ <description><![CDATA[Default: <strong>Enable</strong><br />
Select - Logging to Status: System Logs: FIREWALL ( Log )<br />
- This can be overriden by the 'Global Logging' Option in the General Tab.]]></description>
+ This can be overriden by the 'Global Logging' Option in the General Tab.]]>
+ </description>
<type>select</type>
<options>
<option><name>Enable</name><value>enabled</value></option>
@@ -938,9 +883,87 @@ $xml .= <<<EOF
</options>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Changes are Applied via CRON or
- 'Force Update'</ul>]]>
- </name>
+ <name>Advanced Inbound Firewall Rule Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <type>info</type>
+ <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br />
+ <ul>Inbound &nbsp;&nbsp;- 'any' port, 'any' protocol and 'any' destination<br />
+ Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul>
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br />
+ <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]>
+ </description>
+ </field>
+ <field>
+ <fieldname>autoports</fieldname>
+ <fielddescr>Enable Custom Port</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasports</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Define Alias</fielddescr>
+ <fieldname>aliasports</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a>
+ Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>port</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fieldname>autodest</fieldname>
+ <fielddescr>Enable Custom Destination</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasdest,autonot</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fieldname>aliasdest</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a>
+ Do not manually enter Addresses(es). <br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>network</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields/>
+ </field>
+ <field>
+ <fielddescr>Invert</fielddescr>
+ <fieldname>autonot</fieldname>
+ <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br />
+ ie - Not (!) Destination Address(es)</div>]]>
+ </description>
+ <type>checkbox</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fielddescr>Custom Protocol</fielddescr>
+ <fieldname>autoproto</fieldname>
+ <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description>
+ <type>select</type>
+ <options>
+ <option><name>any</name><value></value></option>
+ <option><name>TCP</name><value>tcp</value></option>
+ <option><name>UDP</name><value>udp</value></option>
+ <option><name>TCP/UDP</name><value>tcp/udp</value></option>
+ </options>
+ <size>4</size>
+ <default_value></default_value>
+ </field>
+ <field>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
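Review bot: The new `aliasports` and `aliasdest` fields take free-text alias names that, per their descriptions, feed the inbound auto-rules, yet the constraints stated there ("Do not manually enter port numbers", "Do not use 'pfB_'") are advisory only, and whether the saved value is checked to resolve to an existing alias of the right type before a rule is generated is not visible in this diff. If the package does not already do so, a `custom_php_validation_command` that rejects values which are not existing port/network aliases, and names starting with `pfB_`, would keep a typo from producing a rule against an undefined alias. Also "Addresses(es)" in the `aliasdest` description should read "Address(es)", and `aliasdest` uses a bare `<combinefields/>` while its siblings use explicit `begin`/`end`; if the empty form is deliberate (middle of a combined row), a short comment would save the next reader a check.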
@@ -1042,6 +1065,7 @@ $xmlrep = <<<EOF
<version>1.0</version>
<title>pfBlockerNG: IPv4 Reputation</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save Reputation Settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<tooltiptext>Configure pfblockerNG</tooltiptext>
@@ -1122,14 +1146,13 @@ $xmlrep = <<<EOF
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname></fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
</field>
<field>
<fielddescr><![CDATA[<strong>Why Reputation Matters:</strong>]]></fielddescr>
- <fieldname></fieldname>
<type>info</type>
<description><![CDATA[By Enabling '<strong>Reputation</strong>', each Blocklist will be analyzed for Repeat Offenders in each IP Range.
<ul>Example: &nbsp;&nbsp; x.x.x.1, x.x.x.2, x.x.x.3, x.x.x.4, x.x.x.5<br />
@@ -1150,7 +1173,6 @@ $xmlrep = <<<EOF
<type>listtopic</type>
</field>
<field>
- <fieldname></fieldname>
<fielddescr><![CDATA[<br /><strong>Individual List Reputation</strong><br /><br />]]></fielddescr>
<type>info</type>
<description></description>
@@ -1177,13 +1199,11 @@ $xmlrep = <<<EOF
</options>
</field>
<field>
- <fieldname></fieldname>
<fielddescr><![CDATA[<br /><strong>Collective List Reputation</strong><br /><br />]]></fielddescr>
<type>info</type>
<description></description>
</field>
<field>
- <fieldname></fieldname>
<type>info</type>
<description><![CDATA[Once all Blocklists are Downloaded, these two 'additional' processes <strong>[ pMax ] and [ dMax ]</strong><br />
Can be used to Further analyze for Repeat Offenders.<br />
@@ -1244,7 +1264,6 @@ $xmlrep = <<<EOF
<type>listtopic</type>
</field>
<field>
- <fieldname>INFO</fieldname>
<type>info</type>
<description><![CDATA[When performing Queries for Repeat Offenders, you can choose to <strong>ignore</strong> Repeat Offenders in select
Countries. The Original Blocklisted IPs remain intact. All other Repeat Offending Country Ranges will be processed.<br /><br />
@@ -1286,7 +1305,7 @@ $xmlrep = <<<EOF
</field>
<field>
<fielddescr><![CDATA[<br /><strong>IPv4</strong><br />Country Exclusion<br />
- <br />Geolite Data by:<br />MaxMind Inc.&nbsp;&nbsp;(ISO 3166)]]></fielddescr>
+ <br />Geolite Data by: <br />MaxMind Inc.&nbsp;&nbsp;(ISO 3166)]]></fielddescr>
<fieldname>ccexclude</fieldname>
<description>
<![CDATA[Select Countries you want to <strong>Exclude</strong> from the Reputation Process.<br />
@@ -1305,7 +1324,6 @@ $xmlrep = <<<EOF
</field>
<field>
<fielddescr>Subscription Pro. Blocklist</fielddescr>
- <fieldname>ETINFO</fieldname>
<type>info</type>
<description><![CDATA[<strong>Emerging Threats IQRisk</strong> is a Subscription Professional Reputation List.<br /><br />
ET IQRisk Blocklist must be entered in the Lists Tab using the following example:
@@ -1429,7 +1447,7 @@ $xmlrep = <<<EOF
<field>
<fielddescr>Update ET Categories</fielddescr>
<fieldname>et_update</fieldname>
- <description><![CDATA[Default:<strong>Disable</strong><br />
+ <description><![CDATA[Default: <strong>Disable</strong><br />
Select - Enable ET Update if Category Changes are Made.<br />
You can perform a 'Force Update' to enable these changes.<br />
Cron will also resync this list at the next Scheduled Update.]]>
@@ -1441,8 +1459,8 @@ $xmlrep = <<<EOF
</options>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]></name>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
diff --git a/config/pfblockerng/pfblockerng.priv.inc b/config/pfblockerng/pfblockerng.priv.inc
index 970ab25f..97cf6288 100644
--- a/config/pfblockerng/pfblockerng.priv.inc
+++ b/config/pfblockerng/pfblockerng.priv.inc
@@ -8,8 +8,6 @@ $priv_list['page-firewall-pfblockerng']['descr'] = "Allow access to pfBlockerNG
$priv_list['page-firewall-pfblockerng']['match'] = array();
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_reputation.xml*";
-$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_v4lists.xml*";
-$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_v6lists.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_top20.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_Africa.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_Asia.xml*";
@@ -19,6 +17,10 @@ $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblocker
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_SouthAmerica.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_ProxyandSatellite.xml*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_sync.xml*";
+
+$priv_list['page-firewall-pfblockerng']['match'][] = "pkg.php?xml=pfblockerng/pfblockerng_v4lists.xml*";
+$priv_list['page-firewall-pfblockerng']['match'][] = "pkg.php?xml=pfblockerng/pfblockerng_v6lists.xml*";
+
$priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_update.php*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_alerts.php*";
$priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_log.php*";
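Review bot: Dropping the `pkg_edit.php?xml=pfblockerng/pfblockerng_v4lists.xml*` and `..._v6lists.xml*` patterns in the previous hunk and adding only `pkg.php?xml=...` here narrows the `page-firewall-pfblockerng` privilege to the list index pages; if the per-entry edit form for those lists is still served by `pkg_edit.php` (the page `pkg.php` links to for each row), a user holding only this privilege can see v4/v6 entries but can no longer open or save them. If both pages are needed, keep both patterns, e.g. `$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_v4lists.xml*";` alongside the new `pkg.php` entries. If the edit page was intentionally moved, a comment on the new lines saying so would explain why these two lists are matched differently from every other `pkg_edit.php` entry in this file.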
diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh
index ba0c908b..fcfbcae1 100644
--- a/config/pfblockerng/pfblockerng.sh
+++ b/config/pfblockerng/pfblockerng.sh
@@ -24,7 +24,7 @@ fi
now=$(/bin/date +%m/%d/%y' '%T)
-# Application Paths
+# Application Locations
pathgrepcidr="${prefix}/bin/grepcidr"
pathgeoip="${prefix}/bin/geoiplookup"
@@ -165,7 +165,7 @@ fi
if [ -s "$matchfile" -a ! "$dedup" == "on" -a "$ccwhite" == "match" ]; then
mon=$(sed -e 's/^/^/' -e 's/\./\\\./g' $matchfile)
for ip in $mon; do
- grep $ip $tempfile >> $tempfile2
+ grep $ip $tempfile >> $tempfile2
done
mcount=$(grep -c ^ $tempfile2)
if [ "$ccwhite" == "match" ]; then
@@ -372,7 +372,7 @@ if [ -e "$pfbsuppression" ] && [ -s "$pfbsuppression" ]; then
fi
else
if [ "$cc" == "suppressheader" ]; then
- echo "===[ Suppression Stats ]========================================"; echo
+ echo; echo "===[ Suppression Stats ]========================================"; echo
printf "%-20s %-10s %-10s %-10s %-10s\n" "List" "Pre" "RFC1918" "Suppress" "Masterfile"
echo "----------------------------------------------------------------"
exitnow
@@ -675,7 +675,6 @@ if [ -s $pfborig$alias".gz" ]; then
$pathgunzip -c $pfborig$alias".gz" > $pfborig$alias".raw"
# ET CSV Format (IP, Category, Score)
- echo; echo "Processing [ $alias ]"
while IFS="," read a b c; do
# Some ET Categories are not in use (For Future Use)
case "$b" in
@@ -724,7 +723,7 @@ if [ -s $pfborig$alias".gz" ]; then
esac
done <"$pfborig$alias.raw"
data=$(ls $etdir)
- echo "Compiling ET IP IQRisk REP Lists based upon User Selected Categories"
+ echo; echo "Compiling ET IP IQRisk REP Lists based upon User Selected Categories"
printf "%-10s %-25s\n" " Action" "Category"
echo "-------------------------------------------"
@@ -795,7 +794,7 @@ if [ "$alias" == "on" ]; then
sort -o $masterfile $masterfile
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n $mastercat > $tempfile; mv -f $tempfile $mastercat
- echo; echo; echo "===[ FINAL Processing ]====================================="; echo
+ echo; echo "===[ FINAL Processing ]====================================="; echo
echo " [ Original count ] [ $fcount ]"
count=$(grep -c ^ $masterfile)
echo; echo " [ Processed Count ] [ $count ]"; echo
@@ -976,4 +975,4 @@ case $1 in
exitnow
;;
esac
-exitnow
+exitnow \ No newline at end of file
diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php
index 229e084b..c9522cd7 100644
--- a/config/pfblockerng/pfblockerng.widget.php
+++ b/config/pfblockerng/pfblockerng.widget.php
@@ -15,7 +15,7 @@
snort_alerts.widget.php
Copyright (C) 2009 Jim Pingle
mod 24-07-2012
- mod 28-02-2014 by Bill Meeks
+ mod 28-02-2015 by Bill Meeks
Javascript and Integration modifications by J. Nieuwenhuizen
@@ -42,58 +42,268 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
+$nocsrf = true;
@require_once("/usr/local/www/widgets/include/widget-pfblockerng.inc");
@require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc");
@require_once("guiconfig.inc");
-@require_once("globals.inc");
-@require_once("pfsense-utils.inc");
-@require_once("functions.inc");
pfb_global();
-// Ackwnowlege Failed Downloads
+// Image source definition
+$pfb['down'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif' title='No Rules are Defined using this Alias' alt='' />";
+$pfb['up'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif' title='Rules are Defined using this Alias (# of fw rules defined)' alt='' />";
+$pfb['err'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_wzd_nsaved.png' title='pf Errors found.' alt='' />";
+
+// Alternating line shading
+$pfb['RowOddClass'] = "style='background-color: #FFFFFF;'";
+$pfb['RowEvenClass'] = "style='background-color: #F0F0F0;'";
+$pfb['RowEvenClass2'] = "style='background-color: #D0D0D0;'";
+$pfb['ColClass'] = "listMRr";
+
+$pfb['global'] = &$config['installedpackages']['pfblockerngglobal'];
+
+// Define default widget customizations
+if (!isset($pfb['global']['widget-maxfails'])) {
+ $pfb['global']['widget-maxfails'] = '3';
+}
+if (!isset($pfb['global']['widget-maxpivot'])) {
+ $pfb['global']['widget-maxpivot'] = '200';
+}
+if (!isset($pfb['global']['widget-sortcolumn'])) {
+ $pfb['global']['widget-sortcolumn'] = 'none';
+}
+if (!isset($pfb['global']['widget-sortdir'])) {
+ $pfb['global']['widget-sortdir'] = 'asc';
+}
+if (!isset($pfb['global']['widget-popup'])) {
+ $pfb['global']['widget-popup'] = 'on';
+}
+
+// Collect variables
+if (is_array($pfb['global'])) {
+ $pfb['maxfails'] = $pfb['global']['widget-maxfails'];
+ $pfb['maxpivot'] = $pfb['global']['widget-maxpivot'];
+ $pfb['sortcolumn'] = $pfb['global']['widget-sortcolumn'];
+ $pfb['sortdir'] = $pfb['global']['widget-sortdir'];
+ $pfb['popup'] = $pfb['global']['widget-popup'];
+}
+
+// Save widget customizations
+if ($_POST) {
+ if (is_numeric($_POST['pfb_maxfails'])) {
+ $pfb['global']['widget-maxfails'] = $_POST['pfb_maxfails'];
+ }
+ if (is_numeric($_POST['pfb_maxpivot'])) {
+ $pfb['global']['widget-maxpivot'] = $_POST['pfb_maxpivot'];
+ }
+ if (!empty($_POST['pfb_popup'])) {
+ $pfb['global']['widget-popup'] = $_POST['pfb_popup'];
+ }
+ if (!empty($_POST['pfb_sortcolumn'])) {
+ $pfb['global']['widget-sortcolumn'] = $_POST['pfb_sortcolumn'];
+ }
+ if (!empty($_POST['pfb_sortdir'])) {
+ $pfb['global']['widget-sortdir'] = $_POST['pfb_sortdir'];
+ }
+ write_config("pfBlockerNG: Saved Widget customizations via Dashboard");
+ header("Location: ../../index.php");
+}
+
+// Ackwnowlege failed downloads
if (isset($_POST['pfblockerngack'])) {
- $clear = exec("/usr/bin/sed -i '' 's/FAIL/Fail/g' {$pfb['errlog']}");
+ exec("/usr/bin/sed -i '' 's/FAIL/Fail/g' {$pfb['errlog']}");
header("Location: ../../index.php");
}
-// This function will create the counts
-function pfBlockerNG_get_counts() {
- global $config, $g, $pfb;
+// Called by Ajax to update table contents
+if (isset($_GET['getNewCounts'])) {
+ pfBlockerNG_get_table("js");
+ return;
+}
- // Collect Alias Count and Update Date/Time
+// Sort widget table according to user configuration
+function pfbsort(&$array, $subkey="id", $sort_ascending=FALSE) {
+ if (empty($array)) {
+ return;
+ }
+ if (count($array)) {
+ $temp_array[key($array)] = array_shift($array);
+ }
+
+ foreach ($array as $key => $val) {
+ $offset = 0;
+ $found = FALSE;
+ foreach ($temp_array as $tmp_key => $tmp_val) {
+ if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
+ $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset));
+ $found = TRUE;
+ }
+ $offset++;
+ }
+ if (!$found) {
+ $temp_array = array_merge($temp_array, array($key => $val));
+ }
+ }
+
+ if ($sort_ascending) {
+ $array = array_reverse($temp_array);
+ } else {
+ $array = $temp_array;
+ }
+ return;
+}
+
+// Collect all pfBlockerNG statistics
+function pfBlockerNG_get_counts() {
+ global $config, $pfb;
$pfb_table = array();
- $out = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif' title=\"No Rules are Defined using this Alias\" alt=\"\" />";
- $in = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif' title=\"Rules are Defined using this Alias\" alt=\"\" />";
- if (is_array($config['aliases']['alias'])) {
- foreach ($config['aliases']['alias'] as $cbalias) {
- if (preg_match("/pfB_/", $cbalias['name'])) {
- if (file_exists("{$pfb['aliasdir']}/{$cbalias['name']}.txt")) {
- preg_match("/(\d+)/", exec("/usr/bin/grep -cv \"^1\.1\.1\.1\" {$pfb['aliasdir']}/{$cbalias['name']}.txt"), $matches);
- $pfb_table[$cbalias['name']] = array("count" => $matches[1], "img" => $out);
- $updates = exec("ls -ld {$pfb['aliasdir']}/{$cbalias['name']}.txt | awk '{ print $6,$7,$8 }'", $update);
- $pfb_table[$cbalias['name']]['up'] = $updates;
+
+ /* Alias Table Definitions - 'update' - Last Updated Timestamp
+ 'rule' - Total number of Firewall rules per alias
+ 'count' - Total Line Count per alias
+ 'packets' - Total number of pf packets per alias */
+
+ exec("/sbin/pfctl -vvsTables | grep -A4 'pfB_'", $pfb_pfctl);
+ if (!empty($pfb_pfctl)) {
+ foreach($pfb_pfctl as $line) {
+ $line = trim(str_replace(array( '[', ']' ), '', $line));
+ if (substr($line, 0, 1) == '-') {
+ $pfb_alias = trim(strstr($line, 'pfB', FALSE));
+ if (empty($pfb_alias)) {
+ unset($pfb_alias);
+ continue;
+ }
+ exec("/usr/bin/grep -cv '^1\.1\.1\.1' {$pfb['aliasdir']}/{$pfb_alias}.txt", $match);
+ $pfb_table[$pfb_alias] = array('count' => $match[1], 'img' => $pfb['down']);
+ exec("ls -ld {$pfb['aliasdir']}/{$pfb_alias}.txt | awk '{ print $6,$7,$8 }'", $update);
+ $pfb_table[$pfb_alias]['update'] = $update[0];
+ $pfb_table[$pfb_alias]['rule'] = 0;
+ unset($match, $update);
+ continue;
+ }
+
+ if (isset($pfb_alias)) {
+ if (substr($line, 0, 9) == 'Addresses') {
+ $addr = trim(substr(strrchr($line, ':'), 1));
+ $pfb_table[$pfb_alias]['count'] = $addr;
+ continue;
+ }
+ if (substr($line, 0, 11) == 'Evaluations') {
+ $packets = trim(substr(strrchr($line, ':'), 1));
+ $pfb_table[$pfb_alias]['packets'] = $packets;
+ unset($pfb_alias);
}
}
}
}
+ else {
+ // Error. No pf labels found.
+ $pfb['pfctl'] = TRUE;
+ }
- // Collect if Rules are defined using pfBlockerNG Aliases.
+ // Determine if firewall rules are defined
if (is_array($config['filter']['rule'])) {
foreach ($config['filter']['rule'] as $rule) {
- if (preg_match("/pfB_/",$rule['source']['address']) || preg_match("/pfb_/",$rule['source']['address'])) {
- $pfb_table[$rule['source']['address']]['img'] = $in;
+ // Skip disabled rules
+ if (isset($rule['disabled'])) {
+ continue;
+ }
+ if (stripos($rule['source']['address'], "pfb_") !== FALSE) {
+ $pfb_table[$rule['source']['address']]['img'] = $pfb['up'];
+ $pfb_table[$rule['source']['address']]['rule'] += 1;
}
- if (preg_match("/pfB_/",$rule['destination']['address']) || preg_match("/pfb_/",$rule['destination']['address'])) {
- $pfb_table[$rule['destination']['address']]['img'] = $in;
+ if (stripos($rule['destination']['address'], "pfb_") !== FALSE) {
+ $pfb_table[$rule['destination']['address']]['img'] = $pfb['up'];
+ $pfb_table[$rule['destination']['address']]['rule'] += 1;
}
}
- return $pfb_table;
}
+
+ // Collect packet fence rule numbers
+ exec("/sbin/pfctl -vv -sr | grep 'pfB_'", $pfrules);
+ if (!empty($pfrules)) {
+ foreach ($pfrules as $result) {
+ // Sample : @112(0) block return in log quick on em1 from any to <pfB_PRI1:160323> label "USER_RULE: pfB_PRI1"
+ if (preg_match("/@(\d+)\(\d+\).*\<(pfB_\w+):\d+\>/", $result, $rule)) {
+ $pfb_table[$rule[2]]['rules'] .= $rule[1] . '|';
+ }
+ }
+ }
+
+ // Sort tables per sort customization
+ if ($pfb['sortcolumn'] != "none") {
+ if ($pfb['sortdir'] == "asc") {
+ pfbsort($pfb_table, $pfb['sortcolumn'], TRUE);
+ } else {
+ pfbsort($pfb_table, $pfb['sortcolumn'], FALSE);
+ }
+ }
+ return $pfb_table;
}
-// Status Indicator if pfBlockerNG is Enabled/Disabled
+// Called on initial load and Ajax to update table contents
+function pfBlockerNG_get_table($mode="") {
+ global $pfb;
+ $counter = 0; $dcounter = 1; $response = '';
+
+ $pfb_table = pfBlockerNG_get_counts();
+ if (!empty($pfb_table)) {
+ foreach ($pfb_table as $pfb_alias => $values) {
+ // Add firewall rules count associated with alias
+ $values['img'] = $values['img'] . "<span title='Alias Firewall Rule count' ><small>({$values['rule']})</small></span>";
+
+ // If packet fence errors found, display error.
+ if ($pfb['pfctl']) {
+ $values['img'] = $pfb['err'];
+ }
+
+ // Alias table popup
+ if ($values['count'] > 0 && $pfb['popup'] == "on") {
+ $alias_popup = rule_popup($pfb_alias, '', '', '');
+ $alias_span = $alias_popup['src'];
+ $alias_span_end = $alias_popup['src_end'];
+ }
+ else {
+ $alias_span = '';
+ $alias_span_end = '';
+ }
+
+ // Packet column pivot to Alerts Tab
+ if ($values['packets'] > 0) {
+ $rules = rtrim($values['rules'], '|');
+ if ($values['packets'] > $pfb['maxpivot']) {
+ $aentries = $pfb['maxpivot'];
+ } else {
+ $aentries = $values['packets'];
+ }
+
+ $packets = "<a target='_new' href='/pfblockerng/pfblockerng_alerts.php?rule={$rules}&entries={$aentries}' ";
+ $packets .= "style='text-decoration: underline;' title='Click to view these packets in Alerts tab' >{$values['packets']}</a>";
+ }
+ else {
+ $packets = $values['packets'];
+ }
+
+ if ($mode == "js") {
+ echo $response = $alias_span . $pfb_alias . $alias_span_end . "||" . $values['count'] . "||" . $packets . "||" . $values['update']
+ . "||" . $values['img'] . "\n";
+ }
+ else {
+ $RowClass = $counter % 2 ? $pfb['RowEvenClass'] : $pfb['RowOddClass'];
+ $counter++;
+ echo (" <tr {$RowClass}>
+ <td class='listMRr ellipsis'>" . $alias_span . $pfb_alias . $alias_span_end . "</td>
+ <td class='listMRr' align='center'>{$values['count']}</td>
+ <td class='listMRr' sorttable_customkey='{$values['packets']}' align='center'>{$packets}</td>
+ <td class='listMRr' align='center'>{$values['update']}</td>
+ <td class='listMRr' align='center'>{$values['img']}</td>
+ </tr>");
+ }
+ }
+ }
+}
+
+// Status indicator if pfBlockerNG is enabled/disabled
if ("{$pfb['enable']}" == "on") {
$pfb_status = "/themes/{$g['theme']}/images/icons/icon_pass.gif";
$pfb_msg = "pfBlockerNG is Active.";
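Review bot: `$nocsrf = true;` is added at the top of the widget while the new `if ($_POST)` block below it copies `$_POST` values into `$config` and calls `write_config()`; with the CSRF check disabled, a cross-site form submitted by a logged-in admin's browser can persist widget settings, so the POST-handling path should keep the token check (or the settings should be saved through a CSRF-protected page) unless the dashboard form supplies the token in a way not visible here. The same block ends with `header("Location: ../../index.php");` without `exit;`, so the rest of the widget still renders after the redirect, and because it fires on any POST it also runs, and writes config, for the `pfblockerngack` form handled just below it. `$_POST['pfb_sortcolumn']` and `$_POST['pfb_sortdir']` are stored after only an `!empty()` check; whitelisting them against the values the form offers (the defaults above show `'none'` and `'asc'`) would stop arbitrary keys reaching `pfbsort()` as `$subkey`. In `pfBlockerNG_get_counts()`, `exec("/usr/bin/grep -cv ...", $match)` fills `$match` from index 0, so `'count' => $match[1]` is always undefined (compare `$update[0]` two lines later); the `Addresses` line from pfctl later overwrites it, which masks the bug, and `$pfb_alias` should pass through `escapeshellarg()` before being interpolated into those two commands.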
@@ -102,70 +312,78 @@ if ("{$pfb['enable']}" == "on") {
$pfb_msg = "pfBlockerNG is Disabled.";
}
-// Collect Total IP/Cidr Counts
+// Collect total IP/Cidr counts
$dcount = exec("cat {$pfb['denydir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
$pcount = exec("cat {$pfb['permitdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
$mcount = exec("cat {$pfb['matchdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
$ncount = exec("cat {$pfb['nativedir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
-// Collect Number of Suppressed Hosts
+// Collect number of suppressed hosts
if (file_exists("{$pfb['supptxt']}")) {
$pfbsupp_cnt = exec ("/usr/bin/grep -c ^ {$pfb['supptxt']}");
} else {
$pfbsupp_cnt = 0;
}
-#check rule count
-#(label, evaluations,packets total, bytes total, packets in, bytes in,packets out, bytes out)
-$packets = exec("/sbin/pfctl -s labels", $debug);
-if (!empty($debug)) {
- foreach ($debug as $line) {
- // Auto-Rules start with 'pfB_', Alias Rules should start with 'pfb_' and exact spelling of Alias Name.
- $line = str_replace("pfb_","pfB_",$line);
- if ("{$pfb['pfsenseversion']}" >= '2.2') {
- #USER_RULE: pfB_Top auto rule 8494 17 900 17 900 0 0 0
- if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) {
- if (isset($matches)) {
- ${$matches[1]}+=$matches[2];
- } else {
- ${$matches[1]} = 'Err';
- }
- }
- } else {
- #USER_RULE: pfB_Top auto rule 1656 0 0 0 0 0 0
- if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) {
- if (isset($matches)) {
- ${$matches[1]}+=$matches[2];
- } else {
- ${$matches[1]} = 'Err';
- }
- }
- }
- }
-}
+// Collect any failed downloads
+exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results);
+$results = array_reverse($results);
-// Called by Ajax to update alerts table contents
-if (isset($_GET['getNewCounts'])) {
- $response = "";
- $pfb_table = pfBlockerNG_get_counts();
- if (!empty($pfb_table)) {
- foreach ($pfb_table as $alias => $values){
- if (!isset(${$alias})) { ${$alias} = "-";}
- $response .= $alias . "||" . $values['count'] . "||" . ${$alias} . "||" . $values['up'] . "||" . $values['img'] . "\n";
- }
- echo $response;
- return;
- }
-}
+?>
+ <!-- Widget customization settings icon -->
+ <input type="hidden" id="pfblockerng-config" name="pfblockerng-config" value="" />
+ <div id="pfblockerng-settings" class="widgetconfigdiv" style="display:none;outline: none;">
+ <form action="/widgets/widgets/pfblockerng.widget.php" method="post" name="pfb_iform">
+ <table id="widgettable" class="none" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="22%" class="vncellt" valign="top" align="right" ><input type="checkbox" name="pfb_popup" class="formfld unknown" id="pfb_popup"
+ title="Enabling this option, will Popup a Table showing all of the Alias Table IPs"
+ value="on" <?php if ($pfb['popup'] == "on") echo 'checked'; ?> /></td>
+ <td width="78%" class="listr" ><?=gettext("Enable Alias Table Popup");?></td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncellt" valign="top" ><input type="text" size="3" name="pfb_maxfails" class="formfld unknown" id="pfb_maxfails"
+ title="Tha maximum number of Failed Download Alerts to be shown. Refer to the error.log for add'l details"
+ value="<?= $pfb['maxfails'] ?>" /></td>
+ <td width="78%" class="listr" ><?=gettext("Enter number of download fails to display (default:3)");?></td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncellt" valign="top" ><input type="text" size="3" name="pfb_maxpivot" class="formfld unknown" id="pfb_maxpivot"
+ title="The maximum number of Packets to pivot to the Alerts Tab"
+ value="<?= $pfb['maxpivot'] ?>" /></td>
+ <td width="78%" class="listr" ><?=gettext("Enter 'max' Packets for Alerts Tab pivot (default:200)");?></td>
+ </tr>
+ <tr>
+ <td width="22" class="vncellt" valign="top" >
+ <select name="pfb_sortcolumn" id="pfb_sortcolumn" class="formselect" title="The Column to be sorted" >
+ <?php
+ $pfbsort = array( 'none' => 'None', 'alias' => 'Alias', 'count' => 'Count',
+ 'packets' => 'Packets', 'updated' => 'Updated'
+ );
+ foreach ($pfbsort as $sort => $sorttype): ?>
+ <option value="<?=$sort; ?>" <?php if ($sort == $pfb['sortcolumn']) echo 'selected'; ?> ><?=$sorttype; ?></option>
+ <?php endforeach; ?>
+ </select></td>
+ <td width="78%" class="listr" ><?=gettext("Enter Sort Column");?></td>
+ </tr>
+ </table>
-// Report any Failed Downloads
-$results = array();
-$fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results);
+ <table id="widgettablesummary" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="92%" class="vncellt" >&nbsp;<?=gettext("Sort");?>
+ <input name="pfb_sortdir" type="radio" value="asc" <?php if ($pfb['sortdir'] == "asc") echo 'checked'; ?> />
+ <?=gettext("Ascending");?>
+ <input name="pfb_sortdir" type="radio" value="des" <?php if ($pfb['sortdir'] == "des") echo 'checked'; ?> />
+ <?=gettext("Descending");?></td>
+ <td width="8%" class="vncellt" valign="top" ><input id="pfb_submit" name="pfb_submit" type="submit" class="formbtns" value="Save" /></td>
+ </tr>
+ </table>
+ </form>
+ </div>
-// Print widget Status Bar Items
-?>
+ <!-- Print widget status bar items -->
<div class="marinarea">
- <table border="0" cellspacing="0" cellpadding="0">
+ <table id="pfb_table" border="0" cellspacing="0" cellpadding="0">
<thead>
<tr>
<td valign="middle">&nbsp;<img src="<?= $pfb_status ?>" width="13" height="13" border="0" title="<?=gettext($pfb_msg) ?>" alt="" /></td>
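Review bot: The widget settings form echoes `$pfb['maxfails']` and `$pfb['maxpivot']` straight into attribute values (`value="<?= $pfb['maxfails'] ?>"` and `value="<?= $pfb['maxpivot'] ?>"`) without escaping, and the POST handler that stores them is outside this hunk, so unless it is known to coerce them to integers the output should be `value="<?=htmlspecialchars($pfb['maxfails']); ?>"` and the same for maxpivot. The `$results` array filled by the `exec("grep $(date +%m/%d/%y) ... | grep 'FAIL'", $results)` line is rendered into the fails table further down the file, so it deserves the same treatment at that point. Small wording fix in the maxfails title: `Tha maximum number` should read `The maximum number`.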
@@ -187,12 +405,14 @@ $fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results)
<?=gettext("&nbsp;Supp:"); echo("&nbsp;<strong>" . $pfbsupp_cnt . "</strong>"); ?>
<?php endif; ?></td>
<td valign="middle">&nbsp;&nbsp;</td>
- <td valign="top"><a href="pfblockerng/pfblockerng_log.php"><img src="/themes/<?=$g['theme']; ?>/images/icons/icon_logs.gif" width="13" height="13" border="0" title="<?=gettext("View pfBlockerNG Logs TAB") ?>" alt="" /></a>&nbsp;
+ <td valign="top"><a href="pfblockerng/pfblockerng_log.php"><img src="/themes/<?=$g['theme']; ?>/images/icons/icon_logs.gif"
+ width="13" height="13" border="0" title="<?=gettext("View pfBlockerNG Logs TAB") ?>" alt="" /></a>&nbsp;
<td valign="top">
<?php if (!empty($results)): ?> <!--Hide "Ack" Button when Failed Downloads are Empty-->
<form action="/widgets/widgets/pfblockerng.widget.php" method="post" name="widget_pfblockerng_ack">
<input type="hidden" value="clearack" name="pfblockerngack" />
- <input class="vexpl" type="image" name="pfblockerng_ackbutton" src="/themes/<?=$g['theme']; ?>/images/icons/icon_x.gif" width="14" height="14" border="0" title="<?=gettext("Clear Failed Downloads") ?>"/>
+ <input class="vexpl" type="image" name="pfblockerng_ackbutton" src="/themes/<?=$g['theme']; ?>/images/icons/icon_x.gif"
+ width="14" height="14" border="0" title="<?=gettext("Clear Failed Downloads") ?>"/>
</form>
<?php endif; ?>
</td>
@@ -205,76 +425,53 @@ $fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results)
<tbody id="pfb-fails">
<?php
-if ("{$pfb['pfsenseversion']}" > '2.0') {
- $alertRowEvenClass = "listMReven";
- $alertRowOddClass = "listMRodd";
- $alertColClass = "listMRr";
-} else {
- $alertRowEvenClass = "listr";
- $alertRowOddClass = "listr";
- $alertColClass = "listr";
-}
-
-# Last errors first
-$results = array_reverse($results);
-
+// Report any failed downloads
$counter = 0;
-# Max errors to display
-$maxfailcount = 3;
if (!empty($results)) {
foreach ($results as $result) {
- $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass;
- if (!isset(${$alias})) { ${$alias} = "-";}
- echo(" <tr class='" . $alertRowClass . "'><td class='" . $alertColClass . "'>" . $result . "</td><tr>");
+ $RowClass = $counter % 2 ? $pfb['RowEvenClass'] : $pfb['RowOddClass'];
+ echo(" <tr " . $RowClass . "><td class='" . $pfb['ColClass'] . "'>" . $result . "</td><tr>");
$counter++;
- if ($counter > $maxfailcount) {
- # To many errors stop displaying
- echo(" <tr class='" . $alertRowClass . "'><td class='" . $alertColClass . "'>" . (count($results) - $maxfailcount) . " more error(s)...</td><tr>");
+ if ($counter > $pfb['maxfails']) {
+ // To many errors stop displaying
+ echo(" <tr " . $RowClass . "><td class='" . $pfb['ColClass'] . "'>" . (count($results) - $pfb['maxfails']) . " more error(s)...</td><tr>");
break;
}
}
}
-// Print Main Table Header
?>
+ <!-- Print main table header -->
</tbody>
</table>
- <table id="pfb-tbl" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <table id="pfb-tbl" width="100%" class="sortable" border="0" cellspacing="0" cellpadding="0">
<thead>
- <tr>
- <th class="widgetsubheader" align="center"><?=gettext("Alias");?></th>
- <th title="The count can be a mixture of Single IPs or CIDR values" class="widgetsubheader" align="center"><?=gettext("Count");?></th>
- <th title="Packet Counts can be cleared by the pfSense filter_configure() function. Make sure Rule Descriptions start with 'pfB_'" class="widgetsubheader" align="center"><?=gettext("Packets");?></th>
- <th title="Last Update (Date/Time) of the Alias " class="widgetsubheader" align="center"><?=gettext("Updated");?></th>
- <th class="widgetsubheader" align="center"><?php echo $out; ?><?php echo $in; ?></th>
+ <tr class="sortableHeaderRowIdentifier">
+ <th class="widgetsubheader" axis="string" align="center"><?=gettext("Alias");?></th>
+ <th title="The count can be a mixture of Single IPs or CIDR values" class="widgetsubheader" axis="string"
+ align="center"><?=gettext("Count");?></th>
+ <th title="Packet Counts can be cleared by the pfSense filter_configure() function. Make sure Rule Descriptions start with 'pfB_'"
+ class="widgetsubheader" axis="string" align="center"><?=gettext("Packets");?></th>
+ <th title="Last Update (Date/Time) of the Alias " class="widgetsubheader" axis="string" align="center"><?=gettext("Updated");?></th>
+ <th class="widgetsubheader" axis="string" align="center"><?php echo $pfb['down']; ?><?php echo $pfb['up']; ?></th>
</tr>
</thead>
<tbody id="pfbNG-entries">
-<?php
-// Print Main Table Body
-$pfb_table = pfBlockerNG_get_counts();
-$counter=0;
-if (is_array($pfb_table)) {
- foreach ($pfb_table as $alias => $values) {
- $evenRowClass = $counter % 2 ? " listMReven" : " listMRodd";
- if (!isset(${$alias})) { ${$alias} = "-";}
- echo(" <tr class='" . $evenRowClass . "'>
- <td class='listMRr ellipsis'>{$alias}</td>
- <td class='listMRr' align='center'>{$values['count']}</td>
- <td class='listMRr' align='center'>{${$alias}}</td>
- <td class='listMRr' align='center'>{$values['up']}</td>
- <td class='listMRr' align='center'>{$values['img']}</td>
- </tr>");
- $counter++;
- }
-}
-?>
+<!-- Print main table body, subsequent refresh by javascript function -->
+<?php pfBlockerNG_get_table(); ?>
+
</tbody>
</table>
<script type="text/javascript">
//<![CDATA[
- var pfBlockerNGupdateDelay = 10000; // update every 10000 ms
+<!-- update every 10000 ms -->
+ var pfBlockerNGupdateDelay = 10000;
+
+<!-- needed to display the widget settings menu -->
+ selectIntLink = "pfblockerng-configure";
+ textlink = document.getElementById(selectIntLink);
+ textlink.style.display = "inline";
//]]>
</script> \ No newline at end of file
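Review bot: Each failed-download line is echoed into the table unescaped in both `echo(...)` calls, and both rows are closed with `<tr>` instead of `</tr>`; the old code had the same two problems, but the rewrite is the place to fix them: `echo(" <tr " . $RowClass . "><td class='" . $pfb['ColClass'] . "'>" . htmlspecialchars($result) . "</td></tr>");`, and likewise for the "more error(s)" row. `$result` comes from grep over the error log, whose contents (list names and URLs) are not visible here, so it should be treated as untrusted when written into HTML. As a point of style, the two `<!-- ... -->` lines inside the `//<![CDATA[` script block only work because browsers honour legacy HTML-style comments in JavaScript; plain `// update every 10000 ms` and `// needed to display the widget settings menu` comments are the conventional form.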
diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml
index 67deab8d..218b22e1 100644
--- a/config/pfblockerng/pfblockerng.xml
+++ b/config/pfblockerng/pfblockerng.xml
@@ -49,9 +49,10 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>pfblockerng</name>
- <version>1.08</version>
+ <version>1.09</version>
<title>pfBlockerNG: General Settings</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save General Settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<configfile>pfblockerng.xml</configfile>
@@ -219,45 +220,83 @@
<field>
<fielddescr>LINKS</fielddescr>
<fieldname></fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]></description>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ </description>
<type>info</type>
</field>
<field>
- <fielddescr><![CDATA[<strong>Enable pfBlockerNG</strong>]]></fielddescr>
+ <fielddescr>Enable pfBlockerNG</fielddescr>
<fieldname>enable_cb</fieldname>
<type>checkbox</type>
- <description><![CDATA[Note - with "Keep settings" enabled, pfBlockerNG will maintain run state on Installation/Upgrade<br />
- If "Keep Settings" is not "enabled" on pkg Install/De-Install, all Settings will be Wiped!]]></description>
+ <description><![CDATA[<div style="padding-right: 56px;">Enable/Disable</div>]]></description>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
</field>
<field>
- <fielddescr><![CDATA[<strong>Keep Settings</strong>/Lists After Disable/Re-Install/De-Install]]></fielddescr>
<fieldname>pfb_keep</fieldname>
<type>checkbox</type>
- <description>Keep Settings and Lists intact when pfBlockerNG is Disabled or After pfBlockerNG Re-Install/De-Install</description>
+ <description><![CDATA[Keep Settings: <br /><font color='red'>Note:</font> - with 'Keep settings' enabled, pfBlockerNG will maintain run state
+ on Installation/Upgrade<br />If 'Keep Settings' is not 'enabled' on pkg Install/De-Install, all Settings will be Wiped!<br /><br />
+ <font color='red'>Note: </font>To clear all downloaded lists, uncheck these two checkboxes and 'Save'.
+ re-check both boxes and run a 'Force Update']]>
+ </description>
<default_value>on</default_value>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fielddescr>CRON Settings</fielddescr>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Hour Interval</fielddescr>
+ <fieldname>pfb_interval</fieldname>
+ <description><![CDATA[Default: <strong>Every hour</strong><br />
+ Select the cron Hour Interval. The interval selected will be used with the Start min/hour below.<br />
+ <strong>Ensure that all List 'Update Settings' are within the selected Interval/Start Hour Settings.</strong>]]>
+ </description>
+ <type>select</type>
+ <options>
+ <option><name>Every hour</name><value>1</value></option>
+ <option><name>Every 2 hours</name><value>2</value></option>
+ <option><name>Every 3 hours</name><value>3</value></option>
+ <option><name>Every 4 hours</name><value>4</value></option>
+ <option><name>Every 6 hours</name><value>6</value></option>
+ <option><name>Every 8 hours</name><value>8</value></option>
+ <option><name>Every 12 hours</name><value>12</value></option>
+ <option><name>Once a day</name><value>24</value></option>
+ </options>
+ <default_value>1</default_value>
+ <combinefields/>
</field>
<field>
- <fielddescr>CRON MIN Start Time</fielddescr>
+ <fielddescr>Start Min</fielddescr>
<fieldname>pfb_min</fieldname>
- <description><![CDATA[Default: <strong> : 00</strong><br />
- Select Cron Update Minute ]]></description>
+ <description><![CDATA[Default: <strong>:00</strong><br />
+ Select Cron Update Minute]]>
+ </description>
<type>select</type>
<options>
- <option><name> : 00</name><value>0</value></option>
- <option><name> : 15</name><value>15</value></option>
- <option><name> : 30</name><value>30</value></option>
- <option><name> : 45</name><value>45</value></option>
+ <option><name>: 00</name><value>0</value></option>
+ <option><name>: 15</name><value>15</value></option>
+ <option><name>: 30</name><value>30</value></option>
+ <option><name>: 45</name><value>45</value></option>
</options>
+ <default_value>0</default_value>
+ <combinefields/>
</field>
<field>
- <fielddescr>CRON Base Hour Start Time</fielddescr>
+ <fielddescr>Start Hour</fielddescr>
<fieldname>pfb_hour</fieldname>
- <description><![CDATA[Default: <strong> 1 </strong><br />
- Select Cron Base Start Hour ]]></description>
+ <description><![CDATA[Default: <strong>0</strong><br />
+ Select the Start Hour]]>
+ </description>
<type>select</type>
<options>
- <option><name>1</name><value>0</value></option>
- <option><name>0</name><value>1</value></option>
+ <option><name>0</name><value>0</value></option>
+ <option><name>1</name><value>1</value></option>
<option><name>2</name><value>2</value></option>
<option><name>3</name><value>3</value></option>
<option><name>4</name><value>4</value></option>
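Review bot: The new `pfb_interval` description asks the admin to keep every list's 'Update Settings' within the selected interval and start hour, but nothing in this hunk validates that, and the consequence of a mismatch is not stated; if the cron generation code does not check it either, a sentence such as `Lists whose update frequency falls outside this interval will not be refreshed by cron.` (or whatever the actual behaviour is) would help. Minor wording in the `pfb_keep` description: `re-check both boxes and run a 'Force Update'` begins a sentence in lowercase and lacks a closing period.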
@@ -281,17 +320,17 @@
<option><name>22</name><value>22</value></option>
<option><name>23</name><value>23</value></option>
</options>
+ <default_value>0</default_value>
+ <combinefields/>
</field>
<field>
- <fielddescr>'Daily/Weekly' Start Hour</fielddescr>
+ <fielddescr><![CDATA['Daily/Weekly'<br />Start Hour]]></fielddescr>
<fieldname>pfb_dailystart</fieldname>
- <description><![CDATA[Default: <strong> 1 </strong><br />
- Select 'Daily' Schedule Start Hour <br />
- This is used for the 'Daily/Weekly' Scheduler Only.]]></description>
+ <description><![CDATA[Default: <strong>0</strong><br />This is used for the 'Daily/Weekly' Scheduler Only.]]></description>
<type>select</type>
<options>
- <option><name>1</name><value>0</value></option>
- <option><name>0</name><value>1</value></option>
+ <option><name>0</name><value>0</value></option>
+ <option><name>1</name><value>1</value></option>
<option><name>2</name><value>2</value></option>
<option><name>3</name><value>3</value></option>
<option><name>4</name><value>4</value></option>
@@ -315,6 +354,8 @@
<option><name>22</name><value>22</value></option>
<option><name>23</name><value>23</value></option>
</options>
+ <default_value>0</default_value>
+ <combinefields>end</combinefields>
</field>
<field>
<fielddescr>Enable De-Duplication</fielddescr>
@@ -327,17 +368,20 @@
<fieldname>suppression</fieldname>
<type>checkbox</type>
<description><![CDATA[This will prevent Selected IPs from being Blocked. Only for IPv4 Lists (/32 and /24).<br />
- Country Blocking Lists cannot be Suppressed.<br />
- This will also remove any RFC1918 addresses from all Lists.<br /><br />
+ Country Blocking Lists cannot be Suppressed.<br />This will also remove any RFC1918 addresses from all Lists.<br /><br />
Alerts can be Suppressed using the '+' icon in the Alerts Tab and IPs added to the 'pfBlockerNGSuppress' Alias<br />
- A Blocked IP in a CIDR other than /24 will need to be Suppressed by an 'Permit Outbound' Firewall Rule]]>
+ A Blocked IP in a CIDR other than /32 or /24 will need a 'Whitelist Alias' w/ List Action: 'Permit Outbound' Firewall Rule
+ <br />Do not use the pfBlockerNGSuppress Alias in a Firewall Rule.
+ This alias is used during the cron download process only.]]>
</description>
</field>
<field>
<fielddescr>Global Enable Logging</fielddescr>
<fieldname>enable_log</fieldname>
<type>checkbox</type>
- <description>Enable Global Logging to Status: System Logs: FIREWALL ( Log ). This overrides any Log Settings in the Alias Tabs.</description>
+ <description><![CDATA[Firewall Rule logging - Enable Global Logging to [ Status: System Logs: FIREWALL Log ]<br />
+ This overrides any Log Settings in the Alias Tabs.]]>
+ </description>
</field>
<field>
<fielddescr>Disable MaxMind Country Database CRON Updates</fielddescr>
@@ -350,8 +394,9 @@
<field>
<fielddescr>Logfile Size</fielddescr>
<fieldname>log_maxlines</fieldname>
- <description><![CDATA[Default:<strong>20000</strong><br />
- Select number of Lines to Keep in Log File]]></description>
+ <description><![CDATA[Default: <strong>20000</strong><br />
+ Select number of Lines to keep in the pfblockerng.log and dnsbl.log files]]>
+ </description>
<type>select</type>
<options>
<option><name>20000</name><value>20000</value></option>
@@ -361,72 +406,89 @@
<option><name>100000</name><value>100000</value></option>
<option><name>No Limit</name><value>nolimit</value></option>
</options>
+ <default_value>20000</default_value>
</field>
<field>
- <name><![CDATA[Interface/Rules Configuration]]> </name>
+ <name><![CDATA[Interface/Rules Configuration]]></name>
<type>listtopic</type>
</field>
<field>
- <fielddescr>Inbound Interface(s)</fielddescr>
+ <fielddescr>Inbound Firewall Rules</fielddescr>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
<fieldname>inbound_interface</fieldname>
+ <fielddescr>Interface(s)</fielddescr>
<description>Select the Inbound interface(s) you want to Apply Auto Rules to</description>
<type>interfaces_selection</type>
<hideinterfaceregex>loopback</hideinterfaceregex>
<required/>
<multiple/>
+ <combinefields/>
</field>
<field>
- <fielddescr> - Rule Action</fielddescr>
+ <fielddescr>Rule Action</fielddescr>
<fieldname>inbound_deny_action</fieldname>
- <description><![CDATA[Default:<strong>Block</strong><br />
- Select 'Rule Action' for Inbound Rules]]></description>
+ <description><![CDATA[Default: <strong>Block</strong><br />Select 'Rule Action' for Inbound Rules]]></description>
<type>select</type>
<options>
<option><name>Block</name><value>block</value></option>
<option><name>Reject</name><value>reject</value></option>
</options>
+ <default_value>block</default_value>
+ <required/>
+ <combinefields>end</combinefields>
</field>
<field>
- <fielddescr>Outbound Interface(s)</fielddescr>
+ <fielddescr>Outbound Firewall Rules</fielddescr>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Interface(s)</fielddescr>
<fieldname>outbound_interface</fieldname>
<description>Select the Outbound interface(s) you want to Apply Auto Rules to</description>
<type>interfaces_selection</type>
<hideinterfaceregex>loopback</hideinterfaceregex>
<required/>
<multiple/>
+ <combinefields/>
</field>
<field>
- <fielddescr> - Rule Action</fielddescr>
+ <fielddescr>Rule Action</fielddescr>
<fieldname>outbound_deny_action</fieldname>
- <description><![CDATA[Default:<strong>Reject</strong><br />
- Select 'Rule Action' for Outbound rules]]></description>
+ <description><![CDATA[Default: <strong>Reject</strong><br />Select 'Rule Action' for Outbound rules]]></description>
<type>select</type>
<options>
<option><name>Reject</name><value>reject</value></option>
<option><name>Block</name><value>block</value></option>
</options>
+ <default_value>reject</default_value>
+ <required/>
+ <combinefields>end</combinefields>
</field>
<field>
- <fielddescr><![CDATA[<strong>OpenVPN Interface</strong>]]></fielddescr>
+ <fielddescr>OpenVPN Interface</fielddescr>
<fieldname>openvpn_action</fieldname>
<type>checkbox</type>
<description>Select to add Auto-Rules for OpenVPN. These will be added to 'Floating Rules' or OpenVPN Rules Tab.</description>
</field>
<field>
- <fielddescr><![CDATA[<strong>Floating Rules</strong>]]></fielddescr>
+ <fielddescr>Floating Rules</fielddescr>
<fieldname>enable_float</fieldname>
<type>checkbox</type>
- <description><![CDATA[<strong>Enabled:&nbsp;</strong> Auto-Rules will be generated in the 'Floating Rules' Tab<br /><br />
+ <description><![CDATA[<strong>Enabled:</strong> Auto-Rules will be generated in the 'Floating Rules' Tab<br /><br />
<strong>Disabled:</strong> Auto-Rules will be generated in the Selected Inbound/Outbound Interfaces<br /><br />
- <strong>Rules will be ordered by the selection below.</strong>]]></description>
+ <strong>Rules will be ordered by the selection below.</strong>]]>
+ </description>
</field>
<field>
- <fielddescr><![CDATA[<strong>Rule Order</strong>]]></fielddescr>
+ <fielddescr>Rule Order</fielddescr>
<fieldname>pass_order</fieldname>
- <description><![CDATA[<br />Default Order: <strong> | pfB_Block/Reject | All other Rules | (original format)<br /></strong><br />
+ <description><![CDATA[<br />Default Order:<strong> | pfB_Block/Reject | All other Rules | (original format)<br /></strong><br />
Select The '<strong>Order</strong>' of the Rules<br />
&nbsp;&nbsp;Selecting 'original format', sets pfBlockerNG rules at the top of the Firewall TAB.<br />
- &nbsp;&nbsp;Selecting any other 'Order' will re-order <strong>all the Rules to the format indicated!</strong>]]></description>
+ &nbsp;&nbsp;Selecting any other 'Order' will re-order <strong>all the Rules to the format indicated!</strong>]]>
+ </description>
<type>select</type>
<options>
<option><name>| pfB_Block/Reject | All other Rules | (original format)</name><value>order_0</value></option>
@@ -434,48 +496,48 @@
<option><name>| pfB_Pass/Match | pfSense Pass/Match | pfB_Block/Reject |</name><value>order_2</value></option>
<option><name>| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |</name><value>order_3</value></option>
</options>
+ <default_value>order_0</default_value>
</field>
<field>
- <fielddescr><![CDATA[<strong>Auto Rule Suffix</strong>]]></fielddescr>
+ <fielddescr>Auto Rule Suffix</fielddescr>
<fieldname>autorule_suffix</fieldname>
- <description><![CDATA[Default:<strong>auto rule</strong><br />
- Select 'Auto Rule' Description Suffix for Auto Defined rules. pfBlockerNG Must be Disabled to Modify Suffix]]></description>
+ <description><![CDATA[Default: <strong>auto rule</strong><br />
+ Select 'Auto Rule' Description Suffix for Auto Defined rules. pfBlockerNG Must be Disabled to Modify Suffix]]>
+ </description>
<type>select</type>
<options>
<option><name>auto rule</name><value>autorule</value></option>
<option><name>Null (no suffix)</name><value>standard</value></option>
<option><name>AR</name><value>ar</value></option>
</options>
+ <default_value>autorule</default_value>
</field>
<field>
- <name><![CDATA[Acknowledgements]]> </name>
+ <name><![CDATA[Acknowledgements]]></name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Credits</fielddescr>
<fieldname>credits</fieldname>
<type>info</type>
- <description><![CDATA[<strong>
- pfBlockerNG</strong> Created in 2015 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a>
- <br /><br />Based upon pfBlocker by Marcello Coutinho and Tom Schaefer.<br />
+ <description><![CDATA[<strong>pfBlockerNG </strong>
+ Created in 2015 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a><br /><br />
+ Based upon pfBlocker by Marcello Coutinho and Tom Schaefer.<br />
Country Database GeoLite distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License by:
MaxMind Inc. @ <a target=_new href='http://www.maxmind.com'>MaxMind.com</a>.
- The Database is Automatically Updated the First Tuesday of Each Month]]></description>
- </field>
- <field>
- <fielddescr>pfBlocker Validation Check</fielddescr>
- <fieldname>pfblocker_cb</fieldname>
- <type>checkbox</type>
- <description>Disable pfBlockerNG if the pfBlocker package is Enabled. Click to Disable this validation check.</description>
+ The Database is Automatically Updated the First Tuesday of Each Month]]>
+ </description>
</field>
<field>
- <fielddescr>Gold Membership</fielddescr>
+ <fielddescr>Support</fielddescr>
<type>info</type>
- <description><![CDATA[If you like this package, please Support pfSense by subscribing to a <a target=_new href='https://portal.pfsense.org/gold-subscription.php'>Gold Membership</a><br /> or support the developer @ BBCan177@gmail.com]]></description>
+ <description><![CDATA[This package has been developed by BBcan177.<br />
+ If you like this package, please support the developer @ BBCan177@gmail.com.]]>
+ </description>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]></name>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
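Review bot: Removing the `pfblocker_cb` field drops the only GUI control for the "pfBlocker Validation Check", while upgraded installs may still carry a stored `pfblocker_cb` value in their config. Whether pfblockerng.inc still consults that setting is not visible in this diff, so please confirm the corresponding check was removed or now ignores the orphaned value, and consider a short note in the commit description explaining why the option was dropped.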
@@ -493,4 +555,4 @@
$pfb['save'] = TRUE;
sync_package_pfblockerng();
</custom_php_resync_config_command>
-</packagegui>
+</packagegui> \ No newline at end of file
diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php
index 0b251295..bfb15c07 100644
--- a/config/pfblockerng/pfblockerng_alerts.php
+++ b/config/pfblockerng/pfblockerng_alerts.php
@@ -57,7 +57,7 @@ if (isset($_REQUEST['getpfhostname'])) {
require_once("util.inc");
require_once("guiconfig.inc");
require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc");
-global $rule_list;
+global $rule_list, $pfb_localsub;
pfb_global();
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
@@ -69,26 +69,25 @@ if ($pfs_version == "2.2") {
}
// Application Paths
-$pathgeoip = $prefix . "/bin/geoiplookup";
-$pathgeoip6 = $prefix . "/bin/geoiplookup6";
+$pathgeoip = "{$prefix}/bin/geoiplookup";
+$pathgeoip6 = "{$prefix}/bin/geoiplookup6";
// Define File Locations
$filter_logfile = "{$g['varlog_path']}/filter.log";
-$pathgeoipdat = $prefix . "/share/GeoIP/GeoIP.dat";
-$pathgeoipdat6 = $prefix . "/share/GeoIP/GeoIPv6.dat";
-
-// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package)
-$pfb['filterlogentries'] = FALSE;
+$pathgeoipdat = "{$prefix}/share/GeoIP/GeoIP.dat";
+$pathgeoipdat6 = "{$prefix}/share/GeoIP/GeoIPv6.dat";
// Emerging Threats IQRisk Header Name Reference
$pfb['et_header'] = TRUE;
$et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header'];
-if (empty($et_header))
+if (empty($et_header)) {
$pfb['et_header'] = FALSE;
+}
// Collect pfBlockerNGSuppress Alias and Create pfbsuppression.txt
-if ($pfb['supp'] == "on")
+if ($pfb['supp'] == "on") {
pfb_create_suppression_file();
+}
// Collect Number of Suppressed Hosts
if (file_exists("{$pfb['supptxt']}")) {
@@ -97,62 +96,88 @@ if (file_exists("{$pfb['supptxt']}")) {
$pfbsupp_cnt = 0;
}
-// Collect pfBlockerNG Rule Names and Number
-$rule_list = array();
-$results = array();
-$data = exec ("/sbin/pfctl -vv -sr | grep 'pfB_'", $results);
-
-if (!isset($config['installedpackages']['pfblockerngglobal']['pfbdenycnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = '25';
-if (!isset($config['installedpackages']['pfblockerngglobal']['pfbpermitcnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = '5';
-if (!isset($config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = '5';
-if (empty($config['installedpackages']['pfblockerngglobal']['alertrefresh']))
- $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = 'off';
-if (empty($config['installedpackages']['pfblockerngglobal']['hostlookup']))
- $config['installedpackages']['pfblockerngglobal']['hostlookup'] = 'off';
+$pfb['global'] = &$config['installedpackages']['pfblockerngglobal'];
-if (isset($_POST['save'])) {
- if (!is_array($config['installedpackages']['pfblockerngglobal']))
- $config['installedpackages']['pfblockerngglobal'] = array();
- $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = $_POST['alertrefresh'] ? 'on' : 'off';
- $config['installedpackages']['pfblockerngglobal']['hostlookup'] = $_POST['hostlookup'] ? 'on' : 'off';
- if (is_numeric($_POST['pfbdenycnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = $_POST['pfbdenycnt'];
- if (is_numeric($_POST['pfbpermitcnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = $_POST['pfbpermitcnt'];
- if (is_numeric($_POST['pfbmatchcnt']))
- $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = $_POST['pfbmatchcnt'];
+if (!isset($pfb['global']['pfbdenycnt'])) {
+ $pfb['global']['pfbdenycnt'] = '25';
+}
+if (!isset($pfb['global']['pfbpermitcnt'])) {
+ $pfb['global']['pfbpermitcnt'] = '5';
+}
+if (!isset($pfb['global']['pfbmatchcnt'])) {
+ $pfb['global']['pfbmatchcnt'] = '5';
+}
+if (!isset($pfb['global']['pfbdnscnt'])) {
+ $pfb['global']['pfbdnscnt'] = '5';
+}
+if (empty($pfb['global']['alertrefresh'])) {
+ $pfb['global']['alertrefresh'] = 'off';
+}
+if (empty($pfb['global']['hostlookup'])) {
+ $pfb['global']['hostlookup'] = 'off';
+}
+if (isset($_POST['save'])) {
+ if (!is_array($pfb['global'])) {
+ $pfb['global'] = array();
+ }
+ $pfb['global']['alertrefresh'] = $_POST['alertrefresh'] ? 'on' : 'off';
+ $pfb['global']['hostlookup'] = $_POST['hostlookup'] ? 'on' : 'off';
+ if (is_numeric($_POST['pfbdenycnt'])) {
+ $pfb['global']['pfbdenycnt'] = $_POST['pfbdenycnt'];
+ }
+ if (is_numeric($_POST['pfbpermitcnt'])) {
+ $pfb['global']['pfbpermitcnt'] = $_POST['pfbpermitcnt'];
+ }
+ if (is_numeric($_POST['pfbmatchcnt'])) {
+ $pfb['global']['pfbmatchcnt'] = $_POST['pfbmatchcnt'];
+ }
+ if (is_numeric($_POST['pfbdnscnt'])) {
+ $pfb['global']['pfbdnscnt'] = $_POST['pfbdnscnt'];
+ }
write_config("pfBlockerNG pkg: updated ALERTS tab settings.");
header("Location: " . $_SERVER['PHP_SELF']);
exit;
}
-if (is_array($config['installedpackages']['pfblockerngglobal'])) {
- $alertrefresh = $config['installedpackages']['pfblockerngglobal']['alertrefresh'];
- $hostlookup = $config['installedpackages']['pfblockerngglobal']['hostlookup'];
- $pfbdenycnt = $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'];
- $pfbpermitcnt = $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'];
- $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'];
+if (is_array($pfb['global'])) {
+ $alertrefresh = $pfb['global']['alertrefresh'];
+ $hostlookup = $pfb['global']['hostlookup'];
+ $pfbdenycnt = $pfb['global']['pfbdenycnt'];
+ $pfbpermitcnt = $pfb['global']['pfbpermitcnt'];
+ $pfbmatchcnt = $pfb['global']['pfbmatchcnt'];
+ $pfbdnscnt = $pfb['global']['pfbdnscnt'];
+}
+
+
+// Define Alerts Log filter Rollup window variable and collect Widget Alert Pivot details
+if (isset($_REQUEST['rule'])) {
+ $filterfieldsarray[0] = $_REQUEST['rule'];
+ $pfbdenycnt = $pfbpermitcnt = $pfbmatchcnt = $_REQUEST['entries'];
+ $pfb['filterlogentries'] = TRUE;
+}
+else {
+ $pfb['filterlogentries'] = FALSE;
}
function pfb_match_filter_field($flent, $fields) {
foreach ($fields as $key => $field) {
- if ($field == null)
+ if ($field == null) {
continue;
+ }
if ((strpos($field, '!') === 0)) {
$field = substr($field, 1);
$field_regex = str_replace('/', '\/', str_replace('\/', '/', $field));
- if (@preg_match("/{$field_regex}/i", $flent[$key]))
+ if (@preg_match("/{$field_regex}/i", $flent[$key])) {
return false;
+ }
}
else {
$field_regex = str_replace('/', '\/', str_replace('\/', '/', $field));
- if (!@preg_match("/{$field_regex}/i", $flent[$key]))
+ if (!@preg_match("/{$field_regex}/i", $flent[$key])) {
return false;
+ }
}
}
return true;
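Review bot: The new widget-pivot block (L5470–L5474) copies `$_REQUEST['rule']` and `$_REQUEST['entries']` straight into the filter array and the three count variables, while the `$_POST['save']` path just above only accepts counts that pass `is_numeric`; `entries` then flows unchecked into `conv_log_filter_lite()` and the per-table `$pfbentries == 0` test, and `rule` is used by `pfb_match_filter_field()` as a regular expression against the rule-number field, now reachable from a plain GET link as well as the form. Since field 0 is documented on this page as "Rule Number Only", validating both as numbers keeps the pivot working and closes the gap: `if (isset($_REQUEST['rule']) && ctype_digit((string) $_REQUEST['rule'])) {` and, inside it, `if (is_numeric($_REQUEST['entries'])) { $pfbdenycnt = $pfbpermitcnt = $pfbmatchcnt = $_REQUEST['entries']; }`. Separately, the `if (!is_array($pfb['global']))` test at L5432 sits after the defaults at L5413–L5430 have already been written through the reference, so it can no longer be false there and could be moved above the defaults or dropped.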
@@ -185,23 +210,22 @@ if ($_POST['filterlogentries_clear']) {
}
-// Collect pfBlockerNG Firewall Rules
+// Collect pfBlockerNG Rule Names and Number
+$rule_list = array();
+exec("/sbin/pfctl -vv -sr | grep 'pfB_'", $results);
if (!empty($results)) {
foreach ($results as $result) {
- # Find Rule Descriptions
+ // Find Rule Descriptions
$descr = "";
- if (preg_match("/USER_RULE: (\w+)/",$result,$desc))
+ if (preg_match("/USER_RULE: (\w+)/",$result,$desc)) {
$descr = $desc[1];
-
- if ($pfb['pfsenseversion'] >= '2.2') {
- preg_match ("/@(\d+)\(/",$result, $rule);
- } else {
- preg_match ("/@(\d+)\s/",$result, $rule);
}
+ preg_match ("/@(\d+)\(/",$result, $rule);
+
$id = $rule[1];
- # Create array of Rule Description and pfctl Rule Number
+ // Create array of Rule Description and pfctl Rule Number
$rule_list['id'][] = $id;
$rule_list[$id]['name'] = $descr;
}
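Review bot: The unconditional `preg_match("/@(\d+)\(/", $result, $rule)` at L5521 leaves `$rule` untouched when a pfctl line does not match, so `$id = $rule[1]` on the next line silently reuses the previous iteration's number and attaches this line's description to the wrong rule id; `if (!preg_match("/@(\d+)\(/", $result, $rule)) { continue; }` avoids that. The rewrite also dropped the `$results = array();` that preceded the `exec()` call in the old code; `exec()` appends to an array that already has elements, so unless `$results` is provably unused earlier in the page the initializer should be kept on the line before L5506.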
@@ -291,8 +315,9 @@ if (isset($_POST['addsuppress'])) {
}
// Call Function to Create Suppression Alias if not found.
- if (!$pfb['found'])
+ if (!$pfb['found']) {
pfb_create_suppression_alias();
+ }
// Save New Suppress IP to pfBlockerNGSuppress Alias
if (in_array($ip . '/' . $cidr, $pfb_sup_list)) {
@@ -332,12 +357,13 @@ if (isset($_POST['addsuppress'])) {
if ($pfb['found'] || $pfb['update']) {
// Save all Changes to pfsense config file
- write_config();
+ write_config("pfBlockerNG: Added {$ip} to IP Suppress List");
}
}
}
}
+
// Host Resolve Function lookup
function getpfbhostname($type = 'src', $hostip, $countme = 0) {
$hostnames['src'] = '';
@@ -347,10 +373,18 @@ function getpfbhostname($type = 'src', $hostip, $countme = 0) {
}
-// Determine if Alert Host 'Dest' is within the Local Lan IP Range.
-function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") {
- $result = check_subnets_overlap($lan_ip, $lan_mask, $dest_ip, $dest_mask);
- return $result;
+// For subnet addresses - Determine if Alert Host 'Dest' is within a Local IP Range.
+function ip_in_pfb_localsub($subnet) {
+ global $pfb_localsub;
+
+ if (!empty($pfb_localsub)) {
+ foreach ($pfb_localsub as $line) {
+ if (ip_in_subnet($subnet, $line)) {
+ return true;
+ }
+ }
+ }
+ return false;
}
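Review bot: The parameter of `ip_in_pfb_localsub()` is named `$subnet` although it carries the single address being tested (it is passed as the first argument of `ip_in_subnet`, and the call site later in this file hands it the alert's destination address), which reads backwards next to `$line`, the actual subnet; renaming it `$ip` would match what it holds. A one-line header would also help readers who meet it from the output loop, e.g. `// Returns true when $ip lies inside any local subnet collected into $pfb_localsub (prefixes shorter than /24 that were not expanded into $pfb_local).` Whether `ip_in_subnet()` handles IPv6 entries, should any reach `$pfb_localsub`, is not visible here and would be worth a note.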
@@ -373,16 +407,18 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi
$pfbalert = array();
$log_split = "";
- if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split))
+ if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split)) {
continue;
+ }
list($all, $pfbalert[99], $host, $rule) = $log_split;
$rule_data = explode(",", $rule);
$pfbalert[0] = $rule_data[0]; // Rulenum
// Skip Alert if Rule is not a pfBNG Alert
- if (!in_array($pfbalert[0], $rule_list['id']))
+ if (!in_array($pfbalert[0], $rule_list['id'])) {
continue;
+ }
$pfbalert[1] = $rule_data[4]; // Realint
$pfbalert[3] = $rule_data[6]; // Act
@@ -415,8 +451,9 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi
}
// Skip Repeated Alerts
- if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip)
+ if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
continue;
+ }
$pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name
$pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags
@@ -474,12 +511,14 @@ include_once("head.inc");
include_once("fbegin.inc");
/* refresh every 60 secs */
-if ($alertrefresh == 'on')
+if ($alertrefresh == 'on') {
echo "<meta http-equiv=\"refresh\" content=\"60;url={$_SERVER['PHP_SELF']}\" />\n";
+}
if ($savemsg) {
print_info_box($savemsg);
}
+$skipcount = 0; $counter = 0;
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
@@ -518,17 +557,22 @@ if ($savemsg) {
<tr>
<td width="10%" class="vncell"><?php echo gettext('Alert Settings'); ?></td>
<td width="90%" class="vtable">
- <input name="pfbdenycnt" type="text" class="formfld unknown" id="pdbdenycnt" size="1" title="Enter the number of 'Deny' Alerts to Show" value="<?=htmlspecialchars($pfbdenycnt);?>"/>
+ <input name="pfbdenycnt" type="text" class="formfld unknown" id="pdbdenycnt" size="1"
+ title="Enter the number of 'Deny' Alerts to Show" value="<?=htmlspecialchars($pfbdenycnt);?>"/>
<?php printf(gettext('%sDeny%s.&nbsp;&nbsp;') , '<strong>', '</strong>'); ?>
- <input name="pfbpermitcnt" type="text" class="formfld unknown" id="pdbpermitcnt" size="1" title="Enter the number of 'Permit' Alerts to Show" value="<?=htmlspecialchars($pfbpermitcnt);?>"/>
+ <input name="pfbpermitcnt" type="text" class="formfld unknown" id="pdbpermitcnt" size="1"
+ title="Enter the number of 'Permit' Alerts to Show" value="<?=htmlspecialchars($pfbpermitcnt);?>"/>
<?php printf(gettext('%sPermit%s.&nbsp;&nbsp;'), '<strong>', '</strong>'); ?>
- <input name="pfbmatchcnt" type="text" class="formfld unknown" id="pdbmatchcnt" size="1" title="Enter the number of 'Match' Alerts to Show" value="<?=htmlspecialchars($pfbmatchcnt); ?>"/>
+ <input name="pfbmatchcnt" type="text" class="formfld unknown" id="pdbmatchcnt" size="1"
+ title="Enter the number of 'Match' Alerts to Show" value="<?=htmlspecialchars($pfbmatchcnt); ?>"/>
<?php printf(gettext('%sMatch%s.'), '<strong>', '</strong>'); ?>
- <?php echo gettext('&nbsp;&nbsp;&nbsp;&nbsp;Click to Auto-Refresh');?>&nbsp;&nbsp;<input name="alertrefresh" type="checkbox" value="on" title="Click to enable Auto-Refresh of this Tab once per minute"
+ <?php echo gettext('&nbsp;&nbsp;&nbsp;&nbsp;Click to Auto-Refresh');?>&nbsp;&nbsp;<input name="alertrefresh" type="checkbox" value="on"
+ title="Click to enable Auto-Refresh of this Tab once per minute"
<?php if ($config['installedpackages']['pfblockerngglobal']['alertrefresh']=="on") echo "checked"; ?>/>&nbsp;
- <?php echo gettext('&nbsp;Click to Auto-Resolve');?>&nbsp;&nbsp;<input name="hostlookup" type="checkbox" value="on" title="Click to enable Auto-Resolve of Hostnames. Country Blocks/Permit/Match Lists will not auto-resolve"
+ <?php echo gettext('&nbsp;Click to Auto-Resolve');?>&nbsp;&nbsp;<input name="hostlookup" type="checkbox" value="on"
+ title="Click to enable Auto-Resolve of Hostnames. Country Blocks/Permit/Match Lists will not auto-resolve"
<?php if ($config['installedpackages']['pfblockerngglobal']['hostlookup']=="on") echo "checked"; ?>/>&nbsp;&nbsp;&nbsp;
<input name="save" type="submit" class="formbtns" value="Save" title="<?=gettext('Save settings');?>"/><br />
@@ -542,7 +586,8 @@ if ($savemsg) {
<tr id="filter_enable_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "table-row;";} else {echo "none;";} ?>">
<td width="10%" class="vncell"><?php echo gettext('Filter Options'); ?></td>
<td width="90%" class="vtable">
- <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" />
+ <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>"
+ onclick="enable_showFilter();" />
&nbsp;&nbsp;<?=gettext("Click to display advanced filtering options dialog");?>
</td>
</tr>
@@ -552,48 +597,67 @@ if ($savemsg) {
<tr>
<td valign="top">
<div align="center"><?=gettext("Date");?></div>
- <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div>
+ <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search"
+ type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div>
</td>
<td valign="top">
- <div align="center"><?=gettext("Interface");?></div>
- <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div>
+ <div align="center"><?=gettext("Source IP Address");?></div>
+ <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search"
+ type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div>
</td>
<td valign="top">
- <div align="center"><?=gettext("Rule Number Only");?></div>
- <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div>
+ <div align="center"><?=gettext("Source Port");?></div>
+ <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search"
+ type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div>
</td>
<td valign="top">
- <div align="center"><?=gettext("Protocol");?></div>
- <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div>
+ <div align="center"><?=gettext("Interface");?></div>
+ <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search"
+ type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div>
</td>
</tr>
<tr>
<td valign="top">
- <div align="center"><?=gettext("Source IP Address");?></div>
- <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div>
- </td>
- <td valign="top">
- <div align="center"><?=gettext("Source Port");?></div>
- <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div>
+ <div align="center"><?=gettext("Rule Number Only");?></div>
+ <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search"
+ type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div>
</td>
<td valign="top">
<div align="center"><?=gettext("Destination IP Address");?></div>
- <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div>
+ <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search"
+ type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div>
</td>
<td valign="top">
<div align="center"><?=gettext("Destination Port");?></div>
- <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div>
+ <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search"
+ type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Protocol");?></div>
+ <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search"
+ type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div>
+ </td>
+ <td valign="top" colspan="3">
+ &nbsp;
</td>
</tr>
- <td colspan="5" style="vertical-align:bottom">
- <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?>&nbsp;&nbsp; <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?>
+ <tr>
+ <td colspan="3" style="vertical-align:bottom">
+ <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '
+ <a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?>&nbsp;&nbsp;
+ <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?>
<br /><?printf(gettext("Example: ( ^80$ - Match Port 80, ^80$|^8080$ - Match both port 80 & 8080 ) "));?><br />
+ </td>
</tr>
<tr>
- <td colspan="1" style="vertical-align:bottom">
- <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" />
- &nbsp;&nbsp;&nbsp;<input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" />
- &nbsp;&nbsp;&nbsp;<input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div>
+ <td colspan="3" style="vertical-align:bottom">
+ <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit"
+ class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" />
+ &nbsp;&nbsp;&nbsp;<input id="filterlogentries_clear" name="filterlogentries_clear" type="submit"
+ class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" />
+ &nbsp;&nbsp;&nbsp;<input id="filterlogentries_hide" name="filterlogentries_hide" type="button"
+ class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();"
+ title="<?=gettext("Hide filter options");?>" /></div>
</td>
</tr>
</table>
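Review bot: The re-added filter inputs at L5651, L5658, L5665, L5672, L5685, L5691, L5697 and L5702 still echo `$filterfieldsarray[...]` into the `value` attribute without escaping, whereas the count inputs in the previous hunk wrap theirs in `htmlspecialchars`. This matters more after this commit because `$filterfieldsarray[0]` is now also populated from `$_REQUEST['rule']`, so the reflected value can arrive through a link rather than only through the page's own submitted form. Each of these should become `value="<?=htmlspecialchars($filterfieldsarray[0]);?>"` (with the matching index), which is the same idiom the file already uses a few lines earlier.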
@@ -601,7 +665,7 @@ if ($savemsg) {
</tr>
<!--Create Three Output Windows 'Deny', 'Permit' and 'Match'-->
-<?php foreach (array ("Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ):
+<?php foreach (array ( "Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ):
switch($type) {
case "Deny":
$rtype = "block";
@@ -612,15 +676,16 @@ if ($savemsg) {
$pfbentries = "{$pfbpermitcnt}";
break;
case "Match":
- if ($pfb['pfsenseversion'] >= '2.2') {
- $rtype = "unkn(%u)";
- } else {
- $rtype = "unkn(11)";
- }
+ $rtype = "unkn(%u)";
$pfbentries = "{$pfbmatchcnt}";
break;
}
+ // Skip Table output if $pfbentries is zero.
+ if ($pfbentries == 0 && $skipcount != 2) {
+ $skipcount++;
+ continue;
+ }
?>
<table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6">
<tr>
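Review bot: The comment at L5755 says only that a table with zero entries is skipped, but the `$skipcount != 2` guard on the next line is the interesting part: at most two of the three tables are skipped, so the last one is printed even when its count is zero, and a reader has to work that out. Suggested wording: `// Skip a table whose entry count is zero, but never skip more than two of the three so at least one table is always printed.` Also, `$pfbentries` is a string built from the config value (or from `$_REQUEST['entries']` when pivoting from the widget), and `== 0` is a loose comparison, so a non-numeric value would be treated as zero on the PHP versions pfSense 2.2 ships with; `(int) $pfbentries === 0` states the intent explicitly.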
@@ -660,30 +725,27 @@ if ($savemsg) {
<?php
$pfb['runonce'] = TRUE;
-if (isset($pfb['load']))
+if (isset($pfb['load'])) {
$pfb['runonce'] = FALSE;
+}
// Execute the following once per refresh
if ($pfb['runonce']) {
$pfb['load'] = TRUE;
+ $resolvecounter = 0;
$fields_array = array();
- // pfSense versions below 2.2 have the Logfiles in two lines.
- if ($pfb['pfsenseversion'] >= '2.2') {
- $pfblines = exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^");
- } else {
- $pfblines = (exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^") /2 );
- }
-
+ $pfblines = exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^");
$fields_array = conv_log_filter_lite($filter_logfile, $pfblines, $pfblines, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt);
$continents = array('pfB_Africa','pfB_Antartica','pfB_Asia','pfB_Europe','pfB_NAmerica','pfB_Oceania','pfB_SAmerica','pfB_Top');
- $supp_ip_txt .= "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24";
+ $supp_ip_txt = "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24";
$supp_ip_txt .= " CIDR.\nThe Host will be added to the pfBlockerNG Suppress Alias Table.\n\nOnly 32 or 24 CIDR IPs can be Suppressed with the '+' Icon.";
$supp_ip_txt .= "\nTo manually add Host(s), edit the 'pfBlockerNGSuppress' Alias in the Alias Tab.\nManual entries will not remove existing Blocked Hosts";
// Array of all Local IPs for Alert Analysis
$pfb_local = array();
+ $pfb_localsub = array();
// Collect Gateway IP Addresses for Inbound/Outbound List matching
$int_gateway = get_interfaces_with_gateway();
@@ -697,12 +759,16 @@ if ($pfb['runonce']) {
// Collect Virtual IP Aliases for Inbound/Outbound List Matching
if (is_array($config['virtualip']['vip'])) {
foreach ($config['virtualip']['vip'] as $list) {
- if ($list['type'] == "single" && $list['subnet_bits'] == "32")
- $pfb_local[] = $list['subnet'];
- elseif ($list['type'] == "single" || $list['type'] == "network")
- $pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
+ if ($list['subnet'] != "" && $list['subnet_bits'] != "") {
+ if ($list['subnet_bits'] >= 24) {
+ $pfb_local = array_merge(subnetv4_expand("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local);
+ } else {
+ $pfb_localsub[] = "{$list['subnet']}/{$list['subnet_bits']}";
+ }
+ }
}
}
+
// Collect NAT IP Addresses for Inbound/Outbound List Matching
if (is_array($config['nat']['rule'])) {
foreach ($config['nat']['rule'] as $natent) {
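Review bot: The new VIP branch at L5802–L5807 (and the parallel interface loop at L5836–L5842 in the hunk starting at L5823) decides by `subnet_bits` alone and no longer looks at the address family, so an IPv6 virtual IP or interface address with a prefix of /24 or longer would be handed to `subnetv4_expand()`, and a shorter IPv6 prefix would be stored in `$pfb_localsub` for `ip_in_subnet()`; what those helpers do with IPv6 input is not visible here, but neither name suggests it is supported. Guarding each branch with `is_ipaddrv4($list['subnet'])` (and `is_ipaddrv4($int['ipaddr'])` in the interface loop), both available from the `util.inc` this page already requires, keeps only the input the helpers are named for. A short comment on the `>= 24` threshold (`// /24 and smaller are expanded to host addresses; larger ranges are kept as subnets for ip_in_pfb_localsub()`) would also explain why the two lists exist.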
@@ -711,7 +777,7 @@ if ($pfb['runonce']) {
}
// Collect 1:1 NAT IP Addresses for Inbound/Outbound List Matching
- if(is_array($config['nat']['onetoone'])) {
+ if (is_array($config['nat']['onetoone'])) {
foreach ($config['nat']['onetoone'] as $onetoone) {
$pfb_local[] = $onetoone['source']['address'];
}
@@ -729,17 +795,27 @@ if ($pfb['runonce']) {
}
}
}
- // Remove any Duplicate IPs
- $pfb_local = array_unique($pfb_local);
- // Determine Lan IP Address and Mask
- if (is_array($config['interfaces']['lan'])) {
- $lan_ip = $config['interfaces']['lan']['ipaddr'];
- $lan_mask = $config['interfaces']['lan']['subnet'];
+ // Collect all Interface Addresses for Inbound/Outbound List Matching
+ if (is_array($config['interfaces'])) {
+ foreach ($config['interfaces'] as $int) {
+ if ($int['ipaddr'] != "dhcp") {
+ if ($int['ipaddr'] != "" && $int['subnet'] != "") {
+ if ($int['subnet'] >= 24) {
+ $pfb_local = array_merge(subnetv4_expand("{$int['ipaddr']}/{$int['subnet']}"), $pfb_local);
+ } else {
+ $pfb_localsub[] = "{$int['ipaddr']}/{$int['subnet']}";
+ }
+ }
+ }
+ }
}
+
+ // Remove any Duplicate IPs
+ $pfb_local = array_unique($pfb_local);
+ $pfb_localsub = array_unique($pfb_localsub);
}
-$counter = 0;
// Process Fields_array and generate Output
if (!empty($fields_array[$type]) && !empty($rule_list)) {
$key = 0;
@@ -774,19 +850,19 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
}
// Add DNS Resolve and Suppression Icons to External IPs only. GeoIP Code to External IPs only.
- if (in_array($fields[8], $pfb_local) || check_lan_dest($lan_ip,$lan_mask,$fields[8],"32")) {
+ if (in_array($fields[8], $pfb_local) || ip_in_pfb_localsub($fields[8])) {
// Destination is Gateway/NAT/VIP
$rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")";
$host = $fields[7];
- $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\" " . gettext("Resolve host via Rev. DNS lookup");
- $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" ";
- $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\"/></a>";
+ $alert_ip = "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\" " . gettext("Resolve host via Rev. DNS lookup");
+ $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width='11' height='11' border='0' ";
+ $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\" /></a>";
if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") {
- $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
+ $supp_ip = "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\"";
- $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>";
+ $supp_ip .= gettext($supp_ip_txt) . "\" border='0' width='11' height='11' />";
}
if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") {
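Review bot: Changing `.=` to `=` at L5867 and L5872 (and L5884/L5889 in the next hunk) is the right fix for the icon markup accumulating across rows, but the rebuilt strings still interpolate `$host` and `$rule_list[$rulenum]['name']` into an href, an `onclick` and a title attribute with no escaping. Both values look constrained — `$host` is a field parsed from the filter log and the rule name comes from the `(\w+)` capture over pfctl output — yet that guarantee lives in other code, so escaping once at the point of use, `$host_h = htmlspecialchars($host);` and using `{$host_h}` in the markup, makes the output safe on its own terms. A point of style: the same tag now mixes `width='11'` with `src=\"...\"`, and settling on single quotes inside these double-quoted PHP strings would remove most of the backslashes.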
@@ -802,14 +878,14 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
$rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")";
$host = $fields[8];
- $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\"" . gettext("Resolve host via Rev. DNS lookup");
- $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" ";
- $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\"/></a>";
+ $alert_ip = "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\"" . gettext("Resolve host via Rev. DNS lookup");
+ $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width='11' height='11' border='0' ";
+ $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\" /></a>";
if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") {
- $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
+ $supp_ip = "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" ";
$supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\"";
- $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>";
+ $supp_ip .= gettext($supp_ip_txt) . "\" border='0' width='11' height='11' />";
}
if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") {
@@ -829,7 +905,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
$country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2);
}
- # IP Query Grep Exclusion
+ // IP Query Grep Exclusion
$pfb_ex1 = "grep -v 'pfB\_\|\_v6\.txt'";
$pfb_ex2 = "grep -v 'pfB\_\|/32\|/24\|\_v6\.txt' | grep -m1 '/'";
@@ -857,8 +933,9 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
$host3 = $host2 - $cnt . '\'';
$pfb_query = exec("/usr/bin/grep -rH {$host1}{$host3} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}");
// Break out of loop if found.
- if (!empty($pfb_query))
+ if (!empty($pfb_query)) {
$cnt = 6;
+ }
}
}
// Search for First Three Octets
@@ -886,10 +963,11 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
}
// Default to "No Match" if not found.
- if (empty($pfb_query))
+ if (empty($pfb_query)) {
$pfb_query = "No Match";
+ }
- # Split List Column into Two lines.
+ // Split List Column into Two lines.
unset ($pfb_match);
if ($pfb_query == "No Match") {
$pfb_match[1] = "{$pfb_query}";
@@ -921,43 +999,44 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) {
}
// Print Alternating Line Shading
- if ($pfb['pfsenseversion'] > '2.0') {
- $alertRowEvenClass = "listMReven";
- $alertRowOddClass = "listMRodd";
- } else {
- $alertRowEvenClass = "listr";
- $alertRowOddClass = "listr";
- }
+ $alertRowEvenClass = "style='background-color: #D8D8D8;'";
+ $alertRowOddClass = "style='background-color: #E8E8E8;'";
$alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass;
- echo "<tr class='{$alertRowClass}'>
+ echo "<tr {$alertRowClass}>
<td class='listMRr' align='center'>{$fields[99]}</td>
<td class='listMRr' align='center'>{$fields[2]}</td>
<td class='listMRr' align='center' title='The pfBlockerNG Rule that Blocked this Host.'>{$rule}</td>
<td class='listMRr' align='center'>{$fields[6]}</td>
- <td class='listMRr' align='center' style='sorttable_customkey:{$fields[7]};' sorttable_customkey='{$fields[7]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td>
- <td class='listMRr' align='center' style='sorttable_customkey:{$fields[8]};' sorttable_customkey='{$fields[8]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td>
+ <td class='listMRr' align='center' sorttable_customkey='{$fields[97]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td>
+ <td class='listMRr' align='center' sorttable_customkey='{$fields[98]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td>
<td class='listMRr' align='center'>{$country}</td>
<td class='listbg' align='center' title='{$pfb_matchtitle}' style=\"font-size: 10px word-wrap:break-word;\">{$pfb_match[1]}<br />{$pfb_match[2]}</td></tr>";
$counter++;
- if ($counter > 0 && $rtype == "block") {
- $mycounter = $counter;
- } else {
- $mycounter = 0;
+ if ($rtype == "block") {
+ $resolvecounter = $counter;
}
}
}
}
?>
</tbody>
+ <tr>
+ <!--Print Final Table Info-->
+ <?php
+ if ($pfbentries != $counter) {
+ $msg = " - Insufficient Firewall Alerts found.";
+ }
+ echo (" <td colspan='8' style='font-size:10px; background-color: #F0F0F0;' >Found {$counter} Alert Entries {$msg}</td>");
+ $counter = 0; $msg = '';
+ ?>
+ </tr>
</table>
</table>
<?php endforeach; ?> <!--End - Create Three Output Windows 'Deny', 'Permit' and 'Match'-->
<?php unset ($fields_array); ?>
</td></tr>
</table>
-
-</div>
</td>
<script type="text/javascript">
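Review bot: In the new footer row, `$msg` at L5969 is read before it has ever been assigned when the first printed table's `$counter` equals `$pfbentries`, which raises an undefined-variable notice under the error reporting pfSense pages run with; the `$msg = ''` reset at L5970 only helps from the second table on. Replacing the `if` at L5966–L5968 with `$msg = ($pfbentries != $counter) ? " - Insufficient Firewall Alerts found." : '';` removes the ordering dependency and lets the reset on L5970 go. Note also that `$pfbentries` is a string and `$counter` an int, so the `!=` there is a loose numeric comparison — fine for digit strings, which is one more reason to validate `entries` where it enters the page.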
@@ -991,7 +1070,7 @@ function findhostnames(counter) {
)
}
-var alertlines = <?php echo $mycounter; ?>;
+var alertlines = <?php echo $resolvecounter; ?>;
var autoresolve = "<?php echo $config['installedpackages']['pfblockerngglobal']['hostlookup']; ?>";
if ( autoresolve == "on" ) {
for (alertcount = 0; alertcount < alertlines; alertcount++) {
@@ -1014,4 +1093,4 @@ function enable_hideFilter() {
<?php include("fend.inc"); ?>
</form>
</body>
-</html>
+</html> \ No newline at end of file
diff --git a/config/pfblockerng/pfblockerng_diag_dns.php b/config/pfblockerng/pfblockerng_diag_dns.php
index b44bc71c..fa238b7a 100644
--- a/config/pfblockerng/pfblockerng_diag_dns.php
+++ b/config/pfblockerng/pfblockerng_diag_dns.php
@@ -56,15 +56,6 @@ foreach ($a_aliases as $a) {
$counter++;
}
-# Collect pfSense Version
-$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
-
-if ($pfs_version > '2.2') {
- $cmd = '/usr/bin/drill';
-} else {
- $cmd = '/usr/bin/dig';
-}
-
if (isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) {
if ($_POST['override']) {
$override = true;
@@ -73,7 +64,7 @@ if (isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) {
$type = "hostname";
if ($resolved) {
$resolved = array();
- exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
+ exec("/usr/bin/drill {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
$isfirst = true;
foreach ($resolved as $re) {
if ($re <> "") {
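Review bot: Hardcoding `/usr/bin/drill` at L6021, and again at L6030 and L6039 in the next two hunks, replaces the single `$cmd` selection that was removed with three copies of the same path; keeping one assignment, `$cmd = '/usr/bin/drill';`, where the version check used to be would let the three `exec()` lines stay as they were and make a future path change a one-line edit. With the `dig` fallback gone, a host without `drill` would make `exec()` return nothing and the page would report "No response" or an empty resolution without saying why; an `is_executable($cmd)` check before the first call could turn that into a clear input error.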
@@ -120,7 +111,7 @@ if ($_POST) {
$dns_servers = array();
exec("/usr/bin/grep nameserver /etc/resolv.conf | /usr/bin/cut -f2 -d' '", $dns_servers);
foreach ($dns_servers as $dns_server) {
- $query_time = exec("{$cmd} {$host_esc} " . escapeshellarg("@" . trim($dns_server)) . " | /usr/bin/grep Query | /usr/bin/cut -d':' -f2");
+ $query_time = exec("/usr/bin/drill {$host_esc} " . escapeshellarg("@" . trim($dns_server)) . " | /usr/bin/grep Query | /usr/bin/cut -d':' -f2");
if ($query_time == "") {
$query_time = gettext("No response");
}
@@ -149,7 +140,7 @@ if ($_POST) {
$resolved = gethostbyname($host);
if ($resolved) {
$resolved = array();
- exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
+ exec("/usr/bin/drill {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
}
$hostname = $host;
if ($host != $resolved) {
@@ -208,7 +199,7 @@ include("head.inc"); ?>
<input name="host" type="text" class="formfld unknown" id="host" size="20" value="<?=htmlspecialchars($host);?>">
</td>
<?php if ($resolved && $type) { ?>
- <td valign="middle">&nbsp;=&nbsp;</td><td>
+ <td valign="middle">&nbsp;&nbsp;</td><td>
<font size="+1">
<?php
$found = 0;
@@ -244,8 +235,8 @@ include("head.inc"); ?>
</tr>
<?php if ($_POST): ?>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td>
- <td width="78%" class="vtable">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td>
+ <td width="78%" class="vtable">
<table width="170" border="0" cellpadding="6" cellspacing="0" summary="resolution time">
<tr>
<td class="listhdrr">
@@ -271,7 +262,7 @@ include("head.inc"); ?>
endforeach;
?>
</table>
- </td>
+ </td>
</tr>
<?php endif; ?>
<?php if (!$input_errors && $ipaddr) { ?>
diff --git a/config/pfblockerng/pfblockerng_log.php b/config/pfblockerng/pfblockerng_log.php
index 4c25ce29..a235f20a 100644
--- a/config/pfblockerng/pfblockerng_log.php
+++ b/config/pfblockerng/pfblockerng_log.php
@@ -52,13 +52,13 @@ require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc");
pfb_global();
-# Get log files from directory
+// Get log files from directory
function getlogs($logdir, $log_extentions = array('log')) {
if (!is_array($log_extentions)) {
$log_extentions = array($log_extentions);
}
- # Get logfiles
+ // Get logfiles
$log_filenames = array();
foreach ($log_extentions as $extention) {
if ($extention <> '*') {
@@ -68,7 +68,7 @@ function getlogs($logdir, $log_extentions = array('log')) {
}
}
- # Convert to filenames only
+ // Convert to filenames only
if (count($log_filenames) > 0) {
$log_totalfiles = count($log_filenames);
for ($cnt = 0; $cnt < $log_totalfiles; $cnt++) {
@@ -76,18 +76,19 @@ function getlogs($logdir, $log_extentions = array('log')) {
}
}
- # Sort the filename
+ // Sort the filename
asort($log_filenames);
- # Done
+ // Done
return $log_filenames;
}
-# Define logtypes
-# name => Displayname of the type
-# ext => Log extentions (array for multiple extentions)
-# logdir=> Log directory
-# clear => Add clear button (TRUE/FALSE)
+/* Define logtypes:
+ name => Displayname of the type
+ ext => Log extentions (array for multiple extentions)
+ logdir => Log directory
+ clear => Add clear button (TRUE/FALSE) */
+
$pfb_logtypes = array( 'defaultlogs' => array('name' => 'Log Files',
'logdir' => "{$pfb['logdir']}/",
'logs' => array("pfblockerng.log", "error.log", "geoip.log", "maxmind_ver"),
@@ -153,7 +154,7 @@ $pfb_logtypes = array( 'defaultlogs' => array('name' => 'Log Files',
)
);
-# Check logtypes
+// Check logtypes
$logtypeid = 'defaultlogs';
if (isset($_POST['logtype'])) {
$logtypeid = $_POST['logtype'];
@@ -161,13 +162,13 @@ if (isset($_POST['logtype'])) {
$logtypeid = htmlspecialchars($_GET['logtype']);
}
-# Check if POST has been set
+// Check if POST has been set
if (isset($_POST['file'])) {
clearstatcache();
$pfb_logfilename = $_POST['file'];
$pfb_ext = pathinfo($pfb_logfilename, PATHINFO_EXTENSION);
- # Load log
+ // Load log
if ($_POST['action'] == 'load') {
if (!is_file($pfb_logfilename)) {
echo "|3|" . gettext("Log file is empty or does not exist") . ".|";
@@ -187,12 +188,12 @@ if (isset($_POST['file'])) {
if (isset($_POST['logFile'])) {
$s_logfile = $_POST['logFile'];
- # Clear selected file
+ // Clear selected file
if (isset($_POST['clear'])) {
unlink_if_exists($s_logfile);
}
- # Download log
+ // Download log
if (isset($_POST['download'])) {
if (file_exists($s_logfile)) {
ob_start(); //important or other posts will fail
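Review bot: `$s_logfile` is taken verbatim from `$_POST['logFile']` and then passed to `unlink_if_exists()` on clear and read back on download, with no check visible in this hunk that it resolves to a file inside one of the `$pfb_logtypes` log directories; unless that check happens elsewhere, any path writable or readable by the web user is reachable. Binding the value to the selected log type would bound it, e.g. `$s_logfile = $pfb_logtypes[$logtypeid]['logdir'] . basename($_POST['logFile']);`. The same applies to `$pfb_logfilename = $_POST['file']` in the hunk at `@@ -161,13`, which only tests `is_file()` before loading. The enclosing `if (isset($_POST['logFile']))` block continues outside the hunk.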
diff --git a/config/pfblockerng/pfblockerng_sync.xml b/config/pfblockerng/pfblockerng_sync.xml
index f6cee305..03b86dce 100644
--- a/config/pfblockerng/pfblockerng_sync.xml
+++ b/config/pfblockerng/pfblockerng_sync.xml
@@ -52,6 +52,7 @@
<version>1.0</version>
<title>pfBlockerNG: XMLRPC Sync</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save XMLRPC Sync settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<tooltiptext>Configure pfBlockerNG</tooltiptext>
@@ -124,7 +125,7 @@
<url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_sync.xml&amp;id=0</url>
<active/>
</tab>
- </tabs>
+ </tabs>
<fields>
<field>
<name>pfBlockerNG XMLRPC Sync Settings</name>
@@ -132,8 +133,8 @@
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname>none</fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
</field>
@@ -173,7 +174,6 @@
</field>
<field>
<fielddescr>Replication Targets</fielddescr>
- <fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
@@ -217,15 +217,15 @@
<rowhelperfield>
<fielddescr>Target Password</fielddescr>
<fieldname>varsyncpassword</fieldname>
- <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
+ <description><![CDATA[Password of the user 'admin' on the destination host.]]></description>
<type>password</type>
<size>20</size>
</rowhelperfield>
</rowhelper>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]></name>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml
index db898112..32ed52e8 100644
--- a/config/pfblockerng/pfblockerng_top20.xml
+++ b/config/pfblockerng/pfblockerng_top20.xml
@@ -52,13 +52,14 @@
<version>1.0</version>
<title>pfBlockerNG: Top 20 Spammer Countries</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save Top20 settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<tooltiptext>Configure pfblockerNG</tooltiptext>
<section>Firewall</section>
<url>pkg_edit.php?xml=pfblockerng.xml&amp;id=0</url>
</menu>
- <tabs>
+ <tabs>
<tab>
<text>General</text>
<url>/pkg_edit.php?xml=pfblockerng.xml&amp;id=0</url>
@@ -124,7 +125,7 @@
<text>Sync</text>
<url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_sync.xml&amp;id=0</url>
</tab>
- </tabs>
+ </tabs>
<fields>
<field>
<name><![CDATA[TOP 20 - Spammer Countries&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Geolite Data by Maxmind Inc. - ISO 3166)]]></name>
@@ -132,20 +133,19 @@
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname>none</fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
- </field>
+ </field>
<field>
- <fielddescr><![CDATA[<br /><strong>Top 20 IPv4</strong><br />Spammer Countries]]></fielddescr>
<fieldname>countries4</fieldname>
- <description>
- <![CDATA[Select Top IPv4 Spammer Countries you want to take an action on.<br />
- <strong>Use CTRL + CLICK to unselect countries</strong>]]>
- </description>
+ <fielddescr><![CDATA[<strong><center>Top 20<br /> Spammer Countries</center></strong><br />
+ <center>Use CTRL + CLICK to unselect countries</center>]]>
+ </fielddescr>
+ <description><![CDATA[<center><br />IPv4 Countries</center>]]></description>
<type>select</type>
- <options>
+ <options>
<option><name>China-CN</name><value>CN</value></option>
<option><name>Russia-RU</name><value>RU</value></option>
<option><name>Japan-JP</name><value>JP</value></option>
@@ -169,14 +169,12 @@
</options>
<size>20</size>
<multiple/>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
</field>
<field>
- <fielddescr><![CDATA[<br /><strong>Top 20 IPv6</strong><br />Spammer Countries]]></fielddescr>
<fieldname>countries6</fieldname>
- <description>
- <![CDATA[Select Top IPv6 Spammer Countries you want to take an action on.<br />
- <strong>Use CTRL + CLICK to unselect countries</strong>]]>
- </description>
+ <description><![CDATA[<br /><center>IPv6 Countries</center>]]></description>
<type>select</type>
<options>
<option><name>China-CN</name><value>CN</value></option>
@@ -199,13 +197,16 @@
<option><name>Taiwan-TW</name><value>TW</value></option>
<option><name>Mexico-MX</name><value>MX</value></option>
<option><name>Chilie-CL</name><value>CL</value></option>
- </options>
- <size>20</size>
- <multiple/>
+ </options>
+ <size>20</size>
+ <multiple/>
+ <usecolspan2/>
+ <dontdisplayname/>
+ <combinefields>end</combinefields>
</field>
<field>
<fielddescr>List Action</fielddescr>
- <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br />
+ <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br />
Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br />
<strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br />
@@ -231,12 +232,12 @@
<strong><u>'Alias' Rules:</u></strong><br />
<strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else).
This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired.
- <ul><li><strong>Options &nbsp;&nbsp; - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
+ <ul><li><strong>Options - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
<li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br />
<li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br />
<li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul>
<strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and Use the 'Exact' spelling of
- the Alias (no trailing Whitespace)&nbsp;</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
+ the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule
Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom
Alias Configuration<br />]]>
@@ -262,7 +263,7 @@
<field>
<fielddescr>Enable Logging</fielddescr>
<fieldname>aliaslog</fieldname>
- <description><![CDATA[Default:<strong>Enable</strong><br />
+ <description><![CDATA[Default: <strong>Enable</strong><br />
Select - Logging to Status: System Logs: FIREWALL ( Log )]]>
</description>
<type>select</type>
@@ -272,8 +273,87 @@
</options>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]> </name>
+ <name>Advanced Inbound Firewall Rule Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <type>info</type>
+ <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br />
+ <ul>Inbound &nbsp;&nbsp;- 'any' port, 'any' protocol and 'any' destination<br />
+ Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul>
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br />
+ <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]>
+ </description>
+ </field>
+ <field>
+ <fieldname>autoports</fieldname>
+ <fielddescr>Enable Custom Port</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasports</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Define Alias</fielddescr>
+ <fieldname>aliasports</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a>
+ Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>port</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fieldname>autodest</fieldname>
+ <fielddescr>Enable Custom Destination</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasdest,autonot</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fieldname>aliasdest</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a>
+ Do not manually enter Addresses(es). <br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>network</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields/>
+ </field>
+ <field>
+ <fielddescr>Invert</fielddescr>
+ <fieldname>autonot</fieldname>
+ <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br />
+ ie - Not (!) Destination Address(es)</div>]]>
+ </description>
+ <type>checkbox</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fielddescr>Custom Protocol</fielddescr>
+ <fieldname>autoproto</fieldname>
+ <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description>
+ <type>select</type>
+ <options>
+ <option><name>any</name><value></value></option>
+ <option><name>TCP</name><value>tcp</value></option>
+ <option><name>UDP</name><value>udp</value></option>
+ <option><name>TCP/UDP</name><value>tcp/udp</value></option>
+ </options>
+ <size>4</size>
+ <default_value></default_value>
+ </field>
+ <field>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
diff --git a/config/pfblockerng/pfblockerng_update.php b/config/pfblockerng/pfblockerng_update.php
index f3a18231..e63d04dc 100644
--- a/config/pfblockerng/pfblockerng_update.php
+++ b/config/pfblockerng/pfblockerng_update.php
@@ -76,7 +76,6 @@ function pfbupdate_status($status) {
// Function to perform a Force Update, Cron or Reload
function pfb_cron_update($type) {
-
global $pfb;
// Query for any Active pfBlockerNG CRON Jobs
@@ -87,8 +86,9 @@ function pfb_cron_update($type) {
exit;
}
- if (!file_exists("{$pfb['log']}"))
+ if (!file_exists("{$pfb['log']}")) {
touch("{$pfb['log']}");
+ }
// Update Status Window with correct Task
if ($type == "update") {
@@ -102,7 +102,6 @@ function pfb_cron_update($type) {
// Remove any existing pfBlockerNG CRON Jobs
install_cron_job("pfblockerng.php cron", false);
- write_config();
// Execute PHP Process in the Background
mwexec_bg("/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php {$type} >> {$pfb['log']} 2>&1");
@@ -121,18 +120,19 @@ function pfb_cron_update($type) {
$lastpos = $len;
} else {
$f = fopen($pfb['log'], "rb");
- if ($f === false)
+ if ($f === false) {
die();
+ }
fseek($f, $lastpos);
while (!feof($f)) {
$pfb_buffer = fread($f, 2048);
$pfb_output .= str_replace( array ("\r", "\")"), "", $pfb_buffer);
-
// Refresh on new lines only. This allows Scrolling.
- if ($lastpos != $lastpos_old)
+ if ($lastpos != $lastpos_old) {
pfbupdate_output($pfb_output);
+ }
$lastpos_old = $lastpos;
ob_flush();
flush();
@@ -151,7 +151,7 @@ function pfb_cron_update($type) {
ob_flush();
flush();
fclose($f);
- # Call Log Mgmt Function
+ // Call Log Mgmt Function
pfb_log_mgmt();
die();
}
@@ -207,61 +207,112 @@ include_once("head.inc");
<tr>
<td colspan="2" class="listr">
<?php
- // Collect Existing CRON settings
- if (is_array($config['cron']['item'])) {
- foreach ($config['cron']['item'] as $cron) {
- if (preg_match("/usr.local.www.pfblockerng.pfblockerng.php cron/",$cron["command"])) {
- $pfb_min = "{$cron['minute']}";
- break;
+ if ($pfb['enable'] == "on") {
+
+ /* Legend - Time Variables
+
+ $pfb['interval'] Hour interval setting (1,2,3,4,6,8,12,24)
+ $pfb['min'] Cron minute start time (0-23)
+ $pfb['hour'] Cron start hour (0-23)
+ $pfb['24hour'] Cron daily/wk start hr (0-23)
+
+ $currenthour Current hour
+ $currentmin Current minute
+ $cron_hour_begin First cron hour setting (interval 2-24)
+ $cron_hour_next Next cron hour setting (interval 2-24)
+
+ $max_min_remain Max minutes to next cron (not including currentmin)
+ $min_remain Total minutes remaining to next cron
+ $min_final The minute component in hour:min
+
+ $nextcron Next cron event in hour:mins
+ $cronreal Time remaining to next cron in hours:mins */
+
+ $currenthour = date('G');
+ $currentmin = date('i');
+
+ if ($pfb['interval'] == 1) {
+ if (($currenthour + ($currentmin/60)) <= ($pfb['hour'] + ($pfb['min']/60))) {
+ $cron_hour_next = $currenthour;
+ } else {
+ $cron_hour_next = $currenthour + 1;
+ }
+ if (($currenthour + ($pfb['min']/60)) >= 24) {
+ $cron_hour_next = $pfb['hour'];
}
+ $max_min_remain = 60 + $pfb['min'];
}
- }
- // Calculate Minutes Remaining till next CRON Event.
- $currentmin = date('i');
- switch ($pfb_min) {
- case "0":
- $min_remain = (60 - $currentmin);
- break;
- case "15":
- if ($currentmin < 15) {
- $min_remain = (15 - $currentmin);
- } else {
- $min_remain = (75 - $currentmin);
+ elseif ($pfb['interval'] == 24) {
+ $cron_hour_next = $cron_hour_begin = $pfb['24hour'] != '' ? $pfb['24hour'] : '00';
+ }
+ else {
+ // Find Next Cron hour schedule
+ $crondata = pfb_cron_base_hour();
+ if (!empty($crondata)) {
+ foreach ($crondata as $key => $line) {
+ if ($key == 0) {
+ $cron_hour_begin = $line;
+ }
+ if ($line > $currenthour) {
+ $cron_hour_next = $line;
+ break;
+ }
+ }
}
- break;
- case "30":
- if ($currentmin < 30) {
- $min_remain = (30 - $currentmin);
- } else {
- $min_remain = (90 - $currentmin);
+
+ // Roll over to First cron hour setting
+ if (!isset($cron_hour_next)) {
+ if (empty($cron_hour_begin)) {
+ // $cron_hour_begin is hour '0'
+ $cron_hour_next = (24 - $currenthour);
+ } else {
+ $cron_hour_next = $cron_hour_begin;
+ }
}
- break;
- case "45":
- if ($currentmin < 45) {
- $min_remain = (45 - $currentmin);
+ }
+
+ if ($pfb['interval'] != 1) {
+ if (($currenthour + ($currentmin/60)) <= ($cron_hour_next + ($pfb['min']/60))) {
+ $max_min_remain = (($cron_hour_next - $currenthour) * 60) + $pfb['min'];
} else {
- $min_remain = (105 - $currentmin);
+ $max_min_remain = ((24 - $currenthour + $cron_hour_begin) * 60) + $pfb['min'];
+ $cron_hour_next = $cron_hour_begin;
}
- break;
- }
+ }
- // Default to "< 1 minute" if empty
- if (empty($min_remain))
- $min_remain = "< 1";
+ $min_remain = ($max_min_remain - $currentmin);
+ $min_final = ($min_remain % 60);
+ $sec_final = (60 - date('s'));
- // Next Scheduled Cron Time
- if ($pfb_min == "0")
- $pfb_min = "00";
- $nextcron = (date('H') +1) . ":{$pfb_min}";
+ if (strlen($sec_final) == 1) {
+ $sec_final = '0' . $sec_final;
+ }
+ if (strlen($min_final) == 1) {
+ $min_final = '0' . $min_final;
+ }
+ if (strlen($cron_hour_next) == 1) {
+ $cron_hour_next = '0' . $cron_hour_next;
+ }
+
+ if ($min_remain > 59) {
+ $nextcron = floor($min_remain / 60) . ':' . $min_final . ':' . $sec_final;
+ } else {
+ $nextcron = '00:' . $min_final . ':' . $sec_final;
+ }
+
+ if ($pfb['min'] == 0) {
+ $pfb['min'] = '00';
+ }
+ $cronreal = "{$cron_hour_next}:{$pfb['min']}";
+ }
- // If pfBlockerNG is Disabled or Cron Task is Missing
- if (empty($pfb['enable']) || empty($pfb_min)) {
- $min_remain = " -- ";
- $nextcron = " [ Disabled ] ";
+ if (empty($pfb['enable']) || empty($cron_hour_next)) {
+ $cronreal = ' [ Disabled ]';
+ $nextcron = '--';
}
- echo "NEXT Scheduled CRON Event will run at <font size=\"3\">&nbsp;{$nextcron}</font>&nbsp; in<font size=\"3\">
- <span class=\"red\">&nbsp;{$min_remain}&nbsp;</span></font> Minutes.";
+ echo "NEXT Scheduled CRON Event will run at <font size=\"3\">&nbsp;{$cronreal}</font>&nbsp; with
+ <font size=\"3\"><span class=\"red\">&nbsp;{$nextcron}&nbsp;</span></font> time remaining.";
// Query for any Active pfBlockerNG CRON Jobs
$result_cron = array();
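Review bot: In the `$pfb['interval'] == 1` branch the wrap-around guard `($currenthour + ($pfb['min']/60)) >= 24` can never be true (hour is at most 23 and minute/60 is below 1), so at 23:xx after the cron minute `$cron_hour_next` stays 24 and `$cronreal` prints `24:MM`; in the same branch `$max_min_remain = 60 + $pfb['min']` is used even when `$cron_hour_next` is the current hour, so a run still ahead in this hour is reported 60 minutes later than it is. If the hourly job fires at minute `$pfb['min']` of every hour, as the legend above implies, the branch can be rewritten as below; it also drops the comparison against the start hour `$pfb['hour']`, which this branch otherwise never uses. Separately, `$sec_final = (60 - date('s'))` yields `60` at second zero, so the display can read `MM:60`; `$sec_final = (60 - date('s')) % 60;` avoids that. The enclosing PHP block continues outside the hunk.
```php
if ($pfb['interval'] == 1) {
	// Hourly job: compare against the cron minute of the current hour
	// and wrap 24 -> 0 after 23:xx.
	if ($currentmin < $pfb['min']) {
		$cron_hour_next = $currenthour;          // this hour's run is still ahead
		$max_min_remain = $pfb['min'];
	} else {
		$cron_hour_next = ($currenthour + 1) % 24;
		$max_min_remain = 60 + $pfb['min'];
	}
}
// … unchanged: interval 24 and 2-23 branches, remaining-time formatting …
```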
@@ -272,7 +323,7 @@ include_once("head.inc");
echo "<img src = '/themes/{$g['theme']}/images/icons/icon_pass.gif' width='15' height='15'
border='0' title='pfBockerNG Cron Task is Running.'/>";
}
- echo "<br /><font size=\"3\"><span class=\"red\">Refresh</span></font> to update current Status and Minute(s) remaining";
+ echo "<br /><font size=\"3\"><span class=\"red\">Refresh</span></font> to update current Status and time remaining";
?>
</td>
</tr>
@@ -348,8 +399,9 @@ include("fend.inc");
// Execute the Viewer output Window
if (isset($_POST['pfbview'])) {
- if (!file_exists("{$pfb['log']}"))
+ if (!file_exists("{$pfb['log']}")) {
touch("{$pfb['log']}");
+ }
// Reference: http://stackoverflow.com/questions/3218895/php-how-to-read-a-file-live-that-is-constantly-being-written-to
pfbupdate_status(gettext("Log Viewing in progress. ** Press 'END VIEW' to Exit ** "));
@@ -372,8 +424,9 @@ if (isset($_POST['pfbview'])) {
$lastpos = $len;
} else {
$f = fopen($pfb['log'], "rb");
- if ($f === false)
+ if ($f === false) {
die();
+ }
fseek($f, $lastpos);
while (!feof($f)) {
@@ -415,8 +468,9 @@ if (isset($_POST['pfbcron']) && $pfb['enable'] == "on") {
// Execute a Reload of all Aliases and Lists
if (isset($_POST['pfbreload']) && $pfb['enable'] == "on") {
+ // Set 'Reuse' Flag for Reload process
$config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = "on";
- write_config();
+ write_config("pfBlockerNG: Executing Force Reload");
pfb_cron_update(reload);
}
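Review bot: `pfb_cron_update(reload);` on the line after the changed `write_config()` call passes the bareword `reload`; PHP resolves an undefined constant to the string `"reload"` only with a notice, and raises an Error from PHP 8, so it should be `pfb_cron_update('reload');`. The `cron` and `update` callers above this hunk likely use the same bareword form and are worth checking at the same time.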
diff --git a/config/pfblockerng/pfblockerng_v4lists.xml b/config/pfblockerng/pfblockerng_v4lists.xml
index febfd597..00747a24 100644
--- a/config/pfblockerng/pfblockerng_v4lists.xml
+++ b/config/pfblockerng/pfblockerng_v4lists.xml
@@ -54,6 +54,7 @@
<version>1.0</version>
<title>pfBlockerNG: IPv4 Alias/List Configuration</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save IPv4 settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<tooltiptext></tooltiptext>
@@ -149,6 +150,8 @@
<fielddescr>Logging</fielddescr>
<fieldname>aliaslog</fieldname>
</columnitem>
+ <addtext>Add a new Alias</addtext>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
@@ -158,15 +161,15 @@
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname>none</fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
</field>
<field>
<fielddescr>Alias Name</fielddescr>
<fieldname>aliasname</fieldname>
- <description><![CDATA[Enter lists Alias Names.<br />
+ <description><![CDATA[Enter Alias Name.<br />
Example: Badguys<br />
Do not include <strong>'pfBlocker' or 'pfB_'</strong> in the Alias Name, it's done by package.<br />
<strong>International, special or space characters will be ignored in firewall alias names.
@@ -182,40 +185,37 @@
<size>90</size>
</field>
<field>
- <fieldname>InfoLists</fieldname>
<type>info</type>
- <description><![CDATA[<strong><u>'Format'</u></strong> : Select the Format Type<br /><br />
- <strong><u>'URL'</u></strong> : Add direct link to list:
+ <description><![CDATA[<strong><u>'Format'</u></strong>: Select the Format Type<br /><br />
+ <strong><u>'URL'</u></strong>: Add direct link to list:
Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>,
<a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>,
- <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a> )<br /><br />
- <strong><u>'pfSense Local File'</u></strong> Format :<br /><br />
- &nbsp;&nbsp;http(s)://127.0.0.1/NAME_OF_FILE &nbsp;&nbsp;<strong>or</strong>&nbsp;&nbsp;
+ <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a><br /><br />
+ <strong><u>'pfSense Local File'</u></strong> Format:<br /><br />
+ &nbsp;&nbsp;http(s)://127.0.0.1/NAME_OF_FILE &nbsp;&nbsp;<strong>or</strong>&nbsp;&nbsp;
/usr/local/www/NAME_OF_FILE &nbsp;&nbsp; (Files can also be placed in the /var/db/pfblockerng folders)<br /><br />
- <strong><u>'Header'</u></strong> : The <u>'Header' Field</u> must be <u>Unique</u>, it will
+ <strong><u>'Header'</u></strong>: The <u>'Header' Field</u> must be <u>Unique</u>, it will
name the List File and it will be referenced in the pfBlockerNG Widget.
Use a Unique Prefix per 'Alias Category' followed by a unique descriptor for each List.<br /><br />]]>
</description>
</field>
<field>
<fielddescr><![CDATA[<strong>IPv4</strong> Lists]]></fielddescr>
- <fieldname>none</fieldname>
<description><![CDATA[<br /><strong>'Format'</strong> - Select the file format that URL will retrieve.<br />
-
- <ul><li><strong>'txt'</strong> Plain txt Lists</li><br />
- <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only.</li><br />
- <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only.</li><br />
- <li><strong>'gz_lg'</strong> - Large IBlock GZ Lists in Range Format only.</li><br />
- <li><strong>'zip'</strong> - ZIP'd Lists</li><br />
- <li><strong>'block'</strong>- IP x.x.x.0 Block type</li><br />
- <li><strong>'html'</strong> - Web Links</li><br />
- <li><strong>'xlsx'</strong> - Excel Lists</li><br />
- <li><strong>'rsync'</strong> - RSync Lists</li><br />
+ <ul><li><strong>'txt'</strong> Plain txt Lists</li>
+ <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only</li>
+ <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only</li>
+ <li><strong>'gz_lg'</strong> - Large IBlock GZ Lists in Range Format only</li>
+ <li><strong>'zip'</strong> - ZIP'd Lists</li>
+ <li><strong>'block'</strong>- IP x.x.x.0 Block type</li>
+ <li><strong>'html'</strong> - Web Links</li>
+ <li><strong>'xlsx'</strong> - Excel Lists</li>
+ <li><strong>'rsync'</strong> - RSync Lists</li>
<li><strong>'ET' IQRisk</strong> - Only</li></ul>
- <strong>'State'</strong> - Select the Run State for each list.<br />
- <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li><br />
- <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static.</li></ul>
+ <strong>'State'</strong> - Select the Run State for each list<br />
+ <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li>
+ <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static</li></ul>
<strong>'Note' -</strong> Downloaded or pfsense local file must have only one network per line and follows the syntax below:
<ul>Network ranges: <strong>172.16.1.0-172.16.1.255</strong><br />
IP Address: <strong>172.16.1.10</strong><br />
@@ -223,50 +223,50 @@
</description>
<type>rowhelper</type>
<rowhelper>
- <rowhelperfield>
- <fielddescr>Format</fielddescr>
- <fieldname>format</fieldname>
- <type>select</type>
- <options>
- <option><name>txt</name><value>txt</value></option>
- <option><name>gz</name><value>gz</value></option>
- <option><name>gz_2</name><value>gz_2</value></option>
- <option><name>gz_lg</name><value>gz_lg</value></option>
- <option><name>zip</name><value>zip</value></option>
- <option><name>block</name><value>block</value></option>
- <option><name>html</name><value>html</value></option>
- <option><name>xlsx</name><value>xlsx</value></option>
- <option><name>RSync</name><value>rsync</value></option>
- <option><name>ET</name><value>et</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>State</fielddescr>
- <fieldname>state</fieldname>
- <type>select</type>
- <options>
- <option><name>ON</name><value>Enabled</value></option>
- <option><name>OFF</name><value>Disabled</value></option>
- <option><name>HOLD</name><value>Hold</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>URL or pfSense local file</fielddescr>
- <fieldname>url</fieldname>
- <type>input</type>
- <size>50</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Header</fielddescr>
- <fieldname>header</fieldname>
- <type>input</type>
- <size>15</size>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Format</fielddescr>
+ <fieldname>format</fieldname>
+ <type>select</type>
+ <options>
+ <option><name>txt</name><value>txt</value></option>
+ <option><name>gz</name><value>gz</value></option>
+ <option><name>gz_2</name><value>gz_2</value></option>
+ <option><name>gz_lg</name><value>gz_lg</value></option>
+ <option><name>zip</name><value>zip</value></option>
+ <option><name>block</name><value>block</value></option>
+ <option><name>html</name><value>html</value></option>
+ <option><name>xlsx</name><value>xlsx</value></option>
+ <option><name>RSync</name><value>rsync</value></option>
+ <option><name>ET</name><value>et</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>State</fielddescr>
+ <fieldname>state</fieldname>
+ <type>select</type>
+ <options>
+ <option><name>ON</name><value>Enabled</value></option>
+ <option><name>OFF</name><value>Disabled</value></option>
+ <option><name>HOLD</name><value>Hold</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>URL or pfSense local file</fielddescr>
+ <fieldname>url</fieldname>
+ <type>input</type>
+ <size>50</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Header</fielddescr>
+ <fieldname>header</fieldname>
+ <type>input</type>
+ <size>15</size>
+ </rowhelperfield>
</rowhelper>
</field>
<field>
<fielddescr>List Action</fielddescr>
- <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br />
+ <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br />
Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br />
<strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br />
@@ -292,12 +292,12 @@
<strong><u>'Alias' Rules:</u></strong><br />
<strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else).
This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired.
- <ul><li><strong>Options &nbsp;&nbsp; - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
+ <ul><li><strong>Options - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
<li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br />
<li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br />
<li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul>
<strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and Use the 'Exact' spelling of
- the Alias (no trailing Whitespace)&nbsp;</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
+ the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if
using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule
Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom
Alias Configuration<br />]]>
@@ -324,8 +324,8 @@
<field>
<fielddescr>Update Frequency</fielddescr>
<fieldname>cron</fieldname>
- <description><![CDATA[Default:<strong>Never</strong><br />
- Select how often List files will be downloaded]]>
+ <description><![CDATA[Default: <strong>Never</strong><br />
+ Select how often List files will be downloaded. <strong>This must be within the Cron Interval/Start Hour settings.</strong>]]>
</description>
<type>select</type>
<options>
@@ -344,7 +344,7 @@
<field>
<fielddescr>Weekly (Day of Week)</fielddescr>
<fieldname>dow</fieldname>
- <description><![CDATA[Default:<strong>1</strong><br />
+ <description><![CDATA[Default: <strong>Monday</strong><br />
Select the 'Weekly' ( Day of the Week ) to Update <br />
This is only required for the 'Weekly' Frequency Selection. The 24 Hour Download 'Time' will be used.]]>
</description>
@@ -362,7 +362,7 @@
<field>
<fielddescr>Enable Logging</fielddescr>
<fieldname>aliaslog</fieldname>
- <description><![CDATA[Default:<strong>Enable</strong><br />
+ <description><![CDATA[Default: <strong>Enable</strong><br />
Select - Logging to Status: System Logs: FIREWALL ( Log )<br />
This can be overriden by the 'Global Logging' Option in the General Tab.]]>
</description>
@@ -373,6 +373,85 @@
</options>
</field>
<field>
+ <name>Advanced Inbound Firewall Rule Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <type>info</type>
+ <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br />
+ <ul>Inbound &nbsp;&nbsp;- 'any' port, 'any' protocol and 'any' destination<br />
+ Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul>
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br />
+ <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]>
+ </description>
+ </field>
+ <field>
+ <fieldname>autoports</fieldname>
+ <fielddescr>Enable Custom Port</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasports</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Define Alias</fielddescr>
+ <fieldname>aliasports</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a>
+ Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>port</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fieldname>autodest</fieldname>
+ <fielddescr>Enable Custom Destination</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasdest,autonot</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fieldname>aliasdest</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a>
+ Do not manually enter Addresses(es). <br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>network</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields/>
+ </field>
+ <field>
+ <fielddescr>Invert</fielddescr>
+ <fieldname>autonot</fieldname>
+ <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br />
+ ie - Not (!) Destination Address(es)</div>]]>
+ </description>
+ <type>checkbox</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fielddescr>Custom Protocol</fielddescr>
+ <fieldname>autoproto</fieldname>
+ <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description>
+ <type>select</type>
+ <options>
+ <option><name>any</name><value></value></option>
+ <option><name>TCP</name><value>tcp</value></option>
+ <option><name>UDP</name><value>udp</value></option>
+ <option><name>TCP/UDP</name><value>tcp/udp</value></option>
+ </options>
+ <size>4</size>
+ <default_value></default_value>
+ </field>
+ <field>
<name>IPv4 Custom list</name>
<type>listtopic</type>
</field>
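Review bot: The `autonot` (Invert) checkbox is only tied to `autodest` through `<enablefields>` in the GUI, so a saved config can carry `autonot=on` after `autodest` is later unchecked; the rule generator in pfblockerng.inc (not in this hunk) should treat `autonot` as meaningful only when `autodest` is also set, otherwise a "not destination" inbound rule could be emitted unintentionally. The `aliasdest` field also lacks a `<fielddescr>` that its sibling `aliasports` has ("Define Alias"); harmless with `<dontdisplayname/>`, but add one for consistency, e.g. `<fielddescr>Define Alias</fielddescr>`. The same block is duplicated verbatim in pfblockerng_v6lists.xml at the hunk ending L7326, so both copies need the same treatment.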
@@ -394,18 +473,19 @@
<field>
<fielddescr>Update Custom List</fielddescr>
<fieldname>custom_update</fieldname>
- <description><![CDATA[Default:<strong>Disable</strong><br />
- select - Enable Update if changes are made to this List. Cron will also resync this list at the next Scheduled Update.]]>
+ <description><![CDATA[Select - '<strong>Default</strong>' to update Custom List as per Update Frequency setting.<br />
+ Select - '<strong>Update Custom List</strong>' followed by a 'Force Update' to apply Custom List Changes.<br />
+ Cron will also resync this Custom List at the next Update Frequency.]]>
</description>
<type>select</type>
<options>
- <option><name>Disable</name><value>disabled</value></option>
- <option><name>Enable</name><value>enabled</value></option>
+ <option><name>Default</name><value>disabled</value></option>
+ <option><name>Update Custom List</name><value>enabled</value></option>
</options>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]></name>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
diff --git a/config/pfblockerng/pfblockerng_v6lists.xml b/config/pfblockerng/pfblockerng_v6lists.xml
index 10a866c0..3e9dbe6f 100644
--- a/config/pfblockerng/pfblockerng_v6lists.xml
+++ b/config/pfblockerng/pfblockerng_v6lists.xml
@@ -54,6 +54,7 @@
<version>1.0</version>
<title>pfBlockerNG: IPv6 Alias/List Configuration</title>
<include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
+ <addedit_string>pfBlockerNG: Save IPv6 settings</addedit_string>
<menu>
<name>pfBlockerNG</name>
<tooltiptext></tooltiptext>
@@ -118,7 +119,7 @@
<tab>
<text>P.S.</text>
<url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_ProxyandSatellite.xml&amp;id=0</url>
- </tab>
+ </tab>
<tab>
<text>Logs</text>
<url>/pfblockerng/pfblockerng_log.php</url>
@@ -149,6 +150,8 @@
<fielddescr>Logging</fielddescr>
<fieldname>aliaslog</fieldname>
</columnitem>
+ <addtext>Add a new Alias</addtext>
+ <movable>on</movable>
</adddeleteeditpagefields>
<fields>
<field>
@@ -157,15 +160,15 @@
</field>
<field>
<fielddescr>LINKS</fielddescr>
- <fieldname>none</fieldname>
- <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp; <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
+ <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
+ <a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
</description>
<type>info</type>
</field>
<field>
<fielddescr>Alias Name</fielddescr>
<fieldname>aliasname</fieldname>
- <description><![CDATA[Enter lists Alias Names.<br />
+ <description><![CDATA[Enter Alias Name.<br />
Example: Badguys<br />
Do not include <strong>'pfBlocker' or 'pfB_'</strong> in the Alias Name, it's done by package.<br />
<strong>International, special or space characters will be ignored in firewall alias names.
@@ -181,38 +184,35 @@
<size>90</size>
</field>
<field>
- <fieldname>InfoLists</fieldname>
<type>info</type>
- <description><![CDATA[<strong><u>'Format'</u></strong> : Select the Format Type<br /><br />
- <strong><u>'URL'</u></strong> : Add direct link to list:
+ <description><![CDATA[<strong><u>'Format'</u></strong>: Select the Format Type<br /><br />
+ <strong><u>'URL'</u></strong>: Add direct link to list:
Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>,
<a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>,
<a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a><br /><br />
- <strong><u>'pfSense Local File'</u></strong> Format :<br /><br />
- &nbsp;&nbsp;http(s)://127.0.0.1/NAME_OF_FILE &nbsp;&nbsp;<strong>or</strong>&nbsp;&nbsp;
+ <strong><u>'pfSense Local File'</u></strong> Format:<br /><br />
+ &nbsp;&nbsp;http(s)://127.0.0.1/NAME_OF_FILE &nbsp;&nbsp;<strong>or</strong>&nbsp;&nbsp;
/usr/local/www/NAME_OF_FILE &nbsp;&nbsp; (Files can also be placed in the /var/db/pfblockerng folders)<br /><br />
- <strong><u>'Header'</u></strong> : The <u>'Header' Field</u> must be <u>Unique</u>, it will
+ <strong><u>'Header'</u></strong>: The <u>'Header' Field</u> must be <u>Unique</u>, it will
name the List File and it will be referenced in the pfBlockerNG Widget.
Use a Unique Prefix per 'Alias Category' followed by a unique descriptor for each List.<br /><br />]]>
</description>
</field>
<field>
<fielddescr><![CDATA[<strong>IPv6</strong> Lists]]></fielddescr>
- <fieldname>none</fieldname>
- <description><![CDATA[<br /><strong>'Format'</strong> - Choose the file format that URL will retrieve.<br />
-
- <ul><li><strong>'txt'</strong> Plain txt Lists</li><br />
- <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only.</li><br />
- <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only.</li><br />
- <li><strong>'zip'</strong> - ZIP'd Lists</li><br />
- <li><strong>'block'</strong>- IP x.x.x.0 Block type</li><br />
- <li><strong>'html'</strong> - Web Links</li><br />
- <li><strong>'xlsx'</strong> - Excel Lists</li><br />
- <li><strong>'rsync'</strong> - RSync Lists</li><br />
- <strong>'State'</strong> - Select the Run State for each list.<br />
- <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li><br />
- <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static.</li></ul>
+ <description><![CDATA[<br /><strong>'Format'</strong> - Select the file format that URL will retrieve.<br />
+ <ul><li><strong>'txt'</strong> Plain txt Lists</li>
+ <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only</li>
+ <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only</li>
+ <li><strong>'zip'</strong> - ZIP'd Lists</li>
+ <li><strong>'block'</strong>- IP x.x.x.0 Block type</li>
+ <li><strong>'html'</strong> - Web Links</li>
+ <li><strong>'xlsx'</strong> - Excel Lists</li>
+ <li><strong>'rsync'</strong> - RSync Lists</li>
+ <strong>'State'</strong> - Select the Run State for each list<br />
+ <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li>
+ <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static</li></ul>
<strong>'Note' -</strong> Downloaded or pfsense local file must have only one network per line and follows the syntax below:
<ul>Network ranges: <strong> TBC </strong><br />
IP Address: <strong> TBC </strong><br />
@@ -220,48 +220,48 @@
</description>
<type>rowhelper</type>
<rowhelper>
- <rowhelperfield>
- <fielddescr>Format</fielddescr>
- <fieldname>format</fieldname>
- <type>select</type>
- <options>
- <option><name>txt</name><value>txt</value></option>
- <option><name>gz</name><value>gz</value></option>
- <option><name>gz_2</name><value>gz_2</value></option>
- <option><name>zip</name><value>zip</value></option>
- <option><name>block</name><value>block</value></option>
- <option><name>html</name><value>html</value></option>
- <option><name>xlsx</name><value>xlsx</value></option>
- <option><name>RSync</name><value>rsync</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>State</fielddescr>
- <fieldname>state</fieldname>
- <type>select</type>
- <options>
- <option><name>ON</name><value>Enabled</value></option>
- <option><name>OFF</name><value>Disabled</value></option>
- <option><name>HOLD</name><value>Hold</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>URL or pfSense local file</fielddescr>
- <fieldname>url</fieldname>
- <type>input</type>
- <size>50</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Header</fielddescr>
- <fieldname>header</fieldname>
- <type>input</type>
- <size>15</size>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Format</fielddescr>
+ <fieldname>format</fieldname>
+ <type>select</type>
+ <options>
+ <option><name>txt</name><value>txt</value></option>
+ <option><name>gz</name><value>gz</value></option>
+ <option><name>gz_2</name><value>gz_2</value></option>
+ <option><name>zip</name><value>zip</value></option>
+ <option><name>block</name><value>block</value></option>
+ <option><name>html</name><value>html</value></option>
+ <option><name>xlsx</name><value>xlsx</value></option>
+ <option><name>RSync</name><value>rsync</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>State</fielddescr>
+ <fieldname>state</fieldname>
+ <type>select</type>
+ <options>
+ <option><name>ON</name><value>Enabled</value></option>
+ <option><name>OFF</name><value>Disabled</value></option>
+ <option><name>HOLD</name><value>Hold</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>URL or pfSense local file</fielddescr>
+ <fieldname>url</fieldname>
+ <type>input</type>
+ <size>50</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Header</fielddescr>
+ <fieldname>header</fieldname>
+ <type>input</type>
+ <size>15</size>
+ </rowhelperfield>
</rowhelper>
</field>
<field>
<fielddescr>List Action</fielddescr>
- <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br />
+ <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br />
Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br />
<strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br />
@@ -287,7 +287,7 @@
<strong><u>'Alias' Rules:</u></strong><br />
<strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else).
This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired.
- <ul><li><strong>Options &nbsp;&nbsp; - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
+ <ul><li><strong>Options - Alias Deny,&nbsp; Alias Permit,&nbsp; Alias Match,&nbsp; Alias Native</strong></li><br />
<li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br />
<li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br />
<li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul>
@@ -319,8 +319,8 @@
<field>
<fielddescr>Update Frequency</fielddescr>
<fieldname>cron</fieldname>
- <description><![CDATA[Default:<strong>Never</strong><br />
- Select how often List files will be downloaded]]>
+ <description><![CDATA[Default: <strong>Never</strong><br />
+ Select how often List files will be downloaded. <strong>This must be within the Cron Interval/Start Hour settings.</strong>]]>
</description>
<type>select</type>
<options>
@@ -339,7 +339,7 @@
<field>
<fielddescr>Weekly (Day of Week)</fielddescr>
<fieldname>dow</fieldname>
- <description><![CDATA[Default:<strong>1</strong><br />
+ <description><![CDATA[Default: <strong>Monday</strong><br />
Select the 'Weekly' ( Day of the Week ) to Update <br />
This is only required for the 'Weekly' Frequency Selection. The 24 Hour Download 'Time' will be used.]]>
</description>
@@ -357,7 +357,7 @@
<field>
<fielddescr>Enable Logging</fielddescr>
<fieldname>aliaslog</fieldname>
- <description><![CDATA[Default:<strong>Enable</strong><br />
+ <description><![CDATA[Default: <strong>Enable</strong><br />
Select - Logging to Status: System Logs: FIREWALL ( Log )<br />
This can be overriden by the 'Global Logging' Option in the General Tab.]]>
</description>
@@ -368,6 +368,85 @@
</options>
</field>
<field>
+ <name>Advanced Inbound Firewall Rule Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <type>info</type>
+ <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br />
+ <ul>Inbound &nbsp;&nbsp;- 'any' port, 'any' protocol and 'any' destination<br />
+ Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul>
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br />
+ <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]>
+ </description>
+ </field>
+ <field>
+ <fieldname>autoports</fieldname>
+ <fielddescr>Enable Custom Port</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasports</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fielddescr>Define Alias</fielddescr>
+ <fieldname>aliasports</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a>
+ Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>port</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fieldname>autodest</fieldname>
+ <fielddescr>Enable Custom Destination</fielddescr>
+ <type>checkbox</type>
+ <enablefields>aliasdest,autonot</enablefields>
+ <usecolspan2/>
+ <combinefields>begin</combinefields>
+ </field>
+ <field>
+ <fieldname>aliasdest</fieldname>
+ <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a>
+ Do not manually enter Addresses(es). <br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
+ </description>
+ <size>21</size>
+ <type>aliases</type>
+ <typealiases>network</typealiases>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields/>
+ </field>
+ <field>
+ <fielddescr>Invert</fielddescr>
+ <fieldname>autonot</fieldname>
+ <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br />
+ ie - Not (!) Destination Address(es)</div>]]>
+ </description>
+ <type>checkbox</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ <combinefields>end</combinefields>
+ </field>
+ <field>
+ <fielddescr>Custom Protocol</fielddescr>
+ <fieldname>autoproto</fieldname>
+ <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description>
+ <type>select</type>
+ <options>
+ <option><name>any</name><value></value></option>
+ <option><name>TCP</name><value>tcp</value></option>
+ <option><name>UDP</name><value>udp</value></option>
+ <option><name>TCP/UDP</name><value>tcp/udp</value></option>
+ </options>
+ <size>4</size>
+ <default_value></default_value>
+ </field>
+ <field>
<name>IPv6 Custom list</name>
<type>listtopic</type>
</field>
@@ -389,18 +468,19 @@
<field>
<fielddescr>Update Custom List</fielddescr>
<fieldname>custom_update</fieldname>
- <description><![CDATA[Default:<strong>Disable</strong><br />
- Select - Enable Update if changes are made to this List. Cron will also resync this list at the next Scheduled Update.]]>
+ <description><![CDATA[Select - '<strong>Default</strong>' to update Custom List as per Update Frequency setting.<br />
+ Select - '<strong>Update Custom List</strong>' followed by a 'Force Update' to apply Custom List Changes.<br />
+ Cron will also resync this Custom List at the next Update Frequency.]]>
</description>
<type>select</type>
<options>
- <option><name>Disable</name><value>disabled</value></option>
- <option><name>Enable</name><value>enabled</value></option>
+ <option><name>Default</name><value>disabled</value></option>
+ <option><name>Update Custom List</name><value>enabled</value></option>
</options>
</field>
<field>
- <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
- 'Force Update'</ul>]]></name>
+ <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Changes are Applied via CRON or
+ 'Force Update'</center>]]></name>
<type>listtopic</type>
</field>
</fields>
diff --git a/config/pfflowd/pfflowd.xml b/config/pfflowd/pfflowd.xml
index 2470e2b2..0a683bba 100644
--- a/config/pfflowd/pfflowd.xml
+++ b/config/pfflowd/pfflowd.xml
@@ -1,6 +1,6 @@
<packagegui>
<name>pfflowd</name>
- <version>0.8.3 pkg v1.0.1</version>
+ <version>1.0.3</version>
<title>pfflowd: Settings</title>
<aftersaveredirect>pkg_edit.php?xml=pfflowd.xml&amp;id=0</aftersaveredirect>
<menu>
diff --git a/config/siproxd/siproxd.inc b/config/siproxd/siproxd.inc
index e873e08d..53dc7a2d 100644
--- a/config/siproxd/siproxd.inc
+++ b/config/siproxd/siproxd.inc
@@ -81,7 +81,7 @@ function siproxd_generate_rules($type) {
$ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces);
$rtplower = ($siproxd_conf['rtplower'] ? $siproxd_conf['rtplower'] : 7070);
$rtpupper = ($siproxd_conf['rtpupper'] ? $siproxd_conf['rtpupper'] : 7079);
- $port = ($siproxd_conf['proxy_port'] ? $siproxd_conf['proxy_port'] : 5060);
+ $port = ($siproxd_conf['port'] ? $siproxd_conf['port'] : 5060);
switch($type) {
case 'nat':
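Review bot: The new `$port` line still accepts whatever is stored in the config key `port` as long as it is truthy, and the three port values are presumably interpolated into pf rules further down in siproxd_generate_rules, which continues outside the hunk; a non-numeric or out-of-range value would produce a broken ruleset rather than a clear error. Consider validating before use, e.g. `$port = is_port($siproxd_conf['port']) ? $siproxd_conf['port'] : 5060;`, and the same for `rtplower`/`rtpupper` (unchanged here).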
diff --git a/config/snort/deprecated_rules b/config/snort/deprecated_rules
new file mode 100644
index 00000000..3d8b2c3f
--- /dev/null
+++ b/config/snort/deprecated_rules
@@ -0,0 +1,62 @@
+#
+# Obsoleted Snort VRT rule categories
+#
+snort_attack-responses.rules
+snort_backdoor.rules
+snort_bad-traffic.rules
+snort_botnet-cnc.rules
+snort_chat.rules
+snort_ddos.rules
+snort_dns.rules
+snort_dos.rules
+snort_experimental.rules
+snort_exploit.rules
+snort_finger.rules
+snort_ftp.rules
+snort_icmp-info.rules
+snort_icmp.rules
+snort_imap.rules
+snort_info.rules
+snort_misc.rules
+snort_multimedia.rules
+snort_mysql.rules
+snort_nntp.rules
+snort_oracle.rules
+snort_other-ids.rules
+snort_p2p.rules
+snort_phishing-spam.rules
+snort_policy.rules
+snort_pop2.rules
+snort_pop3.rules
+snort_rpc.rules
+snort_rservices.rules
+snort_scada.rules
+snort_scan.rules
+snort_shellcode.rules
+snort_smtp.rules
+snort_snmp.rules
+snort_specific-threats.rules
+snort_spyware-put.rules
+snort_telnet.rules
+snort_tftp.rules
+snort_virus.rules
+snort_voip.rules
+snort_web-activex.rules
+snort_web-attacks.rules
+snort_web-cgi.rules
+snort_web-client.rules
+snort_web-coldfusion.rules
+snort_web-frontpage.rules
+snort_web-iis.rules
+snort_web-misc.rules
+snort_web-php.rules
+#
+# Obsoleted Emerging Threats Categories
+#
+emerging-rbn-malvertisers.rules
+emerging-rbn.rules
+#
+# Obsoleted Emerging Threats PRO Categories
+#
+etpro-rbn-malvertisers.rules
+etpro-rbn.rules
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 64ab6ea5..027207b1 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -40,19 +40,16 @@ require_once("filter.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
-ini_set("memory_limit", "256M");
+ini_set("memory_limit", "384M");
// Explicitly declare this as global so it works through function call includes
-global $g, $config, $rebuild_rules, $pfSense_snort_version;
+global $g, $config, $rebuild_rules;
// Grab the Snort binary version programmatically, but if that fails use a safe default
$snortver = array();
$snortbindir = SNORT_PBI_BINDIR;
exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
-/* get installed package version for display */
-$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
-
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
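Review bot: Dropping `$snort_package_version` and the `$pfSense_snort_version` global is an interface change for every page that includes snort.inc; nothing in this hunk shows the remaining readers were updated, so confirm with a grep across config/snort before merging. If they are gone, the comment on the `exec()` line would benefit from noting that `$snortver[0]` is the only version source left.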
@@ -3671,6 +3668,73 @@ function snort_generate_conf($snortcfg) {
unset($home_net, $external_net, $ipvardef, $portvardef);
}
+function snort_remove_dead_rules() {
+
+ /********************************************************/
+ /* This function removes dead and deprecated rules */
+ /* category files from the base Snort rules directory */
+ /* and from the RULESETS setting of each interface. */
+ /* The file "deprecated_rules", if it exists, is used */
+ /* to determine which rules files to remove. */
+ /********************************************************/
+
+ global $config, $g;
+ $rulesdir = SNORTDIR . "/rules/";
+ $count = 0;
+ $cats = array();
+
+ // If there is no "deprecated_rules" file, then exit
+ if (!file_exists("{$rulesdir}deprecated_rules"))
+ return;
+
+ // Open a SplFileObject to read in deprecated rules
+ $file = new SplFileObject("{$rulesdir}/deprecated_rules");
+ $file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE);
+ while (!$file->eof()) {
+ $line = $file->fgets();
+
+ // Skip any lines with just spaces
+ if (trim($line) == "")
+ continue;
+
+ // Skip any comment lines starting with '#'
+ if (preg_match('/^\s*\#+/', $line))
+ continue;
+
+ $cats[] = $line;
+ }
+
+ // Close the SplFileObject since we are finished with it
+ $file = null;
+
+ // Delete any dead rules files from the Snort RULES directory
+ foreach ($cats as $file) {
+ if (file_exists("{$rulesdir}{$file}"))
+ $count++;
+ unlink_if_exists("{$rulesdir}{$file}");
+ }
+
+ // Log how many obsoleted files were removed
+ log_error(gettext("[Snort] Removed {$count} obsoleted rules category files."));
+
+ // Now remove any dead rules files from the interface configurations
+ if (!empty($cats) && is_array($config['installedpackages']['snortglobal']['rule'])) {
+ foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) {
+ $enabled_rules = explode("||", $iface['rulesets']);
+ foreach ($enabled_rules as $k => $v) {
+ foreach ($cats as $d) {
+ if (strpos(trim($v), $d) !== false)
+ unset($enabled_rules[$k]);
+ }
+ }
+ $iface['rulesets'] = implode("||", $enabled_rules);
+ }
+ }
+
+ // Clean up
+ unset($cats, $enabled_rules);
+}
+
/* Uses XMLRPC to synchronize the changes to a remote node */
function snort_sync_on_changes() {
global $config, $g;
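Review bot: The by-reference loop `foreach (... as &$iface)` at L7520 leaves `$iface` bound to the last array element after the loop, and the clean-up at L7533 does not release it; add `unset($iface);` after the loop, since a later by-value `foreach` over the same array in this scope would overwrite that element. At L7524 a substring test (`strpos(trim($v), $d) !== false`) is used to match category names read from the file, which is fragile against partial names and trailing `\r` on CRLF files; an exact comparison `if (trim($v) === trim($d))` matches the intent of removing exactly the listed categories. The file names read from `deprecated_rules` are passed straight to `unlink_if_exists()` at L7512, so restricting each line to a bare file name before accepting it (`if (basename($line) !== $line) continue;`) keeps a malformed entry from touching anything outside the rules directory. Minor: L7489 opens `"{$rulesdir}/deprecated_rules"` while L7485 checks `"{$rulesdir}deprecated_rules"`; `$rulesdir` already ends in `/`. The function changes `$config` in memory but calls no `write_config()`, and the caller added in snort_check_for_rule_updates.php (hunk ending L7646) does not either in the visible lines — confirm the trimmed rulesets are persisted.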
@@ -3807,6 +3871,38 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
if (!empty($sid_files) && $error == "")
log_error("[snort] Snort pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
+ /*************************************************/
+ /* Send over any IPREP IP List files */
+ /*************************************************/
+ $sid_files = glob(SNORT_IPREP_PATH . '*');
+ foreach ($sid_files as $file) {
+ $content = base64_encode(file_get_contents($file));
+ $payload = "@file_put_contents('{$file}', base64_decode('{$content}'));";
+
+ /* assemble xmlrpc payload */
+ $method = 'pfsense.exec_php';
+ $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
+
+ log_error("[snort] Snort XMLRPC CARP sync sending IPREP files to {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "";
+ if(!$resp) {
+ $error = "A communications error occurred while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $error = "An error code was received while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ }
+ }
+
+ if (!empty($sid_files) && $error == "")
+ log_error("[snort] Snort pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+
/**************************************************/
/* Send over the <snortglobal> portion of the */
/* config.xml. $xml will hold section to sync. */
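Review bot: `$error` is reset to `""` on every iteration at L7559, so the summary at L7571 reports success whenever the last file transferred, even if an earlier one failed; move `$error = "";` before the `foreach` or track failures with a separate flag. The file path at L7548 is interpolated into PHP source that the remote node executes, and a path containing a single quote would break or alter that code; emit it as a proper literal, e.g. `$payload = "@file_put_contents(" . var_export($file, true) . ", base64_decode('{$content}'));";`. Reusing `$sid_files` for the IPREP glob is a readability wart — `$iprep_files` would match the log text. snort_do_xmlrpc_sync continues outside this hunk.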
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 1f1a7d24..6c70b39e 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,8 +46,8 @@
<requirements>None</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.7.2</version>
- <title>Services:2.9.7.2 pkg v3.2.4</title>
+ <version>2.9.7.3</version>
+ <title>Services:2.9.7.3 pkg v3.2.6</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -94,6 +94,11 @@
<item>https://packages.pfsense.org/packages/config/snort/snort_sync.xml</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/deprecated_rules</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/snort/</prefix>
<chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/snort/snort_alerts.php</item>
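Review bot: This installs `deprecated_rules` under `/usr/local/pkg/snort/`, but `snort_remove_dead_rules()` (snort.inc hunk ending L7538) looks for it under `SNORTDIR . "/rules/"`; unless SNORTDIR resolves to `/usr/local/pkg/snort` or the rule-update code copies the file into the rules directory (neither is visible here), the function will return early at its `file_exists` check and never remove anything. Either point the function at this prefix or document where the copy happens, e.g. with a comment on the `$rulesdir` line in snort.inc.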
diff --git a/config/snort/snort_alerts.widget.php b/config/snort/snort_alerts.widget.php
index 96c70562..2b7a10c7 100644
--- a/config/snort/snort_alerts.widget.php
+++ b/config/snort/snort_alerts.widget.php
@@ -125,7 +125,10 @@ function snort_widget_get_alerts() {
/* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
/* File format: timestamp,generator_id,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
- $fd = fopen("/tmp/alert_snort{$snort_uuid}", "r");
+ if (!$fd = fopen("/tmp/alert_snort{$snort_uuid}", "r")) {
+ log_error(gettext("[Snort Widget] Failed to open file /tmp/alert_snort{$snort_uuid}"));
+ continue;
+ }
while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
if(count($fields) < 13)
continue;
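Review bot: The guard `if (!$fd = fopen(...))` relies on `!` binding to the whole assignment, which reads as a typo to most maintainers; the conventional form is `if (($fd = fopen("/tmp/alert_snort{$snort_uuid}", "r")) === false) {`. Wrapping an interpolated string in `gettext()` also prevents the message from ever matching a translation catalogue; keep the variable outside the translatable text. The `continue` implies an enclosing loop that starts outside this hunk, so whether `$fd` is closed on the success path cannot be checked here.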
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 842e39d5..0c4543cd 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -203,9 +203,11 @@ function snort_download_file_url($url, $file_out) {
}
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)");
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
- curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
+ curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36");
+ curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1");
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
// Use the system proxy server setttings if configured
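Review bot: `CURLOPT_SSL_VERIFYHOST` takes an integer and `true` is coerced to 1, which only checks that a common name exists (or is rejected outright by libcurl 7.28.1–7.65); hostname verification requires `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);`. `CURLOPT_SSL_CIPHER_LIST` with `"TLSv1.2, TLSv1"` selects OpenSSL cipher-suite groups rather than restricting the protocol version; if the intent is to require TLS, `CURLOPT_SSLVERSION` is the option for that, and the cipher list can then be dropped. Turning `CURLOPT_SSL_VERIFYPEER` on is the right change; consider a comment on that line recording that peer verification depends on the system CA bundle being present.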
@@ -680,6 +682,12 @@ if ($emergingthreats == 'on') {
}
}
+// If removing deprecated rules categories, then do it
+if ($config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on") {
+ log_error(gettext("[Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories."));
+ snort_remove_dead_rules();
+}
+
function snort_apply_customizations($snortcfg, $if_real) {
global $vrt_enabled, $rebuild_rules;
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index ee463ac9..0d24f197 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -107,11 +107,15 @@ if ($_POST['save']) {
foreach ($snort_servers as $key => $server) {
if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"]))
- $input_errors[] = "Only aliases are allowed";
+ $input_errors[] = "Only aliases are allowed.";
+ if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+ $input_errors[] = "FQDN aliases are not allowed in Snort.";
}
foreach ($snort_ports as $key => $server) {
if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"]))
- $input_errors[] = "Only aliases are allowed";
+ $input_errors[] = "Only aliases are allowed.";
+ if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+ $input_errors[] = "FQDN aliases are not allowed in Snort.";
}
/* if no errors write to conf */
if (!$input_errors) {
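Review bot: The new FQDN-alias rejection is written out four times — twice in this hunk and again in snort_passlist_edit.php and snort_preprocessors.php — and the copies already disagree: here the message is "FQDN aliases are not allowed in Snort." with no `gettext()`, while the passlist copy says "not supported" and is wrapped in `gettext()`. A helper such as `snort_is_fqdn_alias($name)` returning `is_alias($name) && trim(filter_expand_alias($name)) == ""` would make each site one line and keep the wording uniform, e.g. `$input_errors[] = gettext("FQDN aliases are not supported in Snort.");`. The test itself treats any alias that expands to nothing as an FQDN alias, which presumably also fires for an alias that is simply empty; if that distinction matters, the message should say the alias resolved to no addresses rather than name FQDNs.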
@@ -142,6 +146,9 @@ if ($_POST['save']) {
/* Soft-restart Snort to live-load new variables. */
snort_reload_config($a_nat[$id]);
+ /* Sync to configured CARP slaves if any are enabled */
+ snort_sync_on_changes();
+
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc
index 912fa3d3..3f5c82e5 100644
--- a/config/snort/snort_defs.inc
+++ b/config/snort/snort_defs.inc
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013,2014 Bill Meeks
+ * Copyright (C) 2013-2015 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -55,7 +55,7 @@ if (!defined("SNORT_BIN_VERSION")) {
if (!empty($snortver[0]))
define("SNORT_BIN_VERSION", $snortver[0]);
else
- define("SNORT_BIN_VERSION", "2.9.7.2");
+ define("SNORT_BIN_VERSION", "2.9.7.3");
}
if (!defined("SNORT_SID_MODS_PATH"))
define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index 297e833b..646697bf 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -876,9 +876,9 @@ if (is_array($snortcfg['wlist_files']['item'])) {
}
}
if (!empty($blist_files))
- $ip_lists = $blist_files;
+ $ip_lists = ", \\ \n\t" . $blist_files;
if (!empty($wlist_files))
- $ip_lists .= ", \\ \n" . $wlist_files;
+ $ip_lists .= ", \\ \n\t" . $wlist_files;
if ($snortcfg['iprep_scan_local'] == 'on')
$ip_lists .= ", \\ \n\tscan_local";
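Review bot: `$ip_lists` is only assigned when `$blist_files` is non-empty, so the `.=` in the next two branches concatenates onto an undefined variable when only a whitelist or only `iprep_scan_local` is configured; unless it is initialised above this hunk, add `$ip_lists = "";` before the first `if`. The new leading `", \\ \n\t"` prefix means the heredoc line `white {$snortcfg['iprep_white']}{$ip_lists}` in the following hunk ends cleanly when no lists are set, which is the right shape; the initialisation just keeps that path notice-free.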
@@ -888,8 +888,7 @@ preprocessor reputation: \
memcap {$snortcfg['iprep_memcap']}, \
priority {$snortcfg['iprep_priority']}, \
nested_ip {$snortcfg['iprep_nested_ip']}, \
- white {$snortcfg['iprep_white']}, \
- {$ip_lists}
+ white {$snortcfg['iprep_white']}{$ip_lists}
EOD;
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index 38471ef0..803c1491 100755
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -125,7 +125,7 @@ if ($_POST['toggle'] && is_numericint($_POST['id'])) {
sleep(3); // So the GUI reports correctly
}
-$pgtitle = "Services: $snort_package_version";
+$pgtitle = "Services: Snort " . SNORT_BIN_VERSION . " pkg v{$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
include_once("head.inc");
?>
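Review bot: The new `$pgtitle` indexes `$config['installedpackages']['package']` directly with the result of `get_pkg_id("snort")`, so when the package entry is absent (mid-install or after a partial removal) the lookup hits a non-existent index and the title shows an empty version; if I recall pfSense's pkg-utils.inc correctly, that helper returns -1 for not found. Fetch the id once and guard it, e.g. `$pkgid = get_pkg_id("snort");` and `$pkgver = ($pkgid >= 0) ? $config['installedpackages']['package'][$pkgid]['version'] : "";`, then interpolate `$pkgver` into the title.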
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 6c1d56ac..b2ecefee 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -60,6 +60,7 @@ else {
$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
$pconfig['verbose_logging'] = $config['installedpackages']['snortglobal']['verbose_logging'] == "on" ? 'on' : 'off';
$pconfig['openappid_detectors'] = $config['installedpackages']['snortglobal']['openappid_detectors'] == "on" ? 'on' : 'off';
+ $pconfig['hide_deprecated_rules'] = $config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on" ? 'on' : 'off';
}
/* Set sensible values for any empty default params */
@@ -100,6 +101,7 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['verbose_logging'] = $_POST['verbose_logging'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['openappid_detectors'] = $_POST['openappid_detectors'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['hide_deprecated_rules'] = $_POST['hide_deprecated_rules'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
// from the active rules section of each interface. Start
@@ -136,6 +138,12 @@ if (!$input_errors) {
}
}
+ // If deprecated rules should be removed, then do it
+ if ($config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on") {
+ log_error(gettext("[Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories."));
+ snort_remove_dead_rules();
+ }
+
$config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
$config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code'];
@@ -334,6 +342,13 @@ if ($input_errors)
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Hide Deprecated Rules Categories"); ?></td>
+ <td width="78%" class="vtable"><input name="hide_deprecated_rules" id="hide_deprecated_rules" type="checkbox" value="yes"
+ <?php if ($pconfig['hide_deprecated_rules']=="on") echo "checked"; ?> />
+ &nbsp;&nbsp;<?php echo gettext("Hide deprecated rules categories in the GUI and remove them from the configuration. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>" . gettext("."); ?></td>
+</tr>
+<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td>
</tr>
<tr>
diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php
index 4c3065a0..c190b0e6 100644
--- a/config/snort/snort_ip_reputation.php
+++ b/config/snort/snort_ip_reputation.php
@@ -170,6 +170,9 @@ if ($_POST['save'] || $_POST['apply']) {
snort_reload_config($a_nat[$id]);
$pconfig = $natent;
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
+
// We have saved changes and done a soft restart, so clear "dirty" flag
clear_subsystem_dirty('snort_iprep');
}
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index 941a8151..ae1daf6a 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -117,6 +117,14 @@ if (empty($config['installedpackages']['snortglobal']['openappid_detectors'])) {
}
/**********************************************************/
+/* Create new HIDE_DEPRECATED_RULES setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['hide_deprecated_rules'])) {
+ $config['installedpackages']['snortglobal']['hide_deprecated_rules'] = "off";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
/* Migrate per interface settings if required. */
/**********************************************************/
foreach ($rule as &$r) {
@@ -533,7 +541,7 @@ unset($r);
// Log a message if we changed anything
if ($updated_cfg) {
- $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.4";
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.6";
log_error("[Snort] Settings successfully migrated to new configuration format...");
}
else
diff --git a/config/snort/snort_passlist_edit.php b/config/snort/snort_passlist_edit.php
index 9f95adb4..75724344 100644
--- a/config/snort/snort_passlist_edit.php
+++ b/config/snort/snort_passlist_edit.php
@@ -155,9 +155,12 @@ if ($_POST['save']) {
}
}
- if ($_POST['address'])
+ if ($_POST['address']) {
if (!is_alias($_POST['address']))
- $input_errors[] = gettext("A valid alias must be provided");
+ $input_errors[] = gettext("A valid alias must be provided.");
+ if (is_alias($_POST['address']) && trim(filter_expand_alias($_POST['address'])) == "")
+ $input_errors[] = gettext("FQDN aliases are not supported in Snort.");
+ }
if (!$input_errors) {
$p_list = array();
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index f93f1c87..280f0efe 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -85,6 +85,9 @@ conf_mount_rw();
@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
//@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd");
+/* Move deprecated_rules file to SNORTDIR/rules directory */
+@rename("/usr/local/pkg/snort/deprecated_rules", "{$snortdir}/rules/deprecated_rules");
+
/* fix up the preprocessor rules filenames from a PBI package install */
$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
foreach ($preproc_rules as $file) {
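Review bot: The move of `deprecated_rules` into `{$snortdir}/rules/` is error-suppressed and its return value is ignored, so if that directory does not exist yet at this point of post-install the file is silently left behind and whatever later reads it — presumably the `snort_remove_dead_rules()` path enabled by `hide_deprecated_rules` — runs without it. Unlike the two `-sample` renames above it, this one crosses directories, so it is worth a check: `if (!@rename("/usr/local/pkg/snort/deprecated_rules", "{$snortdir}/rules/deprecated_rules")) log_error(gettext("[Snort] Could not move deprecated_rules file into the rules directory."));`. Whether `{$snortdir}/rules` is created earlier in this script is not visible in the hunk.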
@@ -245,9 +248,8 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
if (!($g['booting'])) {
if ($pkg_interface <> "console") {
update_status(gettext("Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Please wait while Snort is started..."));
- mwexec("{$rcdir}snort.sh start");
- update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+ mwexec_bg("{$rcdir}snort.sh start");
+ update_output_window(gettext("Snort is starting as a background task using the rebuilt configuration..."));
}
else
mwexec_bg("{$rcdir}snort.sh start");
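Review bot: After this change both branches of `if ($pkg_interface <> "console")` call `mwexec_bg("{$rcdir}snort.sh start")`, so only the status messages remain conditional; hoist the start call above the `if`, keep just `update_status(...)` and `update_output_window(...)` inside it, and drop the `else` branch. That reads as one action with optional progress output instead of two start paths to keep in sync.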
@@ -263,8 +265,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
$config['widgets']['sequence'] .= ",{$snort_widget_container}";
/* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.4";
-write_config("Snort pkg v3.2.4: post-install configuration saved.");
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.6";
+write_config("Snort pkg v3.2.6: post-install configuration saved.");
/* Done with post-install, so clear flag */
unset($g['snort_postinstall']);
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 9f6879ef..dd8ec660 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -80,6 +80,18 @@ $pconfig = array();
if (isset($id) && isset($a_nat[$id])) {
$pconfig = $a_nat[$id];
+ // Initialize multiple config engine arrays for supported preprocessors if necessary
+ if (!is_array($pconfig['frag3_engine']['item']))
+ $pconfig['frag3_engine']['item'] = array();
+ if (!is_array($pconfig['stream5_tcp_engine']['item']))
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ if (!is_array($pconfig['http_inspect_engine']['item']))
+ $pconfig['http_inspect_engine']['item'] = array();
+ if (!is_array($pconfig['ftp_server_engine']['item']))
+ $pconfig['ftp_server_engine']['item'] = array();
+ if (!is_array($pconfig['ftp_client_engine']['item']))
+ $pconfig['ftp_client_engine']['item'] = array();
+
/************************************************************/
/* To keep new users from shooting themselves in the foot */
/* enable the most common required preprocessors by default */
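Review bot: The five `if (!is_array($pconfig[...]['item'])) $pconfig[...]['item'] = array();` statements differ only in the engine key, so a loop states the intent once and is the natural place to add the next preprocessor: `foreach (array('frag3_engine', 'stream5_tcp_engine', 'http_inspect_engine', 'ftp_server_engine', 'ftp_client_engine') as $engine)` / `if (!is_array($pconfig[$engine]['item']))` / `$pconfig[$engine]['item'] = array();`. The comment above the block could then say why the arrays must exist, e.g. `// The per-engine tables below iterate these arrays, so an interface saved before multi-engine support needs empty ones` — if that is indeed the reason, which the hunk does not show.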
@@ -451,6 +463,12 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600.");
}
+ // Validate Portscan Ignore_Scanners parameter
+ if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanners'])) {
+ if (trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+ $input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter.");
+ }
+
/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
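Review bot: The new Ignore_Scanners validation expands the wrong variable: the `if` tests `$_POST['pscan_ignore_scanners']` but the inner check calls `filter_expand_alias($_POST["def_{$key}"])`, a leftover from the loop in snort_define_servers.php; `$key` is not set by this block, so the check reads either a stale value or an undefined index and will raise "FQDN aliases are not supported" for aliases that are fine, or miss the ones it should catch. It should be `if (trim(filter_expand_alias($_POST['pscan_ignore_scanners'])) == "")`. The enclosing `if ($_POST['save'])` block starts before this hunk.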
@@ -569,6 +587,9 @@ if ($_POST['save']) {
!empty($natent['host_attribute_data']))
snort_reload_config($natent, "SIGURG");
+ /* Sync to configured CARP slaves if any are enabled */
+ snort_sync_on_changes();
+
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -1500,10 +1521,10 @@ if ($savemsg) {
<?php
$values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers');
foreach ($values as $val): ?>
- <option value="<?=$val;?>"
- <?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>>
+ <option value="<?=$val;?>"
+ <?php if (strpos($pconfig['sdf_alert_data_type'], $val) !== FALSE) echo "selected"; ?>>
<?=gettext($val);?></option>
- <?php endforeach; ?>
+ <?php endforeach; ?>
</select><br/><?php echo gettext("Choose which types of sensitive data to detect. Use CTRL + Click for multiple selections."); ?><br/>
</td>
</tr>
diff --git a/config/squid/squid.inc b/config/squid/squid.inc
index 0ddd1645..8e87c7a1 100644
--- a/config/squid/squid.inc
+++ b/config/squid/squid.inc
@@ -94,7 +94,7 @@ function squid_dash_z() {
if(!is_dir($cachedir.'/')) {
log_error("Creating Squid cache dir $cachedir");
- make_dirs($cachedir);
+ @mkdir($cachedir, 0755, true);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
}
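Review bot: `@mkdir($cachedir, 0755, true)` both suppresses the error and discards the return value, so a failed create (bad path, read-only filesystem, permissions) is silent and the code goes on to `chown -R` a directory that is not there; the same pattern is introduced in the other three hunks of this file and in the squid3/31/squid.inc, squid3/33/squid.inc and squid3/34/squid.inc hunks. Keep the suppression if the notice is unwanted but test the result, e.g. `if (!@mkdir($cachedir, 0755, true) && !is_dir($cachedir))` followed by `log_error("Could not create Squid cache dir {$cachedir}");`. Whatever `make_dirs()` did on failure is not visible here, so this may be a regression in diagnostics rather than a neutral swap.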
@@ -223,7 +223,7 @@ function squid_install_command() {
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
SQUID_BASE ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
squid_chown_recursive($dir, 'proxy', 'proxy');
}
@@ -1153,7 +1153,7 @@ function squid_resync() {
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
SQUID_BASE ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
squid_chown_recursive($dir, 'proxy', 'proxy');
}
@@ -1163,7 +1163,7 @@ function squid_resync() {
if(!is_dir($log_dir)) {
log_error("Creating squid log dir $log_dir");
- make_dirs($log_dir);
+ @mkdir($log_dir, 0755, true);
squid_chown_recursive($log_dir, 'proxy', 'proxy');
}
diff --git a/config/squid3/31/squid.inc b/config/squid3/31/squid.inc
index ef346e1a..e6de88c4 100644
--- a/config/squid3/31/squid.inc
+++ b/config/squid3/31/squid.inc
@@ -112,7 +112,7 @@ function squid_dash_z() {
if(!is_dir($cachedir.'/')) {
log_error("Creating Squid cache dir $cachedir");
- make_dirs($cachedir);
+ @mkdir($cachedir, 0755, true);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
}
@@ -307,7 +307,7 @@ function squid_install_command() {
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
squid_chown_recursive($dir, 'proxy', 'proxy');
}
@@ -806,7 +806,7 @@ function squid_resync_general() {
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
if (! is_dir($logdir)){
- make_dirs($logdir);
+ @mkdir($logdir, 0755, true);
squid_chown_recursive($logdir, 'proxy', 'proxy');
}
$logdir_cache = $logdir . '/cache.log';
@@ -1445,7 +1445,7 @@ function squid_resync() {
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
chown($dir, 'proxy');
chgrp($dir, 'proxy');
squid_chown_recursive($dir, 'proxy', 'proxy');
@@ -1486,7 +1486,7 @@ function squid_resync() {
if ($log_dir != ""){
if(!is_dir($log_dir)) {
log_error("Creating squid log dir $log_dir");
- make_dirs($log_dir);
+ @mkdir($log_dir, 0755, true);
squid_chown_recursive($log_dir, 'proxy', 'proxy');
}
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index d9bb1549..669ae2f3 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -127,7 +127,7 @@ function squid_dash_z($cache_action='none') {
if(!is_dir($cachedir.'/')) {
log_error("Creating Squid cache dir $cachedir");
- make_dirs($cachedir);
+ @mkdir($cachedir, 0755, true);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
}
@@ -324,7 +324,7 @@ function squid_install_command() {
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
squid_chown_recursive($dir, 'proxy', 'proxy');
}
@@ -946,7 +946,7 @@ function squid_resync_general() {
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
if (! is_dir($logdir)){
- make_dirs($logdir);
+ @mkdir($logdir, 0755, true);
squid_chown_recursive($logdir, 'proxy', 'proxy');
}
$logdir_cache = $logdir . '/cache.log';
@@ -1430,7 +1430,7 @@ EOF;
"/var/db/clamav" => "clamav");
foreach ($dirs as $dir_path => $dir_user){
if (!is_dir($dir_path))
- make_dirs($dir_path);
+ @mkdir($dir_path, 0755, true);
squid_chown_recursive($dir_path, $dir_user, "wheel");
}
#Check clamav database
@@ -1844,7 +1844,7 @@ function squid_resync($via_rpc="no") {
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
+ @mkdir($dir, 0755, true);
chown($dir, 'proxy');
chgrp($dir, 'proxy');
squid_chown_recursive($dir, 'proxy', 'proxy');
@@ -1886,7 +1886,7 @@ function squid_resync($via_rpc="no") {
if ($log_dir != ""){
if(!is_dir($log_dir)) {
log_error("Creating squid log dir $log_dir");
- make_dirs($log_dir);
+ @mkdir($log_dir, 0755, true);
squid_chown_recursive($log_dir, 'proxy', 'proxy');
}
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index cce9bddd..7155d560 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -38,43 +38,52 @@ require_once('pfsense-utils.inc');
require_once('pkg-utils.inc');
require_once('service-utils.inc');
-if(!function_exists("filter_configure"))
+if (!function_exists("filter_configure"))
require_once("filter.inc");
$shortcut_section = "squid";
-define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m"));
-define('SQUID_LOCALBASE', SQUID_BASE . "/local");
+
+global $pfs_version;
+$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pfs_version == "2.1" || $pfs_version == "2.2") {
+ define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m"));
+ define('SQUID_LOCALBASE', SQUID_BASE . "/local");
+ define('SQUID_UID', 'proxy');
+ define('SQUID_GID', 'proxy');
+} else {
+ define('SQUID_BASE', '/usr/local');
+ define('SQUID_LOCALBASE', '/usr/local');
+ define('SQUID_UID', 'squid');
+ define('SQUID_GID', 'squid');
+}
define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid');
define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf');
-define('SQUID_BASE', '/var/squid/');
define('SQUID_ACLDIR', '/var/squid/acl');
define('SQUID_PASSWD', '/var/etc/squid.passwd');
-define('SQUID_LIB','/var/squid/lib');
define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
$valid_acls = array();
$uname=posix_uname();
if ($uname['machine']=='amd64')
- ini_set('memory_limit', '250M');
+ ini_set('memory_limit', '250M');
- function sq_text_area_decode($text){
+function sq_text_area_decode($text) {
return preg_replace('/\r\n/', "\n",base64_decode($text));
}
-
function squid_get_real_interface_address($iface) {
- global $config;
-
- $iface = convert_friendly_interface_to_real_interface_name($iface);
- $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
+ if (!function_exists("get_interface_ip"))
+ require_once("interfaces.inc");
- return array($ip, long2ip(hexdec($netmask)));
+ return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface)));
}
function squid_chown_recursive($dir, $user, $group) {
+ if ($dir == '/usr/local')
+ return;
+
chown($dir, $user);
chgrp($dir, $group);
$handle = opendir($dir) ;
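Review bot: The new guard in `squid_chown_recursive()` refuses only the exact string `'/usr/local'`, so a caller that passes `'/usr/local/'` or builds the path with a trailing slash would still recursively re-own the whole base tree to the squid user — the outcome the guard exists to prevent; normalise first: `if (rtrim($dir, '/') == '/usr/local') return;`. The `global $pfs_version;` at file scope is a no-op, since top-level code already runs in global scope. `SQUID_UID`/`SQUID_GID` hold user and group names rather than numeric ids, so `SQUID_USER`/`SQUID_GROUP` would read more accurately, though that rename touches every call site. squid_chown_recursive() continues past the end of this hunk.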
@@ -82,9 +91,9 @@ function squid_chown_recursive($dir, $user, $group) {
if (($item != ".") && ($item != "..")) {
$path = "$dir/$item";
// Recurse unless it's the cache dir, that is slow and rarely necessary.
- if (is_dir($path) && (basename($dir) != "cache"))
+ if (is_dir($path) && (basename($dir) != "cache")) {
squid_chown_recursive($path, $user, $group);
- elseif (is_file($path)) {
+ } elseif (is_file($path)) {
chown($path, $user);
chgrp($path, $group);
}
@@ -92,14 +101,16 @@ function squid_chown_recursive($dir, $user, $group) {
}
}
-function squid_check_clamav_user($user)
- {
- exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return);
- $user_arg=($sq_ex_return == 0?"mod":"add");
- exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return);
- if ($sq_ex_return != 0)
- log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output));
- }
+function squid_check_clamav_user($user) {
+ if (SQUID_BASE == '/usr/local')
+ return;
+
+ $_gc = exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return);
+ $user_arg=($sq_ex_return == 0?"mod":"add");
+ $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return);
+ if ($sq_ex_return != 0)
+ log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output));
+}
/* setup cache */
function squid_dash_z($cache_action='none') {
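Review bot: `$_gc = exec(...)` assigns exec()'s last-output-line return to a variable that is never read; the original form without the assignment was correct, and the throwaway makes a reader look for a consumer that does not exist. While these two lines are being rewritten, `{$user}` is interpolated into the shell command unquoted — the caller is not visible here, so this is hardening unless `$user` ever comes from configuration, but `escapeshellarg($user)` costs nothing. `$sq_ex_output` is also passed to both `exec()` calls without being reset between them, so `serialize($sq_ex_output)` in the log line includes the `pw usershow` output as well; an `unset($sq_ex_output);` between the calls keeps the message to the failing command.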
@@ -115,48 +126,49 @@ function squid_dash_z($cache_action='none') {
if ($settings['harddisk_cache_system'] == "null")
return;
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
- if ($cache_action=="clean"){
- rename ($cachedir,"{$cachedir}.old");
+ if ($cache_action == "clean" && file_exists($cachedir)) {
+ rename ($cachedir, "{$cachedir}.old");
mwexec_bg("/bin/rm -rf {$cachedir}.old");
}
- if(!is_dir($cachedir.'/')) {
- log_error("Creating Squid cache dir $cachedir");
- make_dirs($cachedir);
- // Double check permissions here, should be safe to recurse cache dir if it's small here.
- mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ if (!is_dir($cachedir)) {
+ log_error("Creating Squid cache dir {$cachedir}");
+ @mkdir($cachedir, 0755, true);
+ @chown($cachedir, SQUID_UID);
+ @chgrp($cachedir, SQUID_GID);
}
- if(!is_dir($cachedir.'/00/')) {
+ if (!is_dir($cachedir.'/00')) {
log_error("Creating squid cache subdirs in $cachedir");
mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE);
sleep(5);
mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
- mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ mwexec("/usr/sbin/chown -R " . SQUID_UID . ":" . SQUID_GID . " $cachedir");
mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
}
- if(file_exists("/var/squid/cache/swap.state")) {
- chown("/var/squid/cache/swap.state", "proxy");
- chgrp("/var/squid/cache/swap.state", "proxy");
- exec("chmod a+rw /var/squid/cache/swap.state");
+ if (file_exists("/var/squid/cache/swap.state")) {
+ chown("/var/squid/cache/swap.state", SQUID_UID);
+ chgrp("/var/squid/cache/swap.state", SQUID_GID);
+ chmod("/var/squid/cache/swap.state", "a+rw");
}
-
}
function squid_is_valid_acl($acl) {
global $valid_acls;
- if(!is_array($valid_acls))
+
+ if (!is_array($valid_acls))
return;
+
return in_array($acl, $valid_acls);
}
function squid_install_command() {
- global $config;
- global $g;
+ global $config, $g;
+
update_status("Checking if there is configuration to migrate... One moment please...");
/* migrate existing csv config fields */
if (is_array($config['installedpackages']['squidauth']['config']))
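Review bot: `chmod("/var/squid/cache/swap.state", "a+rw")` does not do what the `exec("chmod a+rw ...")` it replaces did: PHP's chmod() takes a numeric mode, and the non-numeric string is coerced to 0 on the PHP versions of the day (a TypeError on PHP 8), so swap.state ends up mode 0000 and is unreadable and unwritable for the squid user, which breaks cache startup. The equivalent octal is `chmod("/var/squid/cache/swap.state", 0666);`. Separately, `$cachedir` from the cache settings is still interpolated unquoted into the `mwexec()` command strings in this hunk (the `chown -R` and the background `rm -rf` of `{$cachedir}.old`), so a path containing shell metacharacters misbehaves; `escapeshellarg()` at those two sites would close that, and the new `@chown`/`@chgrp` on the freshly created directory share the same silent-failure shape as the `@mkdir()` just above them.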
@@ -168,132 +180,122 @@ function squid_install_command() {
if (is_array($config['installedpackages']['squid']['config']))
$settingsgen = $config['installedpackages']['squid']['config'][0];
- if (file_exists("/usr/local/pkg/check_ip.php"))
- rename("/usr/local/pkg/check_ip.php",SQUID_BASE . "/bin/check_ip.php");
+ if (SQUID_BASE != '/usr/local' &&
+ file_exists('/usr/local/bin/check_ip.php') &&
+ !file_exists(SQUID_BASE . '/bin/check_ip.php'))
+ symlink("/usr/local/bin/check_ip.php", SQUID_BASE . "/bin/check_ip.php");
+
/* Set storage system */
if ($g['platform'] == "nanobsd") {
$config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null';
}
/* migrate auth settings */
- if (!empty($settingsauth['no_auth_hosts'])) {
- if(strstr($settingsauth['no_auth_hosts'], ",")) {
- $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
- $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
- }
+ if (!empty($settingsauth['no_auth_hosts']) && strstr($settingsauth['no_auth_hosts'], ",")) {
+ $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
+ $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
}
/* migrate cache settings */
- if (!empty($settingscache['donotcache'])) {
- if(strstr($settingscache['donotcache'], ",")) {
- $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
- $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
- }
+ if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) {
+ $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
+ $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
}
/* migrate nac settings */
- if(! empty($settingsnac['allowed_subnets'])) {
- if(strstr($settingsnac['allowed_subnets'], ",")) {
- $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
- $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
- }
+ if (!empty($settingsnac['allowed_subnets']) && strstr($settingsnac['allowed_subnets'], ",")) {
+ $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
+ $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
}
- if(! empty($settingsnac['banned_hosts'])) {
- if(strstr($settingsnac['banned_hosts'], ",")) {
- $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
- $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
- }
+
+ if (!empty($settingsnac['banned_hosts']) && strstr($settingsnac['banned_hosts'], ",")) {
+ $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
}
- if(! empty($settingsnac['banned_macs'])) {
- if(strstr($settingsnac['banned_macs'], ",")) {
- $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
- $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
- }
+ if (!empty($settingsnac['banned_macs']) && strstr($settingsnac['banned_macs'], ",")) {
+ $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
}
- if(! empty($settingsnac['unrestricted_hosts'])) {
- if(strstr($settingsnac['unrestricted_hosts'], ",")) {
- $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
- $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
- }
+ if (!empty($settingsnac['unrestricted_hosts']) && strstr($settingsnac['unrestricted_hosts'], ",")) {
+ $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
}
- if(! empty($settingsnac['unrestricted_macs'])) {
- if(strstr($settingsnac['unrestricted_macs'], ",")) {
- $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
- $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
- }
+ if (!empty($settingsnac['unrestricted_macs']) && strstr($settingsnac['unrestricted_macs'], ",")) {
+ $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
}
- if(! empty($settingsnac['whitelist'])) {
- if(strstr($settingsnac['whitelist'], ",")) {
- $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
- $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
- }
+ if (!empty($settingsnac['whitelist']) && strstr($settingsnac['whitelist'], ",")) {
+ $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
+ $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
}
- if(! empty($settingsnac['blacklist'])) {
- if(strstr($settingsnac['blacklist'], ",")) {
- $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
- $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
- }
+ if (!empty($settingsnac['blacklist']) && strstr($settingsnac['blacklist'], ",")) {
+ $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
+ $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
}
- if(! empty($settingsnac['block_user_agent'])) {
- if(strstr($settingsnac['block_user_agent'], ",")) {
- $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent'])));
- $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent'];
- }
+ if (!empty($settingsnac['block_user_agent']) && strstr($settingsnac['block_user_agent'], ",")) {
+ $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent'];
}
- if(! empty($settingsnac['block_reply_mime_type'])) {
- if(strstr($settingsnac['block_reply_mime_type'], ",")) {
- $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type'])));
- $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
- }
+ if (!empty($settingsnac['block_reply_mime_type']) && strstr($settingsnac['block_reply_mime_type'], ",")) {
+ $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
}
/*Migrate reverse settings*/
- if (is_array($config['installedpackages']['squidreverse'])){
+ if (is_array($config['installedpackages']['squidreverse'])) {
$old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0];
//Settings
- if (!is_array($config['installedpackages']['squidreversegeneral'])){
+ if (!is_array($config['installedpackages']['squidreversegeneral'])) {
$config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings;
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
- }
+ }
//PEERS
- if (!is_array($config['installedpackages']['squidreversepeer'])){
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers)
- foreach (explode(";",$cache_peers) as $cache_peer)
- $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated',
- 'enable'=> 'on',
- 'name'=> $cache_peer[0],
- 'port'=> $cache_peer[1],
- 'protocol' => $cache_peer[2]);
+ if (!is_array($config['installedpackages']['squidreversepeer'])) {
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) {
+ foreach (explode(";",$cache_peers) as $cache_peer) {
+ $config['installedpackages']['squidreversepeer']['config'][] = array(
+ 'description' => 'migrated',
+ 'enable' => 'on',
+ 'name' => $cache_peer[0],
+ 'port' => $cache_peer[1],
+ 'protocol' => $cache_peer[2]
+ );
+ }
}
+ }
//MAPPINGS
- if (!is_array($config['installedpackages']['squidreverseuri'])){
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){
- foreach (explode(";",$acls) as $acl)
+ if (!is_array($config['installedpackages']['squidreverseuri'])) {
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) {
+ foreach (explode(";",$acls) as $acl) {
array_push(${'peer_'.$acl[0]},$acl[1]);
}
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris)
- foreach (explode(";",$uris) as $uri){
+ }
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) {
+ foreach (explode(";",$uris) as $uri) {
$peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):"");
- $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated',
- 'enable'=> 'on',
- 'name'=> $uri[0],
- 'uri'=> $uri[1],
- 'vhost' => $uri[2],
- 'peers'=>$peer_list);
+ $config['installedpackages']['squidreverseuri']['config'][] = array(
+ 'description' => 'migrated',
+ 'enable' => 'on',
+ 'name' => $uri[0],
+ 'uri' => $uri[1],
+ 'vhost' => $uri[2],
+ 'peers' => $peer_list
+ );
}
}
+ }
}
update_status("Writing configuration... One moment please...");
@@ -303,26 +305,32 @@ function squid_install_command() {
/* create cache */
update_status("Creating squid cache pools... One moment please...");
squid_dash_z();
+
/* make sure pinger is executable */
- if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
- exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger");
- if(file_exists("/usr/local/etc/rc.d/squid"))
- exec("/bin/rm /usr/local/etc/rc.d/squid");
+ if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
+ @chmod(SQUID_LOCALBASE. "/libexec/squid/pinger", "a+x");
+
+ // XXX: Is it really necessary?
+ if (file_exists("/usr/local/etc/rc.d/squid"))
+ unlink_if_exists("/usr/local/etc/rc.d/squid");
+
squid_write_rcfile();
- if(file_exists("/usr/local/pkg/swapstate_check.php"))
- exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php");
+
+ // XXX: Is it really necessary? mode is set to 0755 in squid.xml
+ if (file_exists("/usr/local/pkg/swapstate_check.php"))
+ @chmod("/usr/local/pkg/swapstate_check.php", "a+x");
+
write_rcfile(array(
"file" => "sqp_monitor.sh",
"start" => "/usr/local/pkg/sqpmon.sh &",
- "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"));
+ "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")
+ );
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
- SQUID_BASE,
- SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
- squid_chown_recursive($dir, 'proxy', 'proxy');
+ @mkdir($dir, 0755, true);
+ squid_chown_recursive($dir, SQUID_UID, SQUID_GID);
}
/* kill any running proxy alarm scripts */
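Review bot: `@chmod(SQUID_LOCALBASE. "/libexec/squid/pinger", "a+x")` passes a symbolic mode string, but PHP's chmod() takes a numeric mode and its documentation is explicit that strings like "g+w" do not work, so this no longer does what the replaced `exec("/bin/chmod a+x ...")` did, and the `@` hides the warning that would have told you. The `@chmod("/usr/local/pkg/swapstate_check.php", "a+x")` line further down has the same problem. To keep the add-execute semantics, compute the mode numerically: `$pinger = SQUID_LOCALBASE . "/libexec/squid/pinger"; chmod($pinger, (fileperms($pinger) & 07777) | 0111);` (fileperms() preserves the existing bits, including any setuid bit the package installs) and do the same for swapstate_check.php. Separately, `unlink_if_exists()` already performs the file_exists() test, so the `if` wrapped around it is redundant.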
@@ -357,6 +365,7 @@ function squid_install_command() {
function squid_deinstall_command() {
global $config, $g;
+
$plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
squid_install_cron(false);
if (is_array($config['installedpackages']['squidcache']))
@@ -367,11 +376,12 @@ function squid_deinstall_command() {
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
update_status("Removing cache ... One moment please...");
update_output_window("$plswait_txt");
- mwexec_bg('rm -rf $cachedir');
- mwexec('rm -rf $logdir');
+ // XXX: Is it ok to remove cache and logs? It's going to happen every time package is updated
+ mwexec_bg("rm -rf {$cachedir}");
+ mwexec("rm -rf {$logdir}");
update_status("Finishing package cleanup.");
mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
- mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh');
+ unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh');
mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
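Review bot: `mwexec_bg("rm -rf {$cachedir}")` and `mwexec("rm -rf {$logdir}")` now interpolate admin-configured paths (`$settings['log_dir']` is read a few lines above; `$cachedir` is presumably set the same way just before this hunk) straight into a shell command line; the old single-quoted form never expanded them, so this is the first time these values actually reach the shell. A path containing whitespace or shell metacharacters would be split or interpreted by the shell before rm sees it. Quote them: `mwexec_bg("rm -rf " . escapeshellarg($cachedir));` and `mwexec("rm -rf " . escapeshellarg($logdir));`. Given the added XXX note that this runs on every package update, a sanity check that the path is below the expected squid directories before a recursive delete would also be worth adding, though that belongs in the validation functions rather than here.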
@@ -381,6 +391,15 @@ function squid_deinstall_command() {
function squid_before_form_general(&$pkg) {
$values = get_dir(SQUID_CONFBASE . '/errors/');
+ /*
+ * XXX: This logic is broken. Probably the idea in the past
+ * was to skip '.', '..'. 'COPYRIGHT' and 'TRANSLATORS' and
+ * errors subdirectories used to be more meaning, like 'English'
+ * or Brazillian_Portuguese.
+ *
+ * Nowadays they are 'en', 'pt-br', ... and also there is a
+ * 'templates' directory to be skipped
+ */
// Get rid of '..' and '.' and ...
array_shift($values);
array_shift($values);
@@ -402,31 +421,36 @@ function squid_before_form_general(&$pkg) {
for ($i = 0; $i < count($values) - 1; $i++)
$field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
}
+
function squid_validate_antivirus($post, &$input_errors) {
global $config;
- if ($post['enable']=="on"){
- if($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)){
- $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})";
- $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. ";
- }
- if($post['c-icap_conf']) {
- if( !preg_match("/squid_clamav/",$post['c-icap_conf'])){
- $input_errors[] ="c-icap Squidclamav service definition is no present.";
- $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.";
- }
- if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)){
- $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field.";
- }
+
+ if ($post['enable'] != "on")
+ return;
+
+ if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) {
+ $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})";
+ $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. ";
+ }
+ if ($post['c-icap_conf']) {
+ if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) {
+ $input_errors[] ="c-icap Squidclamav service definition is no present.";
+ $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.";
+ }
+ if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) {
+ $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field.";
}
}
}
function squid_validate_general($post, &$input_errors) {
global $config;
+
if (is_array($config['installedpackages']['squid']))
$settings = $config['installedpackages']['squid']['config'][0];
else
$settings = array();
+
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$port = $post['proxy_port'] ? $post['proxy_port'] : $port;
@@ -439,19 +463,21 @@ function squid_validate_general($post, &$input_errors) {
if ($post['log_dir']{0} != '/')
$input_errors[] = 'You must start log location with a / mark';
+
if (strlen($post['log_dir']) <= 3)
$input_errors[] = "That is not a valid log location dir";
$log_rotate = trim($post['log_rotate']);
- if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1)))
+ if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1)))
$input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field';
$webgui_port = $config['system']['webgui']['port'];
- if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
+
+ if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
$webgui_port = 80;
}
- if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
+ if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
$webgui_port = 443;
}
@@ -478,63 +504,68 @@ function squid_validate_general($post, &$input_errors) {
}
}
- if(!empty($post['dns_nameservers'])) {
- $altdns = explode(";", ($post['dns_nameservers']));
- foreach ($altdns as $dnssrv) {
- if (!is_ipaddr($dnssrv))
- $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
- break;
- }}
+ if (!empty($post['dns_nameservers'])) {
+ $altdns = explode(";", ($post['dns_nameservers']));
+ foreach ($altdns as $dnssrv) {
+ if (!is_ipaddr($dnssrv)) {
+ $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
+ break;
+ }
+ }
+ }
}
function squid_validate_upstream($post, &$input_errors) {
- if ($post['enabled'] == 'on') {
- $addr = trim($post['proxyaddr']);
- if (empty($addr))
- $input_errors[] = 'The field \'Hostname\' is required';
- else {
- if (!is_ipaddr($addr) && !is_domain($addr))
- $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
- }
-
- foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
- $port = trim($post[$field]);
- if (empty($port))
- $input_errors[] = "The field '$name' is required";
- else {
- if (!is_port($port))
- $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
- }
+ if ($post['enabled'] != 'on')
+ return;
+
+ $addr = trim($post['proxyaddr']);
+ if (empty($addr)) {
+ $input_errors[] = 'The field \'Hostname\' is required';
+ } else {
+ if (!is_ipaddr($addr) && !is_domain($addr))
+ $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
+ }
+
+ foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
+ $port = trim($post[$field]);
+ if (empty($port)) {
+ $input_errors[] = "The field '$name' is required";
+ } else {
+ if (!is_port($port))
+ $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
}
}
}
function squid_validate_cache($post, &$input_errors) {
- $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
- 'memory_cache_size' => 'Memory cache size',
- 'maximum_object_size' => 'Maximum object size',
+ $num_fields = array(
+ 'harddisk_cache_size' => 'Hard disk cache size',
+ 'memory_cache_size' => 'Memory cache size',
+ 'maximum_object_size' => 'Maximum object size',
);
+
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
- if (!is_numeric($value) || ($value < 0))
+ if (!is_numericint($value))
$input_errors[] = "You must enter a valid value for '$field'";
}
$value = trim($post['minimum_object_size']);
- if (!is_numeric($value) || ($value < 0))
+ if (!is_numericint($value))
$input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
- if (!empty($post['cache_swap_low'])) {
- $value = trim($post['cache_swap_low']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
+ if (!empty($post['cache_swap_low'])) {
+ $value = trim($post['cache_swap_low']);
+ if (!is_numericint($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
}
- if (!empty($post['cache_swap_high'])) {
- $value = trim($post['cache_swap_high']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
- }
+ if (!empty($post['cache_swap_high'])) {
+ $value = trim($post['cache_swap_high']);
+ if (!is_numericint($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
+ }
if ($post['donotcache'] != "") {
foreach (split("\n", $post['donotcache']) as $host) {
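Review bot: Replacing `!is_numeric($value) || ($value < 0)` with `!is_numericint($value)` drops the non-negativity check in squid_validate_cache (the `$num_fields` loop and minimum_object_size) and, in the squid_validate_traffic hunk further down, whose error text still promises "a positive number". Whether negative values now pass depends on is_numericint(), which is not shown here; if it accepts a leading minus sign, keep the lower bound explicit: `if (!is_numericint($value) || ($value < 0))`. The `split("\n", ...)` on the context line below is also deprecated since PHP 5.3 and gone in 7.0; `explode("\n", $post['donotcache'])` is the drop-in replacement.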
@@ -545,7 +576,6 @@ function squid_validate_cache($post, &$input_errors) {
}
squid_dash_z();
-
}
function squid_validate_nac($post, &$input_errors) {
@@ -556,19 +586,17 @@ function squid_validate_nac($post, &$input_errors) {
$input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
}
- foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
-
- if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){
- for ($x=0;$x < count($matches[1]);$x++){
- if ($matches[2][$x] == ""){
+ foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) {
+ if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) {
+ for ($x=0; $x < count($matches[1]); $x++) {
+ if ($matches[2][$x] == "") {
if (!is_ipaddr($matches[1][$x]))
$input_errors[] = "'{$matches[1][$x]}' is not a valid IP address";
- }
- else{
+ } else {
if (!is_subnet($matches[0][$x]))
$input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range";
- }
}
+ }
}
}
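Review bot: The rewritten `preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)` validates the superglobal rather than the `$post` argument every other check in squid_validate_nac uses, so the unrestricted/banned host lists are not validated at all when the caller passes anything other than the raw `$_POST`. Change it to `if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $post[$hosts], $matches)) {`. squid_validate_nac starts before this hunk and continues after it.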
@@ -586,107 +614,115 @@ function squid_validate_nac($post, &$input_errors) {
$input_errors[] = "The time range '$time' is not a valid time range";
}
- if(!empty($post['ext_cachemanager'])) {
- $extmgr = explode(";", ($post['ext_cachemanager']));
- foreach ($extmgr as $mgr) {
- if (!is_ipaddr($mgr))
- $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
- }}
+ if (!empty($post['ext_cachemanager'])) {
+ $extmgr = explode(";", ($post['ext_cachemanager']));
+ foreach ($extmgr as $mgr) {
+ if (!is_ipaddr($mgr))
+ $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
+ }
+ }
}
function squid_validate_traffic($post, &$input_errors) {
- $num_fields = array( 'max_download_size' => 'Maximum download size',
- 'max_upload_size' => 'Maximum upload size',
- 'perhost_throttling' => 'Per-host bandwidth throttling',
- 'overall_throttling' => 'Overall bandwidth throttling',
+ $num_fields = array(
+ 'max_download_size' => 'Maximum download size',
+ 'max_upload_size' => 'Maximum upload size',
+ 'perhost_throttling' => 'Per-host bandwidth throttling',
+ 'overall_throttling' => 'Overall bandwidth throttling',
);
+
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
- if (!is_numeric($value) || ($value < 0))
+ if (!is_numericint($value))
$input_errors[] = "The field '$name' must contain a positive number";
}
- if (!empty($post['quick_abort_min'])) {
- $value = trim($post['quick_abort_min']);
- if (!is_numeric($value))
- $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
- }
+ if (!empty($post['quick_abort_min'])) {
+ $value = trim($post['quick_abort_min']);
+ if (!is_numericint($value))
+ $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
+ }
- if (!empty($post['quick_abort_max'])) {
- $value = trim($post['quick_abort_max']);
- if (!is_numeric($value))
- $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
- }
+ if (!empty($post['quick_abort_max'])) {
+ $value = trim($post['quick_abort_max']);
+ if (!is_numericint($value))
+ $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
+ }
- if (!empty($post['quick_abort_pct'])) {
- $value = trim($post['quick_abort_pct']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
- }
+ if (!empty($post['quick_abort_pct'])) {
+ $value = trim($post['quick_abort_pct']);
+ if (!is_numericint($value) || ($value > 100))
+ $input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
+ }
}
function squid_validate_reverse($post, &$input_errors) {
global $config;
- if(!empty($post['reverse_ip'])) {
+
+ if (!empty($post['reverse_ip'])) {
$reverse_ip = explode(";", ($post['reverse_ip']));
foreach ($reverse_ip as $reip) {
- if (!is_ipaddr(trim($reip)))
- $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.';
- }}
+ if (!is_ipaddr(trim($reip)))
+ $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.';
+ }
+ }
$fqdn = trim($post['reverse_external_fqdn']);
if (!empty($fqdn) && !is_domain($fqdn))
$input_errors[] = 'The field \'external FQDN\' must contain a valid domain name';
$port = trim($post['reverse_http_port']);
+ // XXX: Where is $portrange being defined ???
preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange);
if (!empty($port) && !is_port($port))
$input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
- if (!empty($port) && is_port($port) && $port <= $portrange[1]){
+ if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
$input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
$input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon.";
}
$port = trim($post['reverse_https_port']);
if (!empty($port) && !is_port($port))
$input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
- if (!empty($port) && is_port($port) && $port <= $portrange[1]){
+ if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
$input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
$input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon.";
}
if ($post['reverse_ssl_cert'] == 'none')
$input_errors[] = 'A valid certificate for the external interface must be selected';
- if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
- $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
- }
+ if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
+ $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
+ }
- if(!empty($post['reverse_owa_ip'])) {
+ if (!empty($post['reverse_owa_ip'])) {
$reverse_owa_ip = explode(";", ($post['reverse_owa_ip']));
foreach ($reverse_owa_ip as $reowaip) {
- if (!is_ipaddr(trim($reowaip)))
- $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.';
- }}
-
- $contents = $post['reverse_cache_peer'];
- if(!empty($contents)) {
- $defs = explode("\r\n", ($contents));
- foreach ($defs as $def) {
- $cfg = explode(";",($def));
- if (!is_ipaddr($cfg[1]))
- $input_errors[] = "please choose a valid IP in the cache peer configuration.";
- if (!is_port($cfg[2]))
- $input_errors[] = "please choose a valid port in the cache peer configuration.";
- if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
- $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
- }}
-
+ if (!is_ipaddr(trim($reowaip)))
+ $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.';
+ }
+ }
+ $contents = $post['reverse_cache_peer'];
+ if (!empty($contents)) {
+ $defs = explode("\r\n", ($contents));
+ foreach ($defs as $def) {
+ $cfg = explode(";",($def));
+ if (!is_ipaddr($cfg[1]))
+ $input_errors[] = "please choose a valid IP in the cache peer configuration.";
+ if (!is_port($cfg[2]))
+ $input_errors[] = "please choose a valid port in the cache peer configuration.";
+ if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
+ $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
+ }
+ }
}
function squid_validate_auth($post, &$input_errors) {
- $num_fields = array( array('auth_processes', 'Authentication processes', 1),
- array('auth_ttl', 'Authentication TTL', 0),
+ $num_fields = array(
+ array('auth_processes', 'Authentication processes', 1),
+ array('auth_ttl', 'Authentication TTL', 0),
);
+
foreach ($num_fields as $field) {
$value = trim($post[$field[0]]);
if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
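Review bot: The added `// XXX: Where is $portrange being defined ???` is answered by the line directly beneath it: preg_match() fills `$portrange` through its third argument from the backtick sysctl output, and `$portrange[1]` is the captured number. Replace the question with a comment that records this, e.g. `// $portrange[1] is populated by preg_match() below from the sysctl output; it stays unset if the command prints no digits`. That unset case matters for the two `$port <= $portrange[1]` comparisons: a loose comparison against null is false for any non-zero port, so if sysctl fails the low-port check silently passes; guard it with `isset($portrange[1]) && $port <= $portrange[1]` (or treat a missing value as an error). squid_validate_auth continues past the end of this hunk.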
@@ -706,24 +742,24 @@ function squid_validate_auth($post, &$input_errors) {
$input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
switch ($auth_method) {
- case 'ldap':
- $user = trim($post['ldap_user']);
- if (empty($user))
- $input_errors[] = 'The field \'LDAP server user DN\' is required';
- else if (!$user)
- $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
- break;
- case 'radius':
- $secret = trim($post['radius_secret']);
- if (empty($secret))
- $input_errors[] = 'The field \'RADIUS secret\' is required';
- break;
- case 'msnt':
- foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
- if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
- $input_errors[] = "The host '$server' is not a valid IP address or domain name";
- }
- break;
+ case 'ldap':
+ $user = trim($post['ldap_user']);
+ if (empty($user))
+ $input_errors[] = 'The field \'LDAP server user DN\' is required';
+ else if (!$user)
+ $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
+ break;
+ case 'radius':
+ $secret = trim($post['radius_secret']);
+ if (empty($secret))
+ $input_errors[] = 'The field \'RADIUS secret\' is required';
+ break;
+ case 'msnt':
+ foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
+ if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = "The host '$server' is not a valid IP address or domain name";
+ }
+ break;
}
$no_auth = explode("\n", $post['no_auth_hosts']);
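Review bot: In the re-indented `case 'ldap':` branch, `else if (!$user)` can never be true, because `empty($user)` being false already implies `$user` is truthy, so the "must be a valid domain name" error is dead code. Either drop that branch or replace it with a check that matches the intent; the message itself also does not fit the field, since an LDAP bind DN is not a domain name, so the right rule should be confirmed against the LDAP helper the package uses. The enclosing switch and squid_validate_auth start before this hunk and continue after it.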
@@ -737,12 +773,13 @@ function squid_validate_auth($post, &$input_errors) {
function squid_install_cron($should_install) {
global $config, $g;
- if($g['booting']==true)
+
+ if ($g['booting']==true)
return;
$rotate_is_installed = false;
$swapstate_is_installed = false;
- if(!$config['cron']['item'])
+ if (!$config['cron']['item'])
return;
if (is_array($config['installedpackages']['squidcache']))
@@ -756,106 +793,105 @@ function squid_install_cron($should_install) {
$cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
$cron_cmd .= SQUID_BASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
$need_write = false;
- foreach($config['cron']['item'] as $item) {
- if(strstr($item['task_name'], "squid_rotate_logs")) {
+ foreach ($config['cron']['item'] as $item) {
+ if (strstr($item['task_name'], "squid_rotate_logs")) {
$rotate_job_id = $x;
- if ($item['command'] != $cron_cmd){
+ if ($item['command'] != $cron_cmd) {
$config['cron']['item'][$x]['command']=$cron_cmd;
$need_write = true;
}
- } elseif(strstr($item['task_name'], "squid_check_swapstate")) {
- $swapstate_job_id = $x;
+ } elseif (strstr($item['task_name'], "squid_check_swapstate")) {
+ $swapstate_job_id = $x;
}
$x++;
}
- switch($should_install) {
- case true:
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
- if($rotate_job_id < 0) {
- $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
- $cron_item = array();
- $cron_item['task_name'] = "squid_rotate_logs";
- $cron_item['minute'] = "0";
- $cron_item['hour'] = "0";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] .= $cron_cmd;
- /* Add this cron_item as a new entry at the end of the item array. */
- $config['cron']['item'][] = $cron_item;
- $need_write = true;
- }
- if($swapstate_job_id < 0) {
- $cron_item = array();
- $cron_item['task_name'] = "squid_check_swapstate";
- $cron_item['minute'] = "*/15";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/local/pkg/swapstate_check.php";
- /* Add this cron_item as a new entry at the end of the item array. */
- $config['cron']['item'][] = $cron_item;
- $need_write = true;
- }
- if ($need_write) {
- parse_config(true);
- write_config("Adding Squid Cron Jobs");
- }
- break;
- case false:
- if($rotate_job_id >= 0) {
- unset($config['cron']['item'][$rotate_job_id]);
- $need_write = true;
- }
- if($swapstate_job_id >= 0) {
- unset($config['cron']['item'][$swapstate_job_id]);
- $need_write = true;
- }
- if ($need_write) {
- parse_config(true);
- write_config("Removing Squid Cron Jobs");
- }
- break;
+ if ($should_install) {
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ if ($rotate_job_id < 0) {
+ $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_rotate_logs";
+ $cron_item['minute'] = "0";
+ $cron_item['hour'] = "0";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] .= $cron_cmd;
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if ($swapstate_job_id < 0) {
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_check_swapstate";
+ $cron_item['minute'] = "*/15";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/local/pkg/swapstate_check.php";
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Adding Squid Cron Jobs");
+ }
+ } else {
+ if ($rotate_job_id >= 0) {
+ unset($config['cron']['item'][$rotate_job_id]);
+ $need_write = true;
+ }
+ if ($swapstate_job_id >= 0) {
+ unset($config['cron']['item'][$swapstate_job_id]);
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Removing Squid Cron Jobs");
+ }
}
configure_cron();
}
-function squid_check_ca_hashes(){
+function squid_check_ca_hashes() {
global $config,$g;
- #check certificates
- $cert_count=0;
- if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ // check certificates
+ $cert_count = 0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs')) {
if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) {
- while (false !== ($file = readdir($handle)))
- if (preg_match ("/\d+.0/",$file))
- $cert_count++;
- }
- closedir($handle);
- if ($cert_count < 10){
+ while (false !== ($file = readdir($handle))) {
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ }
+ }
+ if ($cert_count < 10) {
conf_mount_rw();
- #create ca-root hashes from ca-root-nss package
+ // create ca-root hashes from ca-root-nss package
log_error("Creating root certificate bundle hashes from the Mozilla Project");
$cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
$cert=0;
- foreach ($cas as $ca){
- if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ foreach ($cas as $ca) {
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
$cert=1;
if ($cert == 1)
$crt.=$ca;
- if (preg_match("/-END CERTIFICATE-/",$ca)){
+ if (preg_match("/-END CERTIFICATE-/",$ca)) {
file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
$cert_hash=array();
exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
$crt="";
$cert=0;
- }
}
}
+ }
}
function squid_resync_general() {
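Review bot: In squid_install_cron the line `$cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");` is discarded by `$cron_item = array();` immediately after it, and `$cron_item['command'] .= $cron_cmd;` then appends to a key that no longer exists; since `$cron_cmd` already carries the clean prefix (top of this hunk), delete the first line and write `$cron_item['command'] = $cron_cmd;`. In squid_check_ca_hashes, `file_put_contents("/tmp/cert.pem", ...)` followed by `exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", ...)` uses a fixed name in a shared directory from a root-privileged process; a `tempnam(sys_get_temp_dir(), "cert")` path that is unlink()ed afterwards avoids the predictable file, and `$cert_hash[0]` should be checked before it becomes part of a filename, since a failed openssl leaves it empty and the write then lands on `.../share/certs/.0`. squid_install_cron starts before this hunk.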
@@ -865,96 +901,94 @@ function squid_resync_general() {
$settings = $config['installedpackages']['squid']['config'][0];
else
$settings=array();
+
$conf = "# This file is automatically generated by pfSense\n";
$conf .= "# Do not edit manually !\n\n";
- #Check ssl interception
+ // Check ssl interception
if (($settings['ssl_proxy'] == 'on')) {
squid_check_ca_hashes();
$srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
- if(base64_decode($srv_cert['prv'])) {
- #check if ssl_db was initilized by squid
- if (! file_exists("/var/squid/lib/ssl_db/serial")){
- if (is_dir("/var/squid/lib/ssl_db")){
- mwexec("/bin/rm -rf /var/squid/lib/ssl_db");
- }
- mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/");
+ if (base64_decode($srv_cert['prv'])) {
+ // check if ssl_db was initilized by squid
+ if (!file_exists(SQUID_SSL_DB . "/serial")) {
+ if (is_dir(SQUID_SSL_DB)) {
+ mwexec("/bin/rm -rf " . SQUID_SSL_DB);
+ }
+ mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB);
}
- #force squid user permission on /var/squid/lib/ssl_db/
- squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
- # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
+ // force squid user permission on /var/squid/lib/ssl_db/
+ squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID);
+ // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
$crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
$ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
- $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
$interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
- if ($settings["interception_adapt"] != ""){
+ if ($settings["interception_adapt"] != "") {
foreach (explode(",",$settings["interception_adapt"]) as $adapt)
$interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
- }
+ }
}
}
}
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
-#Read assigned interfaces
+ // Read assigned interfaces
$real_ifaces = array();
- if($settings['active_interface'])
+ if ($settings['active_interface'])
$proxy_ifaces = explode(",", $settings['active_interface']);
else
$proxy_ifaces=array("lan");
- if ($settings['transparent_proxy']=="on"){
+ if ($settings['transparent_proxy']=="on") {
$transparent_ifaces = explode(",", $settings['transparent_active_interface']);
- foreach ($transparent_ifaces as $t_iface){
+ foreach ($transparent_ifaces as $t_iface) {
$t_iface_ip = squid_get_real_interface_address($t_iface);
- if($t_iface_ip[0])
+ if ($t_iface_ip[0])
$real_ifaces[]=$t_iface_ip;
- }
}
- else{
+ } else {
$transparent_ifaces=array();
}
- if ($settings['ssl_proxy']=="on"){
+ if ($settings['ssl_proxy']=="on") {
$ssl_ifaces = explode(",", $settings['ssl_active_interface']);
- foreach ($ssl_ifaces as $s_iface){
+ foreach ($ssl_ifaces as $s_iface) {
$s_iface_ip = squid_get_real_interface_address($s_iface);
- if($s_iface_ip[0])
+ if ($s_iface_ip[0])
$real_ifaces[]=$s_iface_ip;
- }
}
- else{
+ } else {
$ssl_ifaces=array();
}
- #check all proxy interfaces selected
+ // check all proxy interfaces selected
foreach ($proxy_ifaces as $iface) {
$iface_ip = squid_get_real_interface_address($iface);
- if($iface_ip[0]) {
+ if ($iface_ip[0]) {
$real_ifaces[]=$iface_ip;
if (in_array($iface,$ssl_ifaces))
$conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
else
$conf .= "http_port {$iface_ip[0]}:{$port}\n";
- }
}
+ }
if (($settings['transparent_proxy'] == 'on')) {
- if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){
+ if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) {
$conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n";
$conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n";
- }
- else{
+ } else {
$conf .= "http_port 127.0.0.1:{$port} intercept\n";
}
}
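Review bot: `file_put_contents($crt_pk, base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']))` writes the CA private key to `SQUID_CONFBASE/serverkey.pem` with whatever mode the process umask produces, and while this hunk now chowns SQUID_SSL_DB to SQUID_UID/SQUID_GID, nothing visible here restricts the key file itself. Unless something outside the hunk already does, follow the write with `chmod($crt_pk, 0600); chown($crt_pk, SQUID_UID);` so only the proxy user can read it. Separately, `$ssl_interception .=` is the first visible use of that variable; if it is not initialised above this hunk, set `$ssl_interception = '';` before the `if (($settings['ssl_proxy'] == 'on'))` block to avoid appending to an undefined value. squid_resync_general starts before this hunk and continues after it.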
@@ -962,31 +996,34 @@ function squid_resync_general() {
$dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
$piddir="{$g['varrun_path']}/squid";
$pidfile = "{$piddir}/squid.pid";
- if (!is_dir($piddir)){
- make_dirs($piddir);
- squid_chown_recursive($piddir, 'proxy', 'wheel');
- }
+ if (!is_dir($piddir)) {
+ @mkdir($piddir, 0755, true);
+ squid_chown_recursive($piddir, SQUID_UID, 'wheel');
+ }
$language = ($settings['error_language'] ? $settings['error_language'] : 'en');
$icondir = SQUID_CONFBASE . '/icons';
$hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
$email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost');
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
- if (! is_dir($logdir)){
- make_dirs($logdir);
- squid_chown_recursive($logdir, 'proxy', 'proxy');
- }
+ if (!is_dir($logdir)) {
+ @mkdir($logdir, 0755, true);
+ squid_chown_recursive($logdir, SQUID_UID, SQUID_GID);
+ }
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
$pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on';
$pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger";
+ $squid_uid = SQUID_UID;
+ $squid_gid = SQUID_GID;
+
$conf .= <<< EOD
icp_port {$icp_port}
dns_v4_first {$dns_v4_first}
pid_filename {$pidfile}
-cache_effective_user proxy
-cache_effective_group proxy
+cache_effective_user {$squid_uid}
+cache_effective_group {$squid_gid}
error_default_language {$language}
icon_directory {$icondir}
visible_hostname {$hostname}
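Review bot: The new `@mkdir($piddir, 0755, true)` and `@mkdir($logdir, 0755, true)` calls discard their return value, so when the directory cannot be created the code silently continues into `squid_chown_recursive()` on a missing path and emits a `pid_filename` and log directory that squid cannot use. Check the result and report it, e.g. `if (!@mkdir($piddir, 0755, true)) log_error("Squid - cannot create {$piddir}");` and the same for `$logdir`. The same unchecked pattern recurs in the `$dirs` loop of `@@ -1416,67 +1462,68 @@` (where the chown runs even when creation failed) and in the directory loop of `@@ -1871,13 +1909,9 @@`. squid_resync_general() continues outside this hunk.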
@@ -1001,11 +1038,11 @@ pinger_program {$pinger_program}
EOD;
-// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
-$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
-$conf .= "logfile_rotate {$rotate}\n";
-$conf .= "debug_options rotate={$rotate}\n";
-squid_install_cron(true);
+ // Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
+ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
+ $conf .= "logfile_rotate {$rotate}\n";
+ $conf .= "debug_options rotate={$rotate}\n";
+ squid_install_cron(true);
$conf .= <<< EOD
shutdown_lifetime 3 seconds
@@ -1025,32 +1062,42 @@ EOD;
$conf .= "acl localnet src $src\n";
$valid_acls[] = 'localnet';
}
- if ($settings['xforward_mode']) $conf .= "forwarded_for {$settings['xforward_mode']}\n";
- else $conf .= "forwarded_for on\n"; //only used for first run
- if ($settings['disable_via']) $conf .= "via off\n";
- if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n";
- if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
- else $conf .= "uri_whitespace strip\n"; //only used for first run
-
- if(!empty($settings['dns_nameservers'])) {
- $altdns = explode(";", ($settings['dns_nameservers']));
- $conf .= "dns_nameservers ";
- foreach ($altdns as $dnssrv) {
- $conf .= $dnssrv." ";
- }
-// $conf .= "\n"; //Kill blank line after DNS-Servers
- }
-
- return $conf;
-}
+ if ($settings['xforward_mode'])
+ $conf .= "forwarded_for {$settings['xforward_mode']}\n";
+ else
+ $conf .= "forwarded_for on\n"; //only used for first run
+
+ if ($settings['disable_via'])
+ $conf .= "via off\n";
+
+ if ($settings['disable_squidversion'])
+ $conf .= "httpd_suppress_version_string on\n";
+
+ if (!empty($settings['uri_whitespace']))
+ $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
+ else
+ $conf .= "uri_whitespace strip\n"; //only used for first run
+
+ if (!empty($settings['dns_nameservers'])) {
+ $altdns = explode(";", ($settings['dns_nameservers']));
+ $conf .= "dns_nameservers ";
+ foreach ($altdns as $dnssrv) {
+ $conf .= $dnssrv." ";
+ }
+ }
+
+ return $conf;
+}
function squid_resync_cache() {
global $config, $g;
+
if (is_array($config['installedpackages']['squidcache']))
$settings = $config['installedpackages']['squidcache']['config'][0];
else
$settings = array();
+
//apply cache settings
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
@@ -1064,25 +1111,23 @@ function squid_resync_cache() {
$offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
$conf = '';
if (!isset($settings['harddisk_cache_system'])) {
- if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config']))
+ if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) {
$disk_cache_system = 'null';
- else
+ } else {
$disk_cache_system = 'ufs';
}
- else{
+ } else {
$disk_cache_system = $settings['harddisk_cache_system'];
- }
- #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
+ }
+ // 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
if ($disk_cache_system != "null") {
$disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
}
-//check dynamic content
-if(empty($settings['cache_dynamic_content'])){
- $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
- $conf.="cache deny dynamic\n";
-}
-else{
- if(preg_match('/youtube/',$settings['refresh_patterns'])){
+ //check dynamic content
+ if (empty($settings['cache_dynamic_content'])) {
+ $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
+ $conf.="cache deny dynamic\n";
+ } else if (preg_match('/youtube/',$settings['refresh_patterns'])) {
$conf.=<<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
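Review bot: The rewrite to `} else if (preg_match('/youtube/',$settings['refresh_patterns'])) {` appears to change behaviour, not just layout: the `else` now ends after the youtube block, while previously it enclosed the windows/symantec/avast/avira blocks as well (the old closing `}` is dropped in `@@ -1142,9 +1187,8 @@`), so those refresh_pattern sets are now emitted even when `cache_dynamic_content` is empty and `cache deny dynamic` is in force. If that is intended it should be stated in the commit message; otherwise keep `} else {`, nest the youtube test inside it, and restore the closing brace before the `custom_refresh_patterns` check in that later hunk. squid_resync_cache() continues outside this hunk.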
@@ -1093,7 +1138,7 @@ cache allow youtube
EOC;
}
- if(preg_match('/windows/',$settings['refresh_patterns'])){
+ if (preg_match('/windows/',$settings['refresh_patterns'])) {
$conf.=<<< EOC
# Windows Update refresh_pattern
@@ -1103,9 +1148,9 @@ refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip)
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
EOC;
- }
+ }
-if(preg_match('/symantec/',$settings['refresh_patterns'])){
+ if (preg_match('/symantec/',$settings['refresh_patterns'])) {
$conf.=<<< EOC
# Symantec refresh_pattern
@@ -1114,8 +1159,8 @@ refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 10
refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
EOC;
- }
-if(preg_match('/avast/',$settings['refresh_patterns'])){
+ }
+ if (preg_match('/avast/',$settings['refresh_patterns'])) {
$conf.=<<< EOC
# Avast refresh_pattern
@@ -1123,8 +1168,8 @@ range_offset_limit -1
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
EOC;
- }
-if(preg_match('/avira/',$settings['refresh_patterns'])){
+ }
+ if (preg_match('/avira/',$settings['refresh_patterns'])) {
$conf.=<<< EOC
# Avira refresh_pattern
@@ -1142,9 +1187,8 @@ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
EOC;
-}
- If ($settings['custom_refresh_patterns'] !="")
+ if ($settings['custom_refresh_patterns'] !="")
$conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
$conf .= <<< EOD
@@ -1170,31 +1214,34 @@ EOD;
$conf .= "cache deny donotcache\n";
}
elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
- unlink(SQUID_ACLDIR . '/donotcache.acl');
- }
- $conf .= "cache allow all\n";
+ unlink(SQUID_ACLDIR . '/donotcache.acl');
+ }
+ $conf .= "cache allow all\n";
+
return $conf.$refresh_conf;
}
function squid_resync_upstream() {
global $config;
+
+ if (!is_array($config['installedpackages']['squidremote']['config']))
+ $config['installedpackages']['squidremote']['config'] = array();
+
$conf = "\n#Remote proxies\n";
- if (is_array($config['installedpackages']['squidremote']['config']))
- foreach ($config['installedpackages']['squidremote']['config'] as $settings){
+ foreach ($config['installedpackages']['squidremote']['config'] as $settings) {
if ($settings['enable'] == 'on') {
$conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
if ($settings['icpport'] == '7')
- $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
- else
- $conf .= "{$settings['icpport']} ";
- #auth settings
- if (!empty($settings['username']) && !empty($settings['password'])){
+ $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
+ else
+ $conf .= "{$settings['icpport']} ";
+ // auth settings
+ if (!empty($settings['username']) && !empty($settings['password'])) {
$conf .= " login={$settings['username']}:{$settings['password']}";
- }
- else{
+ } else {
$conf .= "{$settings['authoption']} ";
}
- #other options settings
+ // other options settings
if (!empty($settings['weight']))
$conf .= "weight={$settings['weight']} ";
if (!empty($settings['basetime']))
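Review bot: The new guard at the top of squid_resync_upstream() assigns an empty `config` array into the global `$config` as a side effect of rendering text, so a later write_config() can persist a squidremote node the user never created; a local copy avoids that: `$peers = is_array($config['installedpackages']['squidremote']['config']) ? $config['installedpackages']['squidremote']['config'] : array();` followed by `foreach ($peers as $settings) {`. Separately, the `login=` fragment appended a few lines below has no trailing space while the `authoption` branch does, so when weight/basetime options follow they are fused onto the credentials token (`login=user:passweight=…`); `$conf .= " login={$settings['username']}:{$settings['password']} ";` fixes it. The rest of the function is outside this hunk.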
@@ -1205,13 +1252,14 @@ function squid_resync_upstream() {
$conf .= "no-delay";
}
$conf .= "\n";
- }
+ }
return $conf;
}
function squid_resync_redirector() {
global $config;
+ // XXX: What port provide squirm binary? It's not present
$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
if ($httpav_enabled) {
$conf = "url_rewrite_program /usr/local/bin/squirm\n";
@@ -1256,25 +1304,20 @@ acl HTTPS proto HTTPS
EOD;
$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
- #$allowed = "";
- #foreach ($allowed_subnets as $subnet) {
- # if(!empty($subnet)) {
- # $subnet = trim($subnet);
- # $allowed .= "$subnet ";
- # }
- #}
if (!empty($allowed_subnets)) {
$conf .= "acl allowed_subnets src $allowed_subnets\n";
$valid_acls[] = 'allowed_subnets';
}
- $options = array( 'unrestricted_hosts' => 'src',
- 'banned_hosts' => 'src',
- 'whitelist' => 'dstdom_regex -i',
- 'blacklist' => 'dstdom_regex -i',
- 'block_user_agent' => 'browser -i',
- 'block_reply_mime_type' => 'rep_mime_type -i',
+ $options = array(
+ 'unrestricted_hosts' => 'src',
+ 'banned_hosts' => 'src',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
+ 'block_user_agent' => 'browser -i',
+ 'block_reply_mime_type' => 'rep_mime_type -i',
);
+
foreach ($options as $option => $directive) {
$contents = sq_text_area_decode($settings[$option]);
if (!empty($contents)) {
@@ -1283,8 +1326,8 @@ EOD;
$valid_acls[] = $option;
}
elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
- unlink(SQUID_ACLDIR . "/$option.acl");
- }
+ unlink(SQUID_ACLDIR . "/$option.acl");
+ }
}
$conf .= <<< EOD
@@ -1292,19 +1335,19 @@ http_access allow manager localhost
EOD;
- if (is_array($config['installedpackages']['squidcache'])){
+ if (is_array($config['installedpackages']['squidcache'])) {
$settings_ch = $config['installedpackages']['squidcache']['config'][0];
- if(!empty($settings_ch['ext_cachemanager'])) {
- $extmgr = explode(";", ($settings_ch['ext_cachemanager']));
- $conf .= "\n# Allow external cache managers\n";
- foreach ($extmgr as $mgr) {
- $conf .= "acl ext_manager src {$mgr}\n";
- }
- $conf .= "http_access allow manager ext_manager\n";
+ if (!empty($settings_ch['ext_cachemanager'])) {
+ $extmgr = explode(";", ($settings_ch['ext_cachemanager']));
+ $conf .= "\n# Allow external cache managers\n";
+ foreach ($extmgr as $mgr) {
+ $conf .= "acl ext_manager src {$mgr}\n";
}
+ $conf .= "http_access allow manager ext_manager\n";
}
+ }
- $conf .= <<< EOD
+ $conf .= <<< EOD
http_access deny manager
http_access allow purge localhost
@@ -1322,7 +1365,7 @@ EOD;
return $conf;
}
-function squid_resync_antivirus(){
+function squid_resync_antivirus() {
global $config;
if (is_array($config['installedpackages']['squidantivirus']))
@@ -1330,24 +1373,24 @@ function squid_resync_antivirus(){
else
$antivirus_config = array();
- if ($antivirus_config['enable']=="on"){
- switch ($antivirus_config['client_info']){
- case "both":
- $icap_send_client_ip="on";
- $icap_send_client_username="on";
- break;
- case "IP":
- $icap_send_client_ip="on";
- $icap_send_client_username="off";
- break;
- case "username":
- $icap_send_client_ip="off";
- $icap_send_client_username="on";
- break;
- case "none":
- $icap_send_client_ip="off";
- $icap_send_client_username="off";
- break;
+ if ($antivirus_config['enable']=="on") {
+ switch ($antivirus_config['client_info']) {
+ case "both":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="on";
+ break;
+ case "IP":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="off";
+ break;
+ case "username":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="on";
+ break;
+ case "none":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="off";
+ break;
}
if (is_array($config['installedpackages']['squid']))
$squid_config=$config['installedpackages']['squid']['config'][0];
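Review bot: The re-indented `switch ($antivirus_config['client_info'])` still has no `default:` arm, so any value other than the four listed leaves `$icap_send_client_ip` and `$icap_send_client_username` unset where they are presumably interpolated into the icap directives further down, outside this hunk. Add `default:` with `$icap_send_client_ip="off";` and `$icap_send_client_username="off";` so an unexpected setting fails closed rather than producing an empty directive value. squid_resync_antivirus() continues outside this hunk.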
@@ -1367,11 +1410,12 @@ icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav by
adaptation_access service_avi_resp allow all
EOF;
- #check if icap is enabled on rc.conf.local
- if (file_exists("/etc/rc.conf.local")){
+
+ // check if icap is enabled on rc.conf.local
+ if (file_exists("/etc/rc.conf.local")) {
$rc_old_file=file("/etc/rc.conf.local");
- foreach ($rc_old_file as $rc_line){
- if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){
+ foreach ($rc_old_file as $rc_line) {
+ if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) {
$rc_file.=$matches[1].'="YES"'."\n";
${$matches[1]}="ok";
}
@@ -1385,10 +1429,10 @@ EOF;
$rc_file.='clamav_clamd_enable="YES"'."\n";
file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
squid_check_clamav_user('clamav');
- #patch sample files to pfsense dirs
- #squidclamav.conf
- if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))
- if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){
+ // patch sample files to pfsense dirs
+ // squidclamav.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) {
+ if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) {
$sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default");
$clamav_m[0]="@/var/run/clamav/clamd.ctl@";
$clamav_m[1]="@cgi-bin/clwarn.cgi@";
@@ -1396,19 +1440,21 @@ EOF;
$clamav_r[1]="squid_clwarn.php";
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX);
}
- #c-icap.conf
- if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))
- if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){
+ }
+ // c-icap.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) {
+ if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) {
$sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default");
- if (! preg_match("/squid_clamav/",$sample_file))
+ if (!preg_match("/squid_clamav/",$sample_file))
$sample_file.="\nService squid_clamav squidclamav.so\n";
$cicap_m[0]="@Manager:Apassword\S+@";
$cicap_r[0]="";
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX);
}
+ }
//check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197)
$ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap');
- foreach ($ln_icap as $ln){
+ foreach ($ln_icap as $ln) {
if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}"))
symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}");
}
@@ -1416,67 +1462,68 @@ EOF;
symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3");
$loadsample=0;
- if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){
+ if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) {
$config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")));
$loadsample++;
}
- if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){
+ if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) {
$config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")));
$loadsample++;
}
- if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")){
+ if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) {
$config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")));
$loadsample++;
}
- if($loadsample > 0){
+ if ($loadsample > 0) {
write_config();
$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
}
- #check dirs
- $dirs=array("/var/run/c-icap" => "clamav",
- "/var/log/c-icap" => "clamav",
- "/var/log/clamav" => "clamav",
- "/var/run/clamav" => "clamav",
- "/var/db/clamav" => "clamav");
- foreach ($dirs as $dir_path => $dir_user){
- if (!is_dir($dir_path))
- make_dirs($dir_path);
- squid_chown_recursive($dir_path, $dir_user, "wheel");
- }
- #Check clamav database
- if (count(glob("/var/db/clamav/*d"))==0){
+ // check dirs
+ $dirs = array(
+ "/var/run/c-icap" => "clamav",
+ "/var/log/c-icap" => "clamav",
+ "/var/log/clamav" => "clamav",
+ "/var/run/clamav" => "clamav",
+ "/var/db/clamav" => "clamav"
+ );
+ foreach ($dirs as $dir_path => $dir_user) {
+ if (!is_dir($dir_path))
+ @mkdir($dir_path, 0755, true);
+ squid_chown_recursive($dir_path, $dir_user, "wheel");
+ }
+ // Check clamav database
+ if (count(glob("/var/db/clamav/*d"))==0) {
log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background.");
mwexec_bg(SQUID_BASE."/bin/freshclam");
}
$rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
- foreach($rcd_files as $rcd_file)
+ foreach ($rcd_files as $rcd_file)
if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}"))
symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}");
- #write advanced icap config files
+ // write advanced icap config files
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX);
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX);
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX);
- #check antivirus daemons
- #check icap
- if (is_process_running("c-icap")){
+ // check antivirus daemons
+ // check icap
+ if (is_process_running("c-icap")) {
mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
- }
- else{
- #check c-icap user on startup file
- $c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
- if (file_exists($c_icap_rcfile)){
+ } else {
+ // check c-icap user on startup file
+ $c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
+ if (file_exists($c_icap_rcfile)) {
$sample_file=file_get_contents($c_icap_rcfile);
$cicapm[0]="@c_icap_user=.*}@";
$cicapr[0]='c_icap_user="clamav"}';
$cicapm[1]="@/usr/local@";
$cicapr[1]=SQUID_LOCALBASE;
file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
- }
- mwexec_bg("/usr/local/etc/rc.d/c-icap start");
}
- #check clamav/freshclam
+ mwexec_bg("/usr/local/etc/rc.d/c-icap start");
+ }
+ // check clamav/freshclam
$rc_files=array("clamav-freshclam","clamav-clamd");
$clamm[0]="@/usr/local/(bin|sbin)@";
$clamm[1]="@/local/(bin|sbin)@";
@@ -1486,25 +1533,25 @@ EOF;
$clamr[1]="/bin";
$clamr[2]=SQUID_LOCALBASE."/etc";
$clamr[3]="enable:=YES";
- foreach ($rc_files as $rc_file){
+ foreach ($rc_files as $rc_file) {
$clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}";
- if (file_exists($clamav_rcfile)){
+ if (file_exists($clamav_rcfile)) {
$sample_file=file_get_contents($clamav_rcfile);
file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX);
- }
}
+ }
if (is_process_running("clamd"))
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
else
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start");
- }
-return $conf;
+ }
+ return $conf;
}
function squid_resync_traffic() {
global $config, $valid_acls;
- if(!is_array($valid_acls))
+ if (!is_array($valid_acls))
return;
if (is_array($config['installedpackages']['squidtraffic']))
$settings = $config['installedpackages']['squidtraffic']['config'][0];
@@ -1525,7 +1572,6 @@ function squid_resync_traffic() {
if ($down_limit != 0)
$conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n";
-
// Only apply throttling past 10MB
// XXX: Should this really be hardcoded?
$threshold = 10 * 1024 * 1024;
@@ -1547,11 +1593,12 @@ delay_initial_bucket_level 100
EOD;
- if(! empty($settings['unrestricted_hosts'])) {
+ if (!empty($settings['unrestricted_hosts'])) {
foreach (array('unrestricted_hosts') as $item) {
- if (in_array($item, $valid_acls))
+ if (in_array($item, $valid_acls)) {
$conf .= "# Do not throttle unrestricted hosts\n";
$conf .= "delay_access 1 deny $item\n";
+ }
}
}
@@ -1568,7 +1615,8 @@ EOD;
}
foreach (explode(",", $settings['throttle_others']) as $ext) {
- if (!empty($ext)) $exts[] = $ext;
+ if (!empty($ext))
+ $exts[] = $ext;
}
$contents = '';
@@ -1580,9 +1628,9 @@ EOD;
$conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
$conf .= "delay_access 1 allow throttle_exts\n";
$conf .= "delay_access 1 deny allsrc\n";
- }
- else
+ } else {
$conf .= "delay_access 1 allow allsrc\n";
+ }
return $conf;
}
@@ -1597,16 +1645,16 @@ function squid_get_server_certs() {
return $cert_arr;
}
-#squid reverse
+// squid reverse
include('/usr/local/pkg/squid_reverse.inc');
function squid_resync_auth() {
global $config, $valid_acls;
$write_config=0;
- if (!is_array($config['installedpackages']['squidauth']['config'])){
+ if (!is_array($config['installedpackages']['squidauth']['config'])) {
$config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none");
$write_config++;
- }
+ }
$settings = $config['installedpackages']['squidauth']['config'][0];
if (is_array($config['installedpackages']['squidnac']['config']))
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
@@ -1624,13 +1672,13 @@ function squid_resync_auth() {
$conf = '';
// SSL interception acl options part 1
- if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){
+ if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) {
$conf .= "always_direct allow whitelist\n";
$conf .= "ssl_bump none whitelist\n";
- }
+ }
// Package integration
- if(!empty($settingsconfig['custom_options'])){
+ if (!empty($settingsconfig['custom_options'])) {
$co_preg[0]='/;/';
$co_rep[0]="\n";
$co_preg[1]="/redirect_program/";
@@ -1638,19 +1686,19 @@ function squid_resync_auth() {
$co_preg[2]="/redirector_bypass/";
$co_rep[2]="url_rewrite_bypass";
$conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
- }
+ }
// Custom User Options before authentication acls
$conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
// Deny the banned guys before allowing the good guys
- if(! empty($settingsnac['banned_hosts'])) {
+ if (!empty($settingsnac['banned_hosts'])) {
if (squid_is_valid_acl('banned_hosts')) {
$conf .= "# These hosts are banned\n";
$conf .= "http_access deny banned_hosts\n";
}
}
- if(! empty($settingsnac['banned_macs'])) {
+ if (!empty($settingsnac['banned_macs'])) {
if (squid_is_valid_acl('banned_macs')) {
$conf .= "# These macs are banned\n";
$conf .= "http_access deny banned_macs\n";
@@ -1658,13 +1706,13 @@ function squid_resync_auth() {
}
// Unrestricted hosts take precedence over blacklist
- if(! empty($settingsnac['unrestricted_hosts'])) {
+ if (!empty($settingsnac['unrestricted_hosts'])) {
if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_hosts\n";
}
}
- if(! empty($settingsnac['unrestricted_macs'])) {
+ if (!empty($settingsnac['unrestricted_macs'])) {
if (squid_is_valid_acl('unrestricted_macs')) {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_macs\n";
@@ -1672,49 +1720,42 @@ function squid_resync_auth() {
}
// Whitelist and blacklist also take precedence over other allow rules
- if(! empty($settingsnac['whitelist'])) {
+ if (!empty($settingsnac['whitelist'])) {
if (squid_is_valid_acl('whitelist')) {
$conf .= "# Always allow access to whitelist domains\n";
$conf .= "http_access allow whitelist\n";
}
}
- if(! empty($settingsnac['blacklist'])) {
+ if (!empty($settingsnac['blacklist'])) {
if (squid_is_valid_acl('blacklist')) {
$conf .= "# Block access to blacklist domains\n";
$conf .= "http_access deny blacklist\n";
}
}
- if(! empty($settingsnac['block_user_agent'])) {
+ if (!empty($settingsnac['block_user_agent'])) {
if (squid_is_valid_acl('block_user_agent')) {
$conf .= "# Block access with user agents and browsers\n";
$conf .= "http_access deny block_user_agent\n";
}
}
- if(! empty($settingsnac['block_reply_mime_type'])) {
+ if (!empty($settingsnac['block_reply_mime_type'])) {
if (squid_is_valid_acl('block_reply_mime_type')) {
$conf .= "# Block access with mime type in the reply\n";
$conf .= "http_reply_access deny block_reply_mime_type\n";
}
}
- // SSL interception acl options part 2
- /*if ($settingsconfig['ssl_proxy'] == "on"){
- $conf .= "always_direct allow all\n";
- $conf .= "ssl_bump server-first all\n";
- }*/
-
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
$conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n";
$transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
- if ($transparent_proxy){
+ if ($transparent_proxy) {
if (preg_match ("/(none|cp)/",$settings['auth_method']))
$auth_method=$settings['auth_method'];
else
$auth_method="none";
- }
- else{
+ } else {
$auth_method=$settings['auth_method'];
}
// Allow the remaining ACLs if no authentication is set
@@ -1725,10 +1766,10 @@ function squid_resync_auth() {
}
if ($auth_method == 'none' ) {
// SSL interception acl options part 2 without authentication
- if ($settingsconfig['ssl_proxy'] == "on"){
+ if ($settingsconfig['ssl_proxy'] == "on") {
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
- }
+ }
$conf .="# Setup allowed acls\n";
$allowed = array('allowed_subnets');
if ($settingsconfig['allow_interface'] == 'on') {
@@ -1738,8 +1779,7 @@ function squid_resync_auth() {
$allowed = array_filter($allowed, 'squid_is_valid_acl');
foreach ($allowed as $acl)
$conf .= "http_access allow $acl\n";
- }
- else {
+ } else {
$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
if (!empty($noauth)) {
$conf .= "acl noauth src $noauth\n";
@@ -1751,28 +1791,28 @@ function squid_resync_auth() {
$processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
- case 'local':
- $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
- break;
- case 'ldap':
- $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
- $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
- break;
- case 'radius':
- $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
- break;
- case 'cp':
- $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n";
- $conf .= "acl password external check_cp\n";
- break;
- case 'msnt':
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
- squid_resync_msnt();
- break;
+ case 'local':
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
+ break;
+ case 'ldap':
+ $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
+ $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ break;
+ case 'radius':
+ $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ break;
+ case 'cp':
+ $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n";
+ $conf .= "acl password external check_cp\n";
+ break;
+ case 'msnt':
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
+ squid_resync_msnt();
+ break;
}
- if ($auth_method != 'cp'){
+ if ($auth_method != 'cp') {
$conf .= <<< EOD
auth_param basic children $processes
auth_param basic realm $prompt
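Review bot: The `isset()` tests in the `ldap` and `radius` cases treat an empty string as present, so a blank `ldap_pass` or `auth_server_port` emits a bare `-w ` or a trailing `:` and the helper's option parser will likely consume the following token as the value; `!empty()` is the intended test, e.g. `$password = (!empty($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');` and likewise for both `$port` lines. The bind password and RADIUS secret are also interpolated unquoted, so whitespace or quotes in them break the directive; mirroring the `\"...\"` quoting already used for `ldap_filter` on the same line would help. Since both secrets end up in squid.conf, the file written in squid_resync() (outside this hunk) should receive the same restrictive mode that SQUID_PASSWD and msntauth.conf get. squid_resync_auth() continues outside this hunk.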
@@ -1785,10 +1825,10 @@ EOD;
$conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n";
// SSL interception acl options part 2
- if ($settingsconfig['ssl_proxy'] == "on"){
+ if ($settingsconfig['ssl_proxy'] == "on") {
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
- }
+ }
// Onto the ACLs
$password = array('localnet', 'allowed_subnets');
$passwordless = array('unrestricted_hosts');
@@ -1805,15 +1845,13 @@ EOD;
foreach ($passwordless as $acl)
$conf .= "http_access allow $acl\n";
- //if ($auth_method != 'cp'){
- // Include squidguard denied acl log in squid
- if ($settingsconfig['log_sqd'])
- $conf .="http_access deny password sglog\n";
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .="http_access deny password sglog\n";
- // Allow the other ACLs as long as they authenticate
- foreach ($password as $acl)
- $conf .= "http_access allow password $acl\n";
- // }
+ // Allow the other ACLs as long as they authenticate
+ foreach ($password as $acl)
+ $conf .= "http_access allow password $acl\n";
}
$conf .= "# Default block all to be sure\n";
@@ -1832,7 +1870,7 @@ function squid_resync_users() {
$contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
}
file_put_contents(SQUID_PASSWD, $contents);
- chown(SQUID_PASSWD, 'proxy');
+ chown(SQUID_PASSWD, SQUID_UID);
chmod(SQUID_PASSWD, 0600);
}
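Review bot: The password file that the changed `chown(SQUID_PASSWD, SQUID_UID)` protects is built with `crypt($user['password'], base64_encode($user['password']))`: a salt that does not start with `$` selects traditional DES crypt, which uses only the first two salt characters and the first eight password characters, and deriving the salt from the password itself makes equal passwords hash identically. Use a per-user random salt in a stronger format that basic_ncsa_auth accepts (MD5-crypt `$1$…$` is the conservative choice; confirm against the helper's supported formats), e.g. `crypt($user['password'], '$1$' . substr(str_replace('+', '.', base64_encode(openssl_random_pseudo_bytes(6))), 0, 8) . '$')`. squid_resync_users() starts outside this hunk.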
@@ -1848,15 +1886,15 @@ function squid_resync_msnt() {
$ntdomain = $settings['auth_ntdomain'];
file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}");
- chown(SQUID_CONFBASE."/msntauth.conf", 'proxy');
+ chown(SQUID_CONFBASE."/msntauth.conf", SQUID_UID);
chmod(SQUID_CONFBASE."/msntauth.conf", 0600);
}
function squid_resync($via_rpc="no") {
global $config;
- # detect boot process
- if (is_array($_POST)){
+ // detect boot process
+ if (is_array($_POST)) {
if (preg_match("/\w+/",$_POST['__csrf_magic']))
unset($boot_process);
else
@@ -1871,13 +1909,9 @@ function squid_resync($via_rpc="no") {
conf_mount_rw();
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
- SQUID_BASE,
- SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
- make_dirs($dir);
- chown($dir, 'proxy');
- chgrp($dir, 'proxy');
- squid_chown_recursive($dir, 'proxy', 'proxy');
+ @mkdir($dir, 0755, true);
+ squid_chown_recursive($dir, SQUID_UID, SQUID_GID);
}
$conf = squid_resync_general() . "\n";
$conf .= squid_resync_cache() . "\n";
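Review bot: `@mkdir($dir, 0755, true)` suppresses the error and ignores the result, so a failed creation (an existing file at that path, a read-only mount) is never logged and squid_chown_recursive then runs against a missing directory; a guard such as `if (!is_dir($dir) && !@mkdir($dir, 0755, true)) log_error("Unable to create directory {$dir}");` keeps the silence only for the already-exists case. SQUID_SSL_DB is presumably the ssl_bump certificate store, so giving it the same 0755 as the config and ACL directories deserves a second look — a mode like 0750 would keep it out of reach of unrelated local users while squid still owns it. squid_resync's body continues outside the hunk.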
@@ -1891,46 +1925,44 @@ function squid_resync($via_rpc="no") {
squid_resync_users();
squid_write_rcfile();
- if(!isset($boot_process) || $via_rpc="yes")
+ if (!isset($boot_process) || $via_rpc="yes")
squid_sync_on_changes();
- #write config file
- file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf);
+ // write config file
+ file_put_contents(SQUID_CONFFILE, $conf);
/* make sure pinger is executable */
- if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger"))
+ // XXX: Is it really necessary? Who could change its permission?
+ if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger"))
exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger");
$log_dir="";
- #check if squid is enabled
- if (is_array($config['installedpackages']['squid']['config'])){
+ // check if squid is enabled
+ if (is_array($config['installedpackages']['squid']['config'])) {
if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "")
$log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
- }
- #check if squidreverse is enabled
- else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){
+ }
+ // check if squidreverse is enabled
+ else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) {
if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "")
$log_dir="/var/squid/logs/";
- }
- #do not start squid if there is no log dir
- if ($log_dir != ""){
- if(!is_dir($log_dir)) {
+ }
+ // do not start squid if there is no log dir
+ if ($log_dir != "") {
+ if (!is_dir($log_dir)) {
log_error("Creating squid log dir $log_dir");
- make_dirs($log_dir);
- squid_chown_recursive($log_dir, 'proxy', 'proxy');
- }
+ @mkdir($log_dir, 0755, true);
+ squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID);
+ }
squid_dash_z();
if (!is_service_running('squid')) {
log_error("Starting Squid");
mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE);
- }
- else {
- if (!isset($boot_process)){
- log_error("Reloading Squid for configuration sync");
- mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
- }
+ } else if (!isset($boot_process)) {
+ log_error("Reloading Squid for configuration sync");
+ mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
}
// Sleep for a couple seconds to give squid a chance to fire up fully.
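Review bot: The condition `if (!isset($boot_process) || $via_rpc="yes")` still contains an assignment rather than a comparison, so it is always true and squid_sync_on_changes() runs on every resync, including the boot path the first operand is meant to exclude; the whitespace change left it as is and it should read `if (!isset($boot_process) || $via_rpc == "yes")`. The `@mkdir($log_dir, 0755, true)` for the log directory has the same unchecked result as the directory loop earlier in this function and could use the same is_dir guard before squid_chown_recursive. The new `XXX` comment above the pinger chmod asks a question the code should answer: if no step in this package is known to reset that mode, the exec can go, and if one is, naming it in the comment is more useful than the question. squid_resync continues past the hunk on both sides.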
@@ -1975,8 +2007,7 @@ function on_auth_method_changed() {
</script>
EOD;
- }
- else {
+ } else {
$javascript = <<< EOD
<script language="JavaScript">
<!--
@@ -2001,8 +2032,7 @@ function on_auth_method_changed() {
document.iform.auth_ttl.disabled = 1;
document.iform.unrestricted_auth.disabled = 1;
document.iform.no_auth_hosts.disabled = 1;
- }
- else {
+ } else {
document.iform.auth_prompt.disabled = 0;
document.iform.auth_processes.disabled = 0;
document.iform.auth_ttl.disabled = 0;
@@ -2011,76 +2041,76 @@ function on_auth_method_changed() {
}
switch (auth_method) {
- case 'local':
- document.iform.auth_server.disabled = 1;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- break;
- case 'ldap':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 0;
- document.iform.ldap_user.disabled = 0;
- document.iform.ldap_pass.disabled = 0;
- document.iform.ldap_version.disabled = 0;
- document.iform.ldap_userattribute.disabled = 0;
- document.iform.ldap_filter.disabled = 0;
- document.iform.ldap_basedomain.disabled = 0;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- break;
- case 'radius':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 0;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 0;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- break;
- case 'msnt':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 0;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 0;
- break;
- case 'cp':
- document.iform.auth_server.disabled = 1;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_prompt.disabled = 1;
- document.iform.auth_processes.disabled = 0;
- document.iform.auth_ttl.disabled = 0;
- document.iform.unrestricted_auth.disabled = 1;
- document.iform.no_auth_hosts.disabled = 1;
- break;
+ case 'local':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'ldap':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 0;
+ document.iform.ldap_pass.disabled = 0;
+ document.iform.ldap_version.disabled = 0;
+ document.iform.ldap_userattribute.disabled = 0;
+ document.iform.ldap_filter.disabled = 0;
+ document.iform.ldap_basedomain.disabled = 0;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'radius':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 0;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'msnt':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 0;
+ break;
+ case 'cp':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 0;
+ document.iform.auth_ttl.disabled = 0;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+ break;
}
}
-->
@@ -2098,50 +2128,50 @@ function squid_print_javascript_auth2() {
function squid_generate_rules($type) {
global $config;
+
$squid_conf = $config['installedpackages']['squid']['config'][0];
//check captive portal option
$cp_file='/etc/inc/captiveportal.inc';
$pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $cp_inc = file($cp_file);
- $new_cp_inc="";
- $found_rule=0;
- foreach ($cp_inc as $line){
- $new_line=$line;
- //remove applied squid patch
- if (preg_match('/skipto 65314 ip/',$line)){
+ $cp_inc = file($cp_file);
+ $new_cp_inc="";
+ $found_rule=0;
+ foreach ($cp_inc as $line) {
+ $new_line=$line;
+ //remove applied squid patch
+ if (preg_match('/skipto 65314 ip/',$line)) {
+ $found_rule++;
+ $new_line ="";
+ }
+
+ if (substr($pfsense_version,0,3) > 2.0) {
+ if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']) {
$found_rule++;
- $new_line ="";
- }
-
- if (substr($pfsense_version,0,3) > 2.0){
- if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){
- $found_rule++;
- $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
- $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
- }
- }
- else{
- //add squid patch option based on current config
- if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){
- $found_rule++;
- $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
- $new_line .= $line;
- }
- if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){
- $found_rule++;
- $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
- $new_line .= $line;
- }
- }
- $new_cp_inc .= $new_line;
+ $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
}
- if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) {
- copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup');
+ } else {
+ //add squid patch option based on current config
+ if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']) {
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= $line;
}
- if($found_rule > 0){
- file_put_contents($cp_file,$new_cp_inc, LOCK_EX);
+ if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']) {
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
+ $new_line .= $line;
}
+ }
+ $new_cp_inc .= $new_line;
+ }
+ if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) {
+ copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup');
+ }
+ if ($found_rule > 0) {
+ file_put_contents($cp_file,$new_cp_inc, LOCK_EX);
+ }
//normal squid rule check
if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
return;
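Review bot: `$port` is derived from `$settings['proxy_port']`, but nothing in squid_generate_rules assigns `$settings` (the function reads `$squid_conf`), so the value interpolated into the captive-portal `skipto 65314` rules on the new side is always 3128 regardless of the configured proxy port. Because `$port` is spliced into PHP source that is then written back to `$cp_file`, the fix should also pin it to an integer rather than trusting the config string, e.g. `$port = (int)$squid_conf['proxy_port']; if ($port <= 0) { $port = 3128; }`. Separately, `$cp_inc = file($cp_file)` is unchecked, and a missing file yields false which the foreach then warns on. The function continues beyond the hunk.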
@@ -2151,21 +2181,19 @@ function squid_generate_rules($type) {
log_error("SQUID is installed but not started. Not installing \"{$type}\" rules.");
return;
}
- #Read assigned interfaces
+ // Read assigned interfaces
$proxy_ifaces = explode(",", $squid_conf['active_interface']);
$proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces);
- if ($squid_conf['transparent_proxy']=="on"){
+ if ($squid_conf['transparent_proxy']=="on") {
$transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']);
$transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces);
- }
- else{
+ } else {
$transparent_ifaces=array();
}
- if ($squid_conf['ssl_proxy'] == "on"){
+ if ($squid_conf['ssl_proxy'] == "on") {
$ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']);
$ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces);
- }
- else{
+ } else {
$ssl_ifaces=array();
}
@@ -2173,118 +2201,118 @@ function squid_generate_rules($type) {
$ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127);
$fw_aliases = filter_generate_aliases();
- if(strstr($fw_aliases, "pptp ="))
+ if (strstr($fw_aliases, "pptp ="))
$PPTP_ALIAS = "\$pptp";
else
$PPTP_ALIAS = "\$PPTP";
- if(strstr($fw_aliases, "PPPoE ="))
+ if (strstr($fw_aliases, "PPPoE ="))
$PPPOE_ALIAS = "\$PPPoE";
else
$PPPOE_ALIAS = "\$pppoe";
- #define ports based on transparent options and ssl filtering
+ // define ports based on transparent options and ssl filtering
$pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
switch($type) {
- case 'nat':
- $rules .= "\n# Setup Squid proxy redirect\n";
- if ($squid_conf['private_subnet_proxy_off'] == 'on') {
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
- }
- /* Handle PPPOE case */
- if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
- }
- /* Handle PPTP case */
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
- }
+ case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy_off'] == 'on') {
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
}
- if (!empty($squid_conf['defined_ip_proxy_off'])) {
- $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
- $exempt_ip = "";
- foreach ($defined_ip_proxy_off as $ip_proxy_off) {
- if(!empty($ip_proxy_off)) {
- $ip_proxy_off = trim($ip_proxy_off);
- if (is_alias($ip_proxy_off))
- $ip_proxy_off = '$'.$ip_proxy_off;
- $exempt_ip .= ", $ip_proxy_off";
- }
- }
- $exempt_ip = substr($exempt_ip,2);
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
- }
- /* Handle PPPOE case */
- if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
- }
- /* Handle PPTP case */
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
- }
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
}
- if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
- $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
- $exempt_dest = "";
- foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
- if(!empty($ip_proxy_off_dest)) {
- $ip_proxy_off_dest = trim($ip_proxy_off_dest);
- if (is_alias($ip_proxy_off_dest))
- $ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
- $exempt_dest .= ", $ip_proxy_off_dest";
- }
- }
- $exempt_dest = substr($exempt_dest,2);
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
- }
- /* Handle PPPOE case */
- if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
- }
- /* Handle PPTP case */
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ }
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if (!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ if (is_alias($ip_proxy_off))
+ $ip_proxy_off = '$'.$ip_proxy_off;
+ $exempt_ip .= ", $ip_proxy_off";
}
}
- foreach ($transparent_ifaces as $t_iface) {
- $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
- if (in_array($t_iface,$ssl_ifaces))
- $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
}
/* Handle PPPOE case */
- if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
}
/* Handle PPTP case */
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
}
- $rules .= "\n";
- break;
- case 'filter':
- case 'rule':
+ }
+ if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
+ $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
+ $exempt_dest = "";
+ foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
+ if (!empty($ip_proxy_off_dest)) {
+ $ip_proxy_off_dest = trim($ip_proxy_off_dest);
+ if (is_alias($ip_proxy_off_dest))
+ $ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
+ $exempt_dest .= ", $ip_proxy_off_dest";
+ }
+ }
+ $exempt_dest = substr($exempt_dest,2);
foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
- $rules .= "# Setup squid pass rules for proxy\n";
- $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
- #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
- $rules .= "\n";
- };
- if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
- $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
}
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
}
- break;
- default:
- break;
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ }
+ }
+ foreach ($transparent_ifaces as $t_iface) {
+ $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
+ if (in_array($t_iface,$ssl_ifaces))
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
+ }
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ }
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ }
+ $rules .= "\n";
+ break;
+ case 'filter':
+ case 'rule':
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
+ $rules .= "# Setup squid pass rules for proxy\n";
+ $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
+ // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
+ $rules .= "\n";
+ };
+ if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
+ $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ }
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ }
+ break;
+ default:
+ break;
}
return $rules;
@@ -2335,82 +2363,80 @@ EOD;
/* Uses XMLRPC to synchronize the changes to a remote node */
function squid_sync_on_changes() {
global $config, $g;
- if (is_array($config['installedpackages']['squidsync']['config'])){
+ if (is_array($config['installedpackages']['squidsync']['config'])) {
$squid_sync=$config['installedpackages']['squidsync']['config'][0];
$synconchanges = $squid_sync['synconchanges'];
$synctimeout = $squid_sync['synctimeout'];
- switch ($synconchanges){
- case "manual":
- if (is_array($squid_sync[row])){
- $rs=$squid_sync[row];
- }
- else{
- log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
- return;
- }
- break;
- case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
- $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
- $rs[0]['username']=$system_carp['username'];
- $rs[0]['password']=$system_carp['password'];
- }
- else{
- log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.");
- return;
- }
- break;
- default:
+ switch ($synconchanges) {
+ case "manual":
+ if (is_array($squid_sync[row])) {
+ $rs=$squid_sync[row];
+ } else {
+ log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
+ $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
+ $rs[0]['username']=$system_carp['username'];
+ $rs[0]['password']=$system_carp['password'];
+ } else {
+ log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.");
return;
+ }
+ break;
+ default:
+ return;
break;
}
- if (is_array($rs)){
+ if (is_array($rs)) {
log_error("[squid] xmlrpc sync is starting.");
- foreach($rs as $sh){
+ foreach ($rs as $sh) {
$sync_to_ip = $sh['ipaddress'];
$password = $sh['password'];
- if($sh['username'])
+ if ($sh['username'])
$username = $sh['username'];
else
$username = 'admin';
- if($password && $sync_to_ip)
+ if ($password && $sync_to_ip)
squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout);
- }
- log_error("[squid] xmlrpc sync is ending.");
}
- }
+ log_error("[squid] xmlrpc sync is ending.");
+ }
+ }
}
/* Do the actual XMLRPC sync */
function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
global $config, $g;
- if(!$username)
+ if (!$username)
return;
- if(!$password)
+ if (!$password)
return;
- if(!$sync_to_ip)
+ if (!$sync_to_ip)
return;
- if(!$synctimeout)
+ if (!$synctimeout)
$synctimeout=250;
$xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
+ if ($config['system']['webgui']['protocol'] != "") {
$synchronizetoip = $config['system']['webgui']['protocol'];
$synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if ($port == "") {
+ if ($config['system']['webgui']['protocol'] == "http")
$port = "80";
else
$port = "443";
- }
+ }
$synchronizetoip .= $sync_to_ip;
/* xml will hold the sections to sync */
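Review bot: The re-indented `$squid_sync[row]` on both lines of the `manual` case uses the bareword `row` as the array key; PHP only treats it as the string 'row' after emitting an undefined-constant notice, and newer PHP raises an error, so it should be `$squid_sync['row']` in both places. In the same switch the `break;` after `return;` in the default arm is unreachable and can be dropped. In squid_do_xmlrpc_sync, `$synchronizetoip` is only assigned inside the protocol `if`, so with an empty webgui protocol the later `$synchronizetoip .= $sync_to_ip;` appends to an undefined variable; initialising it to `""` before the `if` avoids that. Both functions continue past the hunk.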
@@ -2439,15 +2465,15 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- if($g['debug'])
+ if ($g['debug'])
$cli->setDebug(1);
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
+ if (!$resp) {
$error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
$error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
@@ -2472,11 +2498,11 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
+ if (!$resp) {
$error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
$error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
@@ -2485,6 +2511,6 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
} else {
log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
-
}
+
?>
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml
index 57dfc938..96f2610c 100644
--- a/config/squid3/34/squid.xml
+++ b/config/squid3/34/squid.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>squid</name>
- <version>3.4.10_2 pkg 0.2.6</version>
+ <version>0.2.8</version>
<title>Proxy server: General settings</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<menu>
@@ -166,16 +166,6 @@
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml</item>
</additional_files_needed>
<additional_files_needed>
@@ -249,7 +239,7 @@
<item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
+ <prefix>/usr/local/bin/</prefix>
<chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squid3/34/check_ip.php</item>
</additional_files_needed>
diff --git a/config/squid3/34/squid_auth.inc b/config/squid3/34/squid_auth.inc
deleted file mode 100644
index cc511607..00000000
--- a/config/squid3/34/squid_auth.inc
+++ /dev/null
@@ -1,446 +0,0 @@
-<?php
-/* $Id$ */
-
-/*
- squid_auth.inc
- part of pfSense (www.pfSense.com)
-
- Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
-*/
-
-function global_eval_auth_options()
-{
- global $config;
- conf_mount_rw();
- config_lock();
-
- switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
- case "none":
- dynamic_auth_content("pkg_edit");
- dynamic_no_auth();
- break;
- case "local_auth":
- dynamic_auth_content("pkg");
- /* create empty passwd file to prevent stat error with squid reload */
- touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
- dynamic_local_auth();
- break;
- case "ldap_bind":
- dynamic_auth_content("pkg_edit");
- dynamic_ldap_auth();
- break;
- case "domain_auth":
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_domain_auth();
- break;
- case "radius_auth":
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_radius_auth();
- break;
- default:
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_no_auth();
- break;
- }
-
- config_unlock();
- conf_mount_ro();
-
-} /* end function global_eval_auth_options */
-
-function dynamic_no_auth() {
- global $config;
- conf_mount_rw();
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextnoauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n");
- fwrite($fout, " <fieldname>no_auth</fieldname>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");");
- fwrite($fout, "\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-function dynamic_local_auth() {
- global $config;
- conf_mount_rw();
-
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
-
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextlocalauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
- fwrite($fout, " <version>2.5.10_4</version>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <files></files>\n");
- fwrite($fout, " <menu></menu>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <adddeleteeditpagefields>\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Username</fielddescr>\n");
- fwrite($fout, " <fieldname>username</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Description</fielddescr>\n");
- fwrite($fout, " <fieldname>description</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
- fwrite($fout, " <fieldname>group</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, " </adddeleteeditpagefields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Username</fielddescr>\n");
- fwrite($fout, " <fieldname>username</fieldname>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>15</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Password</fielddescr>\n");
- fwrite($fout, " <fieldname>password</fieldname>\n");
- fwrite($fout, " <type>password</type>\n");
- fwrite($fout, " <size>8</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n");
- fwrite($fout, " <fieldname>description</fieldname>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>30</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
- fwrite($fout, " <fieldname>group</fieldname>\n");
- fwrite($fout, " <type>select</type>\n");
- fwrite($fout, " <options>\n");
- fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n");
- fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n");
- fwrite($fout, " </options>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
- fwrite($fout, "\n");
- fwrite($fout, " mod_htpasswd();\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
-
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-function dynamic_ldap_auth() {
- global $config;
- conf_mount_rw();
-
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
-
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextldapauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
- fwrite($fout, " <version>2.5.11</version>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <files></files>\n");
- fwrite($fout, " <menu></menu>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Base DN</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n");
- fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>50</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_server</fieldname>\n");
- fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>20</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_type</fieldname>\n");
- fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n");
- fwrite($fout, " <type>select</type>\n");
- fwrite($fout, " <options>\n");
- fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n");
- fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n");
- fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n");
- fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n");
- fwrite($fout, " </options>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_port</fieldname>\n");
- fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>5</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n");
- fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n");
- fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>30</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n");
- fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n");
- fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n");
- fwrite($fout, " <type>password</type>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
- fwrite($fout, "\n");
- fwrite($fout, " mod_htpasswd();\n");
- fwrite($fout, "\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
-
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
-function dynamic_auth_content($pkgvar) {
-
- switch ($pkgvar) {
- case "pkg":
- if ($handle = opendir("/usr/local/pkg")) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
- $filecontents = file("/usr/local/pkg/" . $file);
- $fout = fopen("/usr/local/pkg/" . $file, "w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
- }
- }
- }
- break;
-
- case "pkg_edit":
- if ($handle = opendir("/usr/local/pkg")) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
- $filecontents = file("/usr/local/pkg/" . $file);
- $fout = fopen("/usr/local/pkg/" . $file,"w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
- }
- }
- }
- break;
- }
-
-} /* end function dynamic_auth_content */
-?> \ No newline at end of file
diff --git a/config/squid3/34/squid_cpauth.php b/config/squid3/34/squid_cpauth.php
deleted file mode 100644
index 98be9946..00000000
--- a/config/squid3/34/squid_cpauth.php
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/local/bin/php -q
-<?php
-
-$NONINTERACTIVE_SCRIPT = TRUE;
-
-$fp = fopen('php://stdin', 'r');
-while($args = split(" ",trim(fgets($fp, 4096)))){
- print captive_ip_to_username($args);
-}
-
-function captive_ip_to_username($args){
- $current_sessions = file("/var/db/captiveportal.db");
- foreach($current_sessions as $session){
- list($a, $b, $IP_Address, $Mac_Address, $Username) = explode(",", $session,5);
- #this test allow access if user's ip is listed on captive portal
- #args array has (ip, site, protocol and port) passed by squid helper
- #include a more complex test here to allow or deny access based on username returned
- # this script will not return username to squid logs
- if($IP_Address == $args[0]) return "OK\n";
- }
- return "ERR\n";
-}
-
-?> \ No newline at end of file
diff --git a/config/squid3/34/squid_extauth.xml b/config/squid3/34/squid_extauth.xml
deleted file mode 100644
index 41d9f633..00000000
--- a/config/squid3/34/squid_extauth.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidextnoauth</name>
- <version>none</version>
- <title>Services: Proxy Server -> Extended Authentication Settings</title>
- <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Auth</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Extended Auth</text>
- <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
- <active/>
- </tab>
-
- </tabs>
- <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>
- <fields>
- <field>
- <fielddescr>No Authentication Defined</fielddescr>
- <fieldname>no_auth</fieldname>
- <type>text</type>
- </field>
- </fields>
-
- <custom_add_php_command_late>
- require_once("/usr/local/pkg/squid_ng.inc");
-
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- </custom_add_php_command_late>
-
-</packagegui>
diff --git a/config/squid3/34/squid_ng.inc b/config/squid3/34/squid_ng.inc
deleted file mode 100755
index bac4d4f0..00000000
--- a/config/squid3/34/squid_ng.inc
+++ /dev/null
@@ -1,1070 +0,0 @@
-<?php
-/* $Id$ */
-
-/*
- squid_ng.inc
- part of pfSense (www.pfSense.com)
-
- Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
-*/
-
-if(!function_exists("filter_configure"))
- require_once("filter.inc");
-
-function global_write_squid_config()
-{
- global $config;
- conf_mount_rw();
- config_lock();
-
- /* define squid configuration file in variable for replace function */
- $squidconfig = "/usr/local/etc/squid/squid.conf";
-
- /* squid.xml values */
- $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
- $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
- $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
- $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
- $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
- $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
- $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
- $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
- $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
- $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
- $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
- $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
-
- /* squid_upstream.xml values */
- $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
- $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
- $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
- $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
- $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
- $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
- $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
-
- /* squid_cache.xml values */
- $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
- $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
- $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
- $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
- $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
- $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
- $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
- $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
- $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
-
- /* squid_nac.xml values */
- $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
- $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
- $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
- $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
- $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
- $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
-
- /* squid_traffic.xml values */
- $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
- $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
- $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
- $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
- $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
- $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
- $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
-
- /* squid_auth.xml values */
- $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
- $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
- $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
- $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
- $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
- $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
- $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
- $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
- $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
- $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
-
- /* squid_extauth.xml (ldap) values */
- $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
- $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
- $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
- $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
- $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
- $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
-
- /* squid_extauth.xml (radius) values */
- $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
- $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
- $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
- $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
-
- /* static variable assignments for directory mapping */
- $acldir = "/usr/local/etc/squid/advanced/acls";
- $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
- $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
- $radiusdir = "/usr/local/etc/squid/advanced/radius";
-
- $fout = fopen($squidconfig, "w");
-
- $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
-
- if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
- mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
- mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
- } else {
- mwexec("rm -f /usr/local/www/cachemgr.cgi");
- }
- unset($cachemgr_enabled);
-
- if (!isset($icp_port) or ($icp_port == "")) {
- $icp_port = "3130";
- }
- $config_array[] = 'icp_port ' . $icp_port . "\n";
- unset($icp_port);
-
- if(!isset($proxy_port) or ($proxy_port == "")) {
- $proxy_port = "3128";
- }
-
- if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
- $int = convert_friendly_interface_to_real_interface_name($active_interface);
- $listen_ip = find_interface_ip($int);
-
- $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
- $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
- $config_array[] = 'no_cache deny QUERY' . "\n\n";
- }
- $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n";
- unset($proxy_port);
-
- if (isset($domain) && ($domain !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/dst_nocache.acl","w");
-
- $domain_array = split("; ",$domain);
- foreach ($domain_array as $no_cache_domain) {
- fwrite($aclout, $no_cache_domain . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
- $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
- }
- unset($no_cache_domain);
- unset($domain_array);
- unset($domain);
-
- $config_array[] = 'cache_effective_user squid' . "\n";
- $config_array[] = 'cache_effective_group squid' . "\n\n";
- $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
-
- if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
- $memory_cache_size = "8";
- }
- $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
- unset($memory_cache_size);
-
- if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
- $harddisk_cache_size = "500";
- }
-
- if (!isset($level_subdirs) or ($level_subdirs == "")) {
- $level_subdirs = "16";
- }
-
- $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
- unset($harddisk_cache_size);
- unset($level_subdirs);
-
- if (!isset($error_language) or ($error_language == "")) {
- $error_language = "English";
- }
- $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
- unset($error_language);
-
- if (isset($offline_mode) && ($offline_mode == "on")) {
- $config_array[] = 'offline_mode on' . "\n\n";
- } else {
- $config_array[] = 'offline_mode off' . "\n\n";
- }
-
- if (!isset($memory_replacement) or ($memory_replacement == "")) {
- $memory_replacement = "heap GDSF";
- }
- $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
- unset($memory_replacement);
-
- if (!isset($cache_replacement) or ($cache_replacement == "")) {
- $cache_replacement="heap GDSF";
- }
- $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
- unset($cache_replacement);
-
- if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
- $config_array[] = 'cache_access_log none' . "\n";
- } else {
- $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
- }
- $config_array[] = 'cache_log /var/log/cache.log' . "\n";
- $config_array[] = 'cache_store_log none' . "\n";
- unset($accesslog_disabled);
- unset($log_enabled);
-
- if (isset($log_query_terms) && ($log_query_terms == "on")) {
- $config_array[] = 'strip_query_terms off' . "\n";
- } else {
- $config_array[] = 'strip_query_terms on' . "\n";
- }
- unset($log_query_terms);
-
- $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
- unset($log_user_agents);
-
- $config_array[] = 'log_mime_hdrs off' . "\n";
- $config_array[] = 'emulate_httpd_log on' . "\n";
-
- switch ($user_forwarding) {
- case "on":
- $config_array[] = 'forwarded_for on' . "\n\n";
- break;
- case "off":
- $config_array[] = 'forwarded_for off' . "\n\n";
- break;
- default:
- $config_array[] = 'forwarded_for off' . "\n\n";
- break;
- }
- unset($user_forwarding);
-
- switch ($auth_method) {
- case "none":
- break;
- case "local_auth":
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "radius_auth";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "ldap_bind";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
- $config_array[] = ' -b "' . $ldap_basedn . '"';
- $config_array[] = ' -D "' . $bind_dn_username . '"';
- $config_array[] = " -w " . $bind_dn_password;
- $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
- $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
-
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "windows_auth";
- break;
- }
-
- if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
- fwrite($throttle_out, $binary_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
- }
- unset($throttle_binary_files);
- unset($throttle_out);
- unset($binary_out);
-
- if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
- fwrite($throttle_out, $cd_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_cd.acl")) {
- unlink($acldir . "/dst_throttle_cd.acl");
- }
- }
- unset($throttle_cd_images);
- unset($throttle_out);
- unset($cd_out);
-
- if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
- fwrite($throttle_out, $multimedia_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
- unlink($acldir . "/dst_throttle_multimedia.acl");
- }
- }
- unset($throttle_multimedia);
- unset($multimedia_out);
- unset($throttle_out);
-
- $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
-
- /* obtain interface subnet and address for Squid rules */
- $lactive_interface = strtolower($active_interface);
-
- $lancfg = $config['interfaces'][$lactive_interface];
- $lanif = $lancfg['if'];
- $lanip = $lancfg['ipaddr'];
- $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
-
- $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
- $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
- $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
- $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
- $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
- $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
- $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
- $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
- $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
- $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
- $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n";
- $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
- $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
- $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
- $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
-
- /* allow access through proxy for custom admin port */
- $custom_port = $config['system']['webgui']['port'];
- if (isset($custom_port) && ($custom_port !== "")) {
- $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
- unset($custom_port);
- } else {
- $admin_protocol = $config['system']['webgui']['protocol'];
- switch ($admin_protocol) {
- case "http";
- $config_array[] = 'acl pf_admin_port port 80' ."\n";
- break;
- case "https";
- $config_array[] = 'acl pf_admin_port port 443' . "\n";
- break;
- default;
- $config_array[] = 'acl pf_admin_port port 80' . "\n";
- break;
- }
- unset($admin_protocol);
- }
-
- /* define override hosts as specified in squid_nac.xml */
- if (isset($override_hosts) && ($override_hosts !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
-
- $override_hosts_array = split("; ", $override_hosts);
- foreach ($override_hosts_array as $ind_override_host) {
- fwrite($aclout, $ind_override_host . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
- }
- /* clear variables */
- unset($override_hosts_array);
- unset($ind_override_host);
- unset($override_hosts);
-
- /* define subnets allowed to utilize proxy service */
- if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- mwexec("touch {$acldir}/src_subnets.acl");
- }
-
- $aclout = fopen($acldir . "/src_subnets.acl","w");
-
- $allowed_subnets_array = split("; ",$allowed_subnets);
- foreach ($allowed_subnets_array as $ind_allowed_subnets) {
- fwrite($aclout, $ind_allowed_subnets . "\n");
- }
-
- fclose($aclout);
- } else {
-
- $aclout = fopen($acldir . "/src_subnets.acl","w");
- fwrite($aclout, $lansa . "/" . $lansn . "\n");
- fclose($aclout);
- }
-
- $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
-
- unset($allowed_subnets_array);
- unset($ind_allowed_subnets);
- unset($allowed_subnets);
-
- /* define ip addresses that have 'unrestricted' access */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
-
- $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
- foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
- fwrite($aclout, $ind_unrestricted_ip . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
- }
- unset($unrestricted_ip_array);
- unset($unrestricted_ip_addr);
- unset($ind_unrestricted_ip);
-
- /* define mac addresses that have 'unrestricted' access */
- if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
-
- $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
- foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
- fwrite($aclout, $ind_unrestricted_mac . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
- }
- unset($unrestricted_mac_array);
- unset($unrestricted_mac_addr);
- unset($ind_unrestricted_mac);
-
- /* define ip addresses that are banned from using the proxy service */
- if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_banned_ip.acl","w");
-
- $banned_ip_array = split("; ",$banned_ip_addr);
- foreach ($banned_ip_array as $ind_banned_ip) {
- fwrite($aclout, $ind_banned_ip . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
- }
- unset($banned_ip_array);
- unset($banned_ip_addr);
- unset($ind_banned_ip);
-
- /* define mac addresses that are banned from using the proxy service */
- if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_banned_mac.acl","w");
-
- $banned_mac_array = split("; ",$banned_mac_addr);
- foreach ($banned_mac_array as $ind_banned_mac) {
- fwrite($aclout, $ind_banned_mac . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
- }
- unset($banned_mac_array);
- unset($banned_mac_addr);
- unset($ind_banned_mac);
-
- $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
- $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
-
- if (isset($auth_method) && ($auth_method == "none")) {
- $config_array[] = 'http_access allow localnet' . "\n";
- }
- $config_array[] = 'http_access allow localhost' . "\n";
-
- if (isset($override_hosts) && ($override_hosts !== "")) {
- $config_array[] = 'http_access allow override_hosts' . "\n";
- }
- $config_array[] = "\n";
-
- switch ($config['system']['webgui']['protocol']) {
- case "http":
- $config_array[] = 'http_access allow pf_ips' . "\n";
- $config_array[] = 'http_access allow pf_admin_port' . "\n";
- $config_array[] = 'http_access deny !pf_networks' . "\n\n";
- break;
- case "https":
- $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
- $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
- $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
- break;
- }
-
- $config_array[] = 'http_access deny !Safe_ports' . "\n";
- $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
-
- if (isset($auth_method) && ($auth_method != "none")) {
- $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
- }
-
- $config_array[] = 'http_access deny all' . "\n\n";
-
- if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
-
- if ($dl_overall == "unlimited") {
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
- } else {
- $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
- }
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
- }
-
- if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
-
- if ($dl_per_host == "unlimited") {
- $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
- } else {
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
- }
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if ($throttle_binary_files == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if ($throttle_cd_images == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if ($throttle_multimedia == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
- }
-
- if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
- /* if no bandwidth restrictions are specified, then these parameters are not necessary */
- if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
-
- if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
- } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
- $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
- }
- }
-
- if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if ($throttle_binary_files == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if ($throttle_cd_images == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if ($throttle_multimedia == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
- }
- }
-
- $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
- $config_array[] = 'header_access Via deny all' . "\n\n";
-
- /* TODO: acl customization for snmp support */
- /* fwrite($fout, "\n"); */
-
- if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
- $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
- $config_array[] = 'redirect_children 5' . "\n\n";
- }
-
- if (isset($max_upload_size) && ($max_upload_size != "")) {
- $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
- }
-
- if (isset($max_download_size) && ($max_download_size != "")) {
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
- /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
- $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
- }
-
- /* set default value for maximum_object_size */
- if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
- $maximum_object_size = "4096";
- }
-
- /* set default value for minimum_object_size */
- if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
- $minimum_object_size = "0";
- }
- $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
- $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
-
- if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
- $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
- $config_array[] = 'never_direct allow all' . "\n";
- }
- unset($proxy_forwarding);
-
-
- /* define default ruleset for transparent proxy operation */
- if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
- $config_array[] = 'httpd_accel_host virtual' . "\n";
- $config_array[] = 'httpd_accel_port 80' . "\n";
- $config_array[] = 'httpd_accel_with_proxy on' . "\n";
- $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
- }
- unset($transparent_proxy);
-
-
- /* define visible hostname */
- if (isset($visible_hostname) && ($visible_hostname !== "")) {
- $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
- }
- unset($visible_hostname);
-
- /* define cache administrators email address within error messages */
- if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
- $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
- }
- unset($cache_admin_email);
-
- /* write configuration file */
- foreach ($config_array as $config_item)
- {
- fwrite($fout, trim($config_item));
-
- if (stristr($config_item, "\n"))
- {
- for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
- {
- fwrite($fout, "\n");
- }
- }
-
- }
- fclose($fout);
-
- conf_mount_ro();
- config_unlock();
-
- touch($squidconfig);
-} /* end function write_squid_config */
-
-function squid3_custom_php_install_command() {
- /* write initial static config for transparent proxy */
- write_static_squid_config();
-
- touch("/tmp/squid3_custom_php_install_command");
-
- /* make sure this all exists, see:
- * https://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
- */
- update_output_window("Setting up Squid environment...");
- mwexec("mkdir -p /var/squid");
- mwexec("chown squid:squid /var/squid");
- mwexec("mkdir -p /var/squid/logs");
- mwexec("chown squid:squid /var/squid/logs");
- mwexec("mkdir -p /var/squid/cache");
- mwexec("chown squid:squid /var/squid/cache");
- mwexec("mkdir -p /usr/local/etc/squid/advanced");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced");
- mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
- mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
- mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
- mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
-
-
- /* set a few extra items noted by regan */
- update_output_window("Creating logs and setting user information...");
- $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w");
- fwrite($fdsquid, "#/bin/sh\n");
- fwrite($fdsquid, "# \n");
- fwrite($fdsquid, "# This file was created by the pfSense package system\n");
- fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n");
- fwrite($fdsquid, "# \n\n");
- fwrite($fdsquid, "chown squid:wheel /dev/pf\n");
- fwrite($fdsquid, "chmod ug+rw /dev/pf\n");
- fwrite($fdsquid, "touch /var/log/useragent.log\n");
- fwrite($fdsquid, "touch /var/log/access.log\n");
- fwrite($fdsquid, "touch /var/log/cache.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n");
- fwrite($fdsquid, "\n");
- fclose($fdsquid);
- mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
- mwexec("/usr/local/etc/rc.d/aSquid.sh");
-
- update_output_window("Creating Proxy Server initialization scripts...");
- $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
- $stop = "/usr/local/sbin/squid -k shutdown";
- write_rcfile(array(
- "file" => "squid.sh",
- "start" => $start,
- "stop" => $stop
- )
- );
-
- mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
-
- /* create log directory hierarchies if they don't exist */
- update_output_window("Creating required directory hierarchies...");
-
- if (!file_exists("/var/squid/logs")) {
- mwexec("mkdir -p /var/squid/logs");
- }
- mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
-
-
- if (!file_exists("/var/squid/cache")) {
- mwexec("mkdir -p /var/squid/cache");
- }
- mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
-
- if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
-
- if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
-
- if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
-
- if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
-
- $devfs_file = fopen("/etc/devfs.conf", "a");
- fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
- fwrite($devfs_file, "own pf root:squid");
- fwrite($devfs_file, "perm pf 0640");
- fclose($devfs_file);
-
- update_output_window("Initializing Cache... This may take a moment...");
- mwexec("/usr/local/sbin/squid -z");
-
- update_output_window("Starting Proxy Server...");
- start_service("squid");
-}
-
-function squid3_custom_php_deinstall_command() {
- update_output_window("Stopping proxy service...");
- stop_service("squid");
- sleep(1);
- /* brute force any remaining squid processes out */
- mwexec("/usr/bin/killall squid");
- mwexec("/usr/bin/killall pinger");
- update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain...");
- mwexec("rm -rf /var/squid/cache");
- update_output_window("Removing configuration files...");
- unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
- unlink_if_exists("/usr/local/libexec/squid");
- unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh");
- mwexec("rm -f /usr/local/etc/rc.d/squid*");
- mwexec("rm -f /usr/local/www/cachemgr.cgi");
- filter_configure();
-}
-
-function write_static_squid_config() {
- touch("/tmp/write_static_squid_config");
- global $config;
- $lancfg = $config['interfaces']['lan'];
- $lanif = $lancfg['if'];
- $lanip = $lancfg['ipaddr'];
- $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
-
- $fout = fopen("/usr/local/etc/squid/squid.conf","w");
- fwrite($fout, "#\n");
- fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
- fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
- fwrite($fout, "#\n");
-
- /* set # of dns children */
- fwrite($fout, "dns_children 15\n");
-
- fwrite($fout, "shutdown_lifetime 5 seconds\n");
- fwrite($fout, "icp_port 0\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
- fwrite($fout, "no_cache deny QUERY\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "pid_filename /var/run/squid.pid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_mem 24 MB\n");
- fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "memory_replacement_policy heap GDSF\n");
- fwrite($fout, "cache_replacement_policy heap GDSF\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_access_log none\n");
- fwrite($fout, "cache_log none\n");
- fwrite($fout, "cache_store_log none\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "log_mime_hdrs off\n");
- fwrite($fout, "emulate_httpd_log on\n");
- fwrite($fout, "forwarded_for off\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
- fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
- fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 80 # http\n");
- fwrite($fout, "acl Safe_ports port 21 # ftp\n");
- fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 70 # gopher\n");
- fwrite($fout, "acl Safe_ports port 210 # wais\n");
- fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
- fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
- fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
- fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
- fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
- fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl CONNECT method CONNECT\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#access to squid; local machine; no restrictions\n");
- fwrite($fout, "http_access allow localnet\n");
- fwrite($fout, "http_access allow localhost\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Deny non web services\n");
- fwrite($fout, "http_access deny !Safe_ports\n");
- fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Set custom configured ACLs\n");
- fwrite($fout, "http_access deny all\n");
- fwrite($fout, "visible_hostname pfSense\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_effective_user squid\n");
- fwrite($fout, "cache_effective_group squid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "maximum_object_size 4096 KB\n");
- fwrite($fout, "minimum_object_size 0 KB\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "request_body_max_size 0 KB\n");
- fwrite($fout, "reply_body_max_size 0 allow all\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "httpd_accel_host virtual\n");
- fwrite($fout, "httpd_accel_port 80\n");
- fwrite($fout, "httpd_accel_with_proxy on\n");
- fwrite($fout, "httpd_accel_uses_host_header on\n");
-
- fclose($fout);
-}
-
-function mod_htpasswd() {
- global $config;
- conf_mount_rw();
- config_lock();
-
- if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
-
- $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
-
- if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
- foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) {
- $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']);
- fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
- }
- }
-
- fclose($passfile);
-
- conf_mount_ro();
- config_unlock();
-}
-
-function generate_htpasswd($username, $password) {
- $all = explode( " ",
- "a b c d e f g h i j k l m n o p q r s t u v w x y z "
- . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z "
- . "0 1 2 3 4 5 6 7 8 9");
-
- for ($i = 0; $i < 9; $i++) {
- srand((double)microtime()*1000000);
- $randy = rand(0,61);
- $seed .= $all[$randy];
- }
-
- $crypt = crypt($password, "$1$$seed");
- return $crypt;
-}
-
-?>
diff --git a/config/squid3/34/squid_ng.xml b/config/squid3/34/squid_ng.xml
deleted file mode 100755
index b96b4eb2..00000000
--- a/config/squid3/34/squid_ng.xml
+++ /dev/null
@@ -1,267 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squid</name>
- <version>2.5.12_4</version>
- <title>Services: Proxy Server</title>
- <category>Security</category>
- <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</aftersaveredirect>
- <include_file>/usr/local/pkg/squid_ng.inc</include_file>
- <menu>
- <name>Squid</name>
- <tooltiptext>Modify settings for Proxy Server</tooltiptext>
- <section>Services</section>
- <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
- </menu>
- <menu>
- <name>Squid stats</name>
- <tooltiptext>Show Squid statistics</tooltiptext>
- <section>Services</section>
- <url>/cachemgr.cgi</url>
- </menu>
- <service>
- <name>squid</name>
- <rcfile>squid.sh</rcfile>
- </service>
- <tabs>
- <tab>
- <text>General Settings</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Network Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Extended Auth</text>
- <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
- </tab>
- </tabs>
- <configpath>installedpackages->package->squidng->configuration->settings</configpath>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_cache.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_nac.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_ng.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_traffic.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_upstream.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_auth.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_auth.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid/squid_extauth.xml</item>
- </additional_files_needed>
- <fields>
- <field>
- <fielddescr>Proxy Listening Interface</fielddescr>
- <fieldname>active_interface</fieldname>
- <description>This defines the active listening interface to which the proxy server will listen for its requests.</description>
- <type>interfaces_selection</type>
- </field>
- <field>
- <fielddescr>Transparent Proxy</fielddescr>
- <fieldname>transparent_proxy</fieldname>
- <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>URL Filtering Enabled</fielddescr>
- <fieldname>urlfilter_enable</fieldname>
- <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Disable Access Log</fielddescr>
- <fieldname>accesslog_disabled</fieldname>
- <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Log Query Terms</fielddescr>
- <fieldname>log_query_terms</fieldname>
- <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Log User Agents</fielddescr>
- <fieldname>log_user_agents</fieldname>
- <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Proxy Port</fielddescr>
- <fieldname>proxy_port</fieldname>
- <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description>
- <type>input</type>
- <size>4</size>
- <combinefieldsend>true</combinefieldsend>
- </field>
- <field>
- <fielddescr>ICP Port</fielddescr>
- <fieldname>icp_port</fieldname>
- <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description>
- <type>input</type>
- <size>4</size>
- </field>
- <field>
- <fielddescr>Visible Hostname</fielddescr>
- <fieldname>visible_hostname</fieldname>
- <description>This URL is displayed on the Proxy Server error messages.</description>
- <type>input</type>
- <size>35</size>
- </field>
- <field>
- <fielddescr>Cache Administrator E-Mail</fielddescr>
- <fieldname>cache_admin_email</fieldname>
- <description>This E-Mail address is displayed on the Proxy Server error messages.</description>
- <type>input</type>
- <size>35</size>
- </field>
- <field>
- <fielddescr>Error Messages Language</fielddescr>
- <fieldname>error_language</fieldname>
- <description>Select the language in which the Proxy Server shall display error messages to users.</description>
- <type>select</type>
- <options>
- <option><name>Bulgarian</name><value>Bulgarian</value></option>
- <option><name>Catalan</name><value>Catalan</value></option>
- <option><name>Czech</name><value>Czech</value></option>
- <option><name>Danish</name><value>Danish</value></option>
- <option><name>Dutch</name><value>Dutch</value></option>
- <option><name>English</name><value>English</value></option>
- <option><name>Estonian</name><value>Estonian</value></option>
- <option><name>Finnish</name><value>Finnish</value></option>
- <option><name>French</name><value>French</value></option>
- <option><name>German</name><value>German</value></option>
- <option><name>Hebrew</name><value>Hebrew</value></option>
- <option><name>Hungarian</name><value>Hungarian</value></option>
- <option><name>Italian</name><value>Italian</value></option>
- <option><name>Japanese</name><value>Japanese</value></option>
- <option><name>Korean</name><value>Korean</value></option>
- <option><name>Lithuanian</name><value>Lithuanian</value></option>
- <option><name>Polish</name><value>Polish</value></option>
- <option><name>Portuguese</name><value>Portuguese</value></option>
- <option><name>Romanian</name><value>Romanian</value></option>
- <option><name>Russian-1251</name><value>Russian-1251</value></option>
- <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
- <option><name>Serbian</name><value>Serbian</value></option>
- <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
- <option><name>Slovak</name><value>Slovak</value></option>
- <option><name>Spanish</name><value>Spanish</value></option>
- <option><name>Swedish</name><value>Swedish</value></option>
- <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
- <option><name>Turkish</name><value>Turkish</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Enable cachemgr</fielddescr>
- <fieldname>cachemgr_enabled</fieldname>
- <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. &lt;b&gt;Note:&lt;/b&gt; This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description>
- <type>checkbox</type>
- </field>
-
- </fields>
- <custom_add_php_command_late>
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_add_php_command_late>
- <custom_php_install_command>
- squid3_custom_php_install_command();
- write_static_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_php_install_command>
- <custom_php_deinstall_command>
- squid3_custom_php_deinstall_command();
- stop_service("squid");
- </custom_php_deinstall_command>
-</packagegui>
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
index 3f216296..f583ee12 100755
--- a/config/squid3/34/squid_reverse.inc
+++ b/config/squid3/34/squid_reverse.inc
@@ -31,8 +31,6 @@
function squid_resync_reverse() {
global $config;
- //if(!is_array($valid_acls))
- // return;
//CONFIG FILE
if (is_array($config['installedpackages']['squidreversegeneral']))
@@ -46,19 +44,19 @@ function squid_resync_reverse() {
$conf = "# Reverse Proxy settings\n";
- if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
- $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
+ if (isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
+ $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
if ($svr_cert != false) {
- if(base64_decode($svr_cert['crt'])) {
+ if (base64_decode($svr_cert['crt'])) {
file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt']));
$reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
- }
- if(base64_decode($svr_cert['prv'])) {
+ }
+ if (base64_decode($svr_cert['prv'])) {
file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv']));
$reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
- }
}
}
+ }
if (!empty($settings['reverse_int_ca']))
file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
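Review bot: The private key written by `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", ...)` is created with the process umask, so the reformatted block still leaves the key file readable by any local account that can read the Squid config directory; add `chmod($reverse_key, 0600);` directly after the `$reverse_key = ...` assignment (the `.crt` file is public material and can stay as is). Separately, `$reverse_crt` and `$reverse_key` are only assigned inside the two `base64_decode(...)` branches, so when `reverse_ssl_cert` is `none` or `lookup_cert()` returns false they presumably stay undefined and are later interpolated as empty strings; initialising both to `''` before the outer `if` makes that state explicit. squid_resync_reverse() begins in the previous hunk and continues past this one.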
@@ -66,42 +64,41 @@ function squid_resync_reverse() {
$ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
$real_ifaces = array();
- #set HTTP port and defsite
+ // set HTTP port and defsite
$http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']);
$http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']);
- #set HTTPS port and defsite
+ // set HTTPS port and defsite
$https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']);
$https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']);
foreach (explode(",", $ifaces) as $i => $iface) {
$real_ifaces[] = squid_get_real_interface_address($iface);
- if($real_ifaces[$i][0]) {
- //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
- $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
- //HTTPS
- if (!empty($settings['reverse_https']))
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
- }
+ if ($real_ifaces[$i][0]) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
}
+ }
- if(!empty($settings['reverse_ip'])) {
+ if (!empty($settings['reverse_ip'])) {
$reverse_ip = explode(";", ($settings['reverse_ip']));
foreach ($reverse_ip as $reip) {
- //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
- $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
- //HTTPS
- if (!empty($settings['reverse_https']))
- $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
- }
- }
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
//PEERS
- if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])))
-
- if(!empty($settings['reverse_owa_ip'])) {
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) {
+ if (!empty($settings['reverse_owa_ip'])) {
$reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
$casnr = 0;
foreach ($reverse_owa_ip as $reowaip) {
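Review bot: The inner `if (!empty($settings['reverse_owa_ip'])) {` added at the `//PEERS` block repeats the `!empty($settings['reverse_owa_ip'])` test that the new outer `if` already performs, so one of the two levels can be dropped once the matching closing brace (in the next hunk) is adjusted. More importantly, both `https_port` lines in this hunk still emit `cert={$reverse_crt} key={$reverse_key}` even when no certificate was resolved earlier in the function, producing an `https_port` directive with empty cert/key values; guard them with `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key))` or log a clear error when HTTPS is enabled without a usable certificate. The function starts and ends outside this hunk.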
@@ -110,36 +107,38 @@ function squid_resync_reverse() {
$conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
}
}
+ }
- $active_peers=array();
- if (is_array($reverse_peers))
- foreach ($reverse_peers as $rp){
- if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){
- $conf_peer = "#{$rp['description']}\n";
- $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
- if($rp['protocol'] == 'HTTPS')
- $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ $active_peers=array();
+ if (is_array($reverse_peers)) {
+ foreach ($reverse_peers as $rp) {
+ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !="") {
+ $conf_peer = "#{$rp['description']}\n";
+ $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
+ if ($rp['protocol'] == 'HTTPS')
+ $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
$conf_peer .= "name=rvp_{$rp['name']}\n\n";
// add peer only if reverse proxy is enabled for http
- if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){
+ if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on") {
$conf .= $conf_peer;
array_push($active_peers,$rp['name']);
- }
+ }
// add peer only if if reverse proxy is enabled for https
- if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){
- if (!in_array($rp['name'],$active_peers)){
+ if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on") {
+ if (!in_array($rp['name'],$active_peers)) {
$conf .= $conf_peer;
- array_push($active_peers,$rp['name']);
+ array_push($active_peers,$rp['name']);
}
}
- }
- }
+ }
+ }
+ }
//REDIRECTS
if (is_array($reverse_redir)) {
foreach ($reverse_redir as $rdr) {
- if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
+ if ($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
$conf_rdr = "# Redirect: {$rdr['description']}\n";
if (is_array($rdr['row'])) {
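Review bot: The reformatted `$conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";` line disables certificate verification for every HTTPS backend peer without a comment stating why; add `// NOTE: backend certificates are not verified — peers are assumed to sit on a trusted internal segment` above it, or consider a per-peer option that omits the flag so verification can be enabled where the backend presents a valid chain. Also, `$rp['description']` is interpolated into a `#` comment line in the generated config; if the GUI does not already strip line breaks, a description containing a newline would be emitted as further config directives, so `str_replace(array("\r", "\n"), ' ', $rp['description'])` at that point is a cheap safeguard. The enclosing function continues beyond this hunk.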
@@ -152,11 +151,11 @@ function squid_resync_reverse() {
$conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n";
foreach (explode(',', $rdr['protocol']) as $rdr_protocol) {
- if($rdr_protocol == "HTTP") {
+ if ($rdr_protocol == "HTTP") {
$conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
}
- if($rdr_protocol == "HTTPS") {
+ if ($rdr_protocol == "HTTPS") {
$conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
}
}
@@ -170,24 +169,24 @@ function squid_resync_reverse() {
//ACLS and MAPPINGS
- //create an empty owa_dirs to populate based on user selected options
+ //create an empty owa_dirs to populate based on user selected options
$owa_dirs=array();
- if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){
- if(!empty($settings['reverse_owa_ip'])){
+ if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on") {
+ if (!empty($settings['reverse_owa_ip'])) {
array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB');
- if($settings['reverse_owa_activesync'])
- array_push($owa_dirs,'Microsoft-Server-ActiveSync');
- if($settings['reverse_owa_rpchttp'])
- array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
- if($settings['reverse_owa_mapihttp'])
- array_push($owa_dirs,'mapi');
- if($settings['reverse_owa_webservice']){
- array_push($owa_dirs,'EWS');
- }
- }
- if (is_array($owa_dirs))
- foreach ($owa_dirs as $owa_dir)
- $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+ if ($settings['reverse_owa_activesync'])
+ array_push($owa_dirs,'Microsoft-Server-ActiveSync');
+ if ($settings['reverse_owa_rpchttp'])
+ array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
+ if ($settings['reverse_owa_mapihttp'])
+ array_push($owa_dirs,'mapi');
+ if ($settings['reverse_owa_webservice'])
+ array_push($owa_dirs,'EWS');
+ }
+ if (is_array($owa_dirs)) {
+ foreach ($owa_dirs as $owa_dir)
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+ }
if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) {
$reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.');
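Review bot: The `acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$` line interpolates the external FQDN into a regular expression without escaping, so each dot in the hostname (and in entries such as `rpc/rpcproxy.dll`) matches any character and the ACL is slightly broader than intended. Computing `$fqdn_re = str_replace('.', '\.', $settings['reverse_external_fqdn']);` once before the loop and interpolating `{$fqdn_re}` in these ACL lines (including the AutoDiscover ones below) keeps the match exact. This is pre-existing behaviour the reformat carries over; the function starts and ends outside this hunk.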
@@ -195,36 +194,36 @@ function squid_resync_reverse() {
$conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
$conf .= "acl OWA_URI_pfs url_regex -i ^http://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
$conf .= "acl OWA_URI_pfs url_regex -i ^https://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
- }
}
+ }
//$conf .= "ssl_unclean_shutdown on";
- if (is_array($reverse_maps))
- foreach ($reverse_maps as $rm){
- if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){
- if (is_array($rm['row']))
- foreach ($rm['row'] as $uri){
+ if (is_array($reverse_maps)) {
+ foreach ($reverse_maps as $rm) {
+ if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="" && is_array($rm['row'])) {
+ foreach ($rm['row'] as $uri) {
$url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] );
//$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n";
$conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";
- if($rm['name'] != $last_rm_name){
+ if ($rm['name'] != $last_rm_name) {
$cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n";
$http_access_conf .= "http_access allow rvm_{$rm['name']}\n";
- foreach (explode(',',$rm['peers']) as $map_peer)
- if (in_array($map_peer,$active_peers)){
+ foreach (explode(',',$rm['peers']) as $map_peer) {
+ if (in_array($map_peer,$active_peers)) {
$cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
$cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
}
- $last_rm_name=$rm['name'];
}
+ $last_rm_name=$rm['name'];
+ }
}
- }
+ }
+ }
}
//ACCESS
- if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
+ if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
- for($cascnt=1;$cascnt<$casnr+1;$cascnt++)
- {
+ for ($cascnt=1;$cascnt<$casnr+1;$cascnt++) {
$conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n";
$conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n";
$conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n";
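Review bot: The map name and URI on the rebuilt line `$conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";` and on the `never_direct`/`http_access`/`cache_peer_access` lines below it are interpolated into the generated squid.conf with no check, so a value containing a line break would terminate the directive and start a new one, and whitespace in the map name would break the acl definition. Unless the reverse-map edit form already rejects such input (not visible in this hunk), guard the loop body right after `$url_regex` is computed with something like `if (preg_match('/[\r\n]/', $rm['name'] . $url_regex)) { continue; }` so a malformed entry is skipped instead of being written into the config. Note also that when `$uri['uri']` is empty the external FQDN is used verbatim as a regex, so its dots match any character; this is pre-existing and consistent with the OWA acl lines earlier in the function, but deserves a comment such as `// empty URI falls back to the external FQDN used as an unescaped regex`. squid_resync_reverse() starts and ends outside this hunk, so whether `$last_rm_name` is initialised before the loop cannot be confirmed here.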
@@ -233,7 +232,7 @@ function squid_resync_reverse() {
$conf .= "never_direct allow OWA_URI_pfs\n";
$conf .= "http_access allow OWA_URI_pfs\n";
- }
+ }
$conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
@@ -242,4 +241,5 @@ function squid_resync_reverse() {
return $conf;
}
+
?>
diff --git a/config/squid3/old/proxy_monitor.sh b/config/squid3/old/proxy_monitor.sh
deleted file mode 100644
index 00430018..00000000
--- a/config/squid3/old/proxy_monitor.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/sh
-# $Id$ */
-#
-# proxy_monitor.sh
-# Copyright (C) 2006 Scott Ullrich
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-#
-
-if [ `pgrep -f "proxy_monitor.sh"|wc -l` -ge 1 ]; then
- exit 0
-fi
-
-
-set -e
-
-LOOP_SLEEP=55
-
-if [ -f /var/run/squid_alarm ]; then
- rm /var/run/squid_alarm
-fi
-
-# Sleep 5 seconds on startup not to mangle with existing boot scripts.
-sleep 5
-
-# Squid monitor 1.2
-while [ /bin/true ]; do
- if [ ! -f /var/run/squid_alarm ]; then
- NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
- if [ $NUM_PROCS -lt 1 ]; then
- # squid is down
- echo "Squid has exited. Reconfiguring filter." | \
- logger -p daemon.info -i -t Squid_Alarm
- echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm
- /usr/local/etc/rc.d/squid.sh start
- sleep 3
- echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
- /etc/rc.filter_configure
- touch /var/run/squid_alarm
- fi
- fi
- NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
- if [ $NUM_PROCS -gt 0 ]; then
- if [ -f /var/run/squid_alarm ]; then
- echo "Squid has resumed. Reconfiguring filter." | \
- logger -p daemon.info -i -t Squid_Alarm
- /etc/rc.filter_configure
- rm /var/run/squid_alarm
- fi
- fi
- sleep $LOOP_SLEEP
-done
-
-if [ -f /var/run/squid_alarm ]; then
- rm /var/run/squid_alarm
-fi
-
diff --git a/config/squid3/old/squid.inc b/config/squid3/old/squid.inc
deleted file mode 100644
index ce196700..00000000
--- a/config/squid3/old/squid.inc
+++ /dev/null
@@ -1,1403 +0,0 @@
-<?php
-/* $Id$ */
-/*
- squid.inc
- Copyright (C) 2006-2009 Scott Ullrich
- Copyright (C) 2006 Fernando Lemos
- Copyright (C) 2008 Martin Fuchs
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once('globals.inc');
-require_once('config.inc');
-require_once('util.inc');
-require_once('pfsense-utils.inc');
-require_once('pkg-utils.inc');
-require_once('service-utils.inc');
-
-if(!function_exists("filter_configure"))
- require_once("filter.inc");
-
-define('SQUID_CONFBASE', '/usr/local/etc/squid');
-define('SQUID_BASE', '/var/squid/');
-define('SQUID_ACLDIR', '/var/squid/acl');
-define('SQUID_PASSWD', '/var/etc/squid.passwd');
-
-$valid_acls = array();
-
-function squid_get_real_interface_address($iface) {
- global $config;
-
- $iface = convert_friendly_interface_to_real_interface_name($iface);
- $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
-
- return array($ip, long2ip(hexdec($netmask)));
-}
-
-function squid_chown_recursive($dir, $user, $group) {
- chown($dir, $user);
- chgrp($dir, $group);
- $handle = opendir($dir) ;
- while (($item = readdir($handle)) !== false) {
- if (($item != ".") && ($item != "..")) {
- $path = "$dir/$item";
- if (is_dir($path))
- squid_chown_recursive($path, $user, $group);
- elseif (is_file($path)) {
- chown($path, $user);
- chgrp($path, $group);
- }
- }
- }
-}
-
-/* setup cache */
-function squid_dash_z() {
- global $config;
- $settings = $config['installedpackages']['squidcache']['config'][0];
-
- // If the cache system is null, there is no need to initialize the (irrelevant) cache dir.
- if ($settings['harddisk_cache_system'] == "null")
- return;
-
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
-
- if(!is_dir($cachedir.'/')) {
- log_error("Creating Squid cache dir $cachedir");
- make_dirs($cachedir);
- squid_chown_recursive($cachedir, 'proxy', 'proxy');
- }
-
- if(!is_dir($cachedir.'/00/')) {
- log_error("Creating squid cache subdirs in $cachedir");
- mwexec("/usr/local/sbin/squid -k shutdown");
- sleep(5);
- mwexec("/usr/local/sbin/squid -k kill");
- mwexec("/usr/local/sbin/squid -z");
- }
-
- if(file_exists("/var/squid/cache/swap.state"))
- exec("chmod a+rw /var/squid/cache/swap.state");
-
-}
-
-function squid_is_valid_acl($acl) {
- global $valid_acls;
- if(!is_array($valid_acls))
- return;
- return in_array($acl, $valid_acls);
-}
-
-function squid_install_command() {
- global $config;
- global $g;
- /* migrate existing csv config fields */
- $settingsauth = $config['installedpackages']['squidauth']['config'][0];
- $settingscache = $config['installedpackages']['squidcache']['config'][0];
- $settingsnac = $config['installedpackages']['squidnac']['config'][0];
-
- /* Set storage system */
- if ($g['platform'] == "nanobsd") {
- $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null';
- }
-
- /* migrate auth settings */
- if (!empty($settingsauth['no_auth_hosts'])) {
- if(strstr($settingsauth['no_auth_hosts'], ",")) {
- $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
- $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
- }
- }
-
- /* migrate cache settings */
- if (!empty($settingscache['donotcache'])) {
- if(strstr($settingscache['donotcache'], ",")) {
- $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
- $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
- }
- }
-
- /* migrate nac settings */
- if(! empty($settingsnac['allowed_subnets'])) {
- if(strstr($settingsnac['allowed_subnets'], ",")) {
- $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
- $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
- }
- }
-
- if(! empty($settingsnac['banned_hosts'])) {
- if(strstr($settingsnac['banned_hosts'], ",")) {
- $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
- $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
- }
- }
-
- if(! empty($settingsnac['banned_macs'])) {
- if(strstr($settingsnac['banned_macs'], ",")) {
- $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
- $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
- }
- }
-
- if(! empty($settingsnac['unrestricted_hosts'])) {
- if(strstr($settingsnac['unrestricted_hosts'], ",")) {
- $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
- $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
- }
- }
-
- if(! empty($settingsnac['unrestricted_macs'])) {
- if(strstr($settingsnac['unrestricted_macs'], ",")) {
- $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
- $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
- }
- }
-
- if(! empty($settingsnac['whitelist'])) {
- if(strstr($settingsnac['whitelist'], ",")) {
- $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
- $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
- }
- }
-
- if(! empty($settingsnac['blacklist'])) {
- if(strstr($settingsnac['blacklist'], ",")) {
- $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
- $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
- }
- }
-
- update_status("Writing configuration... One moment please...");
-
- write_config();
-
- /* create cache */
- update_status("Creating squid cache pools... One moment please...");
- squid_dash_z();
- /* make sure pinger is executable */
- if(file_exists("/usr/local/libexec/squid/pinger"))
- exec("/bin/chmod a+x /usr/local/libexec/squid/pinger");
- if(file_exists("/usr/local/etc/rc.d/squid"))
- exec("/bin/rm /usr/local/etc/rc.d/squid");
- $rc = array();
- $rc['file'] = 'squid.sh';
- $rc['start'] = <<<EOD
-if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then
- /usr/local/sbin/squid -D
-fi
-
-EOD;
- $rc['stop'] = <<<EOD
-/usr/local/sbin/squid -k shutdown
-# Just to be sure...
-sleep 5
-killall -9 squid 2>/dev/null
-killall pinger 2>/dev/null
-
-EOD;
- $rc['restart'] = <<<EOD
-if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then
- /usr/local/sbin/squid -D
- else
- /usr/local/sbin/squid -k reconfigure
- fi
-
-EOD;
- update_status("Writing rc.d files... One moment please...");
- conf_mount_rw();
- write_rcfile($rc);
-
- exec("chmod a+rx /usr/local/libexec/squid/dnsserver");
-
- foreach (array( SQUID_CONFBASE,
- SQUID_ACLDIR,
- SQUID_BASE ) as $dir) {
- make_dirs($dir);
- squid_chown_recursive($dir, 'proxy', 'proxy');
- }
-
- /* kill any running proxy alarm scripts */
- update_status("Checking for running processes... One moment please...");
- log_error("Stopping any running proxy monitors");
- mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill");
- sleep(1);
-
- if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default'))
- copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf');
-
- update_status("Checking cache... One moment please...");
- squid_dash_z();
-
- if (!is_service_running('squid')) {
- update_status("Starting... One moment please...");
- log_error("Starting Squid");
- mwexec_bg("/usr/local/sbin/squid -D");
- } else {
- update_status("Reloading Squid for configuration sync... One moment please...");
- log_error("Reloading Squid for configuration sync");
- mwexec("/usr/local/sbin/squid -k reconfigure");
- }
-
- /* restart proxy alarm scripts */
- log_error("Starting a proxy monitor script");
- mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh");
-
- update_status("Reconfiguring filter... One moment please...");
- filter_configure();
-}
-
-function squid_deinstall_command() {
- global $config, $g;
- $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
- squid_install_cron(false);
- $settings = &$config['installedpackages']['squidcache']['config'][0];
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
- $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
- update_status("Removing swap.state ... One moment please...");
- update_output_window("$plswait_txt");
- mwexec('rm -rf $cachedir/swap.state');
- mwexec('rm -rf $logdir');
- update_status("Finishing package cleanup.");
- mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh');
- mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill");
- mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
- mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
- mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
- update_status("Reloading filter...");
- filter_configure();
-}
-
-function squid_before_form_general(&$pkg) {
- $values = get_dir(SQUID_CONFBASE . '/errors/');
- // Get rid of '..' and '.'
- array_shift($values);
- array_shift($values);
- $name = array();
- foreach ($values as $value)
- $names[] = implode(" ", explode("_", $value));
-
- $i = 0;
- foreach ($pkg['fields']['field'] as $field) {
- if ($field['fieldname'] == 'error_language')
- break;
- $i++;
- }
- $field = &$pkg['fields']['field'][$i];
-
- for ($i = 0; $i < count($values) - 1; $i++)
- $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
-}
-
-function squid_validate_general($post, &$input_errors) {
- global $config;
- $settings = $config['installedpackages']['squid']['config'][0];
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $port = $post['proxy_port'] ? $post['proxy_port'] : $port;
-
- $icp_port = trim($post['icp_port']);
- if (!empty($icp_port) && !is_port($icp_port))
- $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
-
- if (substr($post['log_dir'], -1, 1) == '/')
- $input_errors[] = 'You may not end log location with an / mark';
-
- if ($post['log_dir']{0} != '/')
- $input_errors[] = 'You must start log location with a / mark';
- if (strlen($post['log_dir']) <= 3)
- $input_errors[] = "That is not a valid log location dir";
-
- $log_rotate = trim($post['log_rotate']);
- if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1)))
- $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field';
-
- $webgui_port = $config['system']['webgui']['port'];
- if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
- $webgui_port = 80;
- }
- if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
- $webgui_port = 443;
- }
-
- if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
- $input_errors[] = "You can not run squid on the same port as the webgui";
- }
-
- foreach (array('defined_ip_proxy_off') as $hosts) {
- foreach (explode(";", $post[$hosts]) as $host) {
- $host = trim($host);
- if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host))
- $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
- }
- }
- foreach (array('defined_ip_proxy_off_dest') as $hosts) {
- foreach (explode(";", $post[$hosts]) as $host) {
- $host = trim($host);
- if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host))
- $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
- }
- }
-
- if(!empty($post['dns_nameservers'])) {
- $altdns = explode(";", ($post['dns_nameservers']));
- foreach ($altdns as $dnssrv) {
- if (!is_ipaddr($dnssrv))
- $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
- }}
-}
-
-function squid_validate_upstream($post, &$input_errors) {
- if ($post['proxy_forwarding'] == 'on') {
- $addr = trim($post['proxy_addr']);
- if (empty($addr))
- $input_errors[] = 'The field \'Hostname\' is required';
- else {
- if (!is_ipaddr($addr) && !is_domain($addr))
- $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
- }
-
- foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) {
- $port = trim($post[$field]);
- if (empty($port))
- $input_errors[] = "The field '$name' is required";
- else {
- if (!is_port($port))
- $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
- }
- }
- }
-}
-
-function squid_validate_cache($post, &$input_errors) {
- $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
- 'memory_cache_size' => 'Memory cache size',
- 'maximum_object_size' => 'Maximum object size',
- );
- foreach ($num_fields as $field => $name) {
- $value = trim($post[$field]);
- if (!is_numeric($value) || ($value < 0))
- $input_errors[] = "You must enter a valid value for '$field'";
- }
-
- $value = trim($post['minimum_object_size']);
- if (!is_numeric($value) || ($value < 0))
- $input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
-
- if (!empty($post['cache_swap_low'])) {
- $value = trim($post['cache_swap_low']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
- }
-
- if (!empty($post['cache_swap_high'])) {
- $value = trim($post['cache_swap_high']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
- }
-
- if ($post['donotcache'] != "") {
- foreach (split("\n", $post['donotcache']) as $host) {
- $host = trim($host);
- if (!is_ipaddr($host) && !is_domain($host))
- $input_errors[] = "The host '$host' is not a valid IP or host name";
- }
- }
-
- squid_dash_z();
-
-}
-
-function squid_validate_nac($post, &$input_errors) {
- $allowed_subnets = explode("\n", $post['allowed_subnets']);
- foreach ($allowed_subnets as $subnet) {
- $subnet = trim($subnet);
- if (!empty($subnet) && !is_subnet($subnet))
- $input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
- }
-
- foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
- foreach (explode("\n", $post[$hosts]) as $host) {
- $host = trim($host);
- if (!empty($host) && !is_ipaddr($host))
- $input_errors[] = "The host '$host' is not a valid IP address";
- }
- }
-
- foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
- foreach (explode("\n", $post[$macs]) as $mac) {
- $mac = trim($mac);
- if (!empty($mac) && !is_macaddr($mac))
- $input_errors[] = "The mac '$mac' is not a valid MAC address";
- }
- }
-
- foreach (explode(",", $post['timelist']) as $time) {
- $time = trim($time);
- if (!empty($time) && !squid_is_timerange($time))
- $input_errors[] = "The time range '$time' is not a valid time range";
- }
-
- if(!empty($post['ext_cachemanager'])) {
- $extmgr = explode(";", ($post['ext_cachemanager']));
- foreach ($extmgr as $mgr) {
- if (!is_ipaddr($mgr))
- $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
- }}
-}
-
-function squid_validate_traffic($post, &$input_errors) {
- $num_fields = array( 'max_download_size' => 'Maximum download size',
- 'max_upload_size' => 'Maximum upload size',
- 'perhost_throttling' => 'Per-host bandwidth throttling',
- 'overall_throttling' => 'Overall bandwidth throttling',
- );
- foreach ($num_fields as $field => $name) {
- $value = trim($post[$field]);
- if (!is_numeric($value) || ($value < 0))
- $input_errors[] = "The field '$name' must contain a positive number";
- }
-
- if (!empty($post['quick_abort_min'])) {
- $value = trim($post['quick_abort_min']);
- if (!is_numeric($value))
- $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
- }
-
- if (!empty($post['quick_abort_max'])) {
- $value = trim($post['quick_abort_max']);
- if (!is_numeric($value))
- $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
- }
-
- if (!empty($post['quick_abort_pct'])) {
- $value = trim($post['quick_abort_pct']);
- if (!is_numeric($value) || ($value > 100))
- $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value";
- }
-
-}
-
-function squid_validate_auth($post, &$input_errors) {
- $num_fields = array( array('auth_processes', 'Authentication processes', 1),
- array('auth_ttl', 'Authentication TTL', 0),
- );
- foreach ($num_fields as $field) {
- $value = trim($post[$field[0]]);
- if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
- $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
- }
-
- $auth_method = $post['auth_method'];
- if (($auth_method != 'none') && ($auth_method != 'local')) {
- $server = trim($post['auth_server']);
- if (empty($server))
- $input_errors[] = 'The field \'Authentication server\' is required';
- else if (!is_ipaddr($server) && !is_domain($server))
- $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
-
- $port = trim($post['auth_server_port']);
- if (!empty($port) && !is_port($port))
- $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
-
- switch ($auth_method) {
- case 'ldap':
- $user = trim($post['ldap_user']);
- if (empty($user))
- $input_errors[] = 'The field \'LDAP server user DN\' is required';
- else if (!$user)
- $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
- break;
- case 'radius':
- $secret = trim($post['radius_secret']);
- if (empty($secret))
- $input_errors[] = 'The field \'RADIUS secret\' is required';
- break;
- case 'msnt':
- foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
- if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
- $input_errors[] = "The host '$server' is not a valid IP address or domain name";
- }
- break;
- }
-
- $no_auth = explode("\n", $post['no_auth_hosts']);
- foreach ($no_auth as $host) {
- $host = trim($host);
- if (!empty($host) && !is_subnet($host))
- $input_errors[] = "The host '$host' is not a valid CIDR range";
- }
- }
-}
-
-function squid_install_cron($should_install) {
- global $config, $g;
- if($g['booting']==true)
- return;
- $is_installed = false;
- if(!$config['cron']['item'])
- return;
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if(strstr($item['task_name'], "squid_rotate_logs")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['task_name'] = "squid_rotate_logs";
- $cron_item['minute'] = "0";
- $cron_item['hour'] = "0";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/local/sbin/squid -k rotate";
- $config['cron']['item'][] = $cron_item;
- parse_config(true);
- write_config("Squid Log Rotation");
- configure_cron();
- }
- break;
- case false:
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- parse_config(true);
- write_config();
- }
- configure_cron();
- }
- break;
- }
-}
-
-function squid_resync_general() {
- global $g, $config, $valid_acls;
-
- $settings = $config['installedpackages']['squid']['config'][0];
- $conf = "# This file is automatically generated by pfSense\n";
- $conf = "# Do not edit manually !\n";
-
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
- $real_ifaces = array();
- foreach (explode(",", $ifaces) as $i => $iface) {
- $real_ifaces[] = squid_get_real_interface_address($iface);
- if($real_ifaces[$i][0]) {
- $conf .= "http_port {$real_ifaces[$i][0]}:$port\n";
- }
- }
- if (($settings['transparent_proxy'] == 'on')) {
- $conf .= "http_port 127.0.0.1:80 intercept\n";
- }
- $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
-
- $pidfile = "{$g['varrun_path']}/squid.pid";
- $language = ($settings['error_language'] ? $settings['error_language'] : 'English');
- $errordir = SQUID_CONFBASE . '/errors/' . $language;
- $icondir = SQUID_CONFBASE . '/icons';
- $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
- $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost');
-
- $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
-
- $logdir_cache = $logdir . '/cache.log';
- $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
-
- $conf .= <<<EOD
-icp_port $icp_port
-
-pid_filename $pidfile
-cache_effective_user proxy
-cache_effective_group proxy
-error_directory $errordir
-icon_directory $icondir
-visible_hostname $hostname
-cache_mgr $email
-access_log $logdir_access
-cache_log $logdir_cache
-cache_store_log none
-
-EOD;
-
- if (!empty($settings['log_rotate'])) {
- $conf .= "logfile_rotate {$settings['log_rotate']}\n";
- squid_install_cron(true);
- }
- else {
- squid_install_cron(false);
- }
-
- $conf .= <<<EOD
-shutdown_lifetime 3 seconds
-
-EOD;
-
- if ($settings['allow_interface'] == 'on') {
- $src = '';
- foreach ($real_ifaces as $iface) {
- list($ip, $mask) = $iface;
- $ip = long2ip(ip2long($ip) & ip2long($mask));
- $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
- $src .= " $ip/$mask";
- }
- $conf .= "# Allow local network(s) on interface(s)\n";
- $conf .= "acl localnet src $src\n";
- $valid_acls[] = 'localnet';
- }
- if ($settings['disable_xforward']) $conf .= "forwarded_for off\n";
- if ($settings['disable_via']) $conf .= "via off\n";
- if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n";
- if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
- else $conf .= "uri_whitespace strip\n"; //only used for first run
-
- if(!empty($settings['dns_nameservers'])) {
- $altdns = explode(";", ($settings['dns_nameservers']));
- $conf .= "dns_nameservers ";
- foreach ($altdns as $dnssrv) {
- $conf .= $dnssrv." ";
- }
-// $conf .= "\n"; //Kill blank line after DNS-Servers
- }
-
- return $conf;
-}
-
-
-function squid_resync_cache() {
- global $config, $g;
-
- $settings = $config['installedpackages']['squidcache']['config'][0];
-
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
- $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
- $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
- $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
- $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10);
- $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
- $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
- $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF');
- $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
-
- if (!isset($settings['harddisk_cache_system'])) {
- if ($g['platform'] == "nanobsd") {
- $disk_cache_system = 'null';
- } else {
- $disk_cache_system = 'ufs';
- }
- } else {
- $disk_cache_system = $settings['harddisk_cache_system'];
- }
-
- if ($disk_cache_system == "null") {
- $disk_cache_opts = "{$disk_cache_system} /tmp";
- } else {
- $disk_cache_opts = "{$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
- }
-
- $conf = <<<EOD
-cache_mem $memory_cache_size MB
-maximum_object_size_in_memory 32 KB
-memory_replacement_policy $memory_policy
-cache_replacement_policy $cache_policy
-cache_dir $disk_cache_opts
-minimum_object_size $min_objsize KB
-maximum_object_size $max_objsize KB
-offline_mode $offline_mode
-
-EOD;
-
- if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
- if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
-
- $donotcache = base64_decode($settings['donotcache']);
- if (!empty($donotcache)) {
- file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
- $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
- $conf .= 'cache deny donotcache';
- }
- elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
- unlink(SQUID_ACLDIR . '/donotcache.acl');
- }
-
- return $conf;
-}
-
-function squid_resync_upstream() {
- global $config;
- $settings = $config['installedpackages']['squidupstream']['config'][0];
-
- $conf = '';
- if ($settings['proxy_forwarding'] == 'on') {
- $conf .= "cache_peer {$settings['proxy_addr']} parent {$settings['proxy_port']} ";
- if ($settings['icp_port'] == '7')
- $conf .= "{$settings['icp_port']} no-query";
- else
- $conf .= "{$settings['icp_port']}";
-
- if (!empty($settings['username']))
- $conf .= " login={$settings['username']}";
- if (!empty($settings['password']))
- $conf .= ":{$settings['password']}";
- }
-
- return $conf;
-}
-
-function squid_resync_redirector() {
- global $config;
-
- $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
- if ($httpav_enabled) {
- $conf = "url_rewrite_program /usr/local/bin/squirm\n";
- } else {
- $conf = "# No redirector configured\n";
- }
- return $conf;
-}
-
-function squid_resync_nac() {
- global $config, $valid_acls;
-
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $settings = $config['installedpackages']['squidnac']['config'][0];
- $webgui_port = $config['system']['webgui']['port'];
- $addtl_ports = $settings['addtl_ports'];
- $addtl_sslports = $settings['addtl_sslports'];
-
- $conf = <<<EOD
-
-# Setup some default acls
-acl all src all
-acl localhost src 127.0.0.1/32
-acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port 1025-65535 $addtl_ports
-acl sslports port 443 563 $webgui_port $addtl_sslports
-acl manager proto cache_object
-acl purge method PURGE
-acl connect method CONNECT
-acl dynamic urlpath_regex cgi-bin \?
-
-EOD;
-
- $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets']));
- $allowed = "";
- foreach ($allowed_subnets as $subnet) {
- if(!empty($subnet)) {
- $subnet = trim($subnet);
- $allowed .= "$subnet ";
- }
- }
- if (!empty($allowed)) {
- $conf .= "acl allowed_subnets src $allowed\n";
- $valid_acls[] = 'allowed_subnets';
- }
-
- $options = array( 'unrestricted_hosts' => 'src',
- 'banned_hosts' => 'src',
- 'whitelist' => 'dstdom_regex -i',
- 'blacklist' => 'dstdom_regex -i',
- );
- foreach ($options as $option => $directive) {
- $contents = base64_decode($settings[$option]);
- if (!empty($contents)) {
- file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
- $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
- $valid_acls[] = $option;
- }
- elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
- unlink(SQUID_ACLDIR . "/$option.acl");
- }
- }
-
- $conf .= <<<EOD
-cache deny dynamic
-http_access allow manager localhost
-
-EOD;
-
- if(!empty($settings['ext_cachemanager'])) {
- $extmgr = explode(";", ($settings['ext_cachemanager']));
- $count = 1;
- $conf .= "\n# Allow external cache managers\n";
-// $conf .= "acl ext_manager src ".$settings['ext_cachemanager']."\n";
- foreach ($extmgr as $mgr) {
- $conf .= "acl ext_manager_".$count." src ";
- $conf .= $mgr." ";
- $conf .= "\n";
- $conf .= "http_access allow manager ext_manager_".$count."\n";
- $count += 1;
- }}
-
- $conf .= <<<EOD
-
-http_access deny manager
-http_access allow purge localhost
-http_access deny purge
-http_access deny !safeports
-http_access deny CONNECT !sslports
-
-# Always allow localhost connections
-http_access allow localhost
-
-EOD;
-
- return $conf;
-}
-
-function squid_resync_traffic() {
- global $config, $valid_acls;
- if(!is_array($valid_acls))
- return;
- $settings = $config['installedpackages']['squidtraffic']['config'][0];
- $conf = '';
-
- if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n";
- if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n";
- if (!empty($settings['quick_abort_pct'])) $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n";
-
- $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0);
- $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0);
- $conf .= "request_body_max_size $up_limit KB\n";
- if ($down_limit != 0)
- $conf .= 'reply_body_max_size ' . $down_limit . " KB all \n";
-
- // Only apply throttling past 10MB
- // XXX: Should this really be hardcoded?
- $threshold = 10 * 1024 * 1024;
- $overall = $settings['overall_throttling'];
- if (!isset($overall) || ($overall == 0))
- $overall = -1;
- else
- $overall *= 1024;
- $perhost = $settings['perhost_throttling'];
- if (!isset($perhost) || ($perhost == 0))
- $perhost = -1;
- else
- $perhost *= 1024;
- $conf .= <<<EOD
-delay_pools 1
-delay_class 1 2
-delay_parameters 1 $overall/$overall $perhost/$perhost
-delay_initial_bucket_level 100
-
-EOD;
-
- if(! empty($settings['unrestricted_hosts'])) {
- foreach (array('unrestricted_hosts') as $item) {
- if (in_array($item, $valid_acls))
- $conf .= "# Do not throttle unrestricted hosts\n";
- $conf .= "delay_access 1 deny $item\n";
- }
- }
-
- if ($settings['throttle_specific'] == 'on') {
- $exts = array();
- $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com';
- $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
- $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m';
- foreach (array( 'throttle_binaries' => $binaries,
- 'throttle_cdimages' => $cdimages,
- 'throttle_multimedia' => $multimedia) as $field => $set) {
- if ($settings[$field] == 'on')
- $exts = array_merge($exts, explode(",", $set));
- }
-
- foreach (explode(",", $settings['throttle_others']) as $ext) {
- if (!empty($ext)) $exts[] = $ext;
- }
-
- $contents = '';
- foreach ($exts as $ext)
- $contents .= "\.$ext\$\n";
- file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
-
- $conf .= "# Throttle extensions matched in the url\n";
- $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
- $conf .= "delay_access 1 allow throttle_exts\n";
- $conf .= "delay_access 1 deny all\n";
- }
- else
- $conf .= "delay_access 1 allow all\n";
-
- return $conf;
-}
-
-function squid_resync_auth() {
- global $config, $valid_acls;
-
- $settings = $config['installedpackages']['squidauth']['config'][0];
- $settingsnac = $config['installedpackages']['squidnac']['config'][0];
- $settingsconfig = $config['installedpackages']['squid']['config'][0];
- $conf = '';
-
- // Deny the banned guys before allowing the good guys
- if(! empty($settingsnac['banned_hosts'])) {
- if (squid_is_valid_acl('banned_hosts')) {
- $conf .= "# These hosts are banned\n";
- $conf .= "http_access deny banned_hosts\n";
- }
- }
- if(! empty($settingsnac['banned_macs'])) {
- if (squid_is_valid_acl('banned_macs')) {
- $conf .= "# These macs are banned\n";
- $conf .= "http_access deny banned_macs\n";
- }
- }
-
- // Unrestricted hosts take precendence over blacklist
- if(! empty($settingsnac['unrestricted_hosts'])) {
- if (squid_is_valid_acl('unrestricted_hosts')) {
- $conf .= "# These hosts do not have any restrictions\n";
- $conf .= "http_access allow unrestricted_hosts\n";
- }
- }
- if(! empty($settingsnac['unrestricted_macs'])) {
- if (squid_is_valid_acl('unrestricted_macs')) {
- $conf .= "# These hosts do not have any restrictions\n";
- $conf .= "http_access allow unrestricted_macs\n";
- }
- }
-
- // Whitelist and blacklist also take precendence over other allow rules
- if(! empty($settingsnac['whitelist'])) {
- if (squid_is_valid_acl('whitelist')) {
- $conf .= "# Always allow access to whitelist domains\n";
- $conf .= "http_access allow whitelist\n";
- }
- }
- if(! empty($settingsnac['blacklist'])) {
- if (squid_is_valid_acl('blacklist')) {
- $conf .= "# Block access to blacklist domains\n";
- $conf .= "http_access deny blacklist\n";
- }
- }
-
- $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
- $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
- // Allow the remaining ACLs if no authentication is set
- if ($auth_method == 'none') {
- $conf .="# Setup allowed acls\n";
- $allowed = array('allowed_subnets');
- if ($settingsconfig['allow_interface'] == 'on') {
- $conf .= "# Allow local network(s) on interface(s)\n";
- $allowed[] = "localnet";
- }
- $allowed = array_filter($allowed, 'squid_is_valid_acl');
- foreach ($allowed as $acl)
- $conf .= "http_access allow $acl\n";
- }
- else {
- $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
- if (!empty($noauth)) {
- $conf .= "acl noauth src $noauth\n";
- $valid_acls[] = 'noauth';
- }
-
- // Set up the external authentication programs
- $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60);
- $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
- $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
- switch ($auth_method) {
- case 'local':
- $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
- break;
- case 'ldap':
- $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
- $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
- break;
- case 'radius':
- $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
- break;
- case 'msnt':
- $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n";
- squid_resync_msnt();
- break;
- }
- $conf .= <<<EOD
-auth_param basic children $processes
-auth_param basic realm $prompt
-auth_param basic credentialsttl $auth_ttl minutes
-acl password proxy_auth REQUIRED
-
-EOD;
-
- // Onto the ACLs
- $password = array('localnet', 'allowed_subnets');
- $passwordless = array('unrestricted_hosts');
- if ($settings['unrestricted_auth'] == 'on') {
- // Even the unrestricted hosts should authenticate
- $password = array_merge($password, $passwordless);
- $passwordless = array();
- }
- $passwordless[] = 'noauth';
- $password = array_filter($password, 'squid_is_valid_acl');
- $passwordless = array_filter($passwordless, 'squid_is_valid_acl');
-
- // Allow the ACLs that don't need to authenticate
- foreach ($passwordless as $acl)
- $conf .= "http_access allow $acl\n";
-
- // Allow the other ACLs as long as they authenticate
- foreach ($password as $acl)
- $conf .= "http_access allow password $acl\n";
- }
-
- if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) {
- $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options']));
- $conf .= "# Custom options\n";
- foreach ($custopts as $custopt) {
- $conf .= $custopt."\n";
- }
- }
-
- $conf .= "# Default block all to be sure\n";
- $conf .= "http_access deny all\n";
-
- return $conf;
-}
-
-function squid_resync_users() {
- global $config;
-
- $users = $config['installedpackages']['squidusers']['config'];
- $contents = '';
- if (is_array($users)) {
- foreach ($users as $user)
- $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
- }
- file_put_contents(SQUID_PASSWD, $contents);
- chown(SQUID_PASSWD, 'proxy');
- chmod(SQUID_PASSWD, 0600);
-}
-
-function squid_resync_msnt() {
- global $config;
-
- $settings = $config['installedpackages']['squidauth']['config'][0];
- $pdcserver = $settings['auth_server'];
- $bdcserver = str_replace(',',' ',$settings['msnt_secondary']);
- $ntdomain = $settings['auth_ntdomain'];
-
- file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}");
- chown(SQUID_CONFBASE."/msntauth.conf", 'proxy');
- chmod(SQUID_CONFBASE."/msntauth.conf", 0600);
-}
-
-function squid_resync() {
- global $config;
- conf_mount_rw();
- $conf = squid_resync_general() . "\n";
- $conf .= squid_resync_cache() . "\n";
- $conf .= squid_resync_redirector() . "\n";
- $conf .= squid_resync_upstream() . "\n";
- $conf .= squid_resync_nac() . "\n";
- $conf .= squid_resync_traffic() . "\n";
- $conf .= squid_resync_auth();
- squid_resync_users();
-
- /* make sure pinger is executable */
- if(file_exists("/usr/local/libexec/squid/pinger"))
- exec("chmod a+x /usr/local/libexec/squid/pinger");
-
- foreach (array( SQUID_CONFBASE,
- SQUID_ACLDIR,
- SQUID_BASE ) as $dir) {
- make_dirs($dir);
- squid_chown_recursive($dir, 'proxy', 'proxy');
- }
-
- file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf);
-
- $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
-
- if(!is_dir($log_dir)) {
- log_error("Creating squid log dir $log_dir");
- make_dirs($log_dir);
- squid_chown_recursive($log_dir, 'proxy', 'proxy');
- }
-
- squid_dash_z();
-
- if (!is_service_running('squid')) {
- log_error("Starting Squid");
- mwexec("/usr/local/sbin/squid");
- } else {
- log_error("Reloading Squid for configuration sync");
- mwexec("/usr/local/sbin/squid -k reconfigure");
- }
-
- // Sleep for a couple seconds to give squid a chance to fire up fully.
- for ($i=0; $i < 10; $i++) {
- if (!is_service_running('squid'))
- sleep(1);
- }
- filter_configure();
- conf_mount_ro();
-}
-
-function squid_print_javascript_auth() {
- global $config;
- $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
-
- // No authentication for transparent proxy
- if ($transparent_proxy) {
- $javascript = <<<EOD
-<script language="JavaScript">
-<!--
-function on_auth_method_changed() {
- document.iform.auth_method.disabled = 1;
- document.iform.auth_server.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- document.iform.auth_server_port.disabled = 1;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_prompt.disabled = 1;
- document.iform.auth_processes.disabled = 1;
- document.iform.auth_ttl.disabled = 1;
- document.iform.unrestricted_auth.disabled = 1;
- document.iform.no_auth_hosts.disabled = 1;
-}
--->
-</script>
-
-EOD;
- }
- else {
- $javascript = <<<EOD
-<script language="JavaScript">
-<!--
-function on_auth_method_changed() {
- var field = document.iform.auth_method;
- var auth_method = field.options[field.selectedIndex].value;
-
- if (auth_method == 'none') {
- document.iform.auth_server.disabled = 1;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_prompt.disabled = 1;
- document.iform.auth_processes.disabled = 1;
- document.iform.auth_ttl.disabled = 1;
- document.iform.unrestricted_auth.disabled = 1;
- document.iform.no_auth_hosts.disabled = 1;
- }
- else {
- document.iform.auth_prompt.disabled = 0;
- document.iform.auth_processes.disabled = 0;
- document.iform.auth_ttl.disabled = 0;
- document.iform.unrestricted_auth.disabled = 0;
- document.iform.no_auth_hosts.disabled = 0;
- }
-
- switch (auth_method) {
- case 'local':
- document.iform.auth_server.disabled = 1;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- break;
- case 'ldap':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 0;
- document.iform.ldap_user.disabled = 0;
- document.iform.ldap_pass.disabled = 0;
- document.iform.ldap_version.disabled = 0;
- document.iform.ldap_userattribute.disabled = 0;
- document.iform.ldap_filter.disabled = 0;
- document.iform.ldap_basedomain.disabled = 0;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- break;
- case 'radius':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 0;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 0;
- document.iform.msnt_secondary.disabled = 1;
- document.iform.auth_ntdomain.disabled = 1;
- break;
- case 'msnt':
- document.iform.auth_server.disabled = 0;
- document.iform.auth_server_port.disabled = 1;
- document.iform.auth_ntdomain.disabled = 0;
- document.iform.ldap_user.disabled = 1;
- document.iform.ldap_pass.disabled = 1;
- document.iform.ldap_version.disabled = 1;
- document.iform.ldap_userattribute.disabled = 1;
- document.iform.ldap_filter.disabled = 1;
- document.iform.ldap_basedomain.disabled = 1;
- document.iform.radius_secret.disabled = 1;
- document.iform.msnt_secondary.disabled = 0;
- break;
- }
-}
--->
-</script>
-
-EOD;
- }
-
- print($javascript);
-}
-
-function squid_print_javascript_auth2() {
- print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n");
-}
-
-function squid_generate_rules($type) {
- global $config;
-
- $squid_conf = $config['installedpackages']['squid']['config'][0];
-
- if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
- return;
- }
-
- if (!is_service_running('squid')) {
- log_error("SQUID is installed but not started. Not installing \"{$type}\" rules.");
- return;
- }
-
- $ifaces = explode(",", $squid_conf['active_interface']);
- $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces);
- $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
-
- $fw_aliases = filter_generate_aliases();
- if(strstr($fw_aliases, "pptp ="))
- $PPTP_ALIAS = "\$pptp";
- else
- $PPTP_ALIAS = "\$PPTP";
- if(strstr($fw_aliases, "PPPoE ="))
- $PPPOE_ALIAS = "\$PPPoE";
- else
- $PPPOE_ALIAS = "\$pppoe";
-
- switch($type) {
- case 'nat':
- $rules .= "\n# Setup Squid proxy redirect\n";
- if ($squid_conf['private_subnet_proxy_off'] == 'on') {
- foreach ($ifaces as $iface) {
- $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
- }
- }
- if (!empty($squid_conf['defined_ip_proxy_off'])) {
- $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
- $exempt_ip = "";
- foreach ($defined_ip_proxy_off as $ip_proxy_off) {
- if(!empty($ip_proxy_off)) {
- $ip_proxy_off = trim($ip_proxy_off);
- if (is_alias($ip_proxy_off))
- $ip_proxy_off = '$'.$ip_proxy_off;
- $exempt_ip .= ", $ip_proxy_off";
- }
- }
- $exempt_ip = substr($exempt_ip,2);
- foreach ($ifaces as $iface) {
- $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
- }
- }
- if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
- $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
- $exempt_dest = "";
- foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
- if(!empty($ip_proxy_off_dest)) {
- $ip_proxy_off_dest = trim($ip_proxy_off_dest);
- if (is_alias($ip_proxy_off_dest))
- $ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
- $exempt_dest .= ", $ip_proxy_off_dest";
- }
- }
- $exempt_dest = substr($exempt_dest,2);
- foreach ($ifaces as $iface) {
- $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n";
- }
- }
- foreach ($ifaces as $iface) {
- $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
- }
- /* Handle PPPOE case */
- if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
- $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n";
- }
- /* Handle PPTP case */
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n";
- }
- $rules .= "\n";
- break;
- case 'filter':
- case 'rule':
- foreach ($ifaces as $iface) {
- $rules .= "# Setup squid pass rules for proxy\n";
- $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
- $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
- $rules .= "\n";
- };
- if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
- $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n";
- }
- if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n";
- }
- break;
- default:
- break;
- }
-
- return $rules;
-}
-
-?>
diff --git a/config/squid3/old/squid.xml b/config/squid3/old/squid.xml
deleted file mode 100644
index 83fb9bc0..00000000
--- a/config/squid3/old/squid.xml
+++ /dev/null
@@ -1,342 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squid</name>
- <version>2.6.STABLE18</version>
- <title>Proxy server: General settings</title>
- <include_file>/usr/local/pkg/squid.inc</include_file>
- <menu>
- <name>Proxy server</name>
- <tooltiptext>Modify the proxy server's settings</tooltiptext>
- <section>Services</section>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </menu>
- <service>
- <name>squid</name>
- <rcfile>squid.sh</rcfile>
- <executable>squid</executable>
- <description>Proxy server Service</description>
- </service>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <!-- Installation -->
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_cache.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_nac.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_ng.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_traffic.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_upstream.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_auth.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_users.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/etc/rc.d/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/proxy_monitor.sh</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_cache.xml</item>
- </additional_files_needed>
- <fields>
- <field>
- <fielddescr>Proxy interface</fielddescr>
- <fieldname>active_interface</fieldname>
- <description>The interface(s) the proxy server will bind to.</description>
- <type>interfaces_selection</type>
- <required/>
- <default_value>lan</default_value>
- <multiple/>
- </field>
- <field>
- <fielddescr>Allow users on interface</fielddescr>
- <fieldname>allow_interface</fieldname>
- <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description>
- <type>checkbox</type>
- <required/>
- <default_value>on</default_value>
- </field>
- <field>
- <fielddescr>Transparent proxy</fielddescr>
- <fieldname>transparent_proxy</fieldname>
- <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
- <type>checkbox</type>
- <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields>
- <required/>
- </field>
- <field>
- <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr>
- <fieldname>private_subnet_proxy_off</fieldname>
- <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server but directly through the firewall.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Bypass proxy for these source IPs</fielddescr>
- <fieldname>defined_ip_proxy_off</fieldname>
- <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description>
- <type>input</type>
- <size>80</size>
- </field>
- <field>
- <fielddescr>Bypass proxy for these destination IPs</fielddescr>
- <fieldname>defined_ip_proxy_off_dest</fieldname>
- <description>Do not proxy traffic going to these &lt;b&gt;destination&lt;/b&gt; IPs, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description>
- <type>input</type>
- <size>80</size>
- </field>
- <field>
- <fielddescr>Enabled logging</fielddescr>
- <fieldname>log_enabled</fieldname>
- <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
- <type>checkbox</type>
- <enablefields>log_query_terms,log_user_agents</enablefields>
- </field>
- <field>
- <fielddescr>Log store directory</fielddescr>
- <fieldname>log_dir</fieldname>
- <description>The directory where the log will be stored (note: do not end with a / mark)</description>
- <type>input</type>
- <size>60</size>
- <required/>
- <default_value>/var/squid/logs</default_value>
- </field>
- <field>
- <fielddescr>Log rotate</fielddescr>
- <fieldname>log_rotate</fieldname>
- <description>Defines how many days of logfiles will be kept. Rotation is disabled if left empty.</description>
- <type>input</type>
- <size>5</size>
- </field>
- <field>
- <fielddescr>Proxy port</fielddescr>
- <fieldname>proxy_port</fieldname>
- <description>This is the port the proxy server will listen on.</description>
- <type>input</type>
- <size>5</size>
- <required/>
- <default_value>3128</default_value>
- </field>
- <field>
- <fielddescr>ICP port</fielddescr>
- <fieldname>icp_port</fieldname>
- <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description>
- <type>input</type>
- <size>5</size>
- </field>
- <field>
- <fielddescr>Visible hostname</fielddescr>
- <fieldname>visible_hostname</fieldname>
- <description>This is the URL to be displayed in proxy server error messages.</description>
- <type>input</type>
- <size>60</size>
- <default_value>localhost</default_value>
- </field>
- <field>
- <fielddescr>Administrator email</fielddescr>
- <fieldname>admin_email</fieldname>
- <description>This is the email address displayed in error messages to the users.</description>
- <type>input</type>
- <size>60</size>
- <default_value>admin@localhost</default_value>
- </field>
- <field>
- <fielddescr>Language</fielddescr>
- <fieldname>error_language</fieldname>
- <description>Select the language in which the proxy server will display error messages to users.</description>
- <type>select</type>
- <default_value>en</default_value>
- </field>
- <field>
- <fielddescr>Disable X-Forward</fielddescr>
- <fieldname>disable_xforward</fieldname>
- <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Disable VIA</fielddescr>
- <fieldname>disable_via</fieldname>
- <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr>
- <fieldname>uri_whitespace</fieldname>
- <description>&lt;b&gt; strip:&lt;/b&gt; The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. &lt;p&gt; &lt;b&gt; deny:&lt;/b&gt; The request is denied. The user receives an "Invalid Request" message.&lt;p&gt; &lt;b&gt; allow:&lt;/b&gt; The request is allowed and the URI is not changed. The whitespace characters remain in the URI.&lt;p&gt; &lt;b&gt; encode:&lt;/b&gt; The request is allowed and the whitespace characters are encoded according to RFC1738.&lt;p&gt; &lt;b&gt; chop:&lt;/b&gt; The request is allowed and the URI is chopped at the first whitespace.</description>
- <type>select</type>
- <default_value>strip</default_value>
- <options>
- <option>
- <name>strip</name>
- <value>strip</value>
- </option>
- <option>
- <name>deny</name>
- <value>deny</value>
- </option>
- <option>
- <name>allow</name>
- <value>allow</value>
- </option>
- <option>
- <name>encode</name>
- <value>encode</value>
- </option>
- <option>
- <name>chop</name>
- <value>chop</value>
- </option>
- </options>
- </field>
- <field>
- <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr>
- <fieldname>dns_nameservers</fieldname>
- <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>Suppress Squid Version</fielddescr>
- <fieldname>disable_squidversion</fieldname>
- <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Custom Options</fielddescr>
- <fieldname>custom_options</fieldname>
- <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.</description>
- <type>textarea</type>
- <cols>65</cols>
- <rows>5</rows>
- </field>
- </fields>
- <custom_php_command_before_form>
- squid_before_form_general($pkg);
- </custom_php_command_before_form>
- <custom_add_php_command>
- squid_resync();
- </custom_add_php_command>
- <custom_php_validation_command>
- squid_validate_general($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- squid_resync();
- exec("/bin/rm -f /usr/local/etc/rc.d/squid");
- </custom_php_resync_config_command>
- <custom_php_install_command>
- update_status("Checking Squid cache... One moment please...");
- update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
- squid_install_command();
- squid_resync();
- exec("/bin/rm -f /usr/local/etc/rc.d/squid");
- </custom_php_install_command>
- <custom_php_deinstall_command>
- squid_deinstall_command();
- exec("/bin/rm -f /usr/local/etc/rc.d/squid*");
- </custom_php_deinstall_command>
- <filter_rules_needed>squid_generate_rules</filter_rules_needed>
-</packagegui>
diff --git a/config/squid3/old/squid_auth.inc b/config/squid3/old/squid_auth.inc
deleted file mode 100644
index 7c99a01b..00000000
--- a/config/squid3/old/squid_auth.inc
+++ /dev/null
@@ -1,446 +0,0 @@
-<?php
-/* $Id$ */
-
-/*
- squid_auth.inc
- part of pfSense (www.pfSense.com)
-
- Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
-*/
-
-function global_eval_auth_options()
-{
- global $config;
- conf_mount_rw();
- config_lock();
-
- switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
- case "none":
- dynamic_auth_content("pkg_edit");
- dynamic_no_auth();
- break;
- case "local_auth":
- dynamic_auth_content("pkg");
- /* create empty passwd file to prevent stat error with squid reload */
- touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
- dynamic_local_auth();
- break;
- case "ldap_bind":
- dynamic_auth_content("pkg_edit");
- dynamic_ldap_auth();
- break;
- case "domain_auth":
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_domain_auth();
- break;
- case "radius_auth":
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_radius_auth();
- break;
- default:
- $filecontents = file("/usr/local/pkg/squid_auth.xml");
- dynamic_auth_content("pkg_edit");
- dynamic_no_auth();
- break;
- }
-
- config_unlock();
- conf_mount_ro();
-
-} /* end function global_eval_auth_options */
-
-function dynamic_no_auth() {
- global $config;
- conf_mount_rw();
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextnoauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n");
- fwrite($fout, " <fieldname>no_auth</fieldname>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");");
- fwrite($fout, "\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-function dynamic_local_auth() {
- global $config;
- conf_mount_rw();
-
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
-
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextlocalauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
- fwrite($fout, " <version>2.5.10_4</version>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <files></files>\n");
- fwrite($fout, " <menu></menu>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <adddeleteeditpagefields>\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Username</fielddescr>\n");
- fwrite($fout, " <fieldname>username</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Description</fielddescr>\n");
- fwrite($fout, " <fieldname>description</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <columnitem>\n");
- fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
- fwrite($fout, " <fieldname>group</fieldname>\n");
- fwrite($fout, " </columnitem>\n");
- fwrite($fout, " </adddeleteeditpagefields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Username</fielddescr>\n");
- fwrite($fout, " <fieldname>username</fieldname>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>15</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Password</fielddescr>\n");
- fwrite($fout, " <fieldname>password</fieldname>\n");
- fwrite($fout, " <type>password</type>\n");
- fwrite($fout, " <size>8</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n");
- fwrite($fout, " <fieldname>description</fieldname>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>30</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
- fwrite($fout, " <fieldname>group</fieldname>\n");
- fwrite($fout, " <type>select</type>\n");
- fwrite($fout, " <options>\n");
- fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n");
- fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n");
- fwrite($fout, " </options>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
- fwrite($fout, "\n");
- fwrite($fout, " mod_htpasswd();\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
-
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-function dynamic_ldap_auth() {
- global $config;
- conf_mount_rw();
-
- $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
-
- fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
- fwrite($fout, "\n");
- fwrite($fout, "<packagegui>\n");
- fwrite($fout, " <name>squidextldapauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
- fwrite($fout, " <version>2.5.11</version>\n");
- fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <files></files>\n");
- fwrite($fout, " <menu></menu>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tabs>\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>General Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Upstream Proxy</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Cache Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Network Access Control</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Traffic Mgmt</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <tab>\n");
- fwrite($fout, " <text>Extended Auth Settings</text>\n");
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- fwrite($fout, " <active/>\n");
- fwrite($fout, " </tab>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </tabs>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <fields>\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Base DN</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n");
- fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>50</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_server</fieldname>\n");
- fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>20</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_type</fieldname>\n");
- fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n");
- fwrite($fout, " <type>select</type>\n");
- fwrite($fout, " <options>\n");
- fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n");
- fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n");
- fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n");
- fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n");
- fwrite($fout, " </options>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n");
- fwrite($fout, " <fieldname>ldap_port</fieldname>\n");
- fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>5</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n");
- fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n");
- fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n");
- fwrite($fout, " <type>input</type>\n");
- fwrite($fout, " <size>30</size>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <field>\n");
- fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n");
- fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n");
- fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n");
- fwrite($fout, " <type>password</type>\n");
- fwrite($fout, " </field>\n");
- fwrite($fout, "\n");
- fwrite($fout, " </fields>\n");
- fwrite($fout, "\n");
- fwrite($fout, " <custom_add_php_command_late>\n");
- fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
- fwrite($fout, "\n");
- fwrite($fout, " mod_htpasswd();\n");
- fwrite($fout, "\n");
- fwrite($fout, " global_write_squid_config();\n");
- fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
- fwrite($fout, " </custom_add_php_command_late>\n");
- fwrite($fout, "\n");
- fwrite($fout, "</packagegui>\n");
-
- fclose($fout);
-
- /* mount filesystem read-only */
- conf_mount_ro();
-}
-
-/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
-function dynamic_auth_content($pkgvar) {
-
- switch ($pkgvar) {
- case "pkg":
- if ($handle = opendir("/usr/local/pkg")) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
- $filecontents = file("/usr/local/pkg/" . $file);
- $fout = fopen("/usr/local/pkg/" . $file, "w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
- }
- }
- }
- break;
-
- case "pkg_edit":
- if ($handle = opendir("/usr/local/pkg")) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
- $filecontents = file("/usr/local/pkg/" . $file);
- $fout = fopen("/usr/local/pkg/" . $file,"w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
- }
- }
- }
- break;
- }
-
-} /* end function dynamic_auth_content */
-?> \ No newline at end of file
diff --git a/config/squid3/old/squid_auth.xml b/config/squid3/old/squid_auth.xml
deleted file mode 100644
index db26756b..00000000
--- a/config/squid3/old/squid_auth.xml
+++ /dev/null
@@ -1,240 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidauth</name>
- <version>none</version>
- <title>Proxy server: Authentication</title>
- <include_file>squid.inc</include_file>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <fields>
- <field>
- <fielddescr>Authentication method</fielddescr>
- <fieldname>auth_method</fieldname>
- <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description>
- <type>select</type>
- <required/>
- <default_value>none</default_value>
- <options>
- <option><name>None</name><value>none</value></option>
- <option><name>Local</name><value>local</value></option>
- <option><name>LDAP</name><value>ldap</value></option>
- <option><name>RADIUS</name><value>radius</value></option>
- <option><name>NT domain</name><value>msnt</value></option>
- </options>
- <onchange>on_auth_method_changed()</onchange>
- </field>
- <field>
- <fielddescr>LDAP version</fielddescr>
- <fieldname>ldap_version</fieldname>
- <description>Enter LDAP protocol version (2 or 3).</description>
- <type>select</type>
- <default_value>2</default_value>
- <options>
- <option><name>2</name><value>2</value></option>
- <option><name>3</name><value>3</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Authentication server</fielddescr>
- <fieldname>auth_server</fieldname>
- <description>Enter here the IP or hostname of the server that will perform the authentication.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>Authentication server port</fielddescr>
- <fieldname>auth_server_port</fieldname>
- <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>NT domain</fielddescr>
- <fieldname>auth_ntdomain</fieldname>
- <description>Enter here the NT domain.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>LDAP server user DN</fielddescr>
- <fieldname>ldap_user</fieldname>
- <description>Enter here the user DN to use to connect to the LDAP server.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>LDAP password</fielddescr>
- <fieldname>ldap_pass</fieldname>
- <description>Enter here the password to use to connect to the LDAP server.</description>
- <type>password</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>LDAP base domain</fielddescr>
- <fieldname>ldap_basedomain</fieldname>
- <description>For LDAP authentication, enter here the base domain in the LDAP server.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>LDAP username DN attribute</fielddescr>
- <fieldname>ldap_userattribute</fieldname>
- <description>Enter LDAP username DN attibute.</description>
- <type>input</type>
- <size>60</size>
- <default_value>uid</default_value>
- </field>
- <field>
- <fielddescr>LDAP search filter</fielddescr>
- <fieldname>ldap_filter</fieldname>
- <description>Enter LDAP search filter.</description>
- <type>input</type>
- <size>60</size>
- <default_value>(&amp;(objectClass=person)(uid=%s))</default_value>
- </field>
- <field>
- <fielddescr>RADIUS secret</fielddescr>
- <fieldname>radius_secret</fieldname>
- <description>The RADIUS secret for RADIUS authentication.</description>
- <type>password</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>Secondary NT servers</fielddescr>
- <fieldname>msnt_secondary</fieldname>
- <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>Authentication prompt</fielddescr>
- <fieldname>auth_prompt</fieldname>
- <description>This string will be displayed at the top of the authentication request window.</description>
- <type>input</type>
- <default_value>Please enter your credentials to access the proxy</default_value>
- </field>
- <field>
- <fielddescr>Authentication processes</fielddescr>
- <fieldname>auth_processes</fieldname>
- <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description>
- <type>input</type>
- <size>60</size>
- <default_value>5</default_value>
- </field>
- <field>
- <fielddescr>Authentication TTL</fielddescr>
- <fieldname>auth_ttl</fieldname>
- <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description>
- <type>input</type>
- <size>60</size>
- <default_value>60</default_value>
- </field>
- <field>
- <fielddescr>Requiere authentication for unrestricted hosts</fielddescr>
- <fieldname>unrestricted_auth</fieldname>
- <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Subnets that don't need authentication</fielddescr>
- <fieldname>no_auth_hosts</fieldname>
- <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- </fields>
- <custom_php_validation_command>
- squid_validate_auth($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_after_form_command>
- squid_print_javascript_auth2();
- </custom_php_after_form_command>
- <custom_php_resync_config_command>
- squid_resync();
- </custom_php_resync_config_command>
- <custom_php_before_form_command>
- squid_print_javascript_auth2();
- </custom_php_before_form_command>
- <custom_php_after_head_command>
- $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
- if($transparent_proxy)
- $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled";
- squid_print_javascript_auth();
- </custom_php_after_head_command>
-</packagegui>
diff --git a/config/squid3/old/squid_cache.xml b/config/squid3/old/squid_cache.xml
deleted file mode 100644
index a765d911..00000000
--- a/config/squid3/old/squid_cache.xml
+++ /dev/null
@@ -1,224 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidcache</name>
- <version>none</version>
- <title>Proxy server: Cache management</title>
- <include_file>squid.inc</include_file>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <fields>
- <field>
- <fielddescr>Hard disk cache size</fielddescr>
- <fieldname>harddisk_cache_size</fieldname>
- <description>This is the amount of disk space (in megabytes) to use for cached objects.</description>
- <type>input</type>
- <required/>
- <default_value>100</default_value>
- </field>
- <field>
- <fielddescr>Hard disk cache system</fielddescr>
- <fieldname>harddisk_cache_system</fieldname>
- <description>This specifies the kind of storage system to use. &lt;p&gt; &lt;b&gt; ufs &lt;/b&gt; is the old well-known Squid storage format that has always been there. &lt;p&gt; &lt;b&gt; aufs &lt;/b&gt; uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) &lt;p&gt; &lt;b&gt; diskd &lt;/b&gt; uses a separate process to avoid blocking the main Squid process on disk-I/O. &lt;p&gt; &lt;b&gt; null &lt;/b&gt; Does not use any storage. Ideal for Embedded/NanoBSD.</description>
- <type>select</type>
- <default_value>ufs</default_value>
- <options>
- <option><name>ufs</name><value>ufs</value></option>
- <option><name>aufs</name><value>aufs</value></option>
- <option><name>diskd</name><value>diskd</value></option>
- <option><name>null</name><value>null</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Hard disk cache location</fielddescr>
- <fieldname>harddisk_cache_location</fieldname>
- <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description>
- <type>input</type>
- <size>60</size>
- <required/>
- <default_value>/var/squid/cache</default_value>
- </field>
- <field>
- <fielddescr>Memory cache size</fielddescr>
- <fieldname>memory_cache_size</fieldname>
- <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description>
- <type>input</type>
- <required/>
- <default_value>8</default_value>
- </field>
- <field>
- <fielddescr>Minimum object size</fielddescr>
- <fieldname>minimum_object_size</fieldname>
- <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description>
- <type>input</type>
- <required />
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Maximum object size</fielddescr>
- <fieldname>maximum_object_size</fieldname>
- <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description>
- <type>input</type>
- <required/>
- <default_value>4</default_value>
- </field>
- <field>
- <fielddescr>Level 1 subdirectories</fielddescr>
- <fieldname>level1_subdirs</fieldname>
- <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description>
- <type>select</type>
- <default_value>16</default_value>
- <options>
- <option><name>4</name><value>4</value></option>
- <option><name>8</name><value>8</value></option>
- <option><name>16</name><value>16</value></option>
- <option><name>32</name><value>32</value></option>
- <option><name>64</name><value>64</value></option>
- <option><name>128</name><value>128</value></option>
- <option><name>256</name><value>256</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Memory replacement policy</fielddescr>
- <fieldname>memory_replacement_policy</fieldname>
- <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. &lt;p&gt; &lt;b&gt; LRU: Last Recently Used Policy &lt;/b&gt; - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. &lt;p&gt; &lt;b&gt; Heap GDSF: Greedy-Dual Size Frequency &lt;/b&gt; - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. &lt;p&gt; &lt;b&gt; Heap LFUDA: Least Frequently Used with Dynamic Aging &lt;/b&gt; - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. &lt;p&gt; &lt;b&gt; Heap LRU: Last Recently Used &lt;/b&gt; - Works like LRU, but uses a heap instead. &lt;p&gt; Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description>
- <type>select</type>
- <default_value>heap GDSF</default_value>
- <options>
- <option><name>LRU</name><value>lru</value></option>
- <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
- <option><name>Heap GDSF</name><value>heap GDSF</value></option>
- <option><name>Heap LRU</name><value>heap LRU</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Cache replacement policy</fielddescr>
- <fieldname>cache_replacement_policy</fieldname>
- <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description>
- <type>select</type>
- <default_value>heap LFUDA</default_value>
- <options>
- <option><name>LRU</name><value>lru</value></option>
- <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
- <option><name>Heap GDSF</name><value>heap GDSF</value></option>
- <option><name>Heap LRU</name><value>heap LRU</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Low-water-mark in %</fielddescr>
- <fieldname>cache_swap_low</fieldname>
- <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description>
- <type>input</type>
- <default_value>90</default_value>
- </field>
- <field>
- <fielddescr>High-water-mark in %</fielddescr>
- <fieldname>cache_swap_high</fieldname>
- <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description>
- <type>input</type>
- <default_value>95</default_value>
- </field>
- <field>
- <fielddescr>Do not cache</fielddescr>
- <fieldname>donotcache</fieldname>
- <description>Enter each domain or IP address on a new line that should never be cached.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>Enable offline mode</fielddescr>
- <fieldname>enable_offline</fieldname>
- <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description>
- <type>checkbox</type>
- <required/>
- </field>
- </fields>
- <custom_php_command_before_form>
- if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
- $needs_dash_z = true;
- }
- </custom_php_command_before_form>
- <custom_php_validation_command>
- squid_validate_cache($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- squid_resync();
- if($needs_dash_z)
- squid_dash_z();
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/config/squid3/old/squid_extauth.xml b/config/squid3/old/squid_extauth.xml
deleted file mode 100644
index 41d9f633..00000000
--- a/config/squid3/old/squid_extauth.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidextnoauth</name>
- <version>none</version>
- <title>Services: Proxy Server -> Extended Authentication Settings</title>
- <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Auth</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
-
- <tab>
- <text>Extended Auth</text>
- <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
- <active/>
- </tab>
-
- </tabs>
- <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>
- <fields>
- <field>
- <fielddescr>No Authentication Defined</fielddescr>
- <fieldname>no_auth</fieldname>
- <type>text</type>
- </field>
- </fields>
-
- <custom_add_php_command_late>
- require_once("/usr/local/pkg/squid_ng.inc");
-
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- </custom_add_php_command_late>
-
-</packagegui>
diff --git a/config/squid3/old/squid_nac.xml b/config/squid3/old/squid_nac.xml
deleted file mode 100644
index 0d914dca..00000000
--- a/config/squid3/old/squid_nac.xml
+++ /dev/null
@@ -1,143 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidnac</name>
- <version>none</version>
- <title>Proxy server: Access control</title>
- <include_file>squid.inc</include_file>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <fields>
- <field>
- <fielddescr>Allowed subnets</fielddescr>
- <fieldname>allowed_subnets</fieldname>
- <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>Unrestricted IPs</fielddescr>
- <fieldname>unrestricted_hosts</fieldname>
- <description>Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>Banned host addresses</fielddescr>
- <fieldname>banned_hosts</fieldname>
- <description>Enter each IP address on a new line that is not to be allowed to use the proxy.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>Whitelist</fielddescr>
- <fieldname>whitelist</fieldname>
- <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>Blacklist</fielddescr>
- <fieldname>blacklist</fieldname>
- <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description>
- <type>textarea</type>
- <cols>50</cols>
- <rows>5</rows>
- <encoding>base64</encoding>
- </field>
- <field>
- <fielddescr>External Cache-Managers</fielddescr>
- <fieldname>ext_cachemanager</fieldname>
- <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description>
- <type>input</type>
- <size>60</size>
- </field>
- </fields>
- <custom_php_validation_command>
- squid_validate_nac($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- squid_resync();
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/config/squid3/old/squid_ng.inc b/config/squid3/old/squid_ng.inc
deleted file mode 100644
index bfc99faf..00000000
--- a/config/squid3/old/squid_ng.inc
+++ /dev/null
@@ -1,1070 +0,0 @@
-<?php
-/* $Id$ */
-
-/*
- squid_ng.inc
- part of pfSense (www.pfSense.com)
-
- Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
-*/
-
-if(!function_exists("filter_configure"))
- require_once("filter.inc");
-
-function global_write_squid_config()
-{
- global $config;
- conf_mount_rw();
- config_lock();
-
- /* define squid configuration file in variable for replace function */
- $squidconfig = "/usr/local/etc/squid/squid.conf";
-
- /* squid.xml values */
- $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
- $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
- $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
- $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
- $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
- $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
- $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
- $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
- $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
- $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
- $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
- $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
-
- /* squid_upstream.xml values */
- $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
- $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
- $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
- $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
- $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
- $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
- $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
-
- /* squid_cache.xml values */
- $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
- $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
- $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
- $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
- $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
- $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
- $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
- $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
- $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
-
- /* squid_nac.xml values */
- $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
- $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
- $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
- $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
- $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
- $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
-
- /* squid_traffic.xml values */
- $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
- $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
- $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
- $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
- $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
- $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
- $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
-
- /* squid_auth.xml values */
- $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
- $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
- $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
- $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
- $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
- $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
- $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
- $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
- $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
- $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
-
- /* squid_extauth.xml (ldap) values */
- $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
- $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
- $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
- $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
- $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
- $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
-
- /* squid_extauth.xml (radius) values */
- $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
- $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
- $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
- $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
-
- /* static variable assignments for directory mapping */
- $acldir = "/usr/local/etc/squid/advanced/acls";
- $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
- $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
- $radiusdir = "/usr/local/etc/squid/advanced/radius";
-
- $fout = fopen($squidconfig, "w");
-
- $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
-
- if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
- mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
- mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
- } else {
- mwexec("rm -f /usr/local/www/cachemgr.cgi");
- }
- unset($cachemgr_enabled);
-
- if (!isset($icp_port) or ($icp_port == "")) {
- $icp_port = "3130";
- }
- $config_array[] = 'icp_port ' . $icp_port . "\n";
- unset($icp_port);
-
- if(!isset($proxy_port) or ($proxy_port == "")) {
- $proxy_port = "3128";
- }
-
- if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
- $int = convert_friendly_interface_to_real_interface_name($active_interface);
- $listen_ip = find_interface_ip($int);
-
- $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
- $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
- $config_array[] = 'no_cache deny QUERY' . "\n\n";
- }
- $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n";
- unset($proxy_port);
-
- if (isset($domain) && ($domain !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/dst_nocache.acl","w");
-
- $domain_array = split("; ",$domain);
- foreach ($domain_array as $no_cache_domain) {
- fwrite($aclout, $no_cache_domain . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
- $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
- }
- unset($no_cache_domain);
- unset($domain_array);
- unset($domain);
-
- $config_array[] = 'cache_effective_user squid' . "\n";
- $config_array[] = 'cache_effective_group squid' . "\n\n";
- $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
-
- if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
- $memory_cache_size = "8";
- }
- $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
- unset($memory_cache_size);
-
- if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
- $harddisk_cache_size = "500";
- }
-
- if (!isset($level_subdirs) or ($level_subdirs == "")) {
- $level_subdirs = "16";
- }
-
- $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
- unset($harddisk_cache_size);
- unset($level_subdirs);
-
- if (!isset($error_language) or ($error_language == "")) {
- $error_language = "English";
- }
- $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
- unset($error_language);
-
- if (isset($offline_mode) && ($offline_mode == "on")) {
- $config_array[] = 'offline_mode on' . "\n\n";
- } else {
- $config_array[] = 'offline_mode off' . "\n\n";
- }
-
- if (!isset($memory_replacement) or ($memory_replacement == "")) {
- $memory_replacement = "heap GDSF";
- }
- $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
- unset($memory_replacement);
-
- if (!isset($cache_replacement) or ($cache_replacement == "")) {
- $cache_replacement="heap GDSF";
- }
- $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
- unset($cache_replacement);
-
- if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
- $config_array[] = 'cache_access_log none' . "\n";
- } else {
- $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
- }
- $config_array[] = 'cache_log /var/log/cache.log' . "\n";
- $config_array[] = 'cache_store_log none' . "\n";
- unset($accesslog_disabled);
- unset($log_enabled);
-
- if (isset($log_query_terms) && ($log_query_terms == "on")) {
- $config_array[] = 'strip_query_terms off' . "\n";
- } else {
- $config_array[] = 'strip_query_terms on' . "\n";
- }
- unset($log_query_terms);
-
- $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
- unset($log_user_agents);
-
- $config_array[] = 'log_mime_hdrs off' . "\n";
- $config_array[] = 'emulate_httpd_log on' . "\n";
-
- switch ($user_forwarding) {
- case "on":
- $config_array[] = 'forwarded_for on' . "\n\n";
- break;
- case "off":
- $config_array[] = 'forwarded_for off' . "\n\n";
- break;
- default:
- $config_array[] = 'forwarded_for off' . "\n\n";
- break;
- }
- unset($user_forwarding);
-
- switch ($auth_method) {
- case "none":
- break;
- case "local_auth":
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "radius_auth";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "ldap_bind";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
- $config_array[] = ' -b "' . $ldap_basedn . '"';
- $config_array[] = ' -D "' . $bind_dn_username . '"';
- $config_array[] = " -w " . $bind_dn_password;
- $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
- $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
-
- if (!isset($auth_processes) or ($auth_processes == "")) {
- $auth_processes = "5";
- }
- $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
- $auth_realm_prompt = "pfSense Advanced Proxy";
- }
- $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
- $auth_cache_ttl = "60";
- }
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
- unset($auth_realm_prompt);
- unset($auth_processes);
- unset($auth_cache_ttl);
-
- break;
- case "windows_auth";
- break;
- }
-
- if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
- fwrite($throttle_out, $binary_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
- }
- unset($throttle_binary_files);
- unset($throttle_out);
- unset($binary_out);
-
- if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
- fwrite($throttle_out, $cd_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_cd.acl")) {
- unlink($acldir . "/dst_throttle_cd.acl");
- }
- }
- unset($throttle_cd_images);
- unset($throttle_out);
- unset($cd_out);
-
- if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
-
- $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
- fwrite($throttle_out, $multimedia_out);
- fclose($throttle_out);
- $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
- } else {
- if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
- unlink($acldir . "/dst_throttle_multimedia.acl");
- }
- }
- unset($throttle_multimedia);
- unset($multimedia_out);
- unset($throttle_out);
-
- $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
-
- /* obtain interface subnet and address for Squid rules */
- $lactive_interface = strtolower($active_interface);
-
- $lancfg = $config['interfaces'][$lactive_interface];
- $lanif = $lancfg['if'];
- $lanip = $lancfg['ipaddr'];
- $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
-
- $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
- $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
- $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
- $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
- $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
- $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
- $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
- $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
- $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
- $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
- $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n";
- $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
- $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
- $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
- $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
-
- /* allow access through proxy for custom admin port */
- $custom_port = $config['system']['webgui']['port'];
- if (isset($custom_port) && ($custom_port !== "")) {
- $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
- unset($custom_port);
- } else {
- $admin_protocol = $config['system']['webgui']['protocol'];
- switch ($admin_protocol) {
- case "http";
- $config_array[] = 'acl pf_admin_port port 80' ."\n";
- break;
- case "https";
- $config_array[] = 'acl pf_admin_port port 443' . "\n";
- break;
- default;
- $config_array[] = 'acl pf_admin_port port 80' . "\n";
- break;
- }
- unset($admin_protocol);
- }
-
- /* define override hosts as specified in squid_nac.xml */
- if (isset($override_hosts) && ($override_hosts !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
-
- $override_hosts_array = split("; ", $override_hosts);
- foreach ($override_hosts_array as $ind_override_host) {
- fwrite($aclout, $ind_override_host . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
- }
- /* clear variables */
- unset($override_hosts_array);
- unset($ind_override_host);
- unset($override_hosts);
-
- /* define subnets allowed to utilize proxy service */
- if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- mwexec("touch {$acldir}/src_subnets.acl");
- }
-
- $aclout = fopen($acldir . "/src_subnets.acl","w");
-
- $allowed_subnets_array = split("; ",$allowed_subnets);
- foreach ($allowed_subnets_array as $ind_allowed_subnets) {
- fwrite($aclout, $ind_allowed_subnets . "\n");
- }
-
- fclose($aclout);
- } else {
-
- $aclout = fopen($acldir . "/src_subnets.acl","w");
- fwrite($aclout, $lansa . "/" . $lansn . "\n");
- fclose($aclout);
- }
-
- $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
-
- unset($allowed_subnets_array);
- unset($ind_allowed_subnets);
- unset($allowed_subnets);
-
- /* define ip addresses that have 'unrestricted' access */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
-
- $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
- foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
- fwrite($aclout, $ind_unrestricted_ip . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
- }
- unset($unrestricted_ip_array);
- unset($unrestricted_ip_addr);
- unset($ind_unrestricted_ip);
-
- /* define mac addresses that have 'unrestricted' access */
- if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
-
- $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
- foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
- fwrite($aclout, $ind_unrestricted_mac . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
- }
- unset($unrestricted_mac_array);
- unset($unrestricted_mac_addr);
- unset($ind_unrestricted_mac);
-
- /* define ip addresses that are banned from using the proxy service */
- if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_banned_ip.acl","w");
-
- $banned_ip_array = split("; ",$banned_ip_addr);
- foreach ($banned_ip_array as $ind_banned_ip) {
- fwrite($aclout, $ind_banned_ip . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
- }
- unset($banned_ip_addr);
- unset($banned_ip_addr);
- unset($ind_banned_ip);
-
- /* define mac addresses that are banned from using the proxy service */
- if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
- if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
- }
-
- $aclout = fopen($acldir . "/src_banned_mac.acl","w");
-
- $banned_mac_array = split("; ",$banned_mac_addr);
- foreach ($banned_mac_array as $ind_banned_mac) {
- fwrite($aclout, $ind_banned_mac . "\n");
- }
-
- fclose($aclout);
-
- $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
- }
- unset($banned_mac_array);
- unset($banned_mac_addr);
- unset($ind_banned_mac);
-
- $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
- $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
-
- if (isset($auth_method) && ($auth_method == "none")) {
- $config_array[] = 'http_access allow localnet' . "\n";
- }
- $config_array[] = 'http_access allow localhost' . "\n";
-
- if (isset($override_hosts) && ($override_hosts !== "")) {
- $config_array[] = 'http_access allow override_hosts' . "\n";
- }
- $config_array[] = "\n";
-
- switch ($config['system']['webgui']['protocol']) {
- case "http":
- $config_array[] = 'http_access allow pf_ips' . "\n";
- $config_array[] = 'http_access allow pf_admin_port' . "\n";
- $config_array[] = 'http_access deny !pf_networks' . "\n\n";
- break;
- case "https":
- $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
- $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
- $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
- break;
- }
-
- $config_array[] = 'http_access deny !Safe_ports' . "\n";
- $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
-
- if (isset($auth_method) && ($auth_method != "none")) {
- $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
- }
-
- $config_array[] = 'http_access deny all' . "\n\n";
-
- if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
-
- if ($dl_overall == "unlimited") {
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
- } else {
- $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
- }
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
- }
-
- if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
-
- if ($dl_per_host == "unlimited") {
- $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
- } else {
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
- }
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if ($throttle_binary_files == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if ($throttle_cd_images == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if ($throttle_multimedia == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
- }
-
- if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
- /* if no bandwidth restrictions are specified, then these parameters are not necessary */
- if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
-
- if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
- $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
- } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
- $config_array[] = 'delay_pools 1' . "\n";
- $config_array[] = 'delay_class 1 3' . "\n";
- $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
- }
- }
-
- if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
- if ($throttle_binary_files == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
- }
- if ($throttle_cd_images == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
- }
- if ($throttle_multimedia == "on") {
- $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
- } else {
- $config_array[] = 'delay_access 1 allow all' . "\n";
- }
- $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
- }
- }
-
- $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
- $config_array[] = 'header_access Via deny all' . "\n\n";
-
- /* TODO: acl customization for snmp support */
- /* fwrite($fout, "\n"); */
-
- if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
- $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
- $config_array[] = 'redirect_children 5' . "\n\n";
- }
-
- if (isset($max_upload_size) && ($max_upload_size != "")) {
- $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
- }
-
- if (isset($max_download_size) && ($max_download_size != "")) {
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
- /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
- $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
- }
-
- /* set default value for maximum_object_size */
- if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
- $maximum_object_size = "4096";
- }
-
- /* set default value for minimum_object_size */
- if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
- $minimum_object_size = "0";
- }
- $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
- $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
-
- if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
- $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
- $config_array[] = 'never_direct allow all' . "\n";
- }
- unset($proxy_forwarding);
-
-
- /* define default ruleset for transparent proxy operation */
- if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
- $config_array[] = 'httpd_accel_host virtual' . "\n";
- $config_array[] = 'httpd_accel_port 80' . "\n";
- $config_array[] = 'httpd_accel_with_proxy on' . "\n";
- $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
- }
- unset($transparent_proxy);
-
-
- /* define visible hostname */
- if (isset($visible_hostname) && ($visible_hostname !== "")) {
- $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
- }
- unset($visible_hostname);
-
- /* define cache administrators email address within error messages */
- if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
- $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
- }
- unset($cache_admin_email);
-
- /* write configuration file */
- foreach ($config_array as $config_item)
- {
- fwrite($fout, trim($config_item));
-
- if (stristr($config_item, "\n"))
- {
- for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
- {
- fwrite($fout, "\n");
- }
- }
-
- }
- fclose($fout);
-
- conf_mount_ro();
- config_unlock();
-
- touch($squidconfig);
-} /* end function write_squid_config */
-
-function custom_php_install_command() {
- /* write initial static config for transparent proxy */
- write_static_squid_config();
-
- touch("/tmp/custom_php_install_command");
-
- /* make sure this all exists, see:
- * https://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
- */
- update_output_window("Setting up Squid environment...");
- mwexec("mkdir -p /var/squid");
- mwexec("chown squid:squid /var/squid");
- mwexec("mkdir -p /var/squid/logs");
- mwexec("chown squid:squid /var/squid/logs");
- mwexec("mkdir -p /var/squid/cache");
- mwexec("chown squid:squid /var/squid/cache");
- mwexec("mkdir -p /usr/local/etc/squid/advanced");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced");
- mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
- mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
- mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
- mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
-
-
- /* set a few extra items noted by regan */
- update_output_window("Creating logs and setting user information...");
- $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w");
- fwrite($fdsquid, "#/bin/sh\n");
- fwrite($fdsquid, "# \n");
- fwrite($fdsquid, "# This file was created by the pfSense package system\n");
- fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n");
- fwrite($fdsquid, "# \n\n");
- fwrite($fdsquid, "chown squid:wheel /dev/pf\n");
- fwrite($fdsquid, "chmod ug+rw /dev/pf\n");
- fwrite($fdsquid, "touch /var/log/useragent.log\n");
- fwrite($fdsquid, "touch /var/log/access.log\n");
- fwrite($fdsquid, "touch /var/log/cache.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n");
- fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n");
- fwrite($fdsquid, "\n");
- fclose($fdsquid);
- mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
- mwexec("/usr/local/etc/rc.d/aSquid.sh");
-
- update_output_window("Creating Proxy Server initialization scripts...");
- $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
- $stop = "/usr/local/sbin/squid -k shutdown";
- write_rcfile(array(
- "file" => "squid.sh",
- "start" => $start,
- "stop" => $stop
- )
- );
-
- mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
-
- /* create log directory hierarchies if they don't exist */
- update_output_window("Creating required directory hierarchies...");
-
- if (!file_exists("/var/squid/logs")) {
- mwexec("mkdir -p /var/squid/logs");
- }
- mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
-
-
- if (!file_exists("/var/squid/cache")) {
- mwexec("mkdir -p /var/squid/cache");
- }
- mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
-
- if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
-
- if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
-
- if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
-
- if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
- mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
- }
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
-
- $devfs_file = fopen("/etc/devfs.conf", "a");
- fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
- fwrite($devfs_file, "own pf root:squid");
- fwrite($devfs_file, "perm pf 0640");
- fclose($devfs_file);
-
- update_output_window("Initializing Cache... This may take a moment...");
- mwexec("/usr/local/sbin/squid -z");
-
- update_output_window("Starting Proxy Server...");
- start_service("squid");
-}
-
-function custom_php_deinstall_command() {
- update_output_window("Stopping proxy service...");
- stop_service("squid");
- sleep(1);
- /* brute force any remaining squid processes out */
- mwexec("/usr/bin/killall squid");
- mwexec("/usr/bin/killall pinger");
- update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain...");
- mwexec("rm -rf /var/squid/cache");
- update_output_window("Removing configuration files...");
- unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
- unlink_if_exists("/usr/local/libexec/squid");
- unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh");
- mwexec("rm -f /usr/local/etc/rc.d/squid*");
- mwexec("rm -f /usr/local/www/cachemgr.cgi");
- filter_configure();
-}
-
-function write_static_squid_config() {
- touch("/tmp/write_static_squid_config");
- global $config;
- $lancfg = $config['interfaces']['lan'];
- $lanif = $lancfg['if'];
- $lanip = $lancfg['ipaddr'];
- $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
-
- $fout = fopen("/usr/local/etc/squid/squid.conf","w");
- fwrite($fout, "#\n");
- fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
- fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
- fwrite($fout, "#\n");
-
- /* set # of dns children */
- fwrite($fout, "dns_children 15\n");
-
- fwrite($fout, "shutdown_lifetime 5 seconds\n");
- fwrite($fout, "icp_port 0\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
- fwrite($fout, "no_cache deny QUERY\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "pid_filename /var/run/squid.pid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_mem 24 MB\n");
- fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "memory_replacement_policy heap GDSF\n");
- fwrite($fout, "cache_replacement_policy heap GDSF\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_access_log none\n");
- fwrite($fout, "cache_log none\n");
- fwrite($fout, "cache_store_log none\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "log_mime_hdrs off\n");
- fwrite($fout, "emulate_httpd_log on\n");
- fwrite($fout, "forwarded_for off\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
- fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
- fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 80 # http\n");
- fwrite($fout, "acl Safe_ports port 21 # ftp\n");
- fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 70 # gopher\n");
- fwrite($fout, "acl Safe_ports port 210 # wais\n");
- fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
- fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
- fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
- fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
- fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
- fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl CONNECT method CONNECT\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#access to squid; local machine; no restrictions\n");
- fwrite($fout, "http_access allow localnet\n");
- fwrite($fout, "http_access allow localhost\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Deny non web services\n");
- fwrite($fout, "http_access deny !Safe_ports\n");
- fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Set custom configured ACLs\n");
- fwrite($fout, "http_access deny all\n");
- fwrite($fout, "visible_hostname pfSense\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_effective_user squid\n");
- fwrite($fout, "cache_effective_group squid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "maximum_object_size 4096 KB\n");
- fwrite($fout, "minimum_object_size 0 KB\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "request_body_max_size 0 KB\n");
- fwrite($fout, "reply_body_max_size 0 allow all\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "httpd_accel_host virtual\n");
- fwrite($fout, "httpd_accel_port 80\n");
- fwrite($fout, "httpd_accel_with_proxy on\n");
- fwrite($fout, "httpd_accel_uses_host_header on\n");
-
- fclose($fout);
-}
-
-function mod_htpasswd() {
- global $config;
- conf_mount_rw();
- config_lock();
-
- if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
-
- $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
-
- if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
- foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) {
- $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']);
- fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
- }
- }
-
- fclose($passfile);
-
- conf_mount_ro();
- config_unlock();
-}
-
-function generate_htpasswd($username, $password) {
- $all = explode( " ",
- "a b c d e f g h i j k l m n o p q r s t u v w x y z "
- . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z "
- . "0 1 2 3 4 5 6 7 8 9");
-
- for ($i = 0; $i < 9; $i++) {
- srand((double)microtime()*1000000);
- $randy = rand(0,61);
- $seed .= $all[$randy];
- }
-
- $crypt = crypt($password, "$1$$seed");
- return $crypt;
-}
-
-?>
diff --git a/config/squid3/old/squid_ng.xml b/config/squid3/old/squid_ng.xml
deleted file mode 100644
index 3448657f..00000000
--- a/config/squid3/old/squid_ng.xml
+++ /dev/null
@@ -1,267 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squid</name>
- <version>2.5.12_4</version>
- <title>Services: Proxy Server</title>
- <category>Security</category>
- <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</aftersaveredirect>
- <include_file>/usr/local/pkg/squid_ng.inc</include_file>
- <menu>
- <name>Squid</name>
- <tooltiptext>Modify settings for Proxy Server</tooltiptext>
- <section>Services</section>
- <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
- </menu>
- <menu>
- <name>Squid stats</name>
- <tooltiptext>Show Squid statistics</tooltiptext>
- <section>Services</section>
- <url>/cachemgr.cgi</url>
- </menu>
- <service>
- <name>squid</name>
- <rcfile>squid.sh</rcfile>
- </service>
- <tabs>
- <tab>
- <text>General Settings</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Network Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Extended Auth</text>
- <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
- </tab>
- </tabs>
- <configpath>installedpackages->package->squidng->configuration->settings</configpath>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_cache.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_nac.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_ng.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_traffic.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_upstream.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_auth.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_auth.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
- <item>https://packages.pfsense.org/packages/config/squid3/squid_extauth.xml</item>
- </additional_files_needed>
- <fields>
- <field>
- <fielddescr>Proxy Listening Interface</fielddescr>
- <fieldname>active_interface</fieldname>
- <description>This defines the active listening interface to which the proxy server will listen for its requests.</description>
- <type>interfaces_selection</type>
- </field>
- <field>
- <fielddescr>Transparent Proxy</fielddescr>
- <fieldname>transparent_proxy</fieldname>
- <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>URL Filtering Enabled</fielddescr>
- <fieldname>urlfilter_enable</fieldname>
- <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Disable Access Log</fielddescr>
- <fieldname>accesslog_disabled</fieldname>
- <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Log Query Terms</fielddescr>
- <fieldname>log_query_terms</fieldname>
- <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Log User Agents</fielddescr>
- <fieldname>log_user_agents</fieldname>
- <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Proxy Port</fielddescr>
- <fieldname>proxy_port</fieldname>
- <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description>
- <type>input</type>
- <size>4</size>
- <combinefieldsend>true</combinefieldsend>
- </field>
- <field>
- <fielddescr>ICP Port</fielddescr>
- <fieldname>icp_port</fieldname>
- <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description>
- <type>input</type>
- <size>4</size>
- </field>
- <field>
- <fielddescr>Visible Hostname</fielddescr>
- <fieldname>visible_hostname</fieldname>
- <description>This URL is displayed on the Proxy Server error messages.</description>
- <type>input</type>
- <size>35</size>
- </field>
- <field>
- <fielddescr>Cache Administrator E-Mail</fielddescr>
- <fieldname>cache_admin_email</fieldname>
- <description>This E-Mail address is displayed on the Proxy Server error messages.</description>
- <type>input</type>
- <size>35</size>
- </field>
- <field>
- <fielddescr>Error Messages Language</fielddescr>
- <fieldname>error_language</fieldname>
- <description>Select the language in which the Proxy Server shall display error messages to users.</description>
- <type>select</type>
- <options>
- <option><name>Bulgarian</name><value>Bulgarian</value></option>
- <option><name>Catalan</name><value>Catalan</value></option>
- <option><name>Czech</name><value>Czech</value></option>
- <option><name>Danish</name><value>Danish</value></option>
- <option><name>Dutch</name><value>Dutch</value></option>
- <option><name>English</name><value>English</value></option>
- <option><name>Estonian</name><value>Estonian</value></option>
- <option><name>Finnish</name><value>Finnish</value></option>
- <option><name>French</name><value>French</value></option>
- <option><name>German</name><value>German</value></option>
- <option><name>Hebrew</name><value>Hebrew</value></option>
- <option><name>Hungarian</name><value>Hungarian</value></option>
- <option><name>Italian</name><value>Italian</value></option>
- <option><name>Japanese</name><value>Japanese</value></option>
- <option><name>Korean</name><value>Korean</value></option>
- <option><name>Lithuanian</name><value>Lithuanian</value></option>
- <option><name>Polish</name><value>Polish</value></option>
- <option><name>Portuguese</name><value>Portuguese</value></option>
- <option><name>Romanian</name><value>Romanian</value></option>
- <option><name>Russian-1251</name><value>Russian-1251</value></option>
- <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
- <option><name>Serbian</name><value>Serbian</value></option>
- <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
- <option><name>Slovak</name><value>Slovak</value></option>
- <option><name>Spanish</name><value>Spanish</value></option>
- <option><name>Swedish</name><value>Swedish</value></option>
- <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
- <option><name>Turkish</name><value>Turkish</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Enable cachemgr</fielddescr>
- <fieldname>cachemgr_enabled</fieldname>
- <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. &lt;b&gt;Note:&lt;/b&gt; This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description>
- <type>checkbox</type>
- </field>
-
- </fields>
- <custom_add_php_command_late>
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_add_php_command_late>
- <custom_php_install_command>
- custom_php_install_command();
- write_static_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_php_install_command>
- <custom_php_deinstall_command>
- custom_php_deinstall_command();
- stop_service("squid");
- </custom_php_deinstall_command>
-</packagegui>
diff --git a/config/squid3/old/squid_traffic.xml b/config/squid3/old/squid_traffic.xml
deleted file mode 100644
index f34eec19..00000000
--- a/config/squid3/old/squid_traffic.xml
+++ /dev/null
@@ -1,177 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidtraffic</name>
- <version>none</version>
- <title>Proxy server: Traffic management</title>
- <include_file>squid.inc</include_file>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <fields>
- <field>
- <fielddescr>Maximum download size</fielddescr>
- <fieldname>max_download_size</fieldname>
- <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description>
- <type>input</type>
- <required/>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Maximum upload size</fielddescr>
- <fieldname>max_upload_size</fieldname>
- <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description>
- <type>input</type>
- <required/>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Overall bandwidth throttling</fielddescr>
- <fieldname>overall_throttling</fieldname>
- <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description>
- <type>input</type>
- <required/>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Per-host throttling</fielddescr>
- <fieldname>perhost_throttling</fieldname>
- <description>This value specifies the download throttling per host. Set to 0 to disable this.</description>
- <type>input</type>
- <required/>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Throttle only specific extensions</fielddescr>
- <fieldname>throttle_specific</fieldname>
- <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description>
- <type>checkbox</type>
- <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields>
- <default_value>on</default_value>
- </field>
- <field>
- <fielddescr>Throttle binary files</fielddescr>
- <fieldname>throttle_binaries</fieldname>
- <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Throttle CD images</fielddescr>
- <fieldname>throttle_cdimages</fieldname>
- <description>Check this to apply bandwidth throttle to CD image files.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Throttle multimedia files</fielddescr>
- <fieldname>throttle_multimedia</fieldname>
- <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Throttle other extensions</fielddescr>
- <fieldname>throttle_others</fieldname>
- <description>Comma-separated list of extensions to apply bandwidth throttle to.</description>
- <type>input</type>
- <size>60</size>
- </field>
- <field>
- <fielddescr>Finish transfer if less than x KB remaining</fielddescr>
- <fieldname>quick_abort_min</fieldname>
- <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description>
- <type>input</type>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Abort transfer if more than x KB remaining</fielddescr>
- <fieldname>quick_abort_max</fieldname>
- <description>If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately.</description>
- <type>input</type>
- <default_value>0</default_value>
- </field>
- <field>
- <fielddescr>Finish transfer if more than x % finished</fielddescr>
- <fieldname>quick_abort_pct</fieldname>
- <description>If more than x % of the transfer has completed, it will finish the retrieval.</description>
- <type>input</type>
- <default_value>0</default_value>
- </field>
- </fields>
- <custom_php_validation_command>
- squid_validate_traffic($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- squid_resync();
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/config/squid3/old/squid_upstream.xml b/config/squid3/old/squid_upstream.xml
deleted file mode 100644
index b9a14dc8..00000000
--- a/config/squid3/old/squid_upstream.xml
+++ /dev/null
@@ -1,133 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidupstream</name>
- <version>none</version>
- <title>Proxy server: Upstream proxy settings</title>
- <include_file>squid.inc</include_file>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- </tab>
- </tabs>
- <fields>
- <field>
- <fielddescr>Enable forwarding</fielddescr>
- <fieldname>proxy_forwarding</fieldname>
- <description>This option enables the proxy server to forward requests to an upstream server.</description>
- <type>checkbox</type>
- <enablefields>proxy_addr,proxy_port,icp_port,username,password</enablefields>
- <required/>
- </field>
- <field>
- <fielddescr>Hostname</fielddescr>
- <fieldname>proxy_addr</fieldname>
- <description>Enter here the IP address or host name of the upstream proxy.</description>
- <type>input</type>
- </field>
- <field>
- <fielddescr>TCP port</fielddescr>
- <fieldname>proxy_port</fieldname>
- <description>Enter the port to use to connect to the upstream proxy.</description>
- <type>input</type>
- <size>5</size>
- <default_value>3128</default_value>
- </field>
- <field>
- <fielddescr>ICP port</fielddescr>
- <fieldname>icp_port</fieldname>
- <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description>
- <type>input</type>
- <size>5</size>
- <default_value>7</default_value>
- </field>
- <field>
- <fielddescr>Username</fielddescr>
- <fieldname>username</fieldname>
- <description>If the upstream proxy requires a username, specify it here.</description>
- <type>input</type>
- </field>
- <field>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>If the upstream proxy requires a password, specify it here.</description>
- <type>password</type>
- </field>
- </fields>
- <custom_php_validation_command>
- squid_validate_upstream($_POST, $input_errors);
- </custom_php_validation_command>
- <custom_php_resync_config_command>
- squid_resync();
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/config/squid3/old/squid_users.xml b/config/squid3/old/squid_users.xml
deleted file mode 100644
index eef6389f..00000000
--- a/config/squid3/old/squid_users.xml
+++ /dev/null
@@ -1,120 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidusers</name>
- <version>none</version>
- <title>Proxy server: Local users</title>
- <include_file>squid.inc</include_file>
- <delete_string>A proxy server user has been deleted.</delete_string>
- <addedit_string>A proxy server user has been created/modified.</addedit_string>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Auth Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
- </tab>
- <tab>
- <text>Local Users</text>
- <url>/pkg.php?xml=squid_users.xml</url>
- <active/>
- </tab>
- </tabs>
- <adddeleteeditpagefields>
- <columnitem>
- <fielddescr>Username</fielddescr>
- <fieldname>username</fieldname>
- </columnitem>
- <columnitem>
- <fielddescr>Description</fielddescr>
- <fieldname>description</fieldname>
- </columnitem>
- </adddeleteeditpagefields>
- <fields>
- <field>
- <fielddescr>Username</fielddescr>
- <fieldname>username</fieldname>
- <description>Enter the username here.</description>
- <type>input</type>
- <required/>
- </field>
- <field>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Enter the password here.</description>
- <type>password</type>
- <required/>
- </field>
- <field>
- <fielddescr>Description</fielddescr>
- <fieldname>description</fieldname>
- <description>You may enter a description here for your reference (not parsed).</description>
- <type>input</type>
- </field>
- </fields>
- <custom_php_resync_config_command>
- squid_resync_users();
- </custom_php_resync_config_command>
-</packagegui>
diff --git a/config/stunnel/stunnel.inc b/config/stunnel/stunnel.inc
index 571cfb01..dd3eee5c 100644
--- a/config/stunnel/stunnel.inc
+++ b/config/stunnel/stunnel.inc
@@ -1,5 +1,13 @@
<?php
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version == "2.1" || $pf_version == "2.2") {
+ define('STUNNEL_LOCALBASE', '/usr/pbi/stunnel-' . php_uname("m"));
+} else {
+ define('STUNNEL_LOCALBASE','/usr/local');
+}
+define('STUNNEL_ETCDIR', STUNNEL_LOCALBASE . "/etc/stunnel");
+
if(!isset($_GET['id']) and !isset($_POST['id'])) {
if($GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']) {
$savemsg=$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg'];
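Review bot: The two `define()` calls on the added lines are unguarded, so if stunnel.inc is included more than once in a request PHP emits "Constant already defined" notices; wrapping them as `if (!defined('STUNNEL_LOCALBASE')) { ... }` (and likewise for `STUNNEL_ETCDIR`) avoids that. The version detection takes a fixed three-character prefix of /etc/version and never checks the `file_get_contents()` result, so a missing or unreadable file yields `""` and silently selects the `/usr/local` layout, and any version string not of the form `x.y` is misclassified. Consider checking the read result and comparing with `version_compare()` against the versions that use the PBI layout rather than a prefix match.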
@@ -105,9 +113,9 @@ function stunnel_disablefields() {
function stunnel_delete($config) {
$cert=$config['installedpackages']['stunnelcerts']['config'][$_GET['id']];
if(isset($_GET['id'])) {
- unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'pem');
- unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'key');
- unlink_if_exists('/usr/local/etc/stunnel/'.$cert['filename'].'chain');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'pem');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'key');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'chain');
}
}
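Review bot: The rewritten `unlink_if_exists()` calls on the new side keep the pre-existing missing dot before the extension (`$cert['filename'].'pem'`), while stunnel_save_cert writes these files as `$_cert['hash'].'.key'`, `'.chain'` and `'.pem'`, so deleting a certificate entry never removes its files and the private key stays on disk under STUNNEL_ETCDIR. Since these lines are being touched anyway, change them to `unlink_if_exists(STUNNEL_ETCDIR . '/'.$cert['filename'].'.pem');` and the same for `.key` and `.chain`. Separately, `$cert` is looked up with `$_GET['id']` one line before `isset($_GET['id'])` is checked; that is pre-existing, but the lookup belongs inside the guard.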
@@ -115,19 +123,22 @@ function stunnel_save($config) {
$GLOBALS['config']['installedpackages']['stunnelcerts']['savemsg']='';
conf_mount_rw();
config_lock();
- $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
- fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
+ if (!file_exists(STUNNEL_ETCDIR))
+ @mkdir(STUNNEL_ETCDIR, 0755, true);
+ $fout = fopen(STUNNEL_ETCDIR . "/stunnel.conf","w");
+ fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n");
fwrite($fout, "chroot = /var/tmp/stunnel \n");
fwrite($fout, "setuid = stunnel \n");
fwrite($fout, "setgid = stunnel \n");
if(!is_array($config['installedpackages']['stunnel']['config'])) { $config['installedpackages']['stunnel']['config']=Array(); }
foreach($config['installedpackages']['stunnel']['config'] as $pkgconfig) {
fwrite($fout, "\n[" . $pkgconfig['description'] . "]\n");
+ if($pkgconfig['client']) fwrite($fout, "client = yes" . "\n");
if($pkgconfig['certificate']) {
- if(file_exists('/usr/local/etc/stunnel/'.$pkgconfig['certificate'].'.key') and
- file_exists('/usr/local/etc/stunnel/'.$pkgconfig['certificate'].'.chain')) {
- fwrite($fout, "key = /usr/local/etc/stunnel/" . $pkgconfig['certificate'] . ".key\n");
- fwrite($fout, "cert = /usr/local/etc/stunnel/" . $pkgconfig['certificate'] . ".chain\n");
+ if(file_exists(STUNNEL_ETCDIR . '/'.$pkgconfig['certificate'].'.key') and
+ file_exists(STUNNEL_ETCDIR . '/'.$pkgconfig['certificate'].'.chain')) {
+ fwrite($fout, "key = " . STUNNEL_ETCDIR . "/" . $pkgconfig['certificate'] . ".key\n");
+ fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/" . $pkgconfig['certificate'] . ".chain\n");
}
}
if($pkgconfig['sourceip']) fwrite($fout, "local = " . $pkgconfig['sourceip'] . "\n");
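Review bot: `@mkdir(STUNNEL_ETCDIR, 0755, true)` suppresses any failure and the `fopen()` result on the next added line is never checked, so if the directory cannot be created `$fout` is false and every `fwrite()` in this function fails quietly after conf_mount_rw()/config_lock() have already been taken. Check both results explicitly, e.g. `if (!is_dir(STUNNEL_ETCDIR) && !mkdir(STUNNEL_ETCDIR, 0755, true)) { /* report, release the lock, return */ }` and `if ($fout === false) { ... }`; the function body continues outside this hunk, so the unlock/unmount calls that error path must reach are not visible here. The added `client = yes` line is not accompanied by any `verify`/`CAfile` directive, so unless it is configured elsewhere a client-mode section runs with stunnel's default of no peer verification; a comment recording that this is intentional (or a follow-up adding verification options) would help.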
@@ -160,15 +171,15 @@ function stunnel_save_cert($config) {
# echo("</pre>");
if($_cert['hash']) {
if(openssl_x509_check_private_key($_POST['cert_chain'], $_POST['cert_key'])) {
- file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.key',
+ file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.key',
$_POST['cert_key']);
- file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.chain',
+ file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.chain',
$_POST['cert_chain']);
- file_put_contents('/usr/local/etc/stunnel/'.$_cert['hash'].'.pem',
+ file_put_contents(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.pem',
$_POST['cert_key']."\n".$_POST['cert_chain']);
- system('chown stunnel:stunnel /usr/local/etc/stunnel/*');
- chmod('/usr/local/etc/stunnel/'.$_cert['hash'].'.key', 0600);
- chmod('/usr/local/etc/stunnel/'.$_cert['hash'].'.pem', 0600);
+ system('chown stunnel:stunnel ' . STUNNEL_ETCDIR . '/*');
+ chmod(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.key', 0600);
+ chmod(STUNNEL_ETCDIR . '/'.$_cert['hash'].'.pem', 0600);
$_POST['filename']=$_cert['hash'];
$_POST['expiry_raw']=$_cert['validTo_time_t'];
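Review bot: On the new lines the private key is written with `file_put_contents()` under the process umask and only afterwards tightened with `chmod(..., 0600)`, so the `.key` and `.pem` files briefly exist with default permissions, and the `system('chown ...')` call in between widens that window. Narrow it by creating the files restrictive from the start, e.g. `$old_umask = umask(077);` before the three `file_put_contents()` calls and `umask($old_umask);` after them, keeping the explicit `chmod()` calls as a second line of defence. `$_cert['hash']` is used as the file name; it presumably comes from the parsed certificate earlier in stunnel_save_cert, whose start is outside this hunk, so it is worth confirming it cannot contain path separators.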
@@ -190,29 +201,29 @@ function stunnel_save_cert($config) {
$_POST['cert_chain']=base64_encode($_POST['cert_chain']);
$_fname=$GLOBALS['config']['installedpackages']['stunnelcerts']['config'][$_POST['id']]['filename'];
if($_fname and $_fname!=$_POST['filename']) {
- unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.chain');
- unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.key');
- unlink_if_exists('/usr/local/etc/stunnel/'.$_fname.'.pem');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.chain');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.key');
+ unlink_if_exists(STUNNEL_ETCDIR . '/'.$_fname.'.pem');
}
}
}
function stunnel_install() {
- safe_mkdir("/usr/local/etc/stunnel");
- system("/usr/bin/openssl req -new -x509 -days 365 -nodes -out /usr/local/etc/stunnel/stunnel.pem -keyout /usr/local/etc/stunnel/stunnel.pem 2>/dev/null");
- chmod("/usr/local/etc/stunnel/stunnel.pem", 0600);
- make_dirs("/var/tmp/stunnel/var/tmp/run/stunnel");
+ safe_mkdir(STUNNEL_ETCDIR);
+ system("/usr/bin/openssl req -new -x509 -days 365 -nodes -out " . STUNNEL_ETCDIR . "/stunnel.pem -keyout " . STUNNEL_ETCDIR . "/stunnel.pem 2>/dev/null");
+ chmod(STUNNEL_ETCDIR . "/stunnel.pem", 0600);
+ @mkdir("/var/tmp/stunnel/var/tmp/run/stunnel", 0755, true);
system("/usr/sbin/chown -R stunnel:stunnel /var/tmp/stunnel");
$_rcfile['file']='stunnel.sh';
- $_rcfile['start'].="/usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf \n\t";
+ $_rcfile['start'].= STUNNEL_LOCALBASE . "/bin/stunnel " . STUNNEL_ETCDIR . "/stunnel.conf \n\t";
$_rcfile['stop'].="killall stunnel \n\t";
write_rcfile($_rcfile);
unlink_if_exists("/usr/local/etc/rc.d/stunnel");
conf_mount_rw();
config_lock();
- $fout = fopen("/usr/local/etc/stunnel/stunnel.conf","w");
- fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem \n");
+ $fout = fopen(STUNNEL_ETCDIR . "/stunnel.conf","w");
+ fwrite($fout, "cert = " . STUNNEL_ETCDIR . "/stunnel.pem \n");
fwrite($fout, "chroot = /var/tmp/stunnel \n");
fwrite($fout, "setuid = stunnel \n");
fwrite($fout, "setgid = stunnel \n");
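Review bot: The `openssl req` call regenerates `stunnel.pem` unconditionally on every install, overwriting a key an operator may already have placed there, and because `-keyout` and `-out` target the same file the private key sits at default-umask permissions until the `chmod()` on the following line. Guard it with `if (!file_exists(STUNNEL_ETCDIR . "/stunnel.pem")) {` and bracket the call with `umask(077)` / restore, or create and chmod the file before running openssl. The command passes no `-subj`, so it presumably relies on openssl.cnf defaults to run non-interactively — worth a one-line comment stating that assumption. stunnel_install continues past the end of this hunk.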
@@ -232,7 +243,7 @@ function stunnel_install() {
function stunnel_deinstall() {
rmdir_recursive("/var/tmp/stunnel");
- rmdir_recursive("/usr/local/etc/stunnel*");
+ rmdir_recursive(STUNNEL_ETCDIR);
unlink_if_exists("/usr/local/etc/rc.d/stunnel.sh");
}
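Review bot: `rmdir_recursive(STUNNEL_ETCDIR)` removes the configuration and private keys without first stopping the daemon, so unless the package framework stops the service before calling this (not visible here), a running stunnel keeps serving from its chroot with its rc script and config already gone. Calling the rc stop action (`mwexec("killall stunnel")`, matching the `stop` line written by stunnel_install) before the two removals would make deinstall self-contained.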
diff --git a/config/stunnel/stunnel.xml b/config/stunnel/stunnel.xml
index 21e023a9..bb66d196 100644
--- a/config/stunnel/stunnel.xml
+++ b/config/stunnel/stunnel.xml
@@ -116,6 +116,12 @@
<type>input</type>
</field>
<field>
+ <fielddescr>Client Mode</fielddescr>
+ <fieldname>client</fieldname>
+ <description>Use client mode for this tunnel (i.e. connect to an SSL server, do not act as an SSL server)</description>
+ <type>checkbox</type>
+ </field>
+ <field>
<fielddescr>Listen on IP</fielddescr>
<fieldname>localip</fieldname>
<description>Enter the local IP address to bind this redirection to.</description>
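Review bot: Enabling this checkbox emits only `client = yes` (see the .inc hunk at the top of this diff); no `verify`, `CAfile` or `checkHost` option is written, so in client mode the tunnel will accept any certificate the remote server presents. Until those options are exposed, the description should say so, e.g. `Use client mode for this tunnel (connect to an SSL server instead of acting as one). Note: the remote server's certificate is not currently verified.`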
@@ -158,7 +164,7 @@
</fields>
<service>
<name>stunnel</name>
- <rcfile>/usr/local/etc/rc.d/stunnel.sh</rcfile>
+ <rcfile>stunnel.sh</rcfile>
<executable>stunnel</executable>
</service>
<include_file>/usr/local/pkg/stunnel.inc</include_file>
@@ -174,4 +180,4 @@
<custom_php_after_form_command>
stunnel_addcerts($config);
</custom_php_after_form_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/sudo/sudo.inc b/config/sudo/sudo.inc
index a8107029..1c07984d 100644
--- a/config/sudo/sudo.inc
+++ b/config/sudo/sudo.inc
@@ -31,11 +31,6 @@ require_once("config.inc");
global $pfs_version;
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
switch ($pfs_version) {
- case "1.2":
- case "2.0":
- define('SUDO_BASE','/usr/local');
- define('SUDO_LIBEXEC_DIR', '/usr/local/libexec/sudo');
- break;
case "2.1":
// Hackish way to detect if someone manually did pkg_add rather than use pbi.
if (is_dir('/usr/pbi/sudo-' . php_uname("m"))) {
@@ -46,7 +41,7 @@ switch ($pfs_version) {
define('SUDO_LIBEXEC_DIR', '/usr/local/libexec/sudo');
}
break;
- default:
+ case "2.2":
define('SUDO_BASE','/usr/local');
// Hackish way to detect if someone manually did pkg_add rather than use pbi.
if (is_dir('/usr/pbi/sudo-' . php_uname("m"))) {
@@ -54,6 +49,10 @@ switch ($pfs_version) {
} else {
define('SUDO_LIBEXEC_DIR', '/usr/local/libexec/sudo');
}
+ break;
+ default:
+ define('SUDO_BASE','/usr/local');
+ define('SUDO_LIBEXEC_DIR', '/usr/local/libexec/sudo');
}
define('SUDO_CONFIG_DIR', SUDO_BASE . '/etc');
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index 88628877..91708672 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -42,7 +42,7 @@
<description>Suricata IDS/IPS Package</description>
<requirements>None</requirements>
<name>suricata</name>
- <version>2.0.4 pkg v2.1.4</version>
+ <version>2.0.8 pkg v2.1.5</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc
index eb1ba2d0..ab2f864f 100644
--- a/config/suricata/suricata_check_cron_misc.inc
+++ b/config/suricata/suricata_check_cron_misc.inc
@@ -104,6 +104,9 @@ function suricata_check_dir_size_limit($suricataloglimitsize) {
// Check for any captured stored files and clean them up
unlink_if_exists("{$suricata_log_dir}/files/*");
+ // Check for any captured stored TLS certs and clean them up
+ unlink_if_exists("{$suricata_log_dir}/certs/*");
+
// This is needed if suricata is run as suricata user
mwexec('/bin/chmod 660 /var/log/suricata/*', true);
}
@@ -237,6 +240,23 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] ==
unset($files);
}
+ // Prune aged-out TLS Certs Store files if any exist
+ if (is_dir("{$suricata_log_dir}/certs") &&
+ $config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'] > 0) {
+ $now = time();
+ $files = glob("{$suricata_log_dir}/certs/*.*");
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ }
+ if ($prune_count > 0)
+ log_error(gettext("[Suricata] TLS Certs Store cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/certs/..."));
+ unset($files);
+ }
+
// Prune any pcap log files over configured limit
$files = glob("{$suricata_log_dir}/log.pcap.*");
if (count($files) > $value['max_pcap_log_files']) {
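Review bot: `glob()` returns `false` rather than an empty array on failure, and `foreach` over `false` emits a warning; use `$files = glob("{$suricata_log_dir}/certs/*.*") ?: array();` (or `is_array()` check) so the cron job stays quiet. The pattern `*.*` also skips any file without a dot in its name, whereas the size-limit cleanup earlier in this file uses `certs/*` — pick one pattern and add `if (!is_file($f)) continue;` so subdirectories are never passed to `unlink_if_exists()`. `filemtime()` can likewise return `false` for a file removed between the `glob()` and the check, which would then be pruned immediately; a `false` check before the subtraction avoids that.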
diff --git a/config/suricata/suricata_defs.inc b/config/suricata/suricata_defs.inc
index 7758a9f0..5467f88c 100644
--- a/config/suricata/suricata_defs.inc
+++ b/config/suricata/suricata_defs.inc
@@ -58,9 +58,14 @@ $suricata_package_version = "Suricata {$config['installedpackages']['package'][g
if (!defined('SURICATA_PKG_VER'))
define('SURICATA_PKG_VER', $suricata_package_version);
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
// Define the PBI base directory
-if (!defined('SURICATA_PBI_BASEDIR'))
- define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m") . '/');
+if (!defined('SURICATA_PBI_BASEDIR')) {
+ if ($pf_version == "2.1" || $pf_version == "2.2")
+ define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m") . '/');
+ else
+ define('SURICATA_PBI_BASEDIR', '/usr/local/');
+}
// Define the PBI binary wrapper directory
if (!defined('SURICATA_PBI_BINDIR'))
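Review bot: `$pf_version` is a new file-level global that lands in the scope of every file including suricata_defs.inc and can silently overwrite a caller's variable of the same name (syslog-ng.inc in this same diff introduces an identical global). If `file_get_contents("/etc/version")` fails the value becomes `""` and the base directory silently falls back to `/usr/local/`, with no log message. Inline the check so nothing leaks, e.g. `if (in_array(substr(trim(file_get_contents("/etc/version")), 0, 3), array("2.1", "2.2"), true))`, and consider a `log_error()` in the fallback branch.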
diff --git a/config/suricata/suricata_logs_mgmt.php b/config/suricata/suricata_logs_mgmt.php
index aa353d6f..4bb49958 100644
--- a/config/suricata/suricata_logs_mgmt.php
+++ b/config/suricata/suricata_logs_mgmt.php
@@ -67,6 +67,7 @@ $pconfig['tls_log_retention'] = $config['installedpackages']['suricata']['config
$pconfig['unified2_log_limit'] = $config['installedpackages']['suricata']['config'][0]['unified2_log_limit'];
$pconfig['u2_archive_log_retention'] = $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'];
$pconfig['file_store_retention'] = $config['installedpackages']['suricata']['config'][0]['file_store_retention'];
+$pconfig['tls_certs_store_retention'] = $config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'];
$pconfig['dns_log_limit_size'] = $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size'];
$pconfig['dns_log_retention'] = $config['installedpackages']['suricata']['config'][0]['dns_log_retention'];
$pconfig['eve_log_limit_size'] = $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size'];
@@ -112,6 +113,8 @@ if (!isset($pconfig['u2_archive_log_retention']))
$pconfig['u2_archive_log_retention'] = "168";
if (!isset($pconfig['file_store_retention']))
$pconfig['file_store_retention'] = "168";
+if (!isset($pconfig['tls_certs_store_retention']))
+ $pconfig['tls_certs_store_retention'] = "168";
if (!isset($pconfig['eve_log_retention']))
$pconfig['eve_log_retention'] = "168";
if (!isset($pconfig['sid_changes_log_retention']))
@@ -151,6 +154,7 @@ if ($_POST['ResetAll']) {
$pconfig['tls_log_retention'] = "336";
$pconfig['u2_archive_log_retention'] = "168";
$pconfig['file_store_retention'] = "168";
+ $pconfig['tls_certs_store_retention'] = "168";
$pconfig['eve_log_retention'] = "168";
$pconfig['sid_changes_log_retention'] = "336";
@@ -216,6 +220,7 @@ if ($_POST["save"] || $_POST['apply']) {
$config['installedpackages']['suricata']['config'][0]['unified2_log_limit'] = $_POST['unified2_log_limit'];
$config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] = $_POST['u2_archive_log_retention'];
$config['installedpackages']['suricata']['config'][0]['file_store_retention'] = $_POST['file_store_retention'];
+ $config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'] = $_POST['tls_certs_store_retention'];
$config['installedpackages']['suricata']['config'][0]['dns_log_limit_size'] = $_POST['dns_log_limit_size'];
$config['installedpackages']['suricata']['config'][0]['dns_log_retention'] = $_POST['dns_log_retention'];
$config['installedpackages']['suricata']['config'][0]['eve_log_limit_size'] = $_POST['eve_log_limit_size'];
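Review bot: The new line stores `$_POST['tls_certs_store_retention']` into the config as-is; the cron job later multiplies it by 3600 and compares against file age, so a non-numeric or negative value would silently disable pruning of captured certificates. Unless validation happens earlier in this save handler (not visible in the hunk), reject values that are not keys of `$retentions`: `if (!array_key_exists($_POST['tls_certs_store_retention'], $retentions)) $input_errors[] = gettext("Invalid TLS certs retention value.");`. The enclosing save block starts and ends outside this hunk.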
@@ -588,6 +593,19 @@ if ($savemsg) {
</td>
</tr>
<tr>
+ <td class="vncell" width="22%" valign="top"><?=gettext("Captured TLS Certs Retention Period");?></td>
+ <td width="78%" class="vtable"><select name="tls_certs_store_retention" class="formselect" id="tls_certs_store_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['tls_certs_store_retention']) echo "selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;<?=gettext("Choose retention period for captured TLS Certs. Default is ") . "<strong>" . gettext("7 days."). "</strong>";?><br/><br/>
+ <?=gettext("When custom rules with tls.store are enabled, Suricata captures Certificates, along with metadata, ") .
+ gettext("for later analysis. This setting determines how long files remain in the Certs folder before they are automatically deleted.");?>
+ </td>
+</tr>
+<tr>
<td width="22%"></td>
<td width="78%" class="vexpl"><input name="save" type="submit" class="formbtn" value="Save"/>
&nbsp;&nbsp;&nbsp;&nbsp;<input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 75e13315..384033b3 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -94,6 +94,96 @@ if (empty($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enabl
$updated_cfg = true;
}
+/**********************************************************/
+/* Set default log size and retention limits if not set */
+/**********************************************************/
+if (!isset($config['installedpackages']['suricata']['config'][0]['alert_log_retention']) && $config['installedpackages']['suricata']['config'][0]['alert_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['alert_log_retention'] = "336";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['alert_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['alert_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['alert_log_limit_size'] = "500";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['block_log_retention']) && $config['installedpackages']['suricata']['config'][0]['block_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['block_log_retention'] = "336";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['block_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['block_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['block_log_limit_size'] = "500";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['dns_log_retention']) && $config['installedpackages']['suricata']['config'][0]['dns_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['dns_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['dns_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size'] = "750";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['eve_log_retention']) && $config['installedpackages']['suricata']['config'][0]['eve_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['eve_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['eve_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size'] = "5000";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['files_json_log_retention']) && $config['installedpackages']['suricata']['config'][0]['files_json_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['files_json_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['files_json_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['files_json_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['files_json_log_limit_size'] = "1000";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['http_log_retention']) && $config['installedpackages']['suricata']['config'][0]['http_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['http_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['http_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['http_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['http_log_limit_size'] = "1000";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['stats_log_retention']) && $config['installedpackages']['suricata']['config'][0]['stats_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['stats_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['stats_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['stats_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['stats_log_limit_size'] = "500";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['tls_log_retention']) && $config['installedpackages']['suricata']['config'][0]['tls_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['tls_log_retention'] = "336";
+ $updated_cfg = true;
+}
+if (!isset($config['installedpackages']['suricata']['config'][0]['tls_log_limit_size']) && $config['installedpackages']['suricata']['config'][0]['tls_log_limit_size'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['tls_log_limit_size'] = "500";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['file_store_retention']) && $config['installedpackages']['suricata']['config'][0]['file_store_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['file_store_retention'] = "168";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention']) && $config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['tls_certs_store_retention'] = "168";
+ $updated_cfg = true;
+}
+
+if (!isset($config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention']) && $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] != '0') {
+ $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] = "168";
+ $updated_cfg = true;
+}
+
// Now process the interface-specific settings
foreach ($rule as &$r) {
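Review bot: In each of the new conditions the second clause is dead: when `!isset($x)` holds, `$x` is null and `null != '0'` is always true, so every block is just "set the default when the key is absent", and a key holding an empty string (for which `isset()` is true) never receives a default. If the explicit `'0'` test means "treat '' like absent but keep an explicit 0", write the test as `if (empty($config[...]['alert_log_retention']) && $config[...]['alert_log_retention'] !== '0') {` (empty() covers null and ''; the strict `!== '0'` preserves a deliberate zero). Otherwise drop the second clause so the intent is not misread by the next maintainer.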
@@ -196,87 +286,88 @@ foreach ($rule as &$r) {
}
/******************************************************************/
- /* Create default log size and retention limits if not set */
+ /* Remove per interface default log size and retention limits */
+ /* if they were set by early bug. */
/******************************************************************/
- if (!isset($pconfig['alert_log_retention']) && $pconfig['alert_log_retention'] != '0') {
- $pconfig['alert_log_retention'] = "336";
+ if (isset($pconfig['alert_log_retention'])) {
+ unset($pconfig['alert_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['alert_log_limit_size']) && $pconfig['alert_log_limit_size'] != '0') {
- $pconfig['alert_log_limit_size'] = "500";
+ if (isset($pconfig['alert_log_limit_size'])) {
+ unset($pconfig['alert_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['block_log_retention']) && $pconfig['block_log_retention'] != '0') {
- $pconfig['block_log_retention'] = "336";
+ if (isset($pconfig['block_log_retention'])) {
+ unset($pconfig['block_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['block_log_limit_size']) && $pconfig['block_log_limit_size'] != '0') {
- $pconfig['block_log_limit_size'] = "500";
+ if (isset($pconfig['block_log_limit_size'])) {
+ unset($pconfig['block_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['dns_log_retention']) && $pconfig['dns_log_retention'] != '0') {
- $pconfig['dns_log_retention'] = "168";
+ if (isset($pconfig['dns_log_retention'])) {
+ unset($pconfig['dns_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['dns_log_limit_size']) && $pconfig['dns_log_limit_size'] != '0') {
- $pconfig['dns_log_limit_size'] = "750";
+ if (isset($pconfig['dns_log_limit_size'])) {
+ unset($pconfig['dns_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['eve_log_retention']) && $pconfig['eve_log_retention'] != '0') {
- $pconfig['eve_log_retention'] = "168";
+ if (isset($pconfig['eve_log_retention'])) {
+ unset($pconfig['eve_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['eve_log_limit_size']) && $pconfig['eve_log_limit_size'] != '0') {
- $pconfig['eve_log_limit_size'] = "5000";
+ if (isset($pconfig['eve_log_limit_size'])) {
+ unset($pconfig['eve_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['files_json_log_retention']) && $pconfig['files_json_log_retention'] != '0') {
- $pconfig['files_json_log_retention'] = "168";
+ if (isset($pconfig['files_json_log_retention'])) {
+ unset($pconfig['files_json_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['files_json_log_limit_size']) && $pconfig['files_json_log_limit_size'] != '0') {
- $pconfig['files_json_log_limit_size'] = "1000";
+ if (isset($pconfig['files_json_log_limit_size'])) {
+ unset($pconfig['files_json_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['http_log_retention']) && $pconfig['http_log_retention'] != '0') {
- $pconfig['http_log_retention'] = "168";
+ if (isset($pconfig['http_log_retention'])) {
+ unset($pconfig['http_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['http_log_limit_size']) && $pconfig['http_log_limit_size'] != '0') {
- $pconfig['http_log_limit_size'] = "1000";
+ if (isset($pconfig['http_log_limit_size'])) {
+ unset($pconfig['http_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['stats_log_retention']) && $pconfig['stats_log_retention'] != '0') {
- $pconfig['stats_log_retention'] = "168";
+ if (isset($pconfig['stats_log_retention'])) {
+ unset($pconfig['stats_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['stats_log_limit_size']) && $pconfig['stats_log_limit_size'] != '0') {
- $pconfig['stats_log_limit_size'] = "500";
+ if (isset($pconfig['stats_log_limit_size'])) {
+ unset($pconfig['stats_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['tls_log_retention']) && $pconfig['tls_log_retention'] != '0') {
- $pconfig['tls_log_retention'] = "336";
+ if (isset($pconfig['tls_log_retention'])) {
+ unset($pconfig['tls_log_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['tls_log_limit_size']) && $pconfig['tls_log_limit_size'] != '0') {
- $pconfig['tls_log_limit_size'] = "500";
+ if (isset($pconfig['tls_log_limit_size'])) {
+ unset($pconfig['tls_log_limit_size']);
$updated_cfg = true;
}
- if (!isset($pconfig['file_store_retention']) && $pconfig['file_store_retention'] != '0') {
- $pconfig['file_store_retention'] = "168";
+ if (isset($pconfig['file_store_retention'])) {
+ unset($pconfig['file_store_retention']);
$updated_cfg = true;
}
- if (!isset($pconfig['u2_archive_log_retention']) && $pconfig['u2_archive_log_retention'] != '0') {
- $pconfig['u2_archive_log_retention'] = "168";
+ if (isset($pconfig['u2_archive_log_retention'])) {
+ unset($pconfig['u2_archive_log_retention']);
$updated_cfg = true;
}
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index 61d37130..aec8983e 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -281,8 +281,8 @@ if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettin
conf_mount_ro();
// Update Suricata package version in configuration
-$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.1.4";
-write_config("Suricata pkg v2.1.4: post-install configuration saved.");
+$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.1.5";
+write_config("Suricata pkg v2.1.5: post-install configuration saved.");
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);
diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc
index 818ae123..bbec3a7c 100644
--- a/config/syslog-ng/syslog-ng.inc
+++ b/config/syslog-ng/syslog-ng.inc
@@ -37,7 +37,11 @@ require_once('service-utils.inc');
if(!function_exists("filter_configure"))
require_once("filter.inc");
-define("SYSLOGNG_BASEDIR", "/usr/pbi/syslog-ng-" . php_uname("m") . "/");
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version == "2.1" || $pf_version == "2.2")
+ define("SYSLOGNG_BASEDIR", "/usr/pbi/syslog-ng-" . php_uname("m") . "/");
+else
+ define("SYSLOGNG_BASEDIR", "/usr/local/");
function syslogng_get_real_interface_address($interface) {
$interface = convert_friendly_interface_to_real_interface_name($interface);
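Review bot: If `/etc/version` cannot be read, `file_get_contents()` returns `false`, `$pf_version` becomes `""` and `SYSLOGNG_BASEDIR` silently becomes `/usr/local/` even on a PBI-based 2.1/2.2 install, so the package would then reference binaries that are not there. A `log_error()` in the `else` branch, or a guard such as `if ($pf_version === "") log_error("syslog-ng: could not determine pfSense version, assuming /usr/local/");`, makes that failure visible. The bare global `$pf_version` also lands in every file that includes this one; prefer a local inside a function or a more specific name.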
diff --git a/config/systempatches/system_patches.php b/config/systempatches/system_patches.php
index 43c8c22b..97e00b32 100644
--- a/config/systempatches/system_patches.php
+++ b/config/systempatches/system_patches.php
@@ -180,11 +180,11 @@ include("head.inc");
<td width="5%" class="list">&nbsp;</td>
<td width="5%" class="listhdrr"><?=gettext("Description");?></td>
<td width="60%" class="listhdrr"><?=gettext("URL/ID");?></td>
+<td width="5%" class="listhdrr"><?=gettext("Status");?></td>
<td width="5%" class="listhdrr"><?=gettext("Fetch");?></td>
-<td width="5%" class="listhdrr"><?=gettext("Test");?></td>
-<td width="5%" class="listhdrr"><?=gettext("Apply");?></td>
-<td width="5%" class="listhdr"><?=gettext("Revert");?></td>
+<td width="5%" class="listhdrr"><?=gettext("Apply");?>/<br /><?=gettext("Revert");?></td>
<td width="5%" class="listhdr"><?=gettext("Auto Apply");?></td>
+<td width="5%" class="listhdrr"><?=gettext("Test");?></td>
<td width="5%" class="list">
<table border="0" cellspacing="0" cellpadding="1" summary="buttons">
<tr><td width="17">
@@ -213,39 +213,50 @@ foreach ($a_patches as $thispatch):
<?=$thispatch['descr'];?>
</td>
<td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
-
<?php
- if (!empty($thispatch['location']))
- echo $thispatch['location'];
- elseif (!empty($thispatch['patch']))
- echo gettext("Saved Patch");
+ if (!empty($thispatch['location']))
+ echo $thispatch['location'];
+ elseif (!empty($thispatch['patch'])) {
+ // saved patch with no location => manually entered/user defined
+ echo gettext("User-defined");
+ }
?>
</td>
- <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
- <?php if (empty($thispatch['patch'])): ?>
- <a href="system_patches.php?id=<?=$i;?>&amp;act=fetch"><?php echo gettext("Fetch"); ?></a>
- <?php elseif (!empty($thispatch['location'])): ?>
- <a href="system_patches.php?id=<?=$i;?>&amp;act=fetch"><?php echo gettext("Re-Fetch"); ?></a>
- <?php endif; ?>
+
+ <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';" nowrap>
+ <?php
+ if ($can_apply) {
+ echo gettext("Valid, not applied");
+ } elseif ($can_revert) {
+ echo gettext("Valid, applied");
+ } elseif (empty($thispatch['patch'])) {
+ echo gettext("Unknown, no code stored");
+ } else {
+ echo gettext("Not valid, does not match");
+ }
+ ?>
</td>
+
<td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
- <?php if (!empty($thispatch['patch'])): ?>
- <a href="system_patches.php?id=<?=$i;?>&amp;act=test"><?php echo gettext("Test"); ?></a>
+ <?php if (!empty($thispatch['location'])): ?>
+ <a href="system_patches.php?id=<?=$i;?>&amp;act=fetch"><?php echo gettext(empty($thispatch['patch']) ? "Fetch" : "Re-Fetch"); ?></a>
<?php endif; ?>
</td>
<td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
<?php if ($can_apply): ?>
<a href="system_patches.php?id=<?=$i;?>&amp;act=apply"><?php echo gettext("Apply"); ?></a>
- <?php endif; ?>
- </td>
- <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
- <?php if ($can_revert): ?>
+ <?php elseif ($can_revert): ?>
<a href="system_patches.php?id=<?=$i;?>&amp;act=revert"><?php echo gettext("Revert"); ?></a>
<?php endif; ?>
</td>
<td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
<?= isset($thispatch['autoapply']) ? "Yes" : "No" ?>
</td>
+ <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';">
+ <?php if (!empty($thispatch['patch'])): ?>
+ <a href="system_patches.php?id=<?=$i;?>&amp;act=test"><?php echo gettext("Test"); ?></a>
+ <?php endif; ?>
+ </td>
<td valign="middle" class="list" nowrap>
<table border="0" cellspacing="0" cellpadding="1" summary="edit">
<tr>
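Review bot: The re-indented `echo $thispatch['location'];` still writes the stored URL into the page without escaping, as does `$thispatch['descr']` a few lines above; both come from config.xml, so a crafted entry (for example via a restored or synced config) renders as markup in the admin UI. Use `echo htmlspecialchars($thispatch['location']);` here and the same for the description. `$can_apply` and `$can_revert`, which drive the new Status column, are computed before this hunk begins, so their meaning is assumed from the labels.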
diff --git a/config/tinydns/tinydns.inc b/config/tinydns/tinydns.inc
index 047383ff..5effa10c 100644
--- a/config/tinydns/tinydns.inc
+++ b/config/tinydns/tinydns.inc
@@ -1163,7 +1163,7 @@ function tinydns_dnscache_forwarding_servers($index) {
exec("rm -R {$g['varetc_path']}/dnscache/root/servers/");
exec("/bin/mkdir -p {$g['varetc_path']}/dnscache{$index}/root/servers/");
if (intval($config['version']) >= 6)
- if (file_exists("{$g['varetc_path']}/nameserver_*")) {
+ if (!empty(glob("{$g['varetc_path']}/nameserver_*"))) {
exec("/bin/cat {$g['varetc_path']}/nameserver_* > {$g['varetc_path']}/dnscache{$index}/root/servers/@");
} else {
$fw = fopen("{$g['varetc_path']}/dnscache{$index}/root/servers/@", "w");
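Review bot: `empty()` applied directly to a function return is only accepted from PHP 5.5; on the PHP 5.3 shipped with older pfSense releases it is a fatal parse error ("Can't use function return value in write context"), and the sudo hunk in this same diff shows 2.1 is still a supported target. Assign first: `$ns_files = glob("{$g['varetc_path']}/nameserver_*"); if (!empty($ns_files)) {`. This also keeps the behaviour that a `false` return from `glob()` on error falls through to the `else` branch. tinydns_dnscache_forwarding_servers starts and ends outside this hunk.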
diff --git a/config/vnstat2/vnstat2.inc b/config/vnstat2/vnstat2.inc
index c875be52..ca8d869d 100644
--- a/config/vnstat2/vnstat2.inc
+++ b/config/vnstat2/vnstat2.inc
@@ -1,15 +1,16 @@
<?php
+
require_once("util.inc");
+
function vnstat_install_deinstall() {
conf_mount_rw();
global $config;
-// Remove Vnstat package and files
+ // Remove Vnstat package and files
exec("rm -d -R /usr/local/www/vnstat2");
exec("rm -d -R /usr/local/www/vnstati");
exec("rm -d -R /usr/local/pkg/vnstat2");
exec("rm /usr/local/etc/vnstat.conf");
-
-// Remove vnstat cron entry from config.xml
+ // Remove vnstat cron entry from config.xml
vnstat2_install_cron(false);
conf_mount_ro();
}
@@ -17,11 +18,12 @@ function vnstat_install_deinstall() {
function vnstat2_install_cron($vnstat_cron_value) {
global $config;
$is_installed = false;
- if(!$config['cron']['item'])
+ if (!$config['cron']['item']) {
return;
+ }
$x=0;
foreach($config['cron']['item'] as $item) {
- if(strstr($item['command'], "/usr/local/pkg/vnstat2/vnstat2.sh")) {
+ if (strstr($item['command'], "/usr/local/pkg/vnstat2/vnstat2.sh")) {
$is_installed = true;
break;
}
@@ -29,23 +31,23 @@ function vnstat2_install_cron($vnstat_cron_value) {
}
switch($vnstat_cron_value) {
case true:
- if(!$is_installed) {
+ if (!$is_installed) {
$cron_item = array();
$cron_item['minute'] = "*/1";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/local/pkg/vnstat2/vnstat2.sh";
- $config['cron']['item'][] = $cron_item;
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/local/pkg/vnstat2/vnstat2.sh";
+ $config['cron']['item'][] = $cron_item;
write_config();
configure_cron();
}
break;
case false:
- if($is_installed == true) {
- if($x > 0) {
+ if ($is_installed == true) {
+ if ($x > 0) {
unset($config['cron']['item'][$x]);
write_config();
}
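Review bot: In the `case false:` branch `if ($x > 0)` skips the removal when the vnstat2 entry is the first cron item (index 0), leaving a stale per-minute cron job after the package is removed. Since `$is_installed` is only set when the loop matched the entry, `$x` already identifies it (the `$x++` that advances the index is outside this hunk, so I am assuming that), and the guard should simply go: `unset($config['cron']['item'][$x]); write_config();`. The `switch ($vnstat_cron_value)` with `case true` / `case false` also relies on loose comparison; a plain `if ($vnstat_cron_value) { … } else { … }` would state the intent directly.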
@@ -55,8 +57,7 @@ function vnstat2_install_cron($vnstat_cron_value) {
}
}
-
-function change_vnstat_conf(){
+function change_vnstat_conf() {
conf_mount_rw();
global $config;
$config['installedpackages']['vnstat2']['config'][0]['monthrotate'] = $_POST['monthrotate'];
@@ -64,21 +65,19 @@ function change_vnstat_conf(){
write_conf_f();
write_config();
- if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on"){
- vnstat_php_frontend();
- }
- else {
- exec("[ -d /usr/local/www/vnstat2 ] && rm -d -R /usr/local/www/vnstat2");
+ if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on") {
+ vnstat_php_frontend();
+ } else {
+ exec("[ -d /usr/local/www/vnstat2 ] && rm -d -R /usr/local/www/vnstat2");
}
conf_mount_ro();
}
-function write_conf_f(){
+function write_conf_f() {
global $config;
$monthrotate = $config['installedpackages']['vnstat2']['config'][0]['monthrotate'];
-// ************ Write new vnstat.conf *****************
-
+ // ************ Write new vnstat.conf *****************
$vnstat_conf_file = <<<EOF
# vnStat 1.10 config file
##
@@ -108,9 +107,9 @@ CTxD "-"
EOF;
$hf2 = fopen("/usr/local/etc/vnstat.conf","w");
- if(!$hf2) {
- log_error("could not open /usr/local/etc/vnstat.conf for writing");
- exit;
+ if (!$hf2) {
+ log_error("could not open /usr/local/etc/vnstat.conf for writing");
+ exit;
}
fwrite($hf2, $vnstat_conf_file);
fclose($hf2);
@@ -145,7 +144,7 @@ function create_vnstat_output() {
}
function vnstat_link_config() {
-// Check for pbi install and arch type then create symlinks
+ // Check for pbi install and arch type then create symlinks
if (file_exists('/usr/pbi/vnstat-' . php_uname("m"))) {
$conf_path = "/usr/local/etc/vnstat.conf";
$pbi_conf_path = "/usr/pbi/vnstat-" . php_uname("m") . "/etc/vnstat.conf";
@@ -179,14 +178,14 @@ function vnstat_create_nic_dbs() {
foreach ($leftovers as $nic) {
exec("/usr/local/bin/vnstat -u -i ". escapeshellarg($nic));
}
-
conf_mount_ro();
}
function vnstat_install_config() {
$vnstat_db_prefix = "/conf/vnstat";
+ global $config;
conf_mount_rw();
-// Create vnstat database dir where it also will work for nanobsd
+ // Create vnstat database dir where it also will work for nanobsd
if (is_dir("/usr/local/pkg/vnstat2/vnstat")) {
@rename("/usr/local/pkg/vnstat2/vnstat", $vnstat_db_prefix);
}
@@ -194,141 +193,140 @@ function vnstat_install_config() {
@mkdir($vnstat_db_prefix);
}
vnstat_link_config();
-// Add MonthRotate value to config.xml and write /usr/local/etc/vnstat.conf
- if ($config['installedpackages']['vnstat2']['config'][0]['monthrotate'] == ""){
+ // Add MonthRotate value to config.xml and write /usr/local/etc/vnstat.conf
+ if ($config['installedpackages']['vnstat2']['config'][0]['monthrotate'] == "") {
$config['installedpackages']['vnstat2']['config'][0]['monthrotate'] = "1";
}
- if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on"){
+ if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on") {
vnstat_php_frontend();
}
write_conf_f();
-// Add cron job to config.xml
+ // Add cron job to config.xml
vnstat2_install_cron(true);
vnstat_create_nic_dbs();
write_config();
conf_mount_ro();
}
-function vnstat_php_frontend(){
+function vnstat_php_frontend() {
global $config;
-// Copy vnstat_php_frontend to www
+ // Copy vnstat_php_frontend to www
exec("/bin/cp -a /usr/local/pkg/vnstat2/vnstat_php_frontend/. /usr/local/www/vnstat2/");
-// Find information to be writing in config.php
+ // Find information to be writing in config.php
// $iface_list_array_items
- exec("ls /conf/vnstat/ | grep -v '\.'", $vnstat_nic_in);
- $iface_list_array_items = implode("', '", $vnstat_nic_in);
- $iface_list_array = "\$iface_list = array('$iface_list_array_items');";
- // $iface_title_array_items
- $iface_title_array_items = array();
- $iface_title_array_items2 = array();
- foreach ($vnstat_nic_in as $vnstat_nic_out)
- {
- $ifdescrs = array('wan' => 'WAN', 'lan' => 'LAN');
+ exec("ls /conf/vnstat/ | grep -v '\.'", $vnstat_nic_in);
+ $iface_list_array_items = implode("', '", $vnstat_nic_in);
+ $iface_list_array = "\$iface_list = array('$iface_list_array_items');";
+ // $iface_title_array_items
+ $iface_title_array_items = array();
+ $iface_title_array_items2 = array();
+ foreach ($vnstat_nic_in as $vnstat_nic_out) {
+ $ifdescrs = array('wan' => 'WAN', 'lan' => 'LAN');
for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
$ifdescrs['opt' . $j] = $config['interfaces']['opt' . $j]['descr'];
}
- foreach ($ifdescrs as $ifdescr => $ifname):
- $real_nic_names3 = get_real_interface($ifdescr);
- If ($real_nic_names3 == $vnstat_nic_out)
- {
- $ifname_out = convert_friendly_interface_to_friendly_descr($ifdescr);
- $iface_title_array_items = "\$iface_title['$vnstat_nic_out'] = '$ifname_out';\n";
- array_push($iface_title_array_items2, $iface_title_array_items);
- }
- endforeach;
+ foreach ($ifdescrs as $ifdescr => $ifname) {
+ $real_nic_names3 = get_real_interface($ifdescr);
+ if ($real_nic_names3 == $vnstat_nic_out) {
+ $ifname_out = convert_friendly_interface_to_friendly_descr($ifdescr);
+ $iface_title_array_items = "\$iface_title['$vnstat_nic_out'] = '$ifname_out';\n";
+ array_push($iface_title_array_items2, $iface_title_array_items);
+ }
+ }
}
- $iface_title_array = implode($iface_title_array_items2);
+ $iface_title_array = implode($iface_title_array_items2);
// php in php static items
// added to new items for the front end version 1.5.1
- $locale = "\$locale = 'en_US.UTF-8';";
- $language = "\$language = 'en';";
- $vnstat_bin2 = "\$vnstat_bin = '/usr/local/bin/vnstat';";
- $data_dir2 = "\$data_dir = './dumps';";
- $graph_format2 ="\$graph_format='svg';";
- $colorscheme2 = "\$colorscheme['light'] = array(";
- $colorscheme3 = "\$colorscheme['red'] = array(";
- $colorscheme4 = "\$colorscheme['pfSense'] = array(";
-// ************ Write new config.php ******************
- $config_file = <<<EOF
+ $locale = "\$locale = 'en_US.UTF-8';";
+ $language = "\$language = 'en';";
+ $vnstat_bin2 = "\$vnstat_bin = '/usr/local/bin/vnstat';";
+ $data_dir2 = "\$data_dir = './dumps';";
+ $graph_format2 ="\$graph_format='svg';";
+ $colorscheme2 = "\$colorscheme['light'] = array(";
+ $colorscheme3 = "\$colorscheme['red'] = array(";
+ $colorscheme4 = "\$colorscheme['pfSense'] = array(";
+ // ************ Write new config.php ******************
+ $config_file = <<<EOF
<?php
- //
- // vnStat PHP frontend 1.5.1 (c)2006-2008 Bjorge Dijkstra (bjd@jooz.net)
- //
- // This program is free software; you can redistribute it and/or modify
- // it under the terms of the GNU General Public License as published by
- // the Free Software Foundation; either version 2 of the License, or
- // (at your option) any later version.
- //
- // This program is distributed in the hope that it will be useful,
- // but WITHOUT ANY WARRANTY; without even the implied warranty of
- // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- // GNU General Public License for more details.
- //
- // You should have received a copy of the GNU General Public License
- // along with this program; if not, write to the Free Software
- // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- //
- //
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
- // for more information.
- //
- //error_reporting(E_ALL | E_NOTICE);
-
- //
- // configuration parameters
- //
- // edit these to reflect your particular situation
- //
-$locale
-$language
- // list of network interfaces monitored by vnStat
-$iface_list_array
+ //
+ // vnStat PHP frontend 1.5.1 (c)2006-2008 Bjorge Dijkstra (bjd@jooz.net)
+ //
+ // This program is free software; you can redistribute it and/or modify
+ // it under the terms of the GNU General Public License as published by
+ // the Free Software Foundation; either version 2 of the License, or
+ // (at your option) any later version.
+ //
+ // This program is distributed in the hope that it will be useful,
+ // but WITHOUT ANY WARRANTY; without even the implied warranty of
+ // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ // GNU General Public License for more details.
+ //
+ // You should have received a copy of the GNU General Public License
+ // along with this program; if not, write to the Free Software
+ // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ //
+ //
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // for more information.
+ //
+ //error_reporting(E_ALL | E_NOTICE);
- //
- // optional names for interfaces
- // if there's no name set for an interface then the interface identifier
- // will be displayed instead
-$iface_title_array
+ //
+ // configuration parameters
+ //
+ // edit these to reflect your particular situation
+ //
+ $locale
+ $language
+ // list of network interfaces monitored by vnStat
+ $iface_list_array
- //
- // There are two possible sources for vnstat data. If the
- // variable is set then vnstat is called directly from the PHP script
- // to get the interface data.
- //
- // The other option is to periodically dump the vnstat interface data to
- // a file (e.g. by a cronjob). In that case the variable
- // must be cleared and set to the location where the dumps
- // are stored. Dumps must be named 'vnstat_dump_'.
- //
- // You can generate vnstat dumps with the command:
- // vnstat --dumpdb -i > /path/to/data_dir/vnstat_dump_
- //
-$vnstat_bin2
-$data_dir2
+ //
+ // optional names for interfaces
+ // if there's no name set for an interface then the interface identifier
+ // will be displayed instead
+ $iface_title_array
- // graphics format to use: svg or png
-$graph_format2
-
- // Font to use for PNG graphs
- define('GRAPH_FONT',dirname(__FILE__).'/VeraBd.ttf');
+ //
+ // There are two possible sources for vnstat data. If the
+ // variable is set then vnstat is called directly from the PHP script
+ // to get the interface data.
+ //
+ // The other option is to periodically dump the vnstat interface data to
+ // a file (e.g. by a cronjob). In that case the variable
+ // must be cleared and set to the location where the dumps
+ // are stored. Dumps must be named 'vnstat_dump_'.
+ //
+ // You can generate vnstat dumps with the command:
+ // vnstat --dumpdb -i > /path/to/data_dir/vnstat_dump_
+ //
+ $vnstat_bin2
+ $data_dir2
- // Font to use for SVG graphs
- define('SVG_FONT', 'Verdana');
+ // graphics format to use: svg or png
+ $graph_format2
- // color schemes
- // colors are defined as R,G,B,ALPHA quads where R, G and B range from 0-255
- // and ALPHA from 0-127 where 0 is opaque and 127 completely transparent.
- //
- define('DEFAULT_COLORSCHEME', 'pfSense');
+ // Font to use for PNG graphs
+ define('GRAPH_FONT',dirname(__FILE__).'/VeraBd.ttf');
+
+ // Font to use for SVG graphs
+ define('SVG_FONT', 'Verdana');
+
+ // color schemes
+ // colors are defined as R,G,B,ALPHA quads where R, G and B range from 0-255
+ // and ALPHA from 0-127 where 0 is opaque and 127 completely transparent.
+ //
+ define('DEFAULT_COLORSCHEME', 'pfSense');
?>
EOF;
- $hf = fopen("/usr/local/www/vnstat2/config.php","w");
- if(!$hf) {
- log_error("could not open /usr/local/www/vnstat2/config.php for writing");
- exit;
- }
- fwrite($hf, $config_file);
- fclose($hf);
+ $hf = fopen("/usr/local/www/vnstat2/config.php","w");
+ if (!$hf) {
+ log_error("could not open /usr/local/www/vnstat2/config.php for writing");
+ exit;
+ }
+ fwrite($hf, $config_file);
+ fclose($hf);
}
+
?>
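Review bot: The config.php generated at the end of the hunk splices `$ifname_out` and the `/conf/vnstat/` directory names into single-quoted PHP literals (`$iface_title['$vnstat_nic_out'] = '$ifname_out';` and `array('$iface_list_array_items')`), so an interface description containing a quote or backslash produces a config.php that no longer parses, and because that file is executed as PHP this is code generation from configuration data rather than plain templating. Emit the literals with `var_export` instead: `$iface_list_array = "\$iface_list = " . var_export($vnstat_nic_in, true) . ";";` and `$iface_title_array_items = "\$iface_title[" . var_export($vnstat_nic_out, true) . "] = " . var_export($ifname_out, true) . ";\n";`. The directory listing does not need a shell pipeline either; `$vnstat_nic_in = array_values(array_filter(scandir('/conf/vnstat/'), function ($f) { return strpos($f, '.') === false; }));` keeps the `grep -v '\.'` semantics without `exec`. `$ifdescrs` is rebuilt on every iteration of the outer `foreach ($vnstat_nic_in …)` although it depends only on `$config`; hoisting it above that loop removes the repeated work.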
diff --git a/config/vnstat2/vnstat2.xml b/config/vnstat2/vnstat2.xml
index 94b7cfc1..f696850a 100644
--- a/config/vnstat2/vnstat2.xml
+++ b/config/vnstat2/vnstat2.xml
@@ -2,10 +2,10 @@
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
<packagegui>
- <copyright></copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+ <copyright></copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
<name>vnstat2</name>
<version>11.2,3</version>
<title>Vnstat2</title>
@@ -203,36 +203,36 @@
<type>select</type>
<size>3</size>
<default_value>1</default_value>
- <options>
- <option><name>1</name><value>1</value></option>
- <option><name>2</name><value>2</value></option>
- <option><name>3</name><value>3</value></option>
- <option><name>4</name><value>4</value></option>
- <option><name>5</name><value>5</value></option>
- <option><name>6</name><value>6</value></option>
- <option><name>7</name><value>7</value></option>
- <option><name>8</name><value>8</value></option>
- <option><name>9</name><value>9</value></option>
- <option><name>10</name><value>10</value></option>
- <option><name>11</name><value>11</value></option>
- <option><name>12</name><value>12</value></option>
- <option><name>13</name><value>13</value></option>
- <option><name>14</name><value>14</value></option>
- <option><name>15</name><value>15</value></option>
- <option><name>16</name><value>16</value></option>
- <option><name>17</name><value>17</value></option>
- <option><name>18</name><value>18</value></option>
- <option><name>19</name><value>19</value></option>
- <option><name>20</name><value>20</value></option>
- <option><name>21</name><value>21</value></option>
- <option><name>22</name><value>22</value></option>
- <option><name>23</name><value>23</value></option>
- <option><name>24</name><value>24</value></option>
- <option><name>25</name><value>25</value></option>
- <option><name>26</name><value>26</value></option>
- <option><name>27</name><value>27</value></option>
- <option><name>28</name><value>28</value></option>
- </options>
+ <options>
+ <option><name>1</name><value>1</value></option>
+ <option><name>2</name><value>2</value></option>
+ <option><name>3</name><value>3</value></option>
+ <option><name>4</name><value>4</value></option>
+ <option><name>5</name><value>5</value></option>
+ <option><name>6</name><value>6</value></option>
+ <option><name>7</name><value>7</value></option>
+ <option><name>8</name><value>8</value></option>
+ <option><name>9</name><value>9</value></option>
+ <option><name>10</name><value>10</value></option>
+ <option><name>11</name><value>11</value></option>
+ <option><name>12</name><value>12</value></option>
+ <option><name>13</name><value>13</value></option>
+ <option><name>14</name><value>14</value></option>
+ <option><name>15</name><value>15</value></option>
+ <option><name>16</name><value>16</value></option>
+ <option><name>17</name><value>17</value></option>
+ <option><name>18</name><value>18</value></option>
+ <option><name>19</name><value>19</value></option>
+ <option><name>20</name><value>20</value></option>
+ <option><name>21</name><value>21</value></option>
+ <option><name>22</name><value>22</value></option>
+ <option><name>23</name><value>23</value></option>
+ <option><name>24</name><value>24</value></option>
+ <option><name>25</name><value>25</value></option>
+ <option><name>26</name><value>26</value></option>
+ <option><name>27</name><value>27</value></option>
+ <option><name>28</name><value>28</value></option>
+ </options>
</field>
<field>
<description>Enable vnstat php frontend (Note that no login will be needed)</description>
@@ -246,4 +246,3 @@
<custom_php_install_command>vnstat_install_config();</custom_php_install_command>
<custom_php_deinstall_command>vnstat_install_deinstall();</custom_php_deinstall_command>
</packagegui>
-
diff --git a/config/vnstat2/vnstati.xml b/config/vnstat2/vnstati.xml
index 7cd3f3be..84a104dd 100644
--- a/config/vnstat2/vnstati.xml
+++ b/config/vnstat2/vnstati.xml
@@ -2,10 +2,10 @@
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
<packagegui>
- <copyright></copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+ <copyright></copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
<name>vnstat2</name>
<version>1.0</version>
<title>Vnstat2</title>
@@ -54,4 +54,3 @@
<custom_php_install_command>vnstat_install_config();</custom_php_install_command>
<custom_php_deinstall_command>vnstat_install_deinstall();</custom_php_deinstall_command>
</packagegui>
-
diff --git a/config/vnstat2/vnstatoutput.xml b/config/vnstat2/vnstatoutput.xml
index 9d2e3d05..5062be1f 100644
--- a/config/vnstat2/vnstatoutput.xml
+++ b/config/vnstat2/vnstatoutput.xml
@@ -2,10 +2,10 @@
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
<packagegui>
- <copyright></copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+ <copyright></copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
<name>vnstat2</name>
<version>1.0</version>
<title>Vnstat2</title>
@@ -54,4 +54,3 @@
<custom_php_install_command>vnstat_install_config();</custom_php_install_command>
<custom_php_deinstall_command>vnstat_install_deinstall();</custom_php_deinstall_command>
</packagegui>
-
diff --git a/config/vnstat2/www/diag_vnstat.php b/config/vnstat2/www/diag_vnstat.php
index 04e03911..5e6524c7 100644
--- a/config/vnstat2/www/diag_vnstat.php
+++ b/config/vnstat2/www/diag_vnstat.php
@@ -1,30 +1,30 @@
<?php
/* $Id$ */
/*
- diag_pf_info.php
- Copyright (C) 2010 Scott Ullrich
- All rights reserved.
+ diag_pf_info.php
+ Copyright (C) 2010 Scott Ullrich
+ All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
/*
@@ -44,7 +44,7 @@ require("guiconfig.inc");
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
$pgtitle = gettext("Vnstat2 summary ");
-if($_REQUEST['getactivity']) {
+if ($_REQUEST['getactivity']) {
$text = `vnstat`;
$text .= "<p/>";
echo $text;
@@ -80,7 +80,7 @@ include("head.inc");
if ($pf_version < 2.0)
echo "<p class=\"pgtitle\">{$pgtitle}</p>";
echo "<a href=$myurl/pkg_edit.php?xml=vnstatoutput.xml&id=0>Go Back</a><br />";
- if($savemsg) {
+ if ($savemsg) {
echo "<div id='savemsg'>";
print_info_box($savemsg);
echo "</div>";
@@ -89,25 +89,27 @@ include("head.inc");
print_input_errors($input_errors);
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td>
- <table id="backuptable" class="tabcont" align="center" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td>
- <center>
- <table>
- <tr><td>
- <div name='cpuactivitydiv' id='cpuactivitydiv'>
- <b><?=gettext("Gathering vnstat information, please wait...");?>
- </div>
- </td></tr>
- </table>
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
+ <tr>
+ <td>
+ <table id="backuptable" class="tabcont" align="center" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td>
+ <center>
+ <table>
+ <tr>
+ <td>
+ <div name='cpuactivitydiv' id='cpuactivitydiv'>
+ <b><?=gettext("Gathering vnstat information, please wait...");?>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
</table>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/vnstat2/www/diag_vnstat2.php b/config/vnstat2/www/diag_vnstat2.php
index e5ce1de5..504fd534 100644
--- a/config/vnstat2/www/diag_vnstat2.php
+++ b/config/vnstat2/www/diag_vnstat2.php
@@ -1,30 +1,30 @@
<?php
/* $Id$ */
/*
- diag_system_pftop.php
- Copyright (C) 2008-2009 Scott Ullrich
- All rights reserved.
+ diag_system_pftop.php
+ Copyright (C) 2008-2009 Scott Ullrich
+ All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
/*
@@ -46,11 +46,12 @@ $bbbb = convert_real_interface_to_friendly_descr($aaaa);
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
$pgtitle = gettext("Vnstat2 info for $bbbb ($aaaa)");
-if($_REQUEST['getactivity']) {
- if($_REQUEST['sorttype'])
+if ($_REQUEST['getactivity']) {
+ if ($_REQUEST['sorttype']) {
$sorttype = escapeshellarg($_REQUEST['sorttype']);
- else
- $sorttype = gettext("-h");
+ } else {
+ $sorttype = gettext("-h");
+ }
$text = `vnstat -i $aaaa {$sorttype}`;
echo $text;
exit;
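Review bot: `$sorttype = escapeshellarg($_REQUEST['sorttype']);` shell-quotes the value but never validates it, so any string the client sends reaches vnstat as an argument; escapeshellarg stops shell metacharacters but not option injection, while the select further down only ever offers a fixed set of flags. Replace the escaping with a whitelist keyed on the option values, e.g. `$allowed = array('-h', '-m', '-t', '-tr', '-w'); $sorttype = in_array($_REQUEST['sorttype'], $allowed, true) ? $_REQUEST['sorttype'] : '-h';` (extend the list with the `<option>` values that precede `-m`, which are outside this view). `gettext("-h")` on the fallback is also odd: a command-line flag is not translatable text, and a translation could silently change it. The same unvalidated value is echoed through `htmlentities` in the next hunk, where the same whitelist applies, and `$aaaa`, also interpolated into the backtick command, is assigned before the hunk starts and should be validated there; the backtick call could use the full `/usr/local/bin/vnstat` path as vnstat2.inc does rather than relying on PATH.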
@@ -58,10 +59,11 @@ if($_REQUEST['getactivity']) {
include("head.inc");
-if($_REQUEST['sorttype'])
+if ($_REQUEST['sorttype']) {
$sorttype = htmlentities($_REQUEST['sorttype']);
-else
+} else {
$sorttype = "-h";
+}
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
@@ -87,16 +89,18 @@ else
<div id='maincontent'>
<?php
include("fbegin.inc");
- if ($pf_version < 2.0)
+ if ($pf_version < 2.0) {
echo "<p class=\"pgtitle\">{$pgtitle}</p>";
- echo "<a href=$myurl/pkg_edit.php?xml=vnstatoutput.xml&id=0>Go Back</a><br />";
- if($savemsg) {
+ }
+ echo "<a href=$myurl/pkg_edit.php?xml=vnstatoutput.xml&id=0>Go Back</a><br />";
+ if ($savemsg) {
echo "<div id='savemsg'>";
print_info_box($savemsg);
echo "</div>";
}
- if ($input_errors)
+ if ($input_errors) {
print_input_errors($input_errors);
+ }
?>
<form method="post">
<?=gettext("Sort type:"); ?>
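Review bot: The `Go Back` link, `echo "<a href=$myurl/pkg_edit.php?xml=vnstatoutput.xml&id=0>Go Back</a><br />";`, interpolates `$myurl` into an unquoted attribute with a raw `&`; `$myurl` is set outside the hunk, and if it is derived from the request (host header or script path) this is a reflected-injection point, otherwise it is merely invalid markup. Quote and escape it: `echo "<a href=\"" . htmlspecialchars($myurl) . "/pkg_edit.php?xml=vnstatoutput.xml&amp;id=0\">Go Back</a><br />";`. The identical line appears in diag_vnstat.php in this commit's `@@ -80,7 +80,7 @@` hunk and wants the same change.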
@@ -107,29 +111,31 @@ else
<option value='-m'><?=gettext("Show traffic for months.");?></option>
<option value='-t'><?=gettext("Show all time top10 traffic.");?></option>
<option value='-tr'><?=gettext("Calculate 5sec. of traffic.");?></option>
- <option value='-w'><?=gettext("Show traffic for 7 days, current and previous week.");?></option>
+ <option value='-w'><?=gettext("Show traffic for 7 days, current and previous week.");?></option>
</select>
<p/>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td>
- <table id="backuptable" class="tabcont" align="center" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td>
- <center>
- <table>
- <tr><td>
- <div name='cpuactivitydiv' id='cpuactivitydiv'>
- <b><?=gettext("Gathering vnstat activity, please wait...");?>
- </div>
- </td></tr>
- </table>
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
+ <tr>
+ <td>
+ <table id="backuptable" class="tabcont" align="center" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td>
+ <center>
+ <table>
+ <tr>
+ <td>
+ <div name='cpuactivitydiv' id='cpuactivitydiv'>
+ <b><?=gettext("Gathering vnstat activity, please wait...");?>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
</table>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/vnstat2/www/vnstati.php b/config/vnstat2/www/vnstati.php
index e5ddcd21..01eca208 100644
--- a/config/vnstat2/www/vnstati.php
+++ b/config/vnstat2/www/vnstati.php
@@ -14,4 +14,3 @@ echo "<center><p class=\"pgtitle\">{$pgtitle}</p>";
<center><img src="vnstat2_img.php?image=newpicture3.png" style="border:1px solid black; center;"><br />
<center><img src="vnstat2_img.php?image=newpicture4.png" style="border:1px solid black; center;"><br />
<?php include("fend.inc"); ?>
-
diff --git a/config/zabbix-lts/zabbix-lts.inc b/config/zabbix-agent-lts/zabbix-agent-lts.inc
index 450b78a1..e3e5570c 100644
--- a/config/zabbix-lts/zabbix-lts.inc
+++ b/config/zabbix-agent-lts/zabbix-agent-lts.inc
@@ -2,7 +2,7 @@
/* $Id$ */
/* ========================================================================== */
/*
- zabbix-lts.inc
+ zabbix-agent-lts.inc
part of the Zabbix package for pfSense
Copyright (C) 2013 Danilo G. Baio
Copyright (C) 2013 Marcello Coutinho
@@ -38,8 +38,15 @@ require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
-function php_install_zabbix_lts(){
- sync_package_zabbix_lts();
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version == "2.1" || $pf_version == "2.2") {
+ define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m"));
+} else {
+ define('ZABBIX_AGENT_BASE', '/usr/local');
+}
+
+function php_install_zabbix_agent_lts(){
+ sync_package_zabbix_agent_lts();
}
function php_deinstall_zabbix_agent_lts(){
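Review bot: The new top-level `$pf_version` / `define('ZABBIX_AGENT_BASE', …)` block runs at include time, so it introduces a file-scope global named `$pf_version` into every script that requires this .inc (the same name is assigned at file scope elsewhere in this commit, so a collision with an including script is plausible), and `define` emits a notice if the file is ever loaded twice without `require_once`. Keep the detection local and idempotent by wrapping the block in `if (!defined('ZABBIX_AGENT_BASE')) { … }` and not leaving `$pf_version` behind. The loose `==` on a 3-character prefix also reads a hypothetical `2.10` release as `2.1`; `in_array($pf_version, array('2.1', '2.2'), true)` at least makes the string comparison strict. A one-line comment on the constant, `/* Base of the zabbix agent install: pbi prefix on 2.1/2.2, /usr/local on later releases. */`, would tell the next reader why the two branches exist.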
@@ -47,69 +54,33 @@ function php_deinstall_zabbix_agent_lts(){
conf_mount_rw();
- define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m"));
-
exec("/usr/bin/killall zabbix_agentd");
unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix_agentd_lts.sh");
unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf");
- unlink_if_exists("/var/log/zabbix-lts/zabbix_agentd_lts.log");
- unlink_if_exists("/var/run/zabbix-lts/zabbix_agentd_lts.pid");
-
- if (!is_array($config['installedpackages']['zabbixproxylts'])){
- if (is_dir("/var/log/zabbix-lts"))
- exec("/bin/rm -r /var/log/zabbix-lts/");
- if (is_dir("/var/run/zabbix-lts"))
- exec("/bin/rm -r /var/run/zabbix-lts/");
- }
+ unlink_if_exists("/var/log/zabbix-agent-lts/zabbix_agentd_lts.log");
+ unlink_if_exists("/var/run/zabbix-agent-lts/zabbix_agentd_lts.pid");
- conf_mount_ro();
-}
-
-function php_deinstall_zabbix_proxy_lts(){
- global $config, $g;
-
- conf_mount_rw();
-
- define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m"));
-
- exec("/usr/bin/killall zabbix_proxy");
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix_proxy_lts.sh");
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf");
- unlink_if_exists("/var/log/zabbix-lts/zabbix_proxy_lts.log");
- unlink_if_exists("/var/run/zabbix-lts/zabbix_proxy_lts.pid");
-
- if (!is_array($config['installedpackages']['zabbixagentlts'])){
- if (is_dir("/var/log/zabbix-lts"))
- exec("/bin/rm -r /var/log/zabbix-lts/");
- if (is_dir("/var/run/zabbix-lts"))
- exec("/bin/rm -r /var/run/zabbix-lts/");
- }
+ if (is_dir("/var/log/zabbix-agent-lts")) {
+ exec("/bin/rm -r /var/log/zabbix-agent-lts/");
+ }
- if (is_dir("/var/db/zabbix-lts"))
- exec("/bin/rm -r /var/db/zabbix-lts/");
+ if (is_dir("/var/run/zabbix-agent-lts")) {
+ exec("/bin/rm -r /var/run/zabbix-agent-lts/");
+ }
conf_mount_ro();
}
-function validate_input_zabbix_lts($post, &$input_errors){
+function validate_input_zabbix_agent_lts($post, &$input_errors){
- if (isset($post['proxyenabled'])){
- if (!is_numericint($post['serverport'])) {
- $input_errors[]='Server Port is not numeric.'.$ServerPort;
- }
-
- if (!is_numericint($post['configfrequency'])) {
- $input_errors[]='Config Frequency is not numeric.';
- }
- }
- if (isset($post['agentenabled'])){
+ if (isset($post['agentenabled'])) {
if (!preg_match("/\w+/", $post['server'])) {
$input_errors[]='Server field is required.';
- }
+ }
if (!preg_match("/\w+/", $post['hostname'])) {
$input_errors[]='Hostname field is required.';
- }
+ }
if ($post['listenip'] != '') {
if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) {
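Review bot: The listen-address check at the end of the hunk, `preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])`, is unanchored and its dots are unescaped, so it accepts any string that merely contains a lookalike (`1127.0.0.10`, `127a0b0c1`) and the `is_ipaddr_configured` requirement is bypassed for those values. Anchor and escape it, `preg_match('/^(127\.0\.0\.1|0\.0\.0\.0)$/', $post['listenip'])`, or drop the regex for `in_array($post['listenip'], array('127.0.0.1', '0.0.0.0'), true)`. The `\w+` checks on `server` and `hostname` only prove a word character exists somewhere; if a full match is intended, `\A\S+\z` with trimming is closer to what the error messages promise. validate_input_zabbix_agent_lts continues past the end of the hunk.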
@@ -165,39 +136,11 @@ function validate_input_zabbix_lts($post, &$input_errors){
}
}
-function sync_package_zabbix_lts(){
+function sync_package_zabbix_agent_lts(){
global $config, $g;
conf_mount_rw();
- define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m"));
- define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m"));
-
- #check zabbix proxy config
- if (is_array($config['installedpackages']['zabbixproxylts'])){
- $zbproxy_config = $config['installedpackages']['zabbixproxylts']['config'][0];
- if ($zbproxy_config['proxyenabled']=="on"){
- $Mode=(is_numericint($zbproxy_config['proxymode'])?$zbproxy_config['proxymode'] : 0);
- $AdvancedParams=base64_decode($zbproxy_config['advancedparams']);
-
- $zbproxy_conf_file = <<< EOF
-Server={$zbproxy_config['server']}
-ServerPort={$zbproxy_config['serverport']}
-Hostname={$zbproxy_config['hostname']}
-PidFile=/var/run/zabbix-lts/zabbix_proxy_lts.pid
-DBName=/var/db/zabbix-lts/proxy.db
-LogFile=/var/log/zabbix-lts/zabbix_proxy_lts.log
-ConfigFrequency={$zbproxy_config['configfrequency']}
-FpingLocation=/usr/local/sbin/fping
-#there's currently no fping6 (IPv6) dependency in the package, but if there was, the binary would likely also be in /usr/local/sbin
-Fping6Location=/usr/local/sbin/fping6
-ProxyMode={$Mode}
-{$AdvancedParams}
-
-EOF;
- file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
- }
- }
/* check zabbix agent settings*/
if (is_array($config['installedpackages']['zabbixagentlts'])){
$zbagent_config = $config['installedpackages']['zabbixagentlts']['config'][0];
@@ -219,8 +162,8 @@ ListenIP={$ListenIp}
ListenPort={$ListenPort}
RefreshActiveChecks={$RefreshActChecks}
DebugLevel=3
-PidFile=/var/run/zabbix-lts/zabbix_agentd_lts.pid
-LogFile=/var/log/zabbix-lts/zabbix_agentd_lts.log
+PidFile=/var/run/zabbix-agent-lts/zabbix_agentd_lts.pid
+LogFile=/var/log/zabbix-agent-lts/zabbix_agentd_lts.log
LogFileSize=1
Timeout={$TimeOut}
BufferSend={$BufferSend}
@@ -278,58 +221,26 @@ EOF;
/*check startup script files*/
/* create a few directories and ensure the sample files are in place */
- if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22"))
- exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22");
+ if (!is_dir(ZABBIX_AGENT_BASE . "/etc/zabbix22"))
+ exec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix22");
$dir_checks = <<< EOF
-if [ ! -d /var/log/zabbix-lts ]
+if [ ! -d /var/log/zabbix-agent-lts ]
then
- /bin/mkdir -p /var/log/zabbix-lts
- /usr/sbin/chmod 755 /var/log/zabbix-lts
+ /bin/mkdir -p /var/log/zabbix-agent-lts
+ /usr/sbin/chmod 755 /var/log/zabbix-agent-lts
fi
-/usr/sbin/chown -R zabbix:zabbix /var/log/zabbix-lts
+/usr/sbin/chown -R zabbix:zabbix /var/log/zabbix-agent-lts
-if [ ! -d /var/run/zabbix-lts ]
+if [ ! -d /var/run/zabbix-agent-lts ]
then
- /bin/mkdir -p /var/run/zabbix-lts
- /usr/sbin/chmod 755 /var/run/zabbix-lts
+ /bin/mkdir -p /var/run/zabbix-agent-lts
+ /usr/sbin/chmod 755 /var/run/zabbix-agent-lts
fi
-/usr/sbin/chown -R zabbix:zabbix /var/run/zabbix-lts
-
-if [ ! -d /var/db/zabbix-lts ]
- then
- /bin/mkdir -p /var/db/zabbix-lts
- /usr/sbin/chmod 755 /var/db/zabbix-lts
- fi
-/usr/sbin/chown -R zabbix:zabbix /var/db/zabbix-lts
+/usr/sbin/chown -R zabbix:zabbix /var/run/zabbix-agent-lts
EOF;
- $zproxy_rcfile="/usr/local/etc/rc.d/zabbix_proxy_lts.sh";
- if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled']=="on"){
- $zproxy_start= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy LTS\"...\n";
- /* start zabbix proxy */
- $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n";
-
- $zproxy_stop = "echo \"Stopping Zabbix Proxy LTS\"\n";
- $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n";
- $zproxy_stop .= "/bin/sleep 5\n";
-
- /* write out rc.d start/stop file */
- write_rcfile(array(
- "file" => "zabbix_proxy_lts.sh",
- "start" => $zproxy_start,
- "stop" => $zproxy_stop
- )
- );
- mwexec("{$zproxy_rcfile} restart");
- }else{
- if (file_exists($zproxy_rcfile)){
- mwexec("{$zproxy_rcfile} stop");
- unlink($zproxy_rcfile);
- }
- }
-
$zagent_rcfile="/usr/local/etc/rc.d/zabbix_agentd_lts.sh";
if (is_array($zbagent_config) && $zbagent_config['agentenabled']=="on"){
$zagent_start .= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent LTS...\"\n";
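Review bot: `$zagent_start .= strtr($dir_checks, ...)` on the new side appends to a variable that is not initialised anywhere visible, which raises an undefined-variable notice on every sync and is inconsistent with the new zabbix-proxy-lts.inc, which assigns with `=` before appending; change it to `$zagent_start = strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent LTS...\"\n";`. The directory creation at the top of the hunk still spawns a shell, `exec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix22")`, and ignores the result; `mkdir(ZABBIX_AGENT_BASE . "/etc/zabbix22", 0755, true)` avoids the process and returns false on failure. The `define('ZABBIX_AGENT_BASE', ...)` was removed from this function in the earlier hunk of this file, so the constant must now be defined at file scope the way zabbix-proxy-lts.inc does for ZABBIX_PROXY_BASE; the top of the agent file is outside this diff, so I could not confirm that. sync_package_zabbix_agent_lts starts and ends outside this hunk.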
diff --git a/config/zabbix-lts/zabbix-agent-lts.xml b/config/zabbix-agent-lts/zabbix-agent-lts.xml
index b098eb62..c58ac04c 100644
--- a/config/zabbix-lts/zabbix-agent-lts.xml
+++ b/config/zabbix-agent-lts/zabbix-agent-lts.xml
@@ -41,13 +41,12 @@
<name>zabbixagentlts</name>
<title>Services: Zabbix Agent LTS</title>
<category>Monitoring</category>
- <version>0.8.3</version>
- <include_file>/usr/local/pkg/zabbix-lts.inc</include_file>
+ <version>0.8.5</version>
+ <include_file>/usr/local/pkg/zabbix-agent-lts.inc</include_file>
<addedit_string>Zabbix Agent LTS has been created/modified.</addedit_string>
<delete_string>Zabbix Agent LTS has been deleted.</delete_string>
- <restart_command>/usr/local/etc/rc.d/zabbix_agentd_lts.sh restart</restart_command>
<additional_files_needed>
- <item>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-lts.inc</item>
+ <item>https://packages.pfsense.org/packages/config/zabbix-agent-lts/zabbix-agent-lts.inc</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
@@ -168,12 +167,12 @@
<description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l</description>
</field>
</fields>
- <custom_php_install_command>sync_package_zabbix_lts();</custom_php_install_command>
+ <custom_php_install_command>sync_package_zabbix_agent_lts();</custom_php_install_command>
<custom_php_command_before_form></custom_php_command_before_form>
<custom_php_after_head_command></custom_php_after_head_command>
<custom_php_after_form_command></custom_php_after_form_command>
- <custom_php_validation_command>validate_input_zabbix_lts($_POST, $input_errors);</custom_php_validation_command>
+ <custom_php_validation_command>validate_input_zabbix_agent_lts($_POST, $input_errors);</custom_php_validation_command>
<custom_add_php_command></custom_add_php_command>
- <custom_php_resync_config_command>sync_package_zabbix_lts();</custom_php_resync_config_command>
+ <custom_php_resync_config_command>sync_package_zabbix_agent_lts();</custom_php_resync_config_command>
<custom_php_deinstall_command>php_deinstall_zabbix_agent_lts();</custom_php_deinstall_command>
</packagegui>
diff --git a/config/zabbix-proxy-lts/zabbix-proxy-lts.inc b/config/zabbix-proxy-lts/zabbix-proxy-lts.inc
new file mode 100644
index 00000000..bc9864f4
--- /dev/null
+++ b/config/zabbix-proxy-lts/zabbix-proxy-lts.inc
@@ -0,0 +1,237 @@
+<?php
+/* $Id$ */
+/* ========================================================================== */
+/*
+ zabbix-proxy-lts.inc
+ part of the Zabbix package for pfSense
+ Copyright (C) 2013 Danilo G. Baio
+ Copyright (C) 2013 Marcello Coutinho
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+require_once("util.inc");
+require_once("functions.inc");
+require_once("pkg-utils.inc");
+require_once("globals.inc");
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version == "2.1" || $pf_version == "2.2") {
+ define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m"));
+} else {
+ define('ZABBIX_PROXY_BASE', '/usr/local');
+}
+
+function php_install_zabbix_proxy_lts(){
+ sync_package_zabbix_proxy_lts();
+}
+
+function php_deinstall_zabbix_proxy_lts(){
+ global $config, $g;
+
+ conf_mount_rw();
+
+ exec("/usr/bin/killall zabbix_proxy");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix_proxy_lts.sh");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy_lts.conf");
+ unlink_if_exists("/var/log/zabbix-proxy-lts/zabbix_proxy_lts.log");
+ unlink_if_exists("/var/run/zabbix-proxy-lts/zabbix_proxy_lts.pid");
+
+ if (is_dir("/var/log/zabbix-proxy-lts")) {
+ exec("/bin/rm -r /var/log/zabbix-proxy-lts/");
+ }
+ if (is_dir("/var/run/zabbix-proxy-lts")) {
+ exec("/bin/rm -r /var/run/zabbix-proxy-lts/");
+ }
+ if (is_dir("/var/db/zabbix-proxy-lts")) {
+ exec("/bin/rm -r /var/db/zabbix-proxy-lts/");
+ }
+
+ conf_mount_ro();
+}
+
+function validate_input_zabbix_proxy_lts($post, &$input_errors){
+ if (isset($post['proxyenabled'])) {
+ if (!preg_match("/\w+/", $post['server'])) {
+ $input_errors[]='Server field is required.';
+ }
+
+ if (!is_numericint($post['serverport'])) {
+ $input_errors[]='Server Port is not numeric.'.$ServerPort;
+ }
+
+ if (!preg_match("/\w+/", $post['hostname'])) {
+ $input_errors[]='Hostname field is required.';
+ }
+
+ if (!is_numericint($post['configfrequency'])) {
+ $input_errors[]='Config Frequency is not numeric.';
+ }
+ }
+}
+
+function sync_package_zabbix_proxy_lts(){
+ global $config, $g;
+
+ conf_mount_rw();
+
+ #check zabbix proxy config
+ if (is_array($config['installedpackages']['zabbixproxylts'])){
+ $zbproxy_config = $config['installedpackages']['zabbixproxylts']['config'][0];
+ if ($zbproxy_config['proxyenabled']=="on"){
+ $Mode=(is_numericint($zbproxy_config['proxymode'])?$zbproxy_config['proxymode'] : 0);
+ $AdvancedParams=base64_decode($zbproxy_config['advancedparams']);
+
+ $zbproxy_conf_file = <<< EOF
+Server={$zbproxy_config['server']}
+ServerPort={$zbproxy_config['serverport']}
+Hostname={$zbproxy_config['hostname']}
+PidFile=/var/run/zabbix-proxy-lts/zabbix_proxy_lts.pid
+DBName=/var/db/zabbix-proxy-lts/proxy.db
+LogFile=/var/log/zabbix-proxy-lts/zabbix_proxy_lts.log
+ConfigFrequency={$zbproxy_config['configfrequency']}
+FpingLocation=/usr/local/sbin/fping
+#there's currently no fping6 (IPv6) dependency in the package, but if there was, the binary would likely also be in /usr/local/sbin
+Fping6Location=/usr/local/sbin/fping6
+ProxyMode={$Mode}
+{$AdvancedParams}
+
+EOF;
+ file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
+ }
+ }
+
+ $want_sysctls = array(
+ 'kern.ipc.shmall' => '2097152',
+ 'kern.ipc.shmmax' => '2147483648',
+ 'kern.ipc.semmsl' => '250'
+ );
+ $sysctls = array();
+ #check sysctl file values
+ $sc_file="";
+ if (file_exists("/etc/sysctl.conf")) {
+ $sc = file("/etc/sysctl.conf");
+ foreach ($sc as $line) {
+ list($sysk, $sysv) = explode("=", $line, 2);
+ if (preg_match("/\w/",$line) && !array_key_exists($sysk, $want_sysctls))
+ $sc_file.=$line;
+ }
+ }
+ foreach ($want_sysctls as $ws=> $wv) {
+ $sc_file .= "{$ws}={$wv}\n";
+ exec("/sbin/sysctl {$ws}={$wv}");
+ }
+ file_put_contents("/etc/sysctl.conf", $sc_file);
+
+ #check bootloader values
+ $lt_file="";
+ $want_tunables = array(
+ 'kern.ipc.semopm' => '100',
+ 'kern.ipc.semmni' => '128',
+ 'kern.ipc.semmns' => '32000',
+ 'kern.ipc.shmmni' => '4096'
+ );
+ $tunables = array();
+ if (file_exists("/boot/loader.conf")) {
+ $lt = file("/boot/loader.conf");
+ foreach ($lt as $line) {
+ list($tunable, $val) = explode("=", $line, 2);
+ if (preg_match("/\w/",$line) && !array_key_exists($tunable, $want_tunables))
+ $lt_file.=$line;
+ }
+ }
+ foreach ($want_tunables as $wt => $wv) {
+ $lt_file.= "{$wt}={$wv}\n";
+ }
+ file_put_contents("/boot/loader.conf", $lt_file);
+
+ /*check startup script files*/
+ /* create a few directories and ensure the sample files are in place */
+ if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22"))
+ exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22");
+
+ $dir_checks = <<< EOF
+
+ if [ ! -d /var/log/zabbix-proxy-lts ]; then
+ /bin/mkdir -p /var/log/zabbix-proxy-lts
+ /usr/sbin/chmod 755 /var/log/zabbix-proxy-lts
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/log/zabbix-proxy-lts
+
+ if [ ! -d /var/run/zabbix-proxy-lts ]; then
+ /bin/mkdir -p /var/run/zabbix-proxy-lts
+ /usr/sbin/chmod 755 /var/run/zabbix-proxy-lts
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/run/zabbix-proxy-lts
+
+ if [ ! -d /var/db/zabbix-proxy-lts ]; then
+ /bin/mkdir -p /var/db/zabbix-proxy-lts
+ /usr/sbin/chmod 755 /var/db/zabbix-proxy-lts
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/db/zabbix-proxy-lts
+
+EOF;
+
+ $pid_check = <<< EOF
+
+ /bin/pgrep -anx zabbix_proxy 2>/dev/null
+ if [ "\$?" -eq "0" ]; then
+ /usr/bin/killall -9 zabbix_proxy
+ /bin/rm -f /var/run/zabbix-proxy-lts/zabbix_proxy_lts.pid
+ fi
+
+EOF;
+
+ $zproxy_rcfile="/usr/local/etc/rc.d/zabbix_proxy_lts.sh";
+ if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled']=="on"){
+ $zproxy_start = strtr($dir_checks, array("\r" => ""));
+ $zproxy_start .= "\techo \"Starting Zabbix Proxy LTS\"...\n";
+ $zproxy_start .= "\t" . ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n";
+
+ $zproxy_stop = "echo \"Stopping Zabbix Proxy LTS\"\n";
+ $zproxy_stop .= "\t/usr/bin/killall zabbix_proxy\n";
+ $zproxy_stop .= "\t/bin/sleep 5\n";
+ $zproxy_stop .= strtr($pid_check, array("\r" => ""));
+
+ /* write out rc.d start/stop file */
+ write_rcfile(array(
+ "file" => "zabbix_proxy_lts.sh",
+ "start" => $zproxy_start,
+ "stop" => $zproxy_stop
+ )
+ );
+ mwexec("{$zproxy_rcfile} restart");
+ }else{
+ if (file_exists($zproxy_rcfile)){
+ mwexec("{$zproxy_rcfile} stop");
+ unlink($zproxy_rcfile);
+ }
+ }
+
+ conf_mount_ro();
+}
+
+?>
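Review bot: php_deinstall_zabbix_proxy_lts removes files at paths that sync_package_zabbix_proxy_lts never writes: the rc script is written by write_rcfile to `/usr/local/etc/rc.d/zabbix_proxy_lts.sh` and the daemon config to `ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf"`, but deinstall unlinks `ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix_proxy_lts.sh"` and `.../zabbix_proxy_lts.conf`, so on 2.1/2.2 (where the base is the PBI prefix) both files survive package removal and the rc script keeps starting the proxy at boot; the two `unlink_if_exists` calls should use `"/usr/local/etc/rc.d/zabbix_proxy_lts.sh"` and `ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf"`. In validate_input_zabbix_proxy_lts the message `'Server Port is not numeric.'.$ServerPort` concatenates an undefined variable; drop the suffix. The `Server=` and `Hostname=` lines of the generated config interpolate the form values after only a `/\w+/` check, which accepts a value containing whitespace or a newline and so lets one submitted field add further directives to zabbix_proxy.conf; validate `server` with is_ipaddr/is_hostname (or an anchored pattern) and reject whitespace in `hostname`. /etc/sysctl.conf and /boot/loader.conf are rewritten in place with file_put_contents, so a write that fails part-way leaves a truncated loader.conf; writing to a temporary file and renaming over the original is safer.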
diff --git a/config/zabbix-lts/zabbix-proxy-lts.xml b/config/zabbix-proxy-lts/zabbix-proxy-lts.xml
index de9f1e1c..15111aa5 100644
--- a/config/zabbix-lts/zabbix-proxy-lts.xml
+++ b/config/zabbix-proxy-lts/zabbix-proxy-lts.xml
@@ -41,13 +41,12 @@
<name>zabbixproxylts</name>
<title>Services: Zabbix Proxy LTS</title>
<category>Monitoring</category>
- <version>0.8.3</version>
- <include_file>/usr/local/pkg/zabbix-lts.inc</include_file>
+ <version>0.8.5</version>
+ <include_file>/usr/local/pkg/zabbix-proxy-lts.inc</include_file>
<addedit_string>Zabbix Proxy has been created/modified.</addedit_string>
<delete_string>Zabbix Proxy has been deleted.</delete_string>
- <restart_command>/usr/local/etc/rc.d/zabbix_proxy_lts.sh restart</restart_command>
<additional_files_needed>
- <item>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-lts.inc</item>
+ <item>https://packages.pfsense.org/packages/config/zabbix-proxy-lts/zabbix-proxy-lts.inc</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
@@ -139,12 +138,12 @@
<description>Advanced parameters. There are some rarely used parameters that sometimes need to be defined. Value has form, example: StartDiscoverers=10</description>
</field>
</fields>
- <custom_php_install_command>sync_package_zabbix_lts();</custom_php_install_command>
+ <custom_php_install_command>sync_package_zabbix_proxy_lts();</custom_php_install_command>
<custom_php_command_before_form></custom_php_command_before_form>
<custom_php_after_head_command></custom_php_after_head_command>
<custom_php_after_form_command></custom_php_after_form_command>
- <custom_php_validation_command>validate_input_zabbix_lts($_POST, $input_errors);</custom_php_validation_command>
+ <custom_php_validation_command>validate_input_zabbix_proxy_lts($_POST, $input_errors);</custom_php_validation_command>
<custom_add_php_command></custom_add_php_command>
- <custom_php_resync_config_command>sync_package_zabbix_lts();</custom_php_resync_config_command>
+ <custom_php_resync_config_command>sync_package_zabbix_proxy_lts();</custom_php_resync_config_command>
<custom_php_deinstall_command>php_deinstall_zabbix_proxy_lts();</custom_php_deinstall_command>
</packagegui>
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index 176d3d43..3d977045 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -2,7 +2,7 @@
<!-- pfSense packages -->
<pfsensepkgs>
<copy_packages_to_host_ssh_port>22</copy_packages_to_host_ssh_port>
-<copy_packages_to_host_ssh>packagecopy@files.pfsense.org</copy_packages_to_host_ssh>
+<copy_packages_to_host_ssh>packagecopy@files.atx.pfsense.org</copy_packages_to_host_ssh>
<copy_packages_to_folder_ssh>/usr/local/www/files/packages/10/All/</copy_packages_to_folder_ssh>
<depends_on_package_base_url>https://files.pfsense.org/packages/10/All/</depends_on_package_base_url>
<packages>
@@ -49,6 +49,7 @@
<maintainer>marcellocoutinho@gmail.com robreg@zsurob.hu</maintainer>
<configurationfile>asterisk.xml</configurationfile>
<after_install_info>Please visit the Asterisk tab on status menu.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>bind</name>
@@ -69,6 +70,7 @@
<port>dns/bind99</port>
</build_pbi>
<build_options>bind_UNSET_FORCE=IDN REPLACE_BASE FIXED_RRSET GSSAPI LARGE_FILE;bind_SET_FORCE=IPV6 LINKS SSL THREADS XML DLZ_FILESYSTEM FILTER_AAAA SIGCHASE RRL</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Filer</name>
@@ -82,6 +84,7 @@
<required_version>2.2</required_version>
<maintainer>bscholer@cshl.edu</maintainer>
<configurationfile>filer.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Strikeback</name>
@@ -125,7 +128,7 @@
<category>Firewall</category>
<pkginfolink>https://forum.pfsense.org/index.php?topic=86212.0</pkginfolink>
<config_file>https://packages.pfsense.org/packages/config/pfblockerng/pfblockerng.xml</config_file>
- <version>1.08</version>
+ <version>1.09</version>
<status>Stable</status>
<required_version>2.2</required_version>
<maintainer>BBCan177@gmail.com</maintainer>
@@ -158,7 +161,7 @@
<conflicts>haproxy-devel</conflicts>
<depends_on_package_pbi>haproxy-devel-1.5.11-##ARCH##.pbi</depends_on_package_pbi>
<build_pbi>
- <ports_before>security/openssl</ports_before>
+ <ports_before>security/openssl lang/lua53</ports_before>
<custom_name>haproxy-devel</custom_name>
<port>net/haproxy</port>
</build_pbi>
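Review bot: `lang/lua53` is added to `<ports_before>` of the package entry that declares `<conflicts>haproxy-devel</conflicts>`, while the `LUA` build option is added to the haproxy-devel entry in the next hunk, whose `<ports_before>` stays `security/openssl`; it looks as though the lua53 port belongs with the LUA option, i.e. the haproxy-devel entry should read `<ports_before>security/openssl lang/lua53</ports_before>` (assuming this first entry's build does not itself enable LUA). Both entries still point at the same `haproxy-devel-1.5.11-##ARCH##.pbi`, which may be intentional but is worth confirming now that one builds from `net/haproxy` and the other from `net/haproxy-devel`.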
@@ -172,21 +175,21 @@
Supports ACLs for smart backend switching.]]></descr>
<website>http://haproxy.1wt.eu/</website>
<category>Services</category>
- <version>0.23</version>
+ <version>0.26</version>
<status>Release</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml</config_file>
<configurationfile>haproxy.xml</configurationfile>
- <run_depends>sbin/haproxy:net/haproxy</run_depends>
+ <run_depends>sbin/haproxy:net/haproxy-devel</run_depends>
<port_category>net</port_category>
<conflicts>haproxy</conflicts>
<depends_on_package_pbi>haproxy-devel-1.5.11-##ARCH##.pbi</depends_on_package_pbi>
<build_pbi>
<ports_before>security/openssl</ports_before>
<custom_name>haproxy-devel</custom_name>
- <port>net/haproxy</port>
+ <port>net/haproxy-devel</port>
</build_pbi>
- <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE</build_options>
+ <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE LUA</build_options>
</package>
<package>
<name>Apache with mod_security-dev</name>
@@ -198,7 +201,7 @@
In addition this package allows URL forwarding which can be convenient for hosting multiple websites behind pfSense using 1 IP address.<br>
<b>Backup your location config before updating from 0.2.x to 0.3 package version.</b>]]></descr>
<category>Network Management</category>
- <version>0.43</version>
+ <version>0.44</version>
<status>ALPHA</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/apache_mod_security-dev/apache_virtualhost.xml</config_file>
@@ -216,6 +219,7 @@
</build_pbi>
<build_options>apache24_UNSET_FORCE=MPM_PREFORK;apache24_SET_FORCE=MPM_EVENT SLOTMEM_SHM MOST_ENABLED_MODULES MPM_SHARED SESSION_ENABLED_MODULES PROXY_ENABLED_MODULES SESSION_ENABLED_MODULES;mod_security_SET_FORCE=MLOGC</build_options>
<after_install_info>Please visit the ProxyServer settings tab and set the service up so that it may be started.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Proxy Server with mod_security</name>
@@ -258,7 +262,7 @@
<ports_after>net/avahi-app devel/dbus</ports_after>
</build_pbi>
<depends_on_package_pbi>avahi-0.6.31-##ARCH##.pbi</depends_on_package_pbi>
- <version>v1.09</version>
+ <version>1.09</version>
<status>BETA</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/avahi/avahi.xml</config_file>
@@ -289,12 +293,14 @@
<website>http://www.ntop.org/</website>
<descr>ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.</descr>
<category>Network Management</category>
+ <port_category>net</port_category>
+ <run_depends>bin/ntopng:net/ntopng bin/redis-cli:databases/redis bin/gdbmtool:databases/gdbm share/fonts/webfonts/arial.ttf:x11-fonts/webfonts bin/acyclic:graphics/graphviz</run_depends>
<depends_on_package_pbi>ntopng-1.2.1-##ARCH##.pbi</depends_on_package_pbi>
<build_pbi>
<ports_before>databases/redis databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz</ports_before>
<port>net/ntopng</port>
</build_pbi>
- <version>1.2.1 v0.5</version>
+ <version>0.7</version>
<status>ALPHA</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/ntopng/ntopng.xml</config_file>
@@ -326,6 +332,7 @@
<status>Stable</status>
<required_version>2.2</required_version>
<configurationfile>tftp.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>PHPService</name>
@@ -348,7 +355,7 @@
<category>System</category>
<pkginfolink></pkginfolink>
<config_file>https://packages.pfsense.org/packages/config/backup/backup.xml</config_file>
- <version>0.1.6</version>
+ <version>0.1.7</version>
<status>Beta</status>
<required_version>2.2</required_version>
<maintainer>markjcrane@gmail.com</maintainer>
@@ -390,14 +397,14 @@
<category>Security</category>
<run_depends>bin/snort:security/snort</run_depends>
<port_category>security</port_category>
- <depends_on_package_pbi>snort-2.9.7.2-##ARCH##.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>snort-2.9.7.3-##ARCH##.pbi</depends_on_package_pbi>
<build_pbi>
<port>security/snort</port>
<ports_after>security/barnyard2</ports_after>
</build_pbi>
<build_options>barnyard2_UNSET_FORCE=ODBC PGSQL PRELUDE;barnyard2_SET_FORCE=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET_FORCE=BARNYARD PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET_FORCE=PULLEDPORK FILEINSPECT HA</build_options>
<config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
- <version>3.2.4</version>
+ <version>3.2.6</version>
<required_version>2.2</required_version>
<status>Stable</status>
<configurationfile>/snort.xml</configurationfile>
@@ -419,6 +426,7 @@
<status>Stable</status>
<required_version>2.2</required_version>
<configurationfile>olsrd.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>routed</name>
@@ -452,6 +460,7 @@
<facilityname>spamd</facilityname>
<logfilename>spamd.log</logfilename>
</logging>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Postfix Forwarder</name>
@@ -474,6 +483,7 @@
<port>mail/postfix</port>
</build_pbi>
<build_options>postfix_SET_FORCE=PCRE SASL2 SPF TLS</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Dansguardian</name>
@@ -521,6 +531,7 @@
<ports_after>shells/bash mail/pyzor mail/dcc-dccd security/clamav mail/spamassassin</ports_after>
</build_pbi>
<build_options>mailscanner_UNSET_FORCE=BDC CLAMAVMODULE;mailscanner_SET_FORCE=SPAMASSASSIN CLAMAV;spamassassin_SET_FORCE=DCC</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>siproxd</name>
@@ -535,7 +546,7 @@
<build_pbi>
<port>net/siproxd</port>
</build_pbi>
- <version>1.0.3</version>
+ <version>1.0.4</version>
<status>Beta</status>
<required_version>2.2</required_version>
<configurationfile>siproxd.xml</configurationfile>
@@ -547,10 +558,11 @@
<config_file>https://packages.pfsense.org/packages/config/openbgpd/openbgpd.xml</config_file>
<port_category>net</port_category>
<run_depends>sbin/bgpctl:net/openbgpd</run_depends>
+ <conflicts>Quagga_OSPF</conflicts>
<build_pbi>
<port>net/openbgpd</port>
</build_pbi>
- <version>0.9.3_1</version>
+ <version>0.9.3_3</version>
<status>STABLE</status>
<pkginfolink>https://doc.pfsense.org/index.php/OpenBGPD_package</pkginfolink>
<required_version>2.2</required_version>
@@ -562,7 +574,7 @@
<descr>High performance web proxy report (LightSquid). Proxy realtime stat (SQStat). Requires squid HTTP proxy.</descr>
<website>http://lightsquid.sf.net/</website>
<category>Network Report</category>
- <version>2.39</version>
+ <version>2.41</version>
<maintainer>dv_serg@mail.ru</maintainer>
<port_category>www</port_category>
<run_depends>libexec/lightsquid/ip2name.list:www/lightsquid</run_depends>
@@ -599,6 +611,7 @@
</build_pbi>
<build_options>sarg_UNSET_FORCE=PHP</build_options>
<after_install_info>Please visit sarg settings on Status Menu to configure sarg.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Ipguard-dev</name>
@@ -621,6 +634,7 @@
<port>security/ipguard</port>
</build_pbi>
<after_install_info>Please visit ipguard settings on the Firewall Menu to configure.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Varnish3</name>
@@ -644,6 +658,7 @@
<ports_after>lang/gcc</ports_after>
</build_pbi>
<build_options>gcc_UNSET_FORCE=JAVA</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>vnstat2</name>
@@ -657,20 +672,21 @@
<build_pbi>
<port>net/vnstat</port>
</build_pbi>
- <version>1.12_3</version>
+ <version>1.12_4</version>
<status>Stable</status>
<required_version>2.2</required_version>
<maintainer>crazypark2@yahoo.dk</maintainer>
<config_file>https://packages.pfsense.org/packages/config/vnstat2/vnstat2.xml</config_file>
<configurationfile>vnstat2.xml</configurationfile>
<after_install_info></after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>dns-server</name>
<descr>pfSense version of TinyDNS which features failover host support</descr>
<website>http://cr.yp.to/djbdns.html</website>
<category>Services</category>
- <version>1.0.6.21</version>
+ <version>1.0.6.22</version>
<status>Beta</status>
<pkginfolink>https://doc.pfsense.org/index.php/Tinydns_package</pkginfolink>
<required_version>2.2</required_version>
@@ -684,6 +700,7 @@
<port>dns/djbdns</port>
</build_pbi>
<build_options>ucspi-tcp_SET_FORCE=IPV6;djbdns_SET_FORCE=SRV;djbdns_UNSET_FORCE=DUMPCACHE IGNOREIP JUMBO PERSISTENT_MMAP</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Open-VM-Tools</name>
@@ -771,6 +788,7 @@
<build_pbi>
<port>net-im/imspector</port>
</build_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>nut</name>
@@ -789,6 +807,7 @@
<port>sysutils/nut</port>
</build_pbi>
<pkginfolink>https://doc.pfsense.org/index.php/Nut_package</pkginfolink>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>diag_new_states</name>
@@ -801,6 +820,7 @@
<status>BETA</status>
<config_file>https://packages.pfsense.org/packages/config/diag_states_pt/diag_new_states.xml</config_file>
<configurationfile>https://packages.pfsense.org/packages/config/diag_states_pt/diag_new_states.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>darkstat</name>
@@ -826,16 +846,16 @@
<descr>pfflowd converts OpenBSD PF status messages (sent via the pfsync interface) to Cisco NetFlow datagrams. These datagrams may be sent (via UDP) to a host of one's choice. Utilising the OpenBSD stateful packet filter infrastructure means that flow tracking is very fast and accurate.</descr>
<category>Network Management</category>
<config_file>https://packages.pfsense.org/packages/config/pfflowd/pfflowd.xml</config_file>
- <depends_on_package_pbi>pfflowd-0.8-##ARCH##.pbi</depends_on_package_pbi>
- <version>1.0.2</version>
+ <depends_on_package_pbi>pfflowd-0.8_1-##ARCH##.pbi</depends_on_package_pbi>
+ <version>1.0.3</version>
<status>Stable</status>
<required_version>2.2</required_version>
<configurationfile>pfflowd.xml</configurationfile>
<port_category>net</port_category>
- <run_depends>sbin/pfflowd:net/pfflowd-0.8</run_depends>
+ <run_depends>sbin/pfflowd:net/pfflowd</run_depends>
<build_pbi>
<custom_name>pfflowd</custom_name>
- <port>net/pfflowd-0.8</port>
+ <port>net/pfflowd</port>
</build_pbi>
</package>
<package>
@@ -855,6 +875,7 @@
<build_pbi>
<port>net/widentd</port>
</build_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>freeradius2</name>
@@ -865,7 +886,7 @@
On pfSense docs there is a how-to which could help you on porting users.]]></descr>
<pkginfolink>https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
<category>System</category>
- <version>1.6.12</version>
+ <version>1.6.14</version>
<status>RC1</status>
<required_version>2.2</required_version>
<maintainer>nachtfalkeaw@web.de</maintainer>
@@ -901,14 +922,15 @@
<port>net-mgmt/bandwidthd</port>
</build_pbi>
<build_options>libgd_UNSET_FORCE=FONTCONFIG XPM</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>stunnel</name>
<website>http://www.stunnel.org/</website>
<descr>An SSL encryption wrapper between remote client and local or remote servers. </descr>
<category>Network Management</category>
- <depends_on_package_pbi>stunnel-5.07-##ARCH##.pbi</depends_on_package_pbi>
- <version>5.07</version>
+ <depends_on_package_pbi>stunnel-5.20-##ARCH##.pbi</depends_on_package_pbi>
+ <version>5.20</version>
<status>Stable</status>
<pkginfolink>https://doc.pfsense.org/index.php/Stunnel_package</pkginfolink>
<required_version>2.2</required_version>
@@ -920,6 +942,7 @@
<port>security/stunnel</port>
</build_pbi>
<build_options>stunnel_SET_FORCE=PTHREAD LIBWRAP;stunnel_UNSET_FORCE=FORK UCONTEXT IPV6</build_options>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>iperf</name>
@@ -955,6 +978,7 @@
<build_pbi>
<port>benchmarks/netio</port>
</build_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>mtr-nox11</name>
@@ -993,6 +1017,7 @@
<build_options>squid_UNSET_FORCE=DNS_HELPER IPFILTER PINGER STACKTRACES STRICT_HTTP_DESC USERAGENT_LOG WCCPV2;squid_SET_FORCE=PF LDAP_AUTH NIS_AUTH SASL_AUTH ARP_ACL AUFS CACHE_DIGESTS CARP COSS DELAY_POOLS FOLLOW_XFF HTCP IDENT KERB_AUTH KQUEUE LARGEFILE REFERER_LOG SNMP SSL VIA_DB WCCP;SQUID_UID=proxy;SQUID_GID=proxy</build_options>
<config_file>https://packages.pfsense.org/packages/config/squid/squid.xml</config_file>
<configurationfile>squid.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>squid3</name>
@@ -1003,10 +1028,12 @@
<pkginfolink>https://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Network</category>
- <version>3.4.10_2 pkg 0.2.8</version>
+ <version>0.2.8</version>
<status>beta</status>
<required_version>2.2</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
+ <run_depends>sbin/squid:www/squid libexec/squid/squid_radius_auth:www/squid_radius_auth lib/c_icap/virus_scan.so:www/c-icap-modules lib/c_icap/squidclamav.so:www/squidclamav</run_depends>
+ <port_category>www</port_category>
<build_pbi>
<ports_before>www/libwww security/cyrus-sasl2</ports_before>
<port>www/squid</port>
@@ -1060,6 +1087,7 @@
</build_pbi>
<build_options>lcdproc_SET_FORCE=USB</build_options>
<after_install_info>Please set the service options in Services-LCDproc before running the service.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>arpwatch</name>
@@ -1123,11 +1151,14 @@
</package>
<package>
<name>OpenVPN Client Export Utility</name>
+ <internal_name>openvpn-client-export</internal_name>
<descr>Allows a pre-configured OpenVPN Windows Client or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.</descr>
<category>Security</category>
<depends_on_package_pbi>zip-3.0_1-##ARCH##.pbi p7zip-9.20.1_2-##ARCH##.pbi</depends_on_package_pbi>
<build_port_path>/usr/ports/archivers/p7zip</build_port_path>
<build_port_path>/usr/ports/archivers/zip</build_port_path>
+ <port_category>security</port_category>
+ <run_depends>share/openvpn/client-export/template/config-import:security/openvpn-client-export bin/zip:archivers/zip bin/7z:archivers/p7zip</run_depends>
<version>1.2.16</version>
<status>RELEASE</status>
<required_version>2.2</required_version>
@@ -1153,6 +1184,7 @@
<configurationfile>havp.xml</configurationfile>
<maintainer>dv_serg@mail.ru</maintainer>
<after_install_info>Please check the HAVP settings.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>blinkled</name>
@@ -1166,6 +1198,8 @@
<configurationfile>blinkled.xml</configurationfile>
<pkginfolink>https://doc.pfsense.org/index.php/BlinkLED_Package</pkginfolink>
<website>https://doc.pfsense.org/index.php/BlinkLED_Package</website>
+ <port_category>sysutils</port_category>
+ <run_depends>bin/blinkled:sysutils/blinkled</run_depends>
<build_pbi>
<port>sysutils/blinkled</port>
</build_pbi>
@@ -1178,6 +1212,7 @@
<version>0.2.1</version>
<status>Beta</status>
<maintainer>jimp@pfsense.org</maintainer>
+ <port_category>sysutils</port_category>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/gwled/gwled.xml</config_file>
<configurationfile>gwled.xml</configurationfile>
@@ -1191,6 +1226,7 @@
<status>BETA</status>
<required_version>2.2</required_version>
<configurationfile>widget-havp.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Dashboard Widget: Antivirus Status</name>
@@ -1201,14 +1237,17 @@
<status>BETA</status>
<required_version>2.2</required_version>
<configurationfile>widget-havp.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>RRD Summary</name>
+ <internal_name>RRD_Summary</internal_name>
<descr>RRD Summary Page, which will give a total amount of traffic passed In/Out during this and the previous month.</descr>
<category>System</category>
<version>1.1</version>
<status>Beta</status>
<maintainer>jimp@pfsense.org</maintainer>
+ <port_category>sysutils</port_category>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/rrd-summary/rrd-summary.xml</config_file>
<configurationfile>rrd-summary.xml</configurationfile>
@@ -1243,6 +1282,7 @@
<required_version>2.2</required_version>
<maintainer>erik@erikkristensen.com</maintainer>
<configurationfile>nrpe2.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Check_mk agent</name>
@@ -1255,11 +1295,12 @@
<port>sysutils/muse</port>
</build_pbi>
<config_file>https://packages.pfsense.org/packages/config/checkmk-agent/checkmk.xml</config_file>
- <version>v0.1.2</version>
+ <version>0.1.3</version>
<status>RC1</status>
<required_version>2.2</required_version>
<maintainer>marcellocoutinho@gmail.com</maintainer>
<configurationfile>checkmk.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>SSHDCond</name>
@@ -1272,26 +1313,32 @@
<config_file>https://packages.pfsense.org/packages/config/sshdcond/sshdcond.xml</config_file>
<maintainer>namezero@afim.info</maintainer>
<configurationfile>sshdcond.xml</configurationfile>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>mailreport</name>
<descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr>
<category>Network Management</category>
- <version>2.3</version>
+ <version>2.3_1</version>
<status>Stable</status>
+ <port_category>mail</port_category>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/mailreport/mailreport.xml</config_file>
<configurationfile>mailreport.xml</configurationfile>
</package>
<package>
<name>Quagga OSPF</name>
+ <internal_name>Quagga_OSPF</internal_name>
<descr>OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenBGPD. Installing both will break things.</descr>
<maintainer>jimp@pfsense.org</maintainer>
- <version>0.99.22.3.1_2 v0.6.5</version>
+ <version>0.6.5</version>
<category>Routing</category>
<status>BETA</status>
<depends_on_package_pbi>quagga-0.99.23.1_2-##ARCH##.pbi</depends_on_package_pbi>
<config_file>https://packages.pfsense.org/packages/config/quagga_ospfd/quagga_ospfd.xml</config_file>
+ <port_category>net</port_category>
+ <run_depends>sbin/watchquagga:net/quagga</run_depends>
+ <conflicts>OpenBGPD</conflicts>
<build_pbi>
<port>net/quagga</port>
</build_pbi>
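Review bot: `<conflicts>OpenBGPD</conflicts>` is declared only on the Quagga OSPF side, while the descr just above warns that both packages install files to the same place; unless the OpenBGPD entry carries a reciprocal `<conflicts>Quagga_OSPF</conflicts>` (or whichever value the conflict check matches on), installing OpenBGPD after Quagga would presumably still go through and overwrite the shared files. The OpenBGPD package entry is not part of this diff, so that cannot be confirmed here. It is also worth confirming whether `<conflicts>` is matched against `<name>` or the new `<internal_name>`, since the two differ for most packages touched in this commit and `OpenBGPD` is written here as a display name.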
@@ -1301,12 +1348,14 @@
</package>
<package>
<name>System Patches</name>
+ <internal_name>System_Patches</internal_name>
<descr>A package to apply and maintain custom system patches.</descr>
<maintainer>jimp@pfsense.org</maintainer>
<version>1.0.3</version>
<category>System</category>
<status>RELEASE</status>
<config_file>https://packages.pfsense.org/packages/config/systempatches/systempatches.xml</config_file>
+ <port_category>sysutils</port_category>
<pkginfolink></pkginfolink>
<required_version>2.2</required_version>
<configurationfile>systempatches.xml</configurationfile>
@@ -1328,9 +1377,9 @@
<maintainer>marcioc.antao@gmail.com</maintainer>
<configurationfile>bacula-client.xml</configurationfile>
<after_install_info>Please visit the bacula client tab on services menu.</after_install_info>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
- <!-- This does not exist yet, this is here to trigger a PBI build -->
<name>urlsnarf</name>
<pkginfolink>https://forum.pfsense.org/</pkginfolink>
<descr><![CDATA[HTTP URL Sniffer (console/shell only)]]></descr>
@@ -1346,9 +1395,9 @@
<port>security/dsniff</port>
</build_pbi>
<depends_on_package_pbi>dsniff-2.4b1-##ARCH##.pbi</depends_on_package_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
- <!-- This does not exist yet, this is here to trigger a PBI build -->
<name>iftop</name>
<pkginfolink>https://forum.pfsense.org/</pkginfolink>
<descr><![CDATA[Realtime interface monitor (console/shell only)]]></descr>
@@ -1359,13 +1408,14 @@
<config_file>https://packages.pfsense.org/packages/config/iftop/iftop.xml</config_file>
<maintainer>jimp@pfsense.org</maintainer>
<configurationfile>iftop.xml</configurationfile>
+ <port_category>net-mgmt</port_category>
+ <run_depends>sbin/iftop:net-mgmt/iftop</run_depends>
<build_pbi>
<port>net-mgmt/iftop</port>
</build_pbi>
<depends_on_package_pbi>iftop-0.17-##ARCH##.pbi</depends_on_package_pbi>
</package>
<package>
- <!-- This does not exist yet, this is here to trigger a pkg build -->
<name>git</name>
<pkginfolink>https://forum.pfsense.org/</pkginfolink>
<descr><![CDATA[GIT Source Code Management (console/shell only)]]></descr>
@@ -1377,10 +1427,13 @@
<maintainer>jimp@pfsense.org</maintainer>
<configurationfile>git.xml</configurationfile>
<build_options>git_UNSET_FORCE=GITWEB GUI HTMLDOCS CVS P4 SVN;git_SET_FORCE=CONTRIB CURL ETCSHELLS ICONV NLS PERL</build_options>
+ <port_category>devel</port_category>
+ <run_depends>bin/git:devel/git-lite</run_depends>
<build_pbi>
<port>devel/git</port>
</build_pbi>
<depends_on_package_pbi>git-2.2.1-##ARCH##.pbi</depends_on_package_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>tinc</name>
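Review bot: The new `<run_depends>bin/git:devel/git-lite</run_depends>` names a different port origin than the `<build_pbi>` block two lines below, which still builds `devel/git` with the `git_UNSET_FORCE=…` options. If the lite flavour is deliberate for the pkg-based build (it roughly matches the disabled GITWEB/GUI/HTMLDOCS/CVS/P4/SVN options), a one-line XML comment next to the run_depends saying so would keep the next maintainer from "fixing" one side to match the other; otherwise one of the two origins should be changed so both build paths install the same package. The same origin mismatch does not appear in the other run_depends additions in this file, which all reuse the build_pbi port.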
@@ -1402,16 +1455,19 @@
<logfilename>tinc.log</logfilename>
<logtab>tinc</logtab>
</logging>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>syslog-ng</name>
<website>http://www.balabit.com/network-security/syslog-ng/</website>
<descr>Syslog-ng syslog server. This service is not intended to replace the default pfSense syslog server but rather acts as an independent syslog server.</descr>
<category>Services</category>
- <version>3.6.2_3 pkg.v.1.0.6</version>
+ <version>1.0.6</version>
<status>ALPHA</status>
<required_version>2.2</required_version>
<depends_on_package_pbi>syslog-ng-3.6.2_3-##ARCH##.pbi</depends_on_package_pbi>
+ <port_category>sysutils</port_category>
+ <run_depends>sbin/syslog-ng:sysutils/syslog-ng</run_depends>
<build_pbi>
<ports_before>sysutils/logrotate</ports_before>
<port>sysutils/syslog-ng</port>
@@ -1422,17 +1478,20 @@
</package>
<package>
<name>Zabbix Agent LTS</name>
+ <internal_name>zabbix-agent</internal_name>
<descr>LTS (Long Term Support) release of Zabbix Monitoring agent. Zabbix LTS releases are supported for
Zabbix customers during five (5) years i.e. 3 years of Full Support (general, critical and security issues)
and 2 additional years of Limited Support (critical and security issues only). Zabbix LTS version release
will result in change of the first version number. More info in http://www.zabbix.com/life_cycle_and_release_policy.php </descr>
<category>Services</category>
- <config_file>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-agent-lts.xml</config_file>
- <version>zabbix-agent-lts-2.2.7 pkg v0.8.3</version>
+ <config_file>https://packages.pfsense.org/packages/config/zabbix-agent-lts/zabbix-agent-lts.xml</config_file>
+ <version>0.8.5</version>
<status>BETA</status>
<required_version>2.2</required_version>
<configurationfile>zabbix-agent-lts.xml</configurationfile>
<maintainer>dbaio@bsd.com.br</maintainer>
+ <port_category>net-mgmt</port_category>
+ <run_depends>sbin/zabbix_agent:net-mgmt/zabbix22-agent</run_depends>
<build_pbi>
<custom_name>zabbix22-agent</custom_name>
<port>net-mgmt/zabbix22-agent</port>
@@ -1441,17 +1500,20 @@
</package>
<package>
<name>Zabbix Proxy LTS</name>
+ <internal_name>zabbix-proxy</internal_name>
<descr>LTS (Long Term Support) release of Zabbix agent proxy. Zabbix LTS releases are supported for
Zabbix customers during five (5) years i.e. 3 years of Full Support (general, critical and security issues)
and 2 additional years of Limited Support (critical and security issues only). Zabbix LTS version release
will result in change of the first version number. More info in http://www.zabbix.com/life_cycle_and_release_policy.php </descr>
<category>Services</category>
- <config_file>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-proxy-lts.xml</config_file>
- <version>zabbix-proxy-lts-2.2.7 pkg v0.8.3</version>
+ <config_file>https://packages.pfsense.org/packages/config/zabbix-proxy-lts/zabbix-proxy-lts.xml</config_file>
+ <version>0.8.5</version>
<status>BETA</status>
<required_version>2.2</required_version>
<configurationfile>zabbix-proxy-lts.xml</configurationfile>
<maintainer>dbaio@bsd.com.br</maintainer>
+ <port_category>net-mgmt</port_category>
+ <run_depends>sbin/zabbix_proxy:net-mgmt/zabbix22-proxy</run_depends>
<build_pbi>
<custom_name>zabbix22-proxy</custom_name>
<port>net-mgmt/zabbix22-proxy</port>
@@ -1478,6 +1540,7 @@
<port>net-mgmt/zabbix24-agent</port>
</build_pbi>
<depends_on_package_pbi>zabbix24-agent-2.4.3-##ARCH##.pbi</depends_on_package_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>Zabbix-2 Proxy</name>
@@ -1499,6 +1562,7 @@
</build_pbi>
<build_options>zabbix24_SET_FORCE=SQLITE IPV6;zabbix24_UNSET_FORCE=MYSQL JABBER GSSAPI</build_options>
<depends_on_package_pbi>zabbix24-proxy-2.4.3-##ARCH##.pbi</depends_on_package_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>sudo</name>
@@ -1511,6 +1575,8 @@
<config_file>https://packages.pfsense.org/packages/config/sudo/sudo.xml</config_file>
<maintainer>jimp@pfsense.org</maintainer>
<configurationfile>sudo.xml</configurationfile>
+ <port_category>security</port_category>
+ <run_depends>bin/sudo:security/sudo</run_depends>
<build_pbi>
<port>security/sudo</port>
</build_pbi>
@@ -1518,6 +1584,7 @@
</package>
<package>
<name>Service Watchdog</name>
+ <internal_name>Service_Watchdog</internal_name>
<descr>Monitors for stopped services and restarts them.</descr>
<maintainer>jimp@pfsense.org</maintainer>
<version>1.6</version>
@@ -1535,11 +1602,13 @@
<category>Network Management</category>
<config_file>https://packages.pfsense.org/packages/config/softflowd/softflowd.xml</config_file>
<depends_on_package_pbi>softflowd-0.9.8_2-##ARCH##.pbi</depends_on_package_pbi>
- <version>0.9.8_2 pkg v1.1</version>
+ <version>1.1</version>
<status>Beta</status>
<required_version>2.2</required_version>
<configurationfile>softflowd.xml</configurationfile>
<maintainer></maintainer>
+ <port_category>net-mgmt</port_category>
+ <run_depends>sbin/softflowd:net-mgmt/softflowd</run_depends>
<build_pbi>
<port>net-mgmt/softflowd</port>
</build_pbi>
@@ -1560,6 +1629,7 @@
</build_pbi>
<build_options>apcupsd_SET_FORCE=APCSMART_DRV APCDUMB_DRV PCNET_DRV USB TCP_WRAPPERS SNMP_DRV;apcupsd_UNSET_FORCE=CLIENT_ONLY CGI SNMP_DRV_OLD TEST_DRV GAPCMON</build_options>
<depends_on_package_pbi>apcupsd-3.14.12_1-##ARCH##.pbi</depends_on_package_pbi>
+ <maximum_version>2.2.999</maximum_version>
</package>
<package>
<name>LADVD</name>
@@ -1570,6 +1640,8 @@
<status>BETA</status>
<depends_on_package_pbi>ladvd-1.0.4_1-##ARCH##.pbi</depends_on_package_pbi>
<config_file>https://packages.pfsense.org/packages/config/ladvd/ladvd.xml</config_file>
+ <port_category>net</port_category>
+ <run_depends>sbin/ladvd:net/ladvd</run_depends>
<build_pbi>
<port>net/ladvd</port>
</build_pbi>
@@ -1582,25 +1654,29 @@
<website>http://suricata-ids.org/</website>
<descr><![CDATA[High Performance Network IDS, IPS and Security Monitoring engine by OISF.]]></descr>
<category>Security</category>
- <version>2.0.6 pkg v2.1.4</version>
+ <version>2.1.5</version>
<status>Stable</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/suricata/suricata.xml</config_file>
<configurationfile>suricata.xml</configurationfile>
+ <port_category>security</port_category>
+ <run_depends>bin/suricata:security/suricata</run_depends>
<build_pbi>
<port>security/suricata</port>
<ports_after>security/barnyard2</ports_after>
</build_pbi>
<build_options>barnyard2_UNSET_FORCE=ODBC PGSQL PRELUDE;barnyard2_SET_FORCE=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;suricata_SET_FORCE=IPFW PORTS_PCAP GEOIP JSON NSS LUAJIT HTP_PORT;suricata_UNSET_FORCE=PRELUDE TESTS SC LUA</build_options>
- <depends_on_package_pbi>suricata-2.0.6-##ARCH##.pbi</depends_on_package_pbi>
+ <depends_on_package_pbi>suricata-2.0.8_1-##ARCH##.pbi</depends_on_package_pbi>
</package>
<package>
<name>FTP Client Proxy</name>
+ <internal_name>FTP_Client_Proxy</internal_name>
<descr><![CDATA[Basic FTP Client Proxy using ftp-proxy from FreeBSD]]></descr>
<maintainer>jimp@pfsense.org</maintainer>
<version>0.2</version>
<category>Services</category>
<status>Beta</status>
+ <port_category>ftp</port_category>
<config_file>https://packages.pfsense.org/packages/config/ftpproxy/ftpproxy.xml</config_file>
<required_version>2.2</required_version>
<configurationfile>ftpproxy.xml</configurationfile>
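Review bot: `<run_depends>bin/suricata:security/suricata</run_depends>` lists only suricata, while the `<build_pbi>` block still pulls `security/barnyard2` through `<ports_after>` and the `<build_options>` line configures it; if barnyard2 is used at run time, the pkg-based install would lack it unless it gets its own entry, following the multi-entry form used for squid3 earlier in this diff, e.g. `<run_depends>bin/suricata:security/suricata bin/barnyard2:security/barnyard2</run_depends>` (confirm the installed file path against the port's plist). If barnyard2 is intentionally dropped on the pkg-based build, the `<ports_after>` and barnyard2 `<build_options>` are then stale for that path and a comment should say which one is authoritative.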
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 2b80b127..22dd3af6 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -389,7 +389,7 @@
<ports_before>databases/redis databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz</ports_before>
<port>net/ntopng</port>
</build_pbi>
- <version>1.1 v0.5</version>
+ <version>1.1 v0.6</version>
<status>ALPHA</status>
<required_version>2.1.4</required_version>
<config_file>https://packages.pfsense.org/packages/config/ntopng/ntopng.xml</config_file>
@@ -445,7 +445,7 @@
<pkginfolink></pkginfolink>
<config_file>https://packages.pfsense.org/packages/config/backup/backup.xml</config_file>
<depends_on_package_base_url>https://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <version>0.1.6</version>
+ <version>0.1.7</version>
<status>Beta</status>
<required_version>1.2</required_version>
<maintainer>markjcrane@gmail.com</maintainer>
@@ -651,7 +651,7 @@
<build_pbi>
<port>net/openbgpd</port>
</build_pbi>
- <version>0.9.2</version>
+ <version>0.9.2_1</version>
<status>STABLE</status>
<pkginfolink>https://doc.pfsense.org/index.php/OpenBGPD_package</pkginfolink>
<required_version>1.3</required_version>
@@ -665,7 +665,7 @@
<descr>High performance web proxy report (LightSquid). Proxy realtime stat (SQStat). Requires squid HTTP proxy.</descr>
<website>http://lightsquid.sf.net/</website>
<category>Network Report</category>
- <version>2.39</version>
+ <version>2.41</version>
<maintainer>dv_serg@mail.ru</maintainer>
<depends_on_package_base_url>https://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
<depends_on_package>lightsquid-1.8_2.tbz</depends_on_package>
@@ -779,7 +779,7 @@
<depends_on_package>vnstat-1.11.tbz</depends_on_package>
<depends_on_package_pbi>vnstat-1.11_1-i386.pbi</depends_on_package_pbi>
<build_port_path>/usr/ports/net/vnstat</build_port_path>
- <version>1.11_1,3</version>
+ <version>1.11_1,4</version>
<status>Stable</status>
<required_version>2.0</required_version>
<maintainer>bryan.paradis@gmail.com</maintainer>
@@ -991,7 +991,7 @@
<required_version>2.0</required_version>
<configurationfile>pfflowd.xml</configurationfile>
<maintainer></maintainer>
- <build_port_path>/usr/ports/net/pfflowd-0.8</build_port_path>
+ <build_port_path>/usr/ports/net/pfflowd</build_port_path>
</package>
<package>
<name>widentd</name>
@@ -1041,7 +1041,7 @@
On pfSense docs there is a how-to which could help you on porting users.]]></descr>
<pkginfolink>https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
<category>System</category>
- <version>1.6.12</version>
+ <version>1.6.14</version>
<status>RC1</status>
<required_version>2.1</required_version>
<maintainer>nachtfalkeaw@web.de</maintainer>
@@ -1610,7 +1610,7 @@
<name>mailreport</name>
<descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr>
<category>Network Management</category>
- <version>2.3</version>
+ <version>2.3_1</version>
<status>Stable</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/mailreport/mailreport.xml</config_file>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 8e821af7..db285614 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -376,7 +376,7 @@
<ports_before>databases/redis databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz</ports_before>
<port>net/ntopng</port>
</build_pbi>
- <version>1.1 v0.5</version>
+ <version>1.1 v0.6</version>
<status>ALPHA</status>
<required_version>2.1.4</required_version>
<config_file>https://packages.pfsense.org/packages/config/ntopng/ntopng.xml</config_file>
@@ -432,7 +432,7 @@
<pkginfolink></pkginfolink>
<config_file>https://packages.pfsense.org/packages/config/backup/backup.xml</config_file>
<depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <version>0.1.6</version>
+ <version>0.1.7</version>
<status>Beta</status>
<required_version>1.2</required_version>
<maintainer>markjcrane@gmail.com</maintainer>
@@ -638,7 +638,7 @@
<build_pbi>
<port>net/openbgpd</port>
</build_pbi>
- <version>0.9.2</version>
+ <version>0.9.2_1</version>
<status>STABLE</status>
<pkginfolink>https://doc.pfsense.org/index.php/OpenBGPD_package</pkginfolink>
<required_version>1.3</required_version>
@@ -652,7 +652,7 @@
<descr>High performance web proxy report (LightSquid). Proxy realtime stat (SQStat). Requires squid HTTP proxy.</descr>
<website>http://lightsquid.sf.net/</website>
<category>Network Report</category>
- <version>2.39</version>
+ <version>2.41</version>
<maintainer>dv_serg@mail.ru</maintainer>
<depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
<depends_on_package>lightsquid-1.8_2.tbz</depends_on_package>
@@ -766,7 +766,7 @@
<depends_on_package>vnstat-1.11.tbz</depends_on_package>
<depends_on_package_pbi>vnstat-1.11_1-amd64.pbi</depends_on_package_pbi>
<build_port_path>/usr/ports/net/vnstat</build_port_path>
- <version>1.11_1,3</version>
+ <version>1.11_1,4</version>
<status>Stable</status>
<required_version>2.0</required_version>
<maintainer>bryan.paradis@gmail.com</maintainer>
@@ -978,7 +978,7 @@
<required_version>2.0</required_version>
<configurationfile>pfflowd.xml</configurationfile>
<maintainer></maintainer>
- <build_port_path>/usr/ports/net/pfflowd-0.8</build_port_path>
+ <build_port_path>/usr/ports/net/pfflowd</build_port_path>
</package>
<package>
<name>widentd</name>
@@ -1028,7 +1028,7 @@
On pfSense docs there is a how-to which could help you on porting users.]]></descr>
<pkginfolink>https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
<category>System</category>
- <version>1.6.12</version>
+ <version>1.6.14</version>
<status>RC1</status>
<required_version>2.1</required_version>
<maintainer>nachtfalkeaw@web.de</maintainer>
@@ -1597,7 +1597,7 @@
<name>mailreport</name>
<descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr>
<category>Network Management</category>
- <version>2.3</version>
+ <version>2.3_1</version>
<status>Stable</status>
<required_version>2.0</required_version>
<config_file>https://packages.pfsense.org/packages/config/mailreport/mailreport.xml</config_file>