Diffstat (limited to 'config/pf-blocker')
-rwxr-xr-xconfig/pf-blocker/pfblocker.inc358
-rw-r--r--config/pf-blocker/pfblocker.php12
-rwxr-xr-xconfig/pf-blocker/pfblocker.xml4
-rwxr-xr-xconfig/pf-blocker/pfblocker_lists.xml8
4 files changed, 201 insertions, 181 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index bb8268a1..58b93bb5 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -3,7 +3,7 @@
pfblocker.inc
part of the Postfix package for pfSense
Copyright (C) 2010 Erik Fonnesbeck
- Copyright (C) 2011 Marcello Coutinho
+ Copyright (C) 2011-2012 Marcello Coutinho
All rights reserved.
@@ -70,55 +70,63 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) {
if ($bits < 0)
return "";
#identify first ip on range network
- $network=long2ip(bindec(substr(decbin($ip_min_long),0,$bits).preg_replace("/\d/","0",substr(decbin($ip_min_long),0,(32-$bits)))));
+ $network=long2ip( $ip_min_long & ((1<<32)-(1<<(32-$bits))-1) );
#print decbin($ip_min_long)."\n".$network."\n";
- return $network . "/". (32 -strlen(decbin($ip_max_long - $ip_min_long)));
+ return $network . "/". $bits;
}
-function sync_package_pfblocker() {
+function sync_package_pfblocker($cron="") {
global $g,$config;
- if ($g['booting'] == true){
- print "no action during boot process...\n";
- }
- else{
- conf_mount_rw();
- #apply fetch timeout to pfsense-utils.inc
- $pfsense_utils=file_get_contents('/etc/inc/pfsense-utils.inc');
- $new_pfsense_utils=preg_replace("/\/usr\/bin\/fetch -q/","/usr/bin/fetch -T 5 -q",$pfsense_utils);
- if ($new_pfsense_utils != $pfsense_utils){
- file_put_contents('/etc/inc/pfsense-utils.inc',$new_pfsense_utils, LOCK_EX);
- }
- $pfblocker_enable=$config['installedpackages']['pfblocker']['config'][0]['enable_cb'];
- $pfblocker_config=$config['installedpackages']['pfblocker']['config'][0];
- $table_limit =($config['system']['maximumtableentries']!= ""?$config['system']['maximumtableentries']:"100000");
- #get local web gui configuration
- $web_local=($config['system']['webgui']['protocol'] != ""?$config['system']['webgui']['protocol']:"http");
- $port = $config['system']['webgui']['port'];
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http"){
- $port = "80";
- }
- else{
- $port = "443";
+
+ # detect boot process or update via cron
+ if (is_array($_POST) && $cron==""){
+ if (!preg_match("/\w+/",$_POST['__csrf_magic'])){
+ log_error("No pfBlocker action during boot process.");
+ return;
}
}
- $web_local .= "://127.0.0.1:".$port.'/pfblocker.php';
+
+ log_error("Starting pfBlocker sync process.");
+ conf_mount_rw();
- #check folders
- $pfbdir='/usr/local/pkg/pfblocker';
- $pfb_alias_dir='/usr/local/pkg/pfblocker_aliases';
- $pfsense_alias_dir='/var/db/aliastables/';
- if (!is_dir($pfbdir)){
- mkdir ($pfbdir,0755);
- }
- if (!is_dir($pfb_alias_dir)){
- mkdir ($pfb_alias_dir,0755);
+ #apply fetch timeout to pfsense-utils.inc
+ $pfsense_utils=file_get_contents('/etc/inc/pfsense-utils.inc');
+ $new_pfsense_utils=preg_replace("/\/usr\/bin\/fetch -q/","/usr/bin/fetch -T 5 -q",$pfsense_utils);
+ if ($new_pfsense_utils != $pfsense_utils){
+ file_put_contents('/etc/inc/pfsense-utils.inc',$new_pfsense_utils, LOCK_EX);
+ }
+ $pfblocker_enable=$config['installedpackages']['pfblocker']['config'][0]['enable_cb'];
+ $pfblocker_config=$config['installedpackages']['pfblocker']['config'][0];
+ $table_limit =($config['system']['maximumtableentries']!= ""?$config['system']['maximumtableentries']:"100000");
+
+ #get local web gui configuration
+ $web_local=($config['system']['webgui']['protocol'] != ""?$config['system']['webgui']['protocol']:"http");
+ $port = $config['system']['webgui']['port'];
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http"){
+ $port = "80";
}
- if (! is_dir($pfsense_alias_dir)){
- mkdir ($pfsense_alias_dir,0755);
+ else{
+ $port = "443";
+ }
}
+ $web_local .= "://127.0.0.1:".$port.'/pfblocker.php';
+
+ #check folders
+ $pfbdir='/usr/local/pkg/pfblocker';
+ $pfb_alias_dir='/usr/local/pkg/pfblocker_aliases';
+ $pfsense_alias_dir='/var/db/aliastables/';
+ if (!is_dir($pfbdir)){
+ mkdir ($pfbdir,0755);
+ }
+ if (!is_dir($pfb_alias_dir)){
+ mkdir ($pfb_alias_dir,0755);
+ }
+ if (! is_dir($pfsense_alias_dir)){
+ mkdir ($pfsense_alias_dir,0755);
+ }
- $continents= array( "Africa" => "pfBlockerAfrica",
+ $continents= array( "Africa" => "pfBlockerAfrica",
"Antartica" => "pfBlockerAntartica",
"Asia" => "pfBlockerAsia",
"Europe" => "pfBlockerEurope",
@@ -127,110 +135,114 @@ function sync_package_pfblocker() {
"South America" => "pfBlockerSouthAmerica",
"Top Spammers" => "pfBlockerTopSpammers");
- #create rules vars and arrays
- $new_aliases=array();
- $new_aliases_list=array();
- $permit_inbound=array();
- $permit_outbound=array();
- $deny_inbound=array();
- $deny_outbound=array();
- $aliases_list=array();
- #check if pfblocker is enabled or not.
- $deny_action_inbound=($pfblocker_config['inbound_deny_action']!= ""?$pfblocker_config['inbound_deny_action']:"block");
- $deny_action_outbound=($pfblocker_config['outbound_deny_action']!= ""?$pfblocker_config['outbound_deny_action']:"reject");
- $base_rule= array( "id" => "",
- "tag"=> "",
- "tagged"=> "",
- "max"=> "",
- "max-src-nodes"=>"",
- "max-src-conn"=> "",
- "max-src-states"=>"",
- "statetimeout"=>"",
- "statetype"=>"keep state",
- "os"=> "");
- #############################################
- # Assign Countries #
- #############################################
- foreach ($continents as $continent => $pfb_alias){
- ${$continent}="";
- if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])){
- $continent_config=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0];
- if ($continent_config['action'] != 'Disabled' && $continent_config['action'] != '' && $pfblocker_enable == "on"){
- foreach (explode(",", $continent_config['countries']) as $iso){
- #var_dump ($iso);
- if ($iso <> "" && file_exists($pfbdir.'/'.$iso.'.txt')){
- ${$continent} .= file_get_contents($pfbdir.'/'.$iso.'.txt');
- }
+ #create rules vars and arrays
+ $new_aliases=array();
+ $new_aliases_list=array();
+ $permit_inbound=array();
+ $permit_outbound=array();
+ $deny_inbound=array();
+ $deny_outbound=array();
+ $aliases_list=array();
+
+ #check if pfblocker is enabled or not.
+ $deny_action_inbound=($pfblocker_config['inbound_deny_action']!= ""?$pfblocker_config['inbound_deny_action']:"block");
+ $deny_action_outbound=($pfblocker_config['outbound_deny_action']!= ""?$pfblocker_config['outbound_deny_action']:"reject");
+ $base_rule= array( "id" => "",
+ "tag"=> "",
+ "tagged"=> "",
+ "max"=> "",
+ "max-src-nodes"=>"",
+ "max-src-conn"=> "",
+ "max-src-states"=>"",
+ "statetimeout"=>"",
+ "statetype"=>"keep state",
+ "os"=> "");
+
+ #############################################
+ # Assign Countries #
+ #############################################
+ foreach ($continents as $continent => $pfb_alias){
+ ${$continent}="";
+ if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])){
+ $continent_config=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0];
+ if ($continent_config['action'] != 'Disabled' && $continent_config['action'] != '' && $pfblocker_enable == "on"){
+ foreach (explode(",", $continent_config['countries']) as $iso){
+ #var_dump ($iso);
+ if ($iso <> "" && file_exists($pfbdir.'/'.$iso.'.txt')){
+ ${$continent} .= file_get_contents($pfbdir.'/'.$iso.'.txt');
}
- if($continent_config['countries'] != "" && $pfblocker_enable == "on"){
- #write alias files
- file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent},LOCK_EX);
- file_put_contents($pfsense_alias_dir.'/'.$pfb_alias.'.txt',${$continent}, LOCK_EX);
- #Create alias config
- $new_aliases_list[]=$pfb_alias;
- $new_aliases[]=array( "name"=> $pfb_alias,
- "url"=> $web_local.'?pfb='.$pfb_alias,
- "updatefreq"=> "32",
- "address"=>"",
- "descr"=> "pfBlocker country list",
- "type"=> "urltable",
- "detail"=> "DO NOT EDIT THIS ALIAS");
- #Create rule if action permits
- switch($continent_config['action']){
- case "Deny_Both":
- $rule = $base_rule;
- $rule["type"] = $deny_action_inbound;
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]= array("address"=> $pfb_alias);
- $rule["destination"]=array("any"=>"");
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $deny_inbound[]=$rule;
- case "Deny_Outbound":
- $rule = $base_rule;
- $rule["type"] = $deny_action_outbound;
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]=array("any"=>"");
- $rule["destination"]= array("address"=> $pfb_alias);
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $deny_outbound[]=$rule;
- break;
- case "Deny_Inbound":
- $rule = $base_rule;
- $rule["type"] = $deny_action_inbound;
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]= array("address"=> $pfb_alias);
- $rule["destination"]=array("any"=>"");
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $deny_inbound[]=$rule;
- break;
- case "Permit_Outbound":
- $rule = $base_rule;
- $rule["type"] = "pass";
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]=array("any"=>"");
- $rule["destination"]= array("address"=> $pfb_alias);
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $permit_outbound[]=$rule;
- break;
- case "Permit_Inbound":
- $rule = $base_rule;
- $rule["type"] = "pass";
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]= array("address"=> $pfb_alias);
- $rule["destination"]=array("any"=>"");
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $permit_inbound[]=$rule;
- break;
+ }
+ if($continent_config['countries'] != "" && $pfblocker_enable == "on"){
+ #write alias files
+ file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent},LOCK_EX);
+ file_put_contents($pfsense_alias_dir.'/'.$pfb_alias.'.txt',${$continent}, LOCK_EX);
+
+ #Create alias config
+ $new_aliases_list[]=$pfb_alias;
+ $new_aliases[]=array( "name"=> $pfb_alias,
+ "url"=> $web_local.'?pfb='.$pfb_alias,
+ "updatefreq"=> "32",
+ "address"=>"",
+ "descr"=> "pfBlocker country list",
+ "type"=> "urltable",
+ "detail"=> "DO NOT EDIT THIS ALIAS");
+
+ #Create rule if action permits
+ switch($continent_config['action']){
+ case "Deny_Both":
+ $rule = $base_rule;
+ $rule["type"] = $deny_action_inbound;
+ $rule["descr"]= "$pfb_alias auto rule";
+ $rule["source"]= array("address"=> $pfb_alias);
+ $rule["destination"]=array("any"=>"");
+ if ($pfblocker_config['enable_log']){
+ $rule["log"]="";
+ }
+ $deny_inbound[]=$rule;
+ case "Deny_Outbound":
+ $rule = $base_rule;
+ $rule["type"] = $deny_action_outbound;
+ $rule["descr"]= "$pfb_alias auto rule";
+ $rule["source"]=array("any"=>"");
+ $rule["destination"]= array("address"=> $pfb_alias);
+ if ($pfblocker_config['enable_log']){
+ $rule["log"]="";
+ }
+ $deny_outbound[]=$rule;
+ break;
+ case "Deny_Inbound":
+ $rule = $base_rule;
+ $rule["type"] = $deny_action_inbound;
+ $rule["descr"]= "$pfb_alias auto rule";
+ $rule["source"]= array("address"=> $pfb_alias);
+ $rule["destination"]=array("any"=>"");
+ if ($pfblocker_config['enable_log']){
+ $rule["log"]="";
+ }
+ $deny_inbound[]=$rule;
+ break;
+ case "Permit_Outbound":
+ $rule = $base_rule;
+ $rule["type"] = "pass";
+ $rule["descr"]= "$pfb_alias auto rule";
+ $rule["source"]=array("any"=>"");
+ $rule["destination"]= array("address"=> $pfb_alias);
+ if ($pfblocker_config['enable_log']){
+ $rule["log"]="";
+ }
+ $permit_outbound[]=$rule;
+ break;
+ case "Permit_Inbound":
+ $rule = $base_rule;
+ $rule["type"] = "pass";
+ $rule["descr"]= "$pfb_alias auto rule";
+ $rule["source"]= array("address"=> $pfb_alias);
+ $rule["destination"]=array("any"=>"");
+ if ($pfblocker_config['enable_log']){
+ $rule["log"]="";
+ }
+ $permit_inbound[]=$rule;
+ break;
}
}
@@ -276,16 +288,6 @@ function sync_package_pfblocker() {
$new_file="";
if (is_array($url_list)){
foreach ($url_list as $line){
- # CIDR format 192.168.0.0/16
- if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
- ${$alias}.= $matches[1]."\n";
- $new_file.= $matches[1]."\n";
- }
- # Single ip addresses
- if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
- ${$alias}.= $matches[1]."/32\n";
- $new_file.= $matches[1]."/32\n";
- }
# Network range 192.168.0.0-192.168.0.254
if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){
$cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
@@ -294,6 +296,16 @@ function sync_package_pfblocker() {
$new_file.= $cidr."\n";
}
}
+ # CIDR format 192.168.0.0/16
+ else if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
+ ${$alias}.= $matches[1]."\n";
+ $new_file.= $matches[1]."\n";
+ }
+ # Single ip addresses
+ else if (preg_match("/(\d+\.\d+\.\d+\.\d+)\s+/",$line,$matches)){
+ ${$alias}.= $matches[1]."/32\n";
+ $new_file.= $matches[1]."/32\n";
+ }
}
}
if ($new_file != ""){
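Review bot: The three patterns on the added `else if` lines accept any run of digits, so an octet like `999` or a prefix like `/99` passes straight into `$new_file` and the alias table, and pfctl is likely to reject the whole table on such an entry, silently dropping the entire list from the firewall. Guard each match before appending, e.g. `if (ip2long($matches[1]) === false) continue;` in the single-IP branch and a `0 <= prefix <= 32` check in the CIDR branch (pfSense's `is_ipaddr()`/`is_subnet()` helpers would serve the same purpose if they are in scope here). The single-IP pattern also requires trailing whitespace after the address, so depending on how `$url_list` is split a bare address at the end of a line may be skipped; `(\d+\.\d+\.\d+\.\d+)(?!\S)` would be more forgiving. The enclosing `foreach`/`if` chain begins in the previous hunk and sync_package_pfblocker continues past this one.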
@@ -317,12 +329,12 @@ function sync_package_pfblocker() {
#create alias
$new_aliases_list[]=$alias;
$new_aliases[]=array( "name"=> $alias,
- "url"=> $web_local.'?pfb='.$alias,
- "updatefreq"=> "32",
- "address"=>"",
- "descr"=> "pfBlocker user list",
- "type"=> "urltable",
- "detail"=> "DO NOT EDIT THIS ALIAS");
+ "url"=> $web_local.'?pfb='.$alias,
+ "updatefreq"=> "32",
+ "address"=>"",
+ "descr"=> "pfBlocker user list",
+ "type"=> "urltable",
+ "detail"=> "DO NOT EDIT THIS ALIAS");
#Create rule if action permits
switch($list['action']){
case "Deny_Both":
@@ -456,23 +468,32 @@ function sync_package_pfblocker() {
}
if ($message == ""){
- $last_iface="";
$rules=$config['filter']['rule'];
$new_rules=array();
- # The assumption is that the rules in the config come in groups by interface then priority.
- # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
- # Note that floating rules (interface is "") can appear mixed in the list.
+ $interfaces_processed=array();
+ # The rules in the config come in priority order,
+ # but the interface to which each rule applies can be all mixed up in the list.
+ # e.g. some WAN rules, then some LAN rules, then some floating rules, then more
+ # LAN rules, some OPT1 rules, some more LAN rules and so on.
+ # So we have to allow for this, and only add pfBlocker rules the first time an
+ # interface is found in the rules list.
foreach ($rules as $rule){
- # If this next rule is for a non-blank interface, different to the previous interface,
+ # If this next rule is for a non-blank interface, different from any interface already processed,
# then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
# top of the list for each interface, after any built-in rules (e.g. anti-lockout)
- if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
- $last_iface = $rule['interface'];
+ $found_new_interface = TRUE;
+ foreach ($interfaces_processed as $processed_interface){
+ if ($processed_interface == $rule['interface']){
+ $found_new_interface = FALSE;
+ }
+ }
+ if (($rule['interface'] != "") && ($found_new_interface)){
+ $interfaces_processed[] = $rule['interface'];
#apply pfblocker rules if enabled
#Inbound
foreach ($inbound_interfaces as $inbound_interface){
- if ($inbound_interface==$last_iface){
+ if ($inbound_interface==$rule['interface']){
#permit rules
if (is_array($permit_inbound)){
foreach ($permit_inbound as $cb_rules){
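Review bot: The first-time-seen scan still only inserts pfBlocker rules while iterating existing `$config['filter']['rule']` entries, so an interface with no user rules at all never appears in the loop and, as far as this hunk shows, never receives its deny/permit rules; either document that limitation in the comment block above the loop or append rules for any `$inbound_interfaces`/`$outbound_interfaces` missing from `$interfaces_processed` after the loop finishes. The hand-written membership scan over `$interfaces_processed` can be collapsed to `$found_new_interface = !in_array($rule['interface'], $interfaces_processed, true);`, which is shorter and avoids the loose `==` comparison. The `foreach ($rules as $rule)` body and the enclosing `if ($message == "")` continue past the end of this hunk.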
@@ -491,7 +512,7 @@ function sync_package_pfblocker() {
}
#Outbound
foreach ($outbound_interfaces as $outbound_interface){
- if ($outbound_interface==$last_iface){
+ if ($outbound_interface==$rule['interface']){
#permit rules
if (is_array($permit_outbound)){
foreach ($permit_outbound as $cb_rules){
@@ -582,7 +603,6 @@ function sync_package_pfblocker() {
}
conf_mount_ro();
}
-}
function pfblocker_validate_input($post, &$input_errors) {
global $config;
diff --git a/config/pf-blocker/pfblocker.php b/config/pf-blocker/pfblocker.php
index af489b81..17fb10e7 100644
--- a/config/pf-blocker/pfblocker.php
+++ b/config/pf-blocker/pfblocker.php
@@ -10,11 +10,11 @@ function get_networks($pfb){
print $return;
}
-# to be uncomented when this packages gets stable state
-#if($_SERVER['REMOTE_ADDR']== '127.0.0.1'){
-if (preg_match("/(\w+)/",$_REQUEST['pfb'],$matches))
- get_networks($matches[1]);
-#}
+if($_SERVER['REMOTE_ADDR']== '127.0.0.1'){
+ if (preg_match("/(\w+)/",$_REQUEST['pfb'],$matches)){
+ get_networks($matches[1]);
+ }
+ }
if ($argv[1]=='uc')
pfblocker_get_countries();
if ($argv[1]=='cron'){
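Review bot: The localhost gate on the new `if` closes the previously open endpoint, but it should use a strict comparison and a whitelist match rather than extraction: `if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] === '127.0.0.1' && isset($_GET['pfb']) && preg_match('/^\w+$/', $_GET['pfb']))` followed by `get_networks($_GET['pfb']);`. As written, `(\w+)` pulls the first word out of any value rather than rejecting malformed input, and `$_REQUEST` also honours cookie and POST values that the `?pfb=` alias URL built in pfblocker.inc never uses. The `isset` on `REMOTE_ADDR` also avoids a notice when this script runs from the cron/`$argv` path below, where the variable is absent. If the webGUI is ever reached over `::1` the urltable fetch would now be refused, so the hard-coded 127.0.0.1 in the alias URL must stay in sync with this check; the body of `get_networks()` is outside this hunk, so any further constraint on `$pfb` there cannot be seen.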
@@ -50,7 +50,7 @@ if ($argv[1]=='cron'){
if ($updates > 0){
include "/usr/local/pkg/pfblocker.inc";
- sync_package_pfblocker();
+ sync_package_pfblocker("cron");
}
}
diff --git a/config/pf-blocker/pfblocker.xml b/config/pf-blocker/pfblocker.xml
index 650f2909..b4da539c 100755
--- a/config/pf-blocker/pfblocker.xml
+++ b/config/pf-blocker/pfblocker.xml
@@ -230,8 +230,8 @@
<fielddescr>Donation</fielddescr>
<fieldname>donation</fieldname>
<type>checkbox</type>
- <description><![CDATA[If you like this package, please <a target=_new href='http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77'>donate to pfSense project</a>.<br>
- If you want that your donation goes to these package developers, make a note on donation forwarding it to us.<br>]]></description>
+ <description><![CDATA[If you like this package, please <a target=_new href='http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77'>donate to the pfSense project</a>.<br>
+ If you want your donation to go to these package developers, make a note on the donation forwarding it to us.<br>]]></description>
</field>
</fields>
<custom_php_install_command>
diff --git a/config/pf-blocker/pfblocker_lists.xml b/config/pf-blocker/pfblocker_lists.xml
index b9f92b9c..4bde4b49 100755
--- a/config/pf-blocker/pfblocker_lists.xml
+++ b/config/pf-blocker/pfblocker_lists.xml
@@ -129,7 +129,7 @@
<description><![CDATA[Enter lists Alias Names.<br>
Example: Badguys<br>
Do not include pfBlocker name, it's done by package.<br>
- <strong>International, special or space caracters will be ignored in firewall alias names.</strong><br>]]></description>
+ <strong>International, special or space characters will be ignored in firewall alias names.</strong><br>]]></description>
<type>input</type>
<size>20</size>
</field>
@@ -142,8 +142,8 @@
<field>
<fielddescr><![CDATA[Lists]]></fielddescr>
<fieldname>none</fieldname>
- <description><![CDATA['Format' - Choose the file format that url will retrieve or local file format.<br>
- 'Url or local file' - Add direct link to list (Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>,
+ <description><![CDATA['Format' - Choose the file format that URL will retrieve or local file format.<br>
+ 'URL or local file' - Add direct link to list (Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>,
<a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>,
<a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a> )<br>
<br><strong>Note: </strong><br>
@@ -165,7 +165,7 @@
</options>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>Url or localfile</fielddescr>
+ <fielddescr>URL or localfile</fielddescr>
<fieldname>url</fieldname>
<type>input</type>
<size>75</size>