Diffstat (limited to 'config/pfblockerng/pfblockerng.inc')
-rw-r--r--config/pfblockerng/pfblockerng.inc265
1 files changed, 140 insertions, 125 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index 793bf7a4..a1ee6abc 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc
@@ -48,9 +48,11 @@ require_once("services.inc");
# [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings.
function pfb_global() {
-
global $g,$config,$pfb;
+ # Collect pfSense Version
+ $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3);
+
# Folders
$pfb['dbdir'] = "{$g['vardb_path']}/pfblockerng";
$pfb['aliasdir'] = "{$g['vardb_path']}/aliastables";
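Review bot: The relocated `file_get_contents("/etc/version")` still has no failure check, so an unreadable file passes `false` through `trim()` and `substr()` and `$pfb['pfsenseversion']` ends up empty (or `false` on older PHP) for whatever later code branches on it. A two-line form keeps the value well-defined: `$pfb_ver = file_get_contents("/etc/version");` followed by `$pfb['pfsenseversion'] = ($pfb_ver !== false) ? substr(trim($pfb_ver), 0, 3) : '';`. pfb_global() continues past the end of this hunk.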
@@ -77,9 +79,6 @@ function pfb_global() {
$pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt";
$pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh';
- # Collect pfSense Version
- $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3);
-
# General Variables
$pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0];
@@ -461,9 +460,9 @@ function sync_package_pfblockerng($cron = "") {
}
- #############################################
- # Configure ARRAYS #
- #############################################
+ #################################
+ # Configure ARRAYS #
+ #################################
$continents = array ( "Africa" => "pfB_Africa",
"Antartica" => "pfB_Antartica",
@@ -522,9 +521,9 @@ function sync_package_pfblockerng($cron = "") {
);
- #############################################
- # Configure Rule Suffix #
- #############################################
+ #########################################
+ # Configure Rule Suffix #
+ #########################################
# Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order )
# To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules
@@ -594,9 +593,9 @@ function sync_package_pfblockerng($cron = "") {
}
- #############################################
- # Configure INBOUND/OUTBOUND INTERFACES #
- #############################################
+ #########################################################
+ # Configure INBOUND/OUTBOUND INTERFACES #
+ #########################################################
# Collect pfSense Interface Order
$ifaces = get_configured_interface_list();
@@ -660,9 +659,9 @@ function sync_package_pfblockerng($cron = "") {
}
- #############################################
- # Clear Removed Lists from Masterfiles #
- #############################################
+ #################################################
+ # Clear Removed Lists from Masterfiles #
+ #################################################
# Process to keep Masterfiles in Sync with Valid Lists from config.conf file.
$pfb['sync_master'] = TRUE;
@@ -886,9 +885,9 @@ function sync_package_pfblockerng($cron = "") {
}
}
- ##############################################
- # Clear Match/Pass/ET/Original Files/Folders #
- ##############################################
+ #########################################################
+ # Clear Match/Pass/ET/Original Files/Folders #
+ #########################################################
# When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled.
if ($pfb['enable'] == "" && $pfb['keep'] == "" && !$pfb['install']) {
@@ -907,17 +906,17 @@ function sync_package_pfblockerng($cron = "") {
}
- #############################################
- # Create Suppression Txt File #
- #############################################
+ #########################################
+ # Create Suppression Txt File #
+ #########################################
if ($pfb['enable'] == "on" && $pfb['supp'] == "on")
pfb_create_suppression_file();
- #############################################
- # Assign Countries #
- #############################################
+ #################################
+ # Assign Countries #
+ #################################
foreach ($continents as $continent => $pfb_alias) {
if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) {
@@ -1143,9 +1142,9 @@ function sync_package_pfblockerng($cron = "") {
# UNSET variables
unset ($continent, $continent_existing, $continent_new);
- #############################################
- # Download and Collect IPv4/IPv6 lists #
- #############################################
+ #################################################
+ # Download and Collect IPv4/IPv6 lists #
+ #################################################
# IPv4 REGEX Definitions
$pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/';
@@ -1156,21 +1155,25 @@ function sync_package_pfblockerng($cron = "") {
# IPv4 preg_replace Regex Filter array
$pfb_ipreg = array();
- $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet
- $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces
- $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8
- $pfb_ipreg[3] = '/0\.0\.0\.0/'; # Remove 0.0.0.0
+ $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet
+ $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces
+ $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8
+ $pfb_ipreg[3] = '/0\.0\.0\.0\/32/'; # Remove 0.0.0.0/32
+ $pfb_ipreg[4] = '/0\.0\.0\.0/'; # Remove 0.0.0.0
# IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 **
# https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html
$pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}';
- $pattern2 = '([A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}';
+ $pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}';
$pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}';
$pattern4 = '([A-Fa-f0-9]{1,4}:){3}:([A-Fa-f0-9]{1,4}:){0,3}[A-Fa-f0-9]{1,4}';
$pattern5 = '([A-Fa-f0-9]{1,4}:){4}:([A-Fa-f0-9]{1,4}:){0,2}[A-Fa-f0-9]{1,4}';
$pattern6 = '([A-Fa-f0-9]{1,4}:){5}:([A-Fa-f0-9]{1,4}:){0,1}[A-Fa-f0-9]{1,4}';
$pattern7 = '([A-Fa-f0-9]{1,4}:){6}:[A-Fa-f0-9]{1,4}';
- $pfb['ipv6'] = "/^($pattern1)$|^($pattern2)$|^($pattern3)$|^($pattern4)$|^($pattern5)$|^($pattern6)$|^($pattern7)$/";
+ $pattern8 = '[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}::\/[0-9]{2}';
+ $pattern9 = '[A-Fa-f0-9]{1,4}:([A-Fa-f0-9]{1,4}::)\/[0-9]{2}';
+ $pattern10 = '[A-Fa-f0-9]{1,4}::\/[0-9]{2}';
+ $pfb['ipv6'] = "/^($pattern1)$|^($pattern2)$|^($pattern3)$|^($pattern4)$|^($pattern5)$|^($pattern6)$|^($pattern7)$|^($pattern8)$|^($pattern9)$|^($pattern10)$/";
$pfb['supp_update'] = FALSE;
$list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6");
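Review bot: The new `$pfb_ipreg[3]` pattern `/0\.0\.0\.0\/32/` is unanchored, so when `preg_replace($pfb_ipreg, ...)` runs over a matched address such as `10.0.0.0/32` it strips the embedded `0.0.0.0/32` and leaves `1`, which then lands in the list file; the pre-existing `/0\.0\.0\.0/` (now `[4]`) does the same to e.g. `10.0.0.0/8`. The array appears to be applied to one matched address or CIDR at a time (the `$matches[0]` / `$cidr` call sites later in this function), so anchoring looks safe: `$pfb_ipreg[3] = '/^0\.0\.0\.0\/32$/';` and `$pfb_ipreg[4] = '/^0\.0\.0\.0$/';`. Separately, `$pattern8`–`$pattern10` accept only two-digit prefix lengths (`\/[0-9]{2}`), so `/8` or `/128` entries are not matched; `\/[0-9]{1,3}` would cover them. sync_package_pfblockerng() starts and ends outside this hunk.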
@@ -1230,7 +1233,7 @@ function sync_package_pfblockerng($cron = "") {
$host = @parse_url($row['url']);
$list_url = "{$row['url']}";
if ($row['format'] != "rsync" || $row['format'] != "html") {
- if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
+ if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
$remote_tds = "local";
} else {
$remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url)));
@@ -1382,12 +1385,14 @@ function sync_package_pfblockerng($cron = "") {
if (!empty($url_list)) {
if ($row['format'] == "gz" && $vtype == "_v4") {
foreach ($url_list as $line) {
- # Network range 192.168.0.0-192.168.0.254
- if (preg_match($pfb['range'],$line,$matches)) {
- $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]);
- if (!empty($a_cidr)) {
- foreach ($a_cidr as $cidr) {
- $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n";
+ if (!preg_match("/^#/", $line)) {
+ # Network range 192.168.0.0-192.168.0.254
+ if (preg_match($pfb['range'],$line,$matches)) {
+ $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]);
+ if (!empty($a_cidr)) {
+ foreach ($a_cidr as $cidr) {
+ $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n";
+ }
}
}
}
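Review bot: The new guard `if (!preg_match("/^#/", $line))` recognises a comment only when `#` is at column 0, so an indented comment line still reaches the range regex; `/^\s*#/` would cover that form as well. The same guard is copied verbatim into each of the five format branches (here and the four branches in the next hunk), each adding a nesting level; a single `if (preg_match("/^\s*#/", $line)) { continue; }` at the top of each `foreach` gives the same behaviour without re-indenting the loop bodies. The enclosing sync_package_pfblockerng() starts and ends outside this hunk.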
@@ -1396,44 +1401,52 @@ function sync_package_pfblockerng($cron = "") {
elseif ($row['format'] == "block" && $vtype == "_v4") {
foreach ($url_list as $line) {
- # Block Type '218.77.79.0 218.77.79.255 24'
- if (preg_match($pfb['block'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n";
+ if (!preg_match("/^#/", $line)) {
+ # Block Type '218.77.79.0 218.77.79.255 24'
+ if (preg_match($pfb['block'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n";
+ }
}
}
}
elseif ($row['format'] == "html" && $vtype == "_v4") {
foreach ($url_list as $line) {
- # CIDR format 192.168.0.0/16
- if (preg_match($pfb['cidr'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
- }
- # Single ip addresses
- elseif (preg_match($pfb['s_html'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ if (!preg_match("/^#/", $line)) {
+ # CIDR format 192.168.0.0/16
+ if (preg_match($pfb['cidr'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
+ # Single ip addresses
+ elseif (preg_match($pfb['s_html'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
}
}
}
elseif ($vtype == "_v6") {
foreach ($url_list as $line) {
- # IPv6 Regex Match
- if (preg_match($pfb['ipv6'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ if (!preg_match("/^#/", $line)) {
+ # IPv6 Regex Match
+ if (preg_match($pfb['ipv6'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
}
}
}
else {
foreach ($url_list as $line) {
- # CIDR format 192.168.0.0/16
- if (preg_match($pfb['cidr'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
- }
- # Single ip addresses
- elseif (preg_match($pfb['single'],$line,$matches)) {
- $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ if (!preg_match("/^#/", $line)) {
+ # CIDR format 192.168.0.0/16
+ if (preg_match($pfb['cidr'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
+ # Single ip addresses
+ elseif (preg_match($pfb['single'],$line,$matches)) {
+ $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n";
+ }
}
}
}
@@ -1510,7 +1523,7 @@ function sync_package_pfblockerng($cron = "") {
$ip2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", "\"^$1\.$2\.$3\.\"", $ip);
# Only Perform these Checks if they are not "localfiles"
- if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
+ if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
$log = " [ {$alias} {$header_url} ] Local File Failure \n";
pfb_logger("{$log}","2");
} else {
@@ -1646,9 +1659,9 @@ function sync_package_pfblockerng($cron = "") {
}
- #############################################
- # REPUTATION PROCESSES #
- #############################################
+ #################################
+ # REPUTATION PROCESSES #
+ #################################
# IP Reputation processes (pdup and ddup)
if ($pfb['pdup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") {
@@ -1660,9 +1673,9 @@ function sync_package_pfblockerng($cron = "") {
exec ("{$pfb['script']} dedup x {$pfb['dmax']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1");
}
- #############################################
- # CONFIGURE ALIASES #
- #############################################
+ #################################
+ # CONFIGURE ALIASES #
+ #################################
$list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6");
foreach ($list_type as $ip_type => $vtype) {
@@ -1871,9 +1884,9 @@ function sync_package_pfblockerng($cron = "") {
${$alias} = "";
- #############################################
- # UPDATE PfSENSE ALIAS TABLES #
- #############################################
+ #########################################
+ # UPDATE pfSense ALIAS TABLES #
+ #########################################
#update pfsense alias table
if (is_array($config['aliases']['alias'])) {
@@ -1910,9 +1923,9 @@ function sync_package_pfblockerng($cron = "") {
unset($new_aliases, $cbalias);
- #############################################
- # Assign rules #
- #############################################
+ #########################
+ # Assign Rules #
+ #########################
# Only Execute if AutoRules are defined or if an Alias has been removed.
if ($pfb['autorules'] || $pfb['enable'] == "" || $pfb['remove']) {
@@ -2178,50 +2191,9 @@ function sync_package_pfblockerng($cron = "") {
unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules);
}
- #############################################
- # Define/Apply CRON Jobs #
- #############################################
-
- # Clear any existing pfBlockerNG Cron Jobs
- install_cron_job("pfblockerng.php cron", false);
-
- # Replace Cron job with any User Changes to $pfb_min
- if ($pfb['enable'] == "on") {
- # Define pfBlockerNG CRON Job
- $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1";
- # $pfb['min'] ( User Defined Variable. Variable defined at start of Script )
- $pfb_hour = "*";
- $pfb_mday = "*";
- $pfb_month = "*";
- $pfb_wday = "*";
- $pfb_who = "root";
-
- install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who);
- }
-
- # Clear any existing pfBlockerNG MaxMind CRON Job
- install_cron_job("pfblockerng.php dc", false);
-
- if ($pfb['enable'] == "on") {
- # Define pfBlockerNG MaxMind CRON Job
- $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1";
-
- # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website
-
- $pfb_gmin = "0";
- $pfb_ghour = rand(0,23);
- $pfb_gmday = "1,2,3,4,5,6,7";
- $pfb_gmonth = "*";
- $pfb_gwday = "2";
- $pfb_gwho = "root";
-
- install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho);
- }
-
-
- #############################################
- # Closing Processes #
- #############################################
+ #################################
+ # Closing Processes #
+ #################################
#uncheck Reusing Existing Downloads Check box
if (!$pfb['save'] && $pfb['enable'] == "on")
@@ -2234,11 +2206,13 @@ function sync_package_pfblockerng($cron = "") {
if ($pfb['autorules'] && $rules != $new_rules || $pfb['enable'] == "" || $pfb['remove']) {
require_once("filter.inc");
- $log = "\n===[ Aliastables / Rules ]================================\n\n";
- pfb_logger("{$log}","1");
+ if (!$pfb['save']) {
+ $log = "\n===[ Aliastables / Rules ]================================\n\n";
+ pfb_logger("{$log}","1");
- $log = "Firewall Rule Changes Found, Applying Filter Reload \n";
- pfb_logger("{$log}","1");
+ $log = "Firewall Rule Changes Found, Applying Filter Reload \n";
+ pfb_logger("{$log}","1");
+ }
# Remove all pfBlockerNG Alias tables
if (!empty($aliases_list)) {
@@ -2291,9 +2265,9 @@ function sync_package_pfblockerng($cron = "") {
#sync config
pfblockerng_sync_on_changes();
- #############################################
- # FINAL REPORTING #
- #############################################
+ #################################
+ # FINAL REPORTING #
+ #################################
# Only run with CRON or Force Invoked Process
if ((!$pfb['save'] && $pfb['dupcheck'] && $pfb['enable'] == "on") || $pfb['summary']) {
@@ -2305,6 +2279,47 @@ function sync_package_pfblockerng($cron = "") {
$log = "\n\n UPDATE PROCESS ENDED [ NOW ]\n";
pfb_logger("{$log}","1");
}
+
+
+ #########################################
+ # Define/Apply CRON Jobs #
+ #########################################
+
+ # Clear any existing pfBlockerNG Cron Jobs
+ install_cron_job("pfblockerng.php cron", false);
+
+ # Replace Cron job with any User Changes to $pfb_min
+ if ($pfb['enable'] == "on") {
+ # Define pfBlockerNG CRON Job
+ $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1";
+ # $pfb['min'] ( User Defined Variable. Variable defined at start of Script )
+ $pfb_hour = "*";
+ $pfb_mday = "*";
+ $pfb_month = "*";
+ $pfb_wday = "*";
+ $pfb_who = "root";
+
+ install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who);
+ }
+
+ # Clear any existing pfBlockerNG MaxMind CRON Job
+ install_cron_job("pfblockerng.php dc", false);
+
+ if ($pfb['enable'] == "on") {
+ # Define pfBlockerNG MaxMind CRON Job
+ $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1";
+
+ # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website
+
+ $pfb_gmin = "0";
+ $pfb_ghour = rand(0,23);
+ $pfb_gmday = "1,2,3,4,5,6,7";
+ $pfb_gmonth = "*";
+ $pfb_gwday = "2";
+ $pfb_gwho = "root";
+
+ install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho);
+ }
}
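Review bot: The MaxMind job's schedule combines `$pfb_gmday = "1,2,3,4,5,6,7"` with `$pfb_gwday = "2"`; under the usual cron rule that a restricted day-of-month and a restricted day-of-week are ORed, this fires on the 1st–7th of every month and additionally every Tuesday, rather than once a week or only on the first Tuesday. If a weekly run is the intent, `$pfb_gmday = "*";` gives exactly Tuesdays; a first-Tuesday-only run needs a day-of-month test inside the command instead. This assumes `install_cron_job()` writes the fields into a standard crontab, which is not visible here. `$pfb['min']` is also passed to `install_cron_job()` as given, so a malformed minute value from the config would produce an invalid entry; a sanity check on it before the call would keep the crontab valid. sync_package_pfblockerng() starts outside the hunk; its closing brace is the hunk's last line.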