Diffstat (limited to 'config')
-rw-r--r-- | config/pfblockerng/pfblockerng.inc | 1237 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng.php | 312 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng.priv.inc | 6 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng.sh | 13 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng.widget.php | 453 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng.xml | 194 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_alerts.php | 381 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_diag_dns.php | 23 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_log.php | 31 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_sync.xml | 14 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_top20.xml | 130 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_update.php | 164 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_v4lists.xml | 232 | ||||
-rw-r--r-- | config/pfblockerng/pfblockerng_v6lists.xml | 226 |
14 files changed, 2191 insertions, 1225 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index 26eeb5e5..379ce223 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -46,7 +46,7 @@ require_once("pfsense-utils.inc"); require_once("globals.inc"); require_once("services.inc"); -# [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings. +// [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings. function pfb_global() { global $g,$config,$pfb; @@ -58,10 +58,7 @@ function pfb_global() { $prefix = "/usr/local"; } - # Collect pfSense Version - $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3); - - # Folders + // Folders $pfb['dbdir'] = "{$g['vardb_path']}/pfblockerng"; $pfb['aliasdir'] = "{$g['vardb_path']}/aliastables"; $pfb['logdir'] = "{$g['varlog_path']}/pfblockerng"; 
@@ -71,39 +68,49 @@ function pfb_global() { $pfb['matchdir'] = "{$pfb['dbdir']}/match"; $pfb['permitdir'] = "{$pfb['dbdir']}/permit"; $pfb['origdir'] = "{$pfb['dbdir']}/original"; - $pfb['ccdir'] = $prefix . "/share/GeoIP"; + $pfb['ccdir'] = "{$prefix}/share/GeoIP"; - # Create Folders if not Exist. + // Create Folders if not Exist. $folder_array = array ("{$pfb['dbdir']}","{$pfb['logdir']}","{$pfb['ccdir']}","{$pfb['origdir']}","{$pfb['nativedir']}","{$pfb['denydir']}","{$pfb['matchdir']}","{$pfb['permitdir']}","{$pfb['aliasdir']}"); foreach ($folder_array as $folder) { safe_mkdir ("{$folder}",0755); } - # Files - $pfb['master'] = "{$pfb['dbdir']}/masterfile"; - $pfb['errlog'] = "{$pfb['logdir']}/error.log"; - $pfb['geolog'] = "{$pfb['logdir']}/geoip.log"; - $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log"; - $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt"; - $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh'; - $pfb['aliasarchive'] = $prefix . "/etc/aliastables.tar.bz2"; - - # General Variables - $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0]; - - # Enable/Disable of pfBlockerNG - $pfb['enable'] = $pfb['config']['enable_cb']; - # Keep Blocklists on pfBlockerNG Disable - $pfb['keep'] = $pfb['config']['pfb_keep']; - # Enable Suppression - $pfb['supp'] = $pfb['config']['suppression']; - # Max Lines in pfblockerng.log file - $pfb['logmax'] = $pfb['config']['log_maxlines']; - $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr']; - # Disable Country Database CRON Updates - $pfb['cc'] = $pfb['config']['database_cc']; - - # Set pfBlockerNG to Disabled on 'Re-Install' + // Files + $pfb['master'] = "{$pfb['dbdir']}/masterfile"; + $pfb['errlog'] = "{$pfb['logdir']}/error.log"; + $pfb['geolog'] = "{$pfb['logdir']}/geoip.log"; + $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log"; + $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt"; + $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh'; + $pfb['aliasarchive'] = 
"{$prefix}/etc/aliastables.tar.bz2"; + + // General Variables + $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0]; + + // Enable/Disable of pfBlockerNG + $pfb['enable'] = $pfb['config']['enable_cb']; + // Keep Blocklists on pfBlockerNG Disable + $pfb['keep'] = $pfb['config']['pfb_keep']; + // Enable Suppression + $pfb['supp'] = $pfb['config']['suppression']; + // Max Lines in pfblockerng.log file + $pfb['logmax'] = $pfb['config']['log_maxlines']; + // Lan IP Address + $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr']; + // Disable Country Database CRON Updates + $pfb['cc'] = $pfb['config']['database_cc']; + + // User Defined CRON Start Minute + $pfb['min'] = $pfb['config']['pfb_min']; + // Start hour of the Scheduler + $pfb['hour'] = $pfb['config']['pfb_hour']; + // Hour cycle for Scheduler + $pfb['interval'] = $pfb['config']['pfb_interval']; + // Start hour of the 'Once a day' Schedule + $pfb['24hour'] = $pfb['config']['pfb_dailystart']; + + // Set pfBlockerNG to Disabled on 'Re-Install' if (isset($pfb['install']) && $pfb['install']) { $pfb['enable'] = ""; $pfb['install'] = FALSE; 
@@ -112,38 +119,51 @@ function pfb_global() { pfb_global(); -# Set Max PHP Memory Setting +// Set Max PHP Memory Setting $uname = posix_uname(); -if ($uname['machine'] == 'amd64') +if ($uname['machine'] == 'amd64') { ini_set('memory_limit', '256M'); +} -# Function to decode to Alias Custom Entry Box. +// Function to decode to Alias Custom entry box. function pfbng_text_area_decode($text) { - return preg_replace('/\r\n/', "\n",base64_decode($text)); + $customlist = explode("\r\n", base64_decode($text)); + foreach ($customlist as $line) { + if (substr(trim($line), 0, 1) != '#' && !empty($line)) { + if (strpos($line, '#')) { + $custom .= trim(strstr($line, '#', TRUE)) . "\n"; + } else { + $custom .= $line . "\n"; + } + } + } + return $custom; } -# Manage Log File Line Limit +// Manage Log File Line Limit function pfb_log_mgmt() { global $pfb; pfb_global(); if ($pfb['logmax'] == "nolimit") { - # Skip Log Mgmt + // Skip Log Mgmt } else { - exec("/usr/bin/tail -n {$pfb['logmax']} {$pfb['log']} > /tmp/pfblog; /bin/mv -f /tmp/pfblog {$pfb['log']}"); + if (file_exists($pfb['log'])) { + exec("/usr/bin/tail -n {$pfb['logmax']} {$pfb['log']} > /tmp/pfblog; /bin/mv -f /tmp/pfblog {$pfb['log']}"); + } } } -# Record Log Messsages to pfBlockerNG Log File and/or Error Log File. +// Record Log Messsages to pfBlockerNG Log File and/or Error Log File. function pfb_logger($log, $type) { global $g,$pfb,$pfbarr; $now = date("m/d/y G:i:s", time()); - # Only log timestamp if new + // Only log timestamp if new if (preg_match("/NOW/", $log)) { if ($now == $pfb['pnow']) { $log = str_replace("[ NOW ]", "", "{$log}"); 
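Review bot: `$custom` in the rewritten pfbng_text_area_decode is never initialised, so the first `.=` concatenates onto an undefined variable and a box containing only comment lines now returns null where the old implementation returned an empty string; open the function with `$custom = "";`. The new `explode("\r\n", ...)` also stops splitting content that arrives with bare `\n` endings, which the old `preg_replace` tolerated, so `preg_split("/\r?\n/", base64_decode($text))` keeps both forms working. Separately, pfb_log_mgmt still interpolates `$pfb['logmax']` unquoted into the `tail` command; it is config rather than request data, but wrapping the exec in `if (is_numeric($pfb['logmax']))` costs nothing and keeps a malformed setting out of the shell.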
@@ -164,9 +184,9 @@ function pfb_logger($log, $type) { } -# Determine Folder Location for 'List' -function pfb_determine_list_detail($list) { - global $g,$pfb,$pfbarr; +// Determine 'List' Details +function pfb_determine_list_detail($list="", $header_url="", $confconfig="", $key="") { + global $pfb,$pfbarr,$config; $pfbarr = array(); if (in_array($list,array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { @@ -179,7 +199,7 @@ function pfb_determine_list_detail($list) { $pfbarr['skip'] = FALSE; $pfbarr['folder'] = "{$pfb['nativedir']}"; } else { - # Deny + // Deny $pfbarr['skip'] = TRUE; $pfbarr['folder'] = "{$pfb['denydir']}"; } 
@@ -191,10 +211,180 @@ function pfb_determine_list_detail($list) { $pfbarr['descr'] = " Auto "; } + // Determine length of Header to format log Output + if (strlen($header_url) > 19) { + $pfbarr['logtab'] = ""; + } + elseif (strlen($header_url) > 11) { + $pfbarr['logtab'] = "\t"; + } + elseif (strlen($header_url) < 4) { + $pfbarr['logtab'] = "\t\t\t"; + } + else { + $pfbarr['logtab'] = "\t\t"; + } + + if ($confconfig != "") { + // Configure Autoports/Protocol and Auto Destination if required. + $autotype = array( 'autoports' => 'aliasports', 'autodest' => 'aliasdest'); + $aports = ""; $adest = ""; + $pfbarr['aproto'] = $config['installedpackages'][$confconfig]['config'][$key]['autoproto']; + foreach ($autotype as $akey => $atype) { + if ($config['installedpackages'][$confconfig]['config'][$key][$akey] == "on" && is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $palias) { + if ($palias['name'] == $config['installedpackages'][$confconfig]['config'][$key][$atype]) { + if (!empty($palias['address'])) { + switch($akey) { + case "autoports": + $pfbarr['aports'] = $config['installedpackages'][$confconfig]['config'][$key][$atype]; + break; + case "autodest": + $pfbarr['adest'] = $config['installedpackages'][$confconfig]['config'][$key][$atype]; + break; + } + } + } + } + } + } + } return $pfbarr; } -# Create Suppression Alias + +// Determine if Cron Task requires updating +function pfblockerng_cron_exists($crontask, $pfb_min, $pfb_hour) { + global $config; + + if (is_array($config['cron']['item'])) { + foreach ($config['cron']['item'] as $item) { + if (strpos($item['command'], $crontask) !== FALSE) { + if ($item['minute'] != $pfb_min) { + return FALSE; + } + if ($pfb_hour == 'maxmind' && !empty($item['hour'])) { + // Maxmind hour is randomized. Skip comparison. 
+ return TRUE; + } + if ($item['hour'] != $pfb_hour) { + return FALSE; + } + return TRUE; + } + } + } + return FALSE; +} + + +// Calculate the cron task base hour setting +function pfb_cron_base_hour() { + global $pfb; + + if ($pfb['interval'] == 1) { + return; + } + + if ($pfb['interval'] == 2) { + // 2 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch2 = strval($shour); + for ($i=0; $i<11; $i++) { + $shour += 2; + if ($shour >= 24) + $shour -= 24; + $sch2 .= "," . strval($shour); + } + $sch2 = explode(",", $sch2); + sort($sch2); + return $sch2; + } + + if ($pfb['interval'] == 3) { + // 3 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch3 = strval($shour); + for ($i=0; $i<7; $i++) { + $shour += 3; + if ($shour >= 24) + $shour -= 24; + $sch3 .= "," . strval($shour); + } + $sch3 = explode(",", $sch3); + sort($sch3); + return $sch3; + } + + if ($pfb['interval'] == 4) { + // 4 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch4 = strval($shour); + for ($i=0; $i<5; $i++) { + $shour += 4; + if ($shour >= 24) + $shour -= 24; + $sch4 .= "," . strval($shour); + } + $sch4 = explode(",", $sch4); + sort($sch4); + return $sch4; + } + + if ($pfb['interval'] == 6) { + // 6 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch6 = strval($shour); + for ($i=0; $i<3; $i++) { + $shour += 6; + if ($shour >= 24) + $shour -= 24; + $sch6 .= "," . strval($shour); + } + $sch6 = explode(",", $sch6); + sort($sch6); + return $sch6; + } + + if ($pfb['interval'] == 8) { + // 8 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch8 = strval($shour); + for ($i=0; $i<2; $i++) { + $shour += 8; + if ($shour >= 24) + $shour -= 24; + $sch8 .= "," . strval($shour); + } + $sch8 = explode(",", $sch8); + sort($sch8); + return $sch8; + } + + if ($pfb['interval'] == 12) { + // 12 Hour Schedule Converter + $shour = intval(substr($pfb['hour'], 0, 2)); + $sch12 = strval($shour) . 
","; + $shour += 12; + if ($shour >= 24) + $shour -= 24; + $sch12 .= strval($shour); + $sch12 = explode(",", $sch12); + sort($sch12); + return $sch12; + } + + if ($pfb['interval'] == 24) { + return array($pfb['24hour']); + } + + // Default to hourly schedule + $pfb['interval'] = 1; + return; +} + + +// Create Suppression Alias function pfb_create_suppression_alias() { global $config; @@ -212,11 +402,11 @@ function pfb_create_suppression_alias() { "detail" => "" ); $config['aliases']['alias'] = $new_aliases; - write_config(); + $pfb['cron_mod'] = TRUE; } -# Create Suppression file from Alias +// Create Suppression file from Alias function pfb_create_suppression_file() { global $config,$pfb; @@ -235,19 +425,20 @@ function pfb_create_suppression_file() { if ($pfb['found']) { $pfb_suppress = str_replace(" ", "\n", $config['aliases']['alias'][$pfb_id]['address']); if (!empty($pfb_suppress)) { - @file_put_contents("{$pfb['supptxt']}",$pfb_suppress, LOCK_EX); + @file_put_contents("{$pfb['supptxt']}", $pfb_suppress, LOCK_EX); } else { unlink_if_exists("{$pfb['supptxt']}"); } } else { - # Delete Suppression File if Alias is Empty. + // Delete Suppression File if Alias is Empty. unlink_if_exists("{$pfb['supptxt']}"); } } // Call Function to Create Suppression Alias. - if (!$pfb['found']) + if (!$pfb['found']) { pfb_create_suppression_alias(); + } } @@ -306,7 +497,7 @@ function ip_range_to_subnet_array_temp2($ip1, $ip2) { // already checked for the edge case where end = start+1 and start ends in 0x1, above, so it's safe } - // this is the only edge case arising from increment/decrement. + // this is the only edge case arising from increment/decrement. // it happens if the range at start of loop is exactly 2 adjacent ips, that spanned the 1->0 gap. (we will have enumerated both by now) if (strcmp($ip2bin, $ip1bin) < 0) 
@@ -393,18 +584,21 @@ function pfb_aliastables($mode) { } } - if ($msg != "") + if ($msg != "") { pfb_logger("{$msg}","1"); + $pfb['cron_mod'] = TRUE; + } } -# Main pfBlockerNG Function +// Main pfBlockerNG Function function sync_package_pfblockerng($cron = "") { global $g,$config,$pfb,$pfbarr; pfb_global(); + $pfb['cron_mod'] = FALSE; // Flag to check for mods to the config.xml file. - # Detect Boot Process or Update via CRON + // Detect Boot Process or Update via CRON if (isset($_POST) && $cron == "") { if (!preg_match("/\w+/",$_POST['__csrf_magic'])) { log_error("[pfBlockerNG] Sync terminated during boot process."); @@ -418,7 +612,7 @@ function sync_package_pfblockerng($cron = "") { $pfb['save'] = TRUE; } - # Start of pfBlockerNG Logging to 'pfblockerng.log' + // Start of pfBlockerNG Logging to 'pfblockerng.log' if ($pfb['enable'] == "on" && !$pfb['save']) { $log = " UPDATE PROCESS START [ NOW ]\n"; pfb_logger("{$log}","1"); @@ -432,13 +626,15 @@ function sync_package_pfblockerng($cron = "") { // Call function for NanoBSD/Ramdisk processes. pfb_aliastables("conf"); - # Collect pfSense Max Table Size Entry - $pfb['table_limit'] = ($config['system']['maximumtableentries'] != "" ? $config['system']['maximumtableentries'] : "2000000"); - - # If Table limit not defined, set Default to 2M - $config['system']['maximumtableentries'] = "{$pfb['table_limit']}"; + // Collect pfSense Max Table Size Entry + if (empty($config['system']['maximumtableentries'])) { + // If Table limit not defined, set Default to 2M + $config['system']['maximumtableentries'] = "2000000"; + $pfb['cron_mod'] = TRUE; + } + $pfb['table_limit'] = $config['system']['maximumtableentries']; - # Collect local web gui configuration + // Collect local web gui configuration $pfb['weblocal'] = ($config['system']['webgui']['protocol'] != "" ? $config['system']['webgui']['protocol'] : "http"); $pfb['port'] = $config['system']['webgui']['port']; if ($pfb['port'] == "") { 
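Review bot: pfb_aliastables now sets `$pfb['cron_mod'] = TRUE;` after logging `$msg`, but the hunk does not show the function's `global` declaration; if `$pfb` is not declared global there, the flag is silently dropped, the same failure the suppression-alias helper in this diff has. Worth confirming that the header, which is outside the hunk, carries `global $pfb;` alongside whatever it already declares.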
@@ -450,72 +646,57 @@ function sync_package_pfblockerng($cron = "") { } $pfb['weblocal'] .= "://127.0.0.1:{$pfb['port']}/pfblockerng/pfblockerng.php"; - # Define Inbound/Outbound Action is not user selected. + // Define Inbound/Outbound Action is not user selected. $pfb['deny_action_inbound'] = ($pfb['config']['inbound_deny_action'] != "" ? $pfb['config']['inbound_deny_action'] : "block"); $pfb['deny_action_outbound'] = ($pfb['config']['outbound_deny_action'] != "" ? $pfb['config']['outbound_deny_action'] : "reject"); - # Validation check to see if the Original pfBlocker package is Enabled - $pfb['validate']= $pfb['config']['pfblocker_cb']; - # User Defined CRON Start Minute - $pfb['min'] = $pfb['config']['pfb_min']; - # Reloads Existing Blocklists without Downloading New Lists + // Reloads Existing Blocklists without Downloading New Lists $pfb['reuse'] = $pfb['config']['pfb_reuse']; - # Enable OpenVPN AutoRules + // Enable OpenVPN AutoRules $pfb['openvpn'] = $pfb['config']['openvpn_action']; - # Enable/Disable Floating Auto-Rules + // Enable/Disable Floating Auto-Rules $pfb['float'] = $pfb['config']['enable_float']; - # Enable Remove of Duplicate IPs utilizing Grepcidr + // Enable Remove of Duplicate IPs utilizing Grepcidr $pfb['dup'] = $pfb['config']['enable_dup']; - # Order of the Auto-Rules + // Order of the Auto-Rules $pfb['order'] = $pfb['config']['pass_order']; - # Suffix used for Auto-Rules + // Suffix used for Auto-Rules $pfb['suffix'] = $pfb['config']['autorule_suffix']; - # Reputation Variables + // Reputation Variables $pfb['config_rep'] = $config['installedpackages']['pfblockerngreputation']['config'][0]; - # Enable/Disable Reputation + // Enable/Disable Reputation $pfb['rep'] = $pfb['config_rep']['enable_rep']; - # Enable/Disable 'pDup' + // Enable/Disable 'pDup' $pfb['pdup'] = $pfb['config_rep']['enable_pdup']; - # Enable/Disable 'dDup' + // Enable/Disable 'dDup' $pfb['dedup'] = ($pfb['config_rep']['enable_dedup'] != "" ? 
$pfb['config_rep']['enable_dedup'] : "x"); - # 'Max' variable setting for Reputation + // 'Max' variable setting for Reputation $pfb['max'] = ($pfb['config_rep']['p24_max_var'] != "" ? $pfb['config_rep']['p24_max_var'] : "x"); - # 'dMax' variable setting for Reputation + // 'dMax' variable setting for Reputation $pfb['dmax'] = ($pfb['config_rep']['p24_dmax_var'] != "" ? $pfb['config_rep']['p24_dmax_var'] : "x"); - # 'pMax' variable setting for Reputation + // 'pMax' variable setting for Reputation $pfb['pmax'] = ($pfb['config_rep']['p24_pmax_var'] != "" ? $pfb['config_rep']['p24_pmax_var'] : "x"); - # Action for Whitelist Country Category + // Action for Whitelist Country Category $pfb['ccwhite'] = $pfb['config_rep']['ccwhite']; - # Action for Blacklist Country Category + // Action for Blacklist Country Category $pfb['ccblack'] = $pfb['config_rep']['ccblack']; - # List of Countries in the Whitelist Category + // List of Countries in the Whitelist Category $pfb['ccexclude']= ($pfb['config_rep']['ccexclude'] != "" ? $pfb['config_rep']['ccexclude'] : "x"); - # Emerging Threats IQRisk Block Categories + // Emerging Threats IQRisk Block Categories $pfb['etblock'] = ($pfb['config_rep']['etblock'] != "" ? $pfb['config_rep']['etblock'] : "x"); - # Emerging Threats IQRisk Match Categories + // Emerging Threats IQRisk Match Categories $pfb['etmatch'] = ($pfb['config_rep']['etmatch'] != "" ? $pfb['config_rep']['etmatch'] : "x"); - # Perform a Force Update on ET Categories + // Perform a Force Update on ET Categories $pfb['etupdate']= $pfb['config_rep']['et_update']; - # Variables + // Variables - # Starting Variable to Skip rep, pdup and dedeup functions if no changes are required + // Starting Variable to Skip rep, pdup and dedeup functions if no changes are required $pfb['dupcheck'] = FALSE; - ## $pfb['save'] is used to determine if User pressed "Save" Button to avoid Collision with CRON. 
- ## This is defined in each pfBlockerNG XML Files - - # Validation Check to ensure pfBlocker and pfBlockerNG are not running at the same time. - if ($pfb['validate'] == "") { - # Collect pfBlocker Enabled Status from config file - $pfb['validate_chk'] = $config['installedpackages']['pfblocker']['config'][0]['enable_cb']; - if ($pfb['validate_chk'] == "on") { - $log = "\n The Package 'pfBlocker' is currently Enabled. Either Disable pfBlocker, or 'Disable Validation Check' in pfBlockerNG \n"; - pfb_logger("{$log}","1"); - return; - } - } + // $pfb['save'] is used to determine if User pressed "Save" Button to avoid Collision with CRON. + // This is defined in each pfBlockerNG XML Files ################################# @@ -533,8 +714,8 @@ function sync_package_pfblockerng($cron = "") { "Proxy and Satellite" => "pfB_PS" ); - #create rules vars and arrays - # Array used to Collect Changes to Aliases to be saved to Config + // create rules vars and arrays + // Array used to Collect Changes to Aliases to be saved to Config $new_aliases = array(); $new_aliases_list = array(); $continent_existing = array(); @@ -543,14 +724,14 @@ function sync_package_pfblockerng($cron = "") { $permit_outbound = array(); $deny_inbound = array(); $deny_outbound = array(); - # An Array of all Aliases (Active and non-Active) + // An Array of all Aliases (Active and non-Active) $aliases_list = array(); - # This is an Array of Aliases that Have Updated Lists via CRON/Force Update when 'Reputation' disabled. + // This is an Array of Aliases that Have Updated Lists via CRON/Force Update when 'Reputation' disabled. $pfb_alias_lists = array(); - # This is an Array of All Active Aliases used when 'Reputation' enabled + // This is an Array of All Active Aliases used when 'Reputation' enabled $pfb_alias_lists_all = array(); - # Base Rule Array + // Base Rule Array $base_rule_reg = array( "id" => "", "tag" => "", "tagged" => "", 
@@ -563,7 +744,7 @@ function sync_package_pfblockerng($cron = "") { "os" => "" ); - # Floating Rules, Base Rule Array + // Floating Rules, Base Rule Array $base_rule_float = array("id" => "", "tag" => "", "tagged" => "", @@ -583,8 +764,8 @@ function sync_package_pfblockerng($cron = "") { # Configure Rule Suffix # ######################################### - # Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order ) - # To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules + // Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order ) + // To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules $pfb['autorules'] = FALSE; $pfb['found'] = FALSE; foreach ($continents as $continent => $pfb_alias) { @@ -610,16 +791,16 @@ function sync_package_pfblockerng($cron = "") { } } - #Configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules - # Count Number of Rules with 'pfB_' + // Configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules + // Count Number of Rules with 'pfB_' $count = 0; if (is_array($config['filter']['rule'])) { foreach ($config['filter']['rule'] as $rule) { - # Collect any pre-existing Suffix + // Collect any pre-existing Suffix if (preg_match("/pfB_\w+(\s.*)/",$rule['descr'], $pfb_suffix_real) && $count == 0) { $pfb_suffix_match = $pfb_suffix_real[1]; } - # Query for Existing pfB Rules + // Query for Existing pfB Rules if (preg_match("/pfB_/",$rule['descr'])) { $count++; break; 
@@ -627,7 +808,7 @@ function sync_package_pfblockerng($cron = "") { } } - # Change Suffix only if No pfB Rules Found and Auto Rules are Enabled. + // Change Suffix only if No pfB Rules Found and Auto Rules are Enabled. if ($pfb['autorules'] && $count == 0) { switch ($pfb['suffix']) { case "autorule": @@ -642,10 +823,10 @@ function sync_package_pfblockerng($cron = "") { } } else { if ($pfb['autorules']) { - # Use existing Suffix Match + // Use existing Suffix Match $pfb['suffix'] = $pfb_suffix_match; } else { - # Leave Rule Suffix 'Blank' + // Leave Rule Suffix 'Blank' $pfb['suffix'] = ""; } } 
@@ -655,50 +836,52 @@ function sync_package_pfblockerng($cron = "") { # Configure INBOUND/OUTBOUND INTERFACES # ######################################################### - # Collect pfSense Interface Order + // Collect pfSense Interface Order $ifaces = get_configured_interface_list(); if (!empty($pfb['config']['inbound_interface'])) { - # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. + // Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. $selected_interfaces = explode(",",$pfb['config']['inbound_interface']); - # Sort pfBlockerNG Interface order to pfSense Interface Order + // Sort pfBlockerNG Interface order to pfSense Interface Order $sort_interfaces = array_intersect($ifaces, $selected_interfaces); $implode_interfaces = ltrim(implode(",",$sort_interfaces), ","); - # CSV String for Inbound Interfaces for 'pfB_' Match Rules + // CSV String for Inbound Interfaces for 'pfB_' Match Rules $pfb['inbound_floating'] = $implode_interfaces; $pfb['inbound_interfaces_float'] = explode(" ",$implode_interfaces); - # Assign Inbound Base Rule/Interfaces + // Assign Inbound Base Rule/Interfaces if ($pfb['float'] == "on") { - # Define Base Firewall Floating Rules Settings + // Define Base Firewall Floating Rules Settings $base_rule = $base_rule_float; $pfb['inbound_interfaces'] = $pfb['inbound_interfaces_float']; } else { - # Define Base Firewall Rules Settings + // Define Base Firewall Rules Settings $base_rule = $base_rule_reg; $pfb['inbound_interfaces'] = explode(",",$pfb['config']['inbound_interface']); } } else { - # Define Empty Variable/Array + // Define Empty Variable/Array $pfb['inbound_interfaces_float'] = ""; $pfb['inbound_interfaces'] = array(); } if (!empty($pfb['config']['outbound_interface'])) { - # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. 
+ // Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. $selected_interfaces = explode(",",$pfb['config']['outbound_interface']); - # Sort pfBlockerNG Interface order to pfSense Interface Order + // Sort pfBlockerNG Interface order to pfSense Interface Order $sort_interfaces = array_intersect($ifaces, $selected_interfaces); // If OpenVPN Interfaces are not in dropdown menu - if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) - if (!in_array("openvpn",$sort_interfaces)) + if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) { + if (!in_array("openvpn",$sort_interfaces)) { array_push($sort_interfaces, "openvpn"); + } + } $implode_interfaces = ltrim(implode(",",$sort_interfaces), ","); - # CSV String for Outbound Interfaces for 'pfB_' Match Rules + // CSV String for Outbound Interfaces for 'pfB_' Match Rules $pfb['outbound_floating'] = $implode_interfaces; $pfb['outbound_interfaces_float'] = explode(" ",$implode_interfaces); - # Assign Outbound Base Rule/Interfaces + // Assign Outbound Base Rule/Interfaces if ($pfb['float'] == "on") { $base_rule = $base_rule_float; $pfb['outbound_interfaces'] = $pfb['outbound_interfaces_float']; 
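Review bot: The OpenVPN test in the outbound block mixes `&&` and `||` with no parentheses, `if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client'])`; it only works because `&&` binds tighter, and it repeats the `== "on"` check. Writing it as `if ($pfb['openvpn'] == "on" && (!empty($config['openvpn']['openvpn-server']) || !empty($config['openvpn']['openvpn-client'])))` states the intent and avoids a notice when neither key exists. The enclosing function continues past the hunk.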
@@ -706,12 +889,14 @@ function sync_package_pfblockerng($cron = "") { $base_rule = $base_rule_reg; $pfb['outbound_interfaces'] = explode(",",$pfb['config']['outbound_interface']); // If OpenVPN Interfaces are not in dropdown menu - if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) - if (!in_array("openvpn",$sort_interfaces)) + if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) { + if (!in_array("openvpn",$sort_interfaces)) { array_push($pfb['outbound_interfaces'], "openvpn"); + } + } } } else { - # Define Empty Variable/Array + // Define Empty Variable/Array $pfb['outbound_interfaces_float'] = ""; $pfb['outbound_interfaces'] = array(); } @@ -721,12 +906,13 @@ function sync_package_pfblockerng($cron = "") { # Clear Removed Lists from Masterfiles # ################################################# - # Process to keep Masterfiles in Sync with Valid Lists from config.conf file. + // Process to keep Masterfiles in Sync with Valid Lists from config.conf file. $pfb['sync_master'] = TRUE; - # Don't execute this function when pfBlockerNG is Disabled and 'Keep Blocklists' is enabled. - if ($pfb['enable'] == "" && $pfb['keep'] == "on") + // Don't execute this function when pfBlockerNG is Disabled and 'Keep Blocklists' is enabled. + if ($pfb['enable'] == "" && $pfb['keep'] == "on") { $pfb['sync_master'] = FALSE; + } if ($pfb['sync_master']) { $pfb['existing']['match']['type'] = "match"; 
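Review bot: In the non-floating outbound branch, `if (!in_array("openvpn",$sort_interfaces))` guards a push onto `$pfb['outbound_interfaces']`, but it tests `$sort_interfaces`, which the block at the end of the previous hunk has already appended `"openvpn"` to under the identical condition; so whenever this branch is reached the guard is false and `openvpn` is never added to the regular-rule interface list. The check should look at the array being modified: `if (!in_array("openvpn", $pfb['outbound_interfaces']))`. The enclosing function extends beyond this hunk.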
@@ -754,7 +940,7 @@ function sync_package_pfblockerng($cron = "") { $cont_type = array ("countries4" => "_v4", "countries6" => "_v6"); foreach ($cont_type as $c_type => $vtype) { if ($continent_config[$c_type] != "") { - # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' + // Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' if (in_array($continent_config['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { $pfb['existing']['match'][] = "{$pfb_alias}{$vtype}"; } elseif (in_array($continent_config['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))){ @@ -770,7 +956,7 @@ function sync_package_pfblockerng($cron = "") { } } - # Find all Enabled IPv4/IPv6 Lists + // Find all Enabled IPv4/IPv6 Lists $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); foreach ($list_type as $ip_type => $vtype) { if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { @@ -782,9 +968,9 @@ function sync_package_pfblockerng($cron = "") { } else { $pfb_alias = "{$row['header']}_v6"; } - # Collect Enabled Lists + // Collect Enabled Lists if ($row['url'] != "" && $row['state'] != "Disabled") { - # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' + // Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { $pfb['existing']['match'][] = "{$pfb_alias}"; } elseif (in_array($list['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))) { 
@@ -801,7 +987,7 @@ function sync_package_pfblockerng($cron = "") { } } - # Find all Enabled IPv4 'Custom List' Header Names and Check if 'Emerging Threats Update' and 'Custom List Update' Needs Force Updating + // Find all Enabled IPv4 'Custom List' Header Names and Check if 'Emerging Threats Update' and 'Custom List Update' Needs Force Updating $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); foreach ($list_type as $ip_type => $vtype) { if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { @@ -809,27 +995,28 @@ function sync_package_pfblockerng($cron = "") { foreach ($config['installedpackages'][$ip_type]['config'] as $list) { if (is_array($list['row']) && $list['action'] != "Disabled") { $count++; - # Check if 'Emerging Threats Update' Needs Updating before next CRON Event. + // Check if 'Emerging Threats Update' Needs Updating before next CRON Event. if (is_array($list['row']) && $row['state'] != "Disabled" && $pfb['etupdate'] == "enabled" && $vtype == "_v4") { foreach ($list['row'] as $row) { $aliasname = $row['header']; if ($row['format'] == "et") { unlink_if_exists("{$pfb['denydir']}/{$aliasname}.txt"); $config['installedpackages']['pfblockerngreputation']['config'][0]['et_update'] = "disabled"; + $pfb['cron_mod'] = TRUE; break; } } } } - # Collect Enabled Custom List Box Aliases + // Collect Enabled Custom List Box Aliases if (pfbng_text_area_decode($list['custom']) != "") { if ($vtype == "_v4") { $pfb_alias = "{$list['aliasname']}_custom"; } else { $pfb_alias = "{$list['aliasname']}_custom_v6"; } - # Determine Folder Location for 'List' + // Determine Folder Location for 'List' if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { $pfb['existing']['match'][] = "{$pfb_alias}"; $pfbfolder = "{$pfb['matchdir']}"; 
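Review bot: The Emerging Threats force-update test `is_array($list['row']) && $row['state'] != "Disabled" && ...` reads `$row` before the `foreach ($list['row'] as $row)` that follows it, so `$row` is either undefined or the last row of a previously visited list and the state check decides nothing about this list; move it inside the loop as `if ($row['state'] != "Disabled" && $row['format'] == "et")`. Note also that `$count++` on these lines only advances for lists that are enabled and have rows, which matters for how `$count` is used as a config index further down. The enclosing function continues beyond the hunk.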
@@ -843,18 +1030,19 @@ function sync_package_pfblockerng($cron = "") { $pfb['existing']['deny'][] = "{$pfb_alias},"; // Add Trailing ',' $pfbfolder = "{$pfb['denydir']}"; } - # Determine if 'Custom List' Needs Force Updating before next CRON Event. + // Determine if 'Custom List' Needs Force Updating before next CRON Event. if ($list['custom_update'] == "enabled") { unlink_if_exists("{$pfbfolder}/{$pfb_alias}.txt"); - # Uncheck 'Enabled' in List 'Custom_update' Setting + // Uncheck 'Enabled' in List 'Custom_update' Setting $config['installedpackages'][$ip_type]['config'][$count]['custom_update'] = "disabled"; + $pfb['cron_mod'] = TRUE; } } } } } - # Collect all .txt file Names for each List Type + // Collect all .txt file Names for each List Type $list_types = array('match' => $pfb['matchdir'], 'permit' => $pfb['permitdir'], 'deny' => $pfb['denydir'], 'native' => $pfb['nativedir']); foreach ($list_types as $type => $pfbfolder) { $pfb_files = glob("$pfbfolder/*.txt"); @@ -868,12 +1056,12 @@ function sync_package_pfblockerng($cron = "") { } } - # Flag to execute pfctl and Rules Ordering + // Flag to execute pfctl and Rules Ordering $pfb['remove'] = FALSE; - # Execute Final Summary as a List was Removed + // Execute Final Summary as a List was Removed $pfb['summary'] = FALSE; - # Process to Remove Lists from Masterfile/DB Folder if they do not Exist + // Process to Remove Lists from Masterfile/DB Folder if they do not Exist if (isset($pfb['existing'])) { foreach ($pfb['existing'] as $pfb_exist) { $existing_type = $pfb_exist['type']; @@ -888,7 +1076,7 @@ function sync_package_pfblockerng($cron = "") { if ($f_result != "") { $log = "[ Removing List(s) : {$f_result} ]\n"; pfb_logger("{$log}","1"); - # Script to Remove un-associated Lists + // Script to Remove un-associated Lists exec ("{$pfb['script']} remove x x x {$f_result} >> {$pfb['log']} 2>&1"); $pfb['summary'] = TRUE; $pfb['remove'] = TRUE; 
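Review bot: `$config['installedpackages'][$ip_type]['config'][$count]['custom_update'] = "disabled"` indexes by `$count`, which the previous hunk increments only for lists that are enabled and have rows, so as soon as a disabled list precedes an enabled one the flag is cleared on the wrong entry (and `$count`'s starting value is not visible here). Iterating with `foreach ($config['installedpackages'][$ip_type]['config'] as $key => $list)` and writing to `[$key]` removes the drift. The enclosing function continues beyond the hunk.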
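Review bot: `exec ("{$pfb['script']} remove x x x {$f_result} >> {$pfb['log']} 2>&1")` hands `$f_result` to the shell unquoted; it is assembled from list names that originate in the package config, and nothing in this hunk restricts them to safe characters (the aliasname is stripped with `preg_replace("/\W/","")` elsewhere in this diff, the header field is not, as far as I can see). This is admin-controlled rather than remote input, but a name containing `;` or backticks would presumably still run with the privileges of the cron job, so validate before the call, e.g. `if (!preg_match('/^[\w\s.-]+$/', $f_result)) { pfb_logger("[ Skipping removal, unexpected list name ]\n", "1"); } else { exec(...); }`. How `$f_result` is built is outside the hunk.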
@@ -898,13 +1086,13 @@ function sync_package_pfblockerng($cron = "") { case "permit": case "native": $results = array_diff($pfb_act, $pfb_exist); - # This variable ($f_result) used in next section below. + // This variable ($f_result) used in next section below. $f_result = implode($results); if (!empty($results)) { - foreach ($results as $pfb_results) { - $log = "[ Removing List(s) : {$pfb_results} ]\n"; + foreach ($results as $pfb_result) { + $log = "[ Removing List : {$pfb_result} ]\n"; pfb_logger("{$log}","1"); - unlink_if_exists("{$pfbfolder}/{$pfb_results}.txt"); + unlink_if_exists("{$pfbfolder}/{$pfb_result}.txt"); } $pfb['summary'] = TRUE; $pfb['remove'] = TRUE; @@ -912,12 +1100,12 @@ function sync_package_pfblockerng($cron = "") { break; } - # Allow Rebuilding of Changed Aliase to purge 'SKIP' Lists (when pfBlockerNG is Enabled) + // Allow rebuilding of changed Alias to purge 'SKIP' Lists (when pfBlockerNG is enabled) $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); foreach ($list_type as $ip_type => $vtype) { if ($f_result != "" && $pfb['enable'] == "on") { foreach ($results as $removed_header) { - if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { + if ($config['installedpackages'][$ip_type]['config'] != "") { foreach ($config['installedpackages'][$ip_type]['config'] as $list) { $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); if (is_array($list['row'])) { @@ -926,7 +1114,7 @@ function sync_package_pfblockerng($cron = "") { if ($row['header'] == $removed) { $pfb['summary'] = TRUE; $pfb['remove'] = TRUE; - # Add Alias to Update Array + // Add Alias to Update Array $pfb_alias_lists[] = "{$alias}"; $pfb_alias_lists_all[] = "{$alias}"; } 
@@ -947,7 +1135,7 @@ function sync_package_pfblockerng($cron = "") { # Clear Match/Pass/ET/Original Files/Folders # ######################################################### - # When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled. + // When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled. if ($pfb['enable'] == "" && $pfb['keep'] == "" && !$pfb['install']) { $log = "\n Removing DB Files/Folders \n"; pfb_logger("{$log}","1"); @@ -964,12 +1152,13 @@ function sync_package_pfblockerng($cron = "") { } - ######################################### - # Create Suppression Txt File # - ######################################### + ################################################# + # Create IP Suppression Txt File # + ################################################# - if ($pfb['enable'] == "on" && $pfb['supp'] == "on") + if ($pfb['enable'] == "on" && $pfb['supp'] == "on") { pfb_create_suppression_file(); + } ################################# 
@@ -979,18 +1168,23 @@ function sync_package_pfblockerng($cron = "") { foreach ($continents as $continent => $pfb_alias) { if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; + $cc_name = 'pfblockerng' . strtolower(preg_replace('/ /','',$continent)); if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") { - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($continent_config['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfb_descr = $pfbarr['descr']; - $pfbfolder = $pfbarr['folder']; - // Determine if Continent Lists require Action (IPv4 and IPv6) $cont_type = array ("countries4" => "_v4", "countries6" => "_v6"); foreach ($cont_type as $c_type => $vtype) { + // Determine 'List' details (return array $pfbarr) + pfb_determine_list_detail($continent_config['action'], "{$pfb_alias}{$vtype}", $cc_name, "0"); + $pfb['skip'] = $pfbarr['skip']; + $pfb_descr = $pfbarr['descr']; + $pfbfolder = $pfbarr['folder']; + $log_tab = $pfbarr['logtab']; + $aports = $pfbarr['aports']; + $adest = $pfbarr['adest']; + $aproto = $pfbarr['aproto']; + $continent = ""; if ($continent_config[$c_type] != "") { 
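Review bot: `$cc_name` is built from `strtolower(preg_replace('/ /','',$continent))`, the expression the two config lookups directly above already evaluate, so the name is now computed three times per continent; compute it once before the `is_array()` check and reuse it: `$cc_name = 'pfblockerng' . strtolower(preg_replace('/ /','',$continent));` followed by `$config['installedpackages'][$cc_name]['config']`. Moving `pfb_determine_list_detail()` into the IPv4/IPv6 loop means `$pfb['skip']`, `$pfbfolder` and the new `$aports`/`$adest`/`$aproto` are reassigned per address family, which is presumably intended because the helper now receives `"{$pfb_alias}{$vtype}"`. A short comment on those three new assignments saying they are the per-list port/destination/protocol values consumed by the rule builders further down would help a reader without the helper open; the loop body continues outside the hunk.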
@@ -1001,48 +1195,40 @@ function sync_package_pfblockerng($cron = "") { } } - if (file_exists($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')) + if (file_exists($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')) { $continent_existing = preg_replace('/\s/', '', file ($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')); - + } // Collect New Continent Data for comparison. Cleanup Array for Comparison $continent_new = preg_split ('/$\R?^/m', $continent); $line = count ( $continent_new ) - 1; $match = $continent_new[$line]; $continent_new[$line] = rtrim($match, "\n"); - # Check if pfBlockerNG pfctl Continent Tables are Empty (pfBlockerNG was Disabled w/ "keep", then Re-enabled) + // Check if pfBlockerNG pfctl Continent Tables are Empty (pfBlockerNG was Disabled w/ "keep", then Re-enabled) $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$pfb_alias}{$vtype} | awk '/Addresses/ {s+=$2}; END {print s}'"); if (empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) { $file_cont = file_get_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt'); @file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$file_cont, LOCK_EX); - # PFCTL - Update Only Aliases that have been updated. ('Reputation' Disabled) + // PFCTL - Update Only Aliases that have been updated. ('Reputation' Disabled) $pfb_alias_lists[] = "{$pfb_alias}{$vtype}"; } - # Collect Active Alias Lists (Used for pfctl Update when 'Reputation' is enabled). + // Collect Active Alias Lists (Used for pfctl Update when 'Reputation' is enabled). $pfb_alias_lists_all[] = "{$pfb_alias}{$vtype}"; // Compare Existing (Original File) and New Continent Data if ($continent_new === $continent_existing && !empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . 
'.txt') && $pfb['reuse'] == "") { - # Format Log into clean Tab Spaces - $string_final = "{$pfb_alias}{$vtype}"; - if (strlen($string_final) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } - if (!$pfb['save']) { - $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} exists, Reloading File [ NOW ]\n"; + $log = "\n[ {$pfb_alias}{$vtype} ]{$log_tab} exists, Reloading File [ NOW ]"; pfb_logger("{$log}","1"); } } else { // Do not proceed with Changes on User 'Save' if (!$pfb['save']) { - $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} Changes Found... Updating \n"; + $log = "\n[ {$pfb_alias}{$vtype} ]{$log_tab} Changes Found... Updating \n"; pfb_logger("{$log}","1"); - # Test to Skip d-dup and p-dup functions when changes are found. + // Test to Skip d-dup and p-dup functions when changes are found. $pfb['dupcheck'] = TRUE; $pfb_alias_lists[] = "{$pfb_alias}{$vtype}"; @@ -1061,11 +1247,12 @@ function sync_package_pfblockerng($cron = "") { @file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX); } - # Check if File Exists and is >0 in Size and Save alias file + // Check if File Exists and is > 0 in Size and Save alias file $file_chk = "0"; $cont_chk = "{$pfbfolder}/{$pfb_alias}{$vtype}.txt"; - if (file_exists($cont_chk) && @filesize($cont_chk) >0) + if (file_exists($cont_chk) && @filesize($cont_chk) > 0) { $file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$cont_chk}"); + } if ($file_chk == "0" || $file_chk == "1") { $new_file = "1.1.1.1\n"; @@ -1077,9 +1264,8 @@ function sync_package_pfblockerng($cron = "") { } } - if (file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) { - #Create alias config + // Create alias config $new_aliases_list[] = "{$pfb_alias}{$vtype}"; $pfb_contlog = $continent_config['aliaslog']; 
@@ -1093,7 +1279,7 @@ function sync_package_pfblockerng($cron = "") { "detail" => "DO NOT EDIT THIS ALIAS" ); - #Create rule if action permits + // Create rule if action permits switch ($continent_config['action']) { case "Deny_Both": case "Deny_Outbound": @@ -1105,7 +1291,7 @@ function sync_package_pfblockerng($cron = "") { $rule['direction'] = "any"; $rule['descr']= "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array("any" => ""); - $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}"); + $rule['destination'] = array("address" => "{$pfb_alias}{$vtype}"); if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") $rule['log'] = ""; $deny_outbound[] = $rule; @@ -1120,7 +1306,19 @@ function sync_package_pfblockerng($cron = "") { $rule['direction'] = "any"; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array("address" => "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ("any" => ""); + if (!empty($adest) && !empty($aports)) { + $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}"); + } elseif (!empty($adest) && empty($aports)) { + $rule['destination'] = array("address" => "{$adest}"); + } elseif (empty($adest) && !empty($aports)) { + $rule['destination'] = array("any" => "", "port" => "{$aports}"); + } else { + $rule['destination'] = array("any" => ""); + } + if (!empty($adest) && $continent_config['autonot'] == "on") + $rule['destination']['not'] = ""; + if (!empty($aproto)) + $rule['protocol'] = "{$aproto}"; if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") $rule['log'] = ""; $deny_inbound[] = $rule; 
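Review bot: The 13-line destination/protocol block added after `$rule['source']` in this hunk is pasted verbatim into the permit_inbound (`@@ -1150`) and match_inbound (`@@ -1178`) cases as well; a small helper keeps the three rule shapes in step and collapses the four-way branch into a base array plus an optional port key. Nothing checks `$aproto` when `$aports` is non-empty: as far as I can tell pfSense's rule generation expects TCP or UDP whenever a port is given, so the helper (or `pfb_determine_list_detail()`, outside this hunk) should drop `$aports` unless `$aproto` is set to one of those. The `$continent_config['autonot'] == "on"` negation is applied only when `$adest` is set, which matches the intent of negating a destination address but deserves a comment; the switch and the enclosing function continue outside the hunk.
```php
// Destination array for an inbound auto-rule: empty $adest means 'any';
// $aports adds a port key; $autonot == "on" negates a given address.
function pfb_rule_destination($adest, $aports, $autonot) {
	$dest = empty($adest) ? array("any" => "") : array("address" => "{$adest}");
	if (!empty($aports)) {
		$dest['port'] = "{$aports}";
	}
	if (!empty($adest) && $autonot == "on") {
		$dest['not'] = "";
	}
	return $dest;
}

// … inside sync_package_pfblockerng(), Deny_Inbound case, unchanged up to $rule['source'] …
$rule['destination'] = pfb_rule_destination($adest, $aports, $continent_config['autonot']);
if (!empty($aproto))
	$rule['protocol'] = "{$aproto}";
// … unchanged: logging flag and $deny_inbound[] = $rule; …
```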
@@ -1150,7 +1348,19 @@ function sync_package_pfblockerng($cron = "") { $rule['direction'] = "any"; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array("address"=> "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ("any" => ""); + if (!empty($adest) && !empty($aports)) { + $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}"); + } elseif (!empty($adest) && empty($aports)) { + $rule['destination'] = array("address" => "{$adest}"); + } elseif (empty($adest) && !empty($aports)) { + $rule['destination'] = array("any" => "", "port" => "{$aports}"); + } else { + $rule['destination'] = array("any" => ""); + } + if (!empty($adest) && $continent_config['autonot'] == "on") + $rule['destination']['not'] = ""; + if (!empty($aproto)) + $rule['protocol'] = "{$aproto}"; if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") $rule['log'] = ""; $permit_inbound[] = $rule; @@ -1163,8 +1373,8 @@ function sync_package_pfblockerng($cron = "") { $rule['ipprotocol'] = "inet6"; $rule['direction'] = "any"; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}"); + $rule['source'] = array("any" => ""); + $rule['destination'] = array("address" => "{$pfb_alias}{$vtype}"); if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") $rule['log'] = ""; $match_outbound[] = $rule; 
@@ -1178,49 +1388,61 @@ function sync_package_pfblockerng($cron = "") { $rule['direction'] = "any"; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array ("address" => "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ( "any" => ""); + if (!empty($adest) && !empty($aports)) { + $rule['destination'] = array("address" => "{$adest}", "port" => "{$aports}"); + } elseif (!empty($adest) && empty($aports)) { + $rule['destination'] = array("address" => "{$adest}"); + } elseif (empty($adest) && !empty($aports)) { + $rule['destination'] = array("any" => "", "port" => "{$aports}"); + } else { + $rule['destination'] = array("any" => ""); + } + if (!empty($adest) && $continent_config['autonot'] == "on") + $rule['destination']['not'] = ""; + if (!empty($aproto)) + $rule['protocol'] = "{$aproto}"; if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") $rule['log'] = ""; $match_inbound[] = $rule; break; } } else { - #unlink continent list if any + // unlink continent list if any unlink_if_exists($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . 
'.txt'); } } } } - #mark pfctl aliastable for cleanup + // mark pfctl aliastable for cleanup if (!in_array($pfb_alias, $aliases_list)) { $aliases_list[] = "{$pfb_alias}{$vtype}"; } } } - # UNSET variables + // UNSET variables unset ($continent, $continent_existing, $continent_new); ################################################# # Download and Collect IPv4/IPv6 lists # ################################################# - # IPv4 REGEX Definitions + // IPv4 REGEX Definitions $pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/'; $pfb['block'] = '/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[ 0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.([0]{1})\s+/'; - $pfb['cidr'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/[0-9]{2}/'; + $pfb['cidr'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/([0-9]{2}|[0-9]{1})/'; $pfb['single'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s+/'; $pfb['s_html'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/'; - # IPv4 preg_replace Regex Filter array + // IPv4 preg_replace Regex Filter array $pfb_ipreg = array(); - $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet - $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces - $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8 - $pfb_ipreg[3] = '/0\.0\.0\.0\/32/'; # Remove 0.0.0.0/32 - $pfb_ipreg[4] = '/0\.0\.0\.0/'; # Remove 0.0.0.0 - - # IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 ** - # https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html + $pfb_ipreg[0] = '/\b0+(?=\d)/'; // Remove any Leading Zeros in 
each Octet + $pfb_ipreg[1] = '/\s/'; // Remove any Whitespaces + $pfb_ipreg[2] = '/\/32/'; // Remove any /32 CIDR + $pfb_ipreg[3] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; // Remove any Loopback Addresses 127/8 + $pfb_ipreg[4] = '/0\.0\.0\.0/'; // Remove 0.0.0.0 + + // IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 ** + // https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html $pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}'; $pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; $pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}'; @@ -1239,28 +1461,22 @@ function sync_package_pfblockerng($cron = "") { if ($config['installedpackages'][$ip_type]['config'] != "") { foreach ($config['installedpackages'][$ip_type]['config'] as $list) { if ($list['action'] != "Disabled" && $pfb['enable'] == "on" && !$pfb['save'] && is_array($list['row'])) { - # Capture Alias Name + // capture Alias Name $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); foreach ($list['row'] as $row) { if ($row['url'] != "" && $row['state'] != "Disabled") { - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfbfolder = $pfbarr['folder']; - if ($vtype == "_v4") { $header_url = "{$row['header']}"; } else { $header_url = "{$row['header']}_v6"; } - # Format Log into clean Tab Spaces - if (strlen($header_url) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } + // Determine 'List' details (return array $pfbarr) + pfb_determine_list_detail($list['action'], $header_url, "", ""); + $pfb['skip'] = $pfbarr['skip']; + $pfbfolder = $pfbarr['folder']; + $log_tab = $pfbarr['logtab']; // Empty Header Field Validation Check if (empty($header_url) || preg_match("/\W/",$header_url)) { 
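Review bot: The `$pfb_ipreg[4] = '/0\.0\.0\.0/'` filter (and the loopback filter at index 3) is unanchored yet is applied to every matched network through `preg_replace($pfb_ipreg, '', …)`, so `10.0.0.0/8` — a routine bogon/RFC1918 entry — becomes `1/8` and `200.0.0.0/8` becomes `20/8`; whichever way pfctl treats such a line, the network the feed asked to block is not what gets loaded. Anchor both patterns and let them swallow the prefix length too: `$pfb_ipreg[3] = '/^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\/[0-9]{1,2})?$/';` and `$pfb_ipreg[4] = '/^0\.0\.0\.0(?:\/[0-9]{1,2})?$/';` (whitespace is already stripped by index 1 before these run). The new `$pfb['cidr']` alternation `([0-9]{2}|[0-9]{1})` still accepts prefix lengths 33–99; `\/(3[0-2]|[12]?[0-9])` bounds it to 0–32. The `$pfb['block']` pattern on the context line above contains a space inside `[01]?[ 0-9][0-9]?`, which lets the second octet match a blank; the function continues outside the hunk.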
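Review bot: `pfb_determine_list_detail($list['action'], $header_url, "", "");` now runs before the `// Empty Header Field Validation Check` that rejects an empty or non-word `$header_url` (its `continue` is in the next hunk), so the helper is handed a header that may be discarded a few lines later. Moving the validation block above the call keeps the helper's input checked and skips the work for rejected rows. The fourth argument is `""` here, `"0"` in the continent hunk and the integer `$key` in `@@ -1739`; settling on one representation of the config index would make the helper's contract clearer.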
@@ -1269,33 +1485,35 @@ function sync_package_pfblockerng($cron = "") { continue; } - # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. + // Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. $pfb_alias_lists_all[] = "{$alias}"; if (file_exists($pfbfolder . '/' . $header_url . '.txt') && $pfb['reuse'] == "") { if ($row['state'] == "Hold") { - $log = "\n[ {$header_url} ] {$log_tab} Static Hold [ NOW ]\n"; + $log = "\n[ {$header_url} ]{$log_tab} Static Hold [ NOW ]"; } else { - $log = "\n[ {$header_url} ] {$log_tab} exists, Reloading File [ NOW ]\n"; + $log = "\n[ {$header_url} ]{$log_tab} exists, Reloading File [ NOW ]"; } pfb_logger("{$log}","1"); } else { if ($pfb['reuse'] == "on" && file_exists($pfb['origdir'] . '/' . $header_url . '.orig')) { - $log = "\n[ {$header_url} ] {$log_tab} Using Previously Downloaded File [ NOW ]\n"; + $log = "\n[ {$header_url} ]{$log_tab} Using Previously Downloaded File [ NOW ]"; } else { - $log = "\n[ {$header_url} ] {$log_tab} Downloading New File [ NOW ]\n"; - } + $log = "\n[ {$header_url} ]{$log_tab} Downloading New File [ NOW ]"; + } pfb_logger("{$log}","1"); - # Perform Remote URL Date/Time Stamp checks - $host = @parse_url($row['url']); $list_url = "{$row['url']}"; - if ($row['format'] != "rsync" || $row['format'] != "html") { - if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { - $remote_tds = "local"; - } else { - $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url))); - $remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds); + if (!$pfb['reuse'] == "on") { + // Perform Remote URL Date/Time Stamp checks + $host = @parse_url($row['url']); + if ($row['format'] != "rsync" || $row['format'] != "html") { + if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { + $remote_tds = "local"; + } else { + $remote_tds = @implode(preg_grep("/Last-Modified/", 
get_headers($list_url))); + $remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds); + } } } @@ -1303,7 +1521,7 @@ function sync_package_pfblockerng($cron = "") { if ($row['format'] == "gz" || $row['format'] == "gz_2") { $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_gz = "{$row['url']}"; $file_gz = @file_get_contents($url_gz); @@ -1317,11 +1535,11 @@ function sync_package_pfblockerng($cron = "") { $url_list = @gzfile($file_dwn); } - # IBlock Large Files mixed with IPs and Domains. PHP mem of 256M can't handle very large Files. + // IBlock Large Files mixed with IPs and Domains. PHP mem of 256M can't handle very large Files. if ($row['format'] == "gz_lg") { $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_gz = "{$row['url']}"; $file_gz = @file_get_contents($url_gz); @@ -1339,12 +1557,12 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "zip") { $file_dwn = "{$pfb['origdir']}/{$header_url}.zip"; if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_zip = "{$row['url']}"; if (!$file_zip = @file_get_contents($url_zip)) { $error = error_get_last(); - $log = "\n [ {$header_url} ] {$error['message']} \n"; + $log = "\n [ {$header_url} ] {$error['message']}\n"; pfb_logger("{$log}","2"); } else { @file_put_contents($file_dwn, $file_zip, LOCK_EX); @@ -1362,9 +1580,9 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "et") { $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; - # Script to Call ET IQRISK Process + // Script to Call ET IQRISK Process if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_et = "{$row['url']}"; $file_et = @file_get_contents($url_et); 
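Review bot: `if (!$pfb['reuse'] == "on") {` does not test what it reads as: `!` binds tighter than `==`, so the expression compares the boolean `!$pfb['reuse']` with the string `"on"` and only produces the intended result through loose comparison; write `if ($pfb['reuse'] != "on") {`. The re-indented `if ($row['format'] != "rsync" || $row['format'] != "html") {` is always true (a format cannot equal both), so the Last-Modified lookup is never skipped for those formats; `&&` is presumably what was meant. Both conditions gate `get_headers($list_url)`, which issues its own request per feed, so the second bug costs a network round-trip for every rsync/html row on each run; the enclosing loop continues outside the hunk.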
@@ -1381,9 +1599,9 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "xlsx") { $file_dwn = "{$pfb['origdir']}/{$header_url}.zip"; - # Script to Call XLSX Process + // Script to Call XLSX Process if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_xlsx = "{$row['url']}"; $file_xlsx = @file_get_contents($url_xlsx); @@ -1417,11 +1635,11 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "html" || $row['format'] == "block") { $file_dwn = "{$pfb['origdir']}/{$header_url}.raw"; if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse $return = 0; } else { $url_html = "{$row['url']}"; - exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 {$url_html}",$output,$return); + exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 '{$url_html}'",$output,$return); } if ($return == 0) $url_list = @file($file_dwn); @@ -1430,7 +1648,7 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "rsync") { $file_dwn = "{$pfb['origdir']}/{$header_url}.orig"; if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse + // File Exists/Reuse } else { $url_rsync = "{$row['url']}"; exec ("/usr/local/bin/rsync --timeout=5 {$url_rsync} {$file_dwn}"); @@ -1438,13 +1656,13 @@ function sync_package_pfblockerng($cron = "") { $url_list = @file($file_dwn); } - #extract range lists + // extract range lists $new_file = ""; if (!empty($url_list)) { if ($row['format'] == "gz" && $vtype == "_v4") { foreach ($url_list as $line) { if (!preg_match("/^#/", $line)) { - # Network range 192.168.0.0-192.168.0.254 + // Network range 192.168.0.0-192.168.0.254 if (preg_match($pfb['range'],$line,$matches)) { $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); if (!empty($a_cidr)) { 
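Review bot: Wrapping the URL in single quotes in `exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 '{$url_html}'",$output,$return);` (hunk `@@ -1417`) handles most shell metacharacters but not a `'` inside the URL itself; `escapeshellarg()` covers that case as well: `exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 " . escapeshellarg($url_html),$output,$return);`. The rsync branch in `@@ -1430` still interpolates `{$url_rsync}` with no quoting at all and should get the same treatment. `$file_dwn` derives from `$header_url`, which the earlier `\W` check rejects, so it is fine as is; the surrounding format chain continues outside these hunks.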
@@ -1460,7 +1678,7 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "block" && $vtype == "_v4") { foreach ($url_list as $line) { if (!preg_match("/^#/", $line)) { - # Block Type '218.77.79.0 218.77.79.255 24' + // Block Type '218.77.79.0 218.77.79.255 24' if (preg_match($pfb['block'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n"; } @@ -1471,11 +1689,11 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "html" && $vtype == "_v4") { foreach ($url_list as $line) { if (!preg_match("/^#/", $line)) { - # CIDR format 192.168.0.0/16 + // CIDR format 192.168.0.0/16 if (preg_match($pfb['cidr'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } - # Single ip addresses + // Single ip addresses elseif (preg_match($pfb['s_html'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } @@ -1486,7 +1704,7 @@ function sync_package_pfblockerng($cron = "") { elseif ($vtype == "_v6") { foreach ($url_list as $line) { if (!preg_match("/^#/", $line)) { - # IPv6 Regex Match + // IPv6 Regex Match if (preg_match($pfb['ipv6'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } 
@@ -1497,11 +1715,20 @@ function sync_package_pfblockerng($cron = "") { else { foreach ($url_list as $line) { if (!preg_match("/^#/", $line)) { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { + // Network range 192.168.0.0-192.168.0.254 + if (preg_match($pfb['range'],$line,$matches)) { + $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); + if (!empty($a_cidr)) { + foreach ($a_cidr as $cidr) { + $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n"; + } + } + } + // CIDR format 192.168.0.0/16 + elseif (preg_match($pfb['cidr'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } - # Single ip addresses + // Single ip addresses elseif (preg_match($pfb['single'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } @@ -1510,17 +1737,18 @@ function sync_package_pfblockerng($cron = "") { } } - # Check to see if Blocklist actually Failed Download or has no IPs listed. + // Check to see if Blocklist actually Failed Download or has no IPs listed. if ($row['format'] == "html" || $row['format'] == "block") { $url_chk = $file_dwn; } else { $url_chk = "{$pfb['origdir']}/{$header_url}.orig"; } - # Check if File Exists and is >0 in Size + // Check if File Exists and is > 0 in Size $file_chk = ""; - if (file_exists($url_chk) && @filesize($url_chk) >0) + if (file_exists($url_chk) && @filesize($url_chk) > 0) { $file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$url_chk}"); + } if ($file_chk == "0") { $new_file = "1.1.1.1\n"; 
@@ -1531,41 +1759,42 @@ function sync_package_pfblockerng($cron = "") { if ($new_file != "") { if ($row['format'] == "gz" || $row['format'] == "gz_2" || $row['format'] == "html" || $row['format'] == "block") { - # Re-Save these formats as original file + // Re-Save these formats as original file $url_other = $new_file; @file_put_contents($pfb['origdir'] . '/' . $header_url . '.orig',$url_other, LOCK_EX); } - # Save List to '.txt' format in appropriate Folder + // Save List to '.txt' format in appropriate Folder @file_put_contents($pfbfolder . '/' .$header_url . '.txt',$new_file, LOCK_EX); if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to Call p24 Process + // Script to Call p24 Process exec ("{$pfb['script']} p24 {$header_url} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); } if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to call Duplication Check Process + // Script to call Duplication Check Process exec ("{$pfb['script']} duplicate {$header_url} >> {$pfb['log']} 2>&1"); } - # PFCTL - Update Only Aliases that have been updated only. + // PFCTL - Update Only Aliases that have been updated only. $pfb_alias_lists[] = "{$alias}"; - # Launch d-dup and p-dup functions when changes are found. - if ($pfb['skip'] && $vtype == "_v4") + // Launch d-dup and p-dup functions when changes are found. 
+ if ($pfb['skip'] && $vtype == "_v4") { $pfb['dupcheck'] = TRUE; - # Enable Suppression Process due to Updates - if ($pfb['supp'] == "on" && $vtype == "_v4") + } + // Enable Suppression Process due to Updates + if ($pfb['supp'] == "on" && $vtype == "_v4") { $pfb['supp_update'] = TRUE; - + } } else { - # Log FAILED Downloads and Check if Firewall or Snort/Suricata is Blocking Host + // Log FAILED Downloads and Check if Firewall or Snort/Suricata is Blocking Host $log = "\n [ {$alias} {$header_url} ] Download FAIL [ NOW ]\n"; pfb_logger("{$log}","2"); - # Rebuild Previous List File from contents of Masterfile + // Rebuild Previous List File from contents of Masterfile if ($pfb['skip'] && $vtype == "_v4") { - # Search with trailing Whitespace to match exact Header in Masterfile + // Search with trailing Whitespace to match exact Header in Masterfile $header_url2 = $header_url . "[[:space:]]"; $file_chk = exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | grep -c ^"); @@ -1575,17 +1804,17 @@ function sync_package_pfblockerng($cron = "") { exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | cut -d' ' -f2 > {$pfbfolder}/{$header_url}.txt"); } } - # A "Space" string Variable + // A "Space" string Variable $sp = " "; $ip = @gethostbyname($host['host']); $ip2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", "\"^$1\.$2\.$3\.\"", $ip); - # Only Perform these Checks if they are not "localfiles" + // Only Perform these Checks if they are not "localfiles" if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { $log = " [ {$alias} {$header_url} ] Local File Failure \n"; pfb_logger("{$log}","2"); } else { - # only perform these steps if an 'IP' is found. + // only perform these steps if an 'IP' is found. if (!empty($ip)) { // Query for Exact IP Match $result_b1 = array(); 
@@ -1596,7 +1825,7 @@ function sync_package_pfblockerng($cron = "") { // Query Snort/Suricata snort2c IP Block Table $snort_pfb = exec("/sbin/pfctl -t snort2c -T show | grep {$ip}"); - # If an exact IP Match is not found report any First Three IP Octets. + // If an exact IP Match is not found report any First Three IP Octets. if (!empty($result_b1)) { $final_b1 = implode("\n ", $result_b1); $log = " [ {$alias} {$header_url}, {$ip} ] Firewall IP Block Found in : \n{$sp}{$final_b1}\n"; @@ -1618,12 +1847,12 @@ function sync_package_pfblockerng($cron = "") { } } } - # UNSET variables + // UNSET variables unset ($file_gz,$file_zip,$file_et,$file_xlsx,$url_other,$url_list); } } } - #check custom network list + // check custom network list if (pfbng_text_area_decode($list['custom']) != "") { if ($vtype == "_v4") { 
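Review bot: `$snort_pfb = exec("/sbin/pfctl -t snort2c -T show | grep {$ip}");` interpolates `$ip` into the shell, but `$ip = @gethostbyname($host['host'])` (set in `@@ -1575`) returns the hostname string unchanged when resolution fails, and the only guard is `!empty($ip)`, so a list URL's hostname can reach the command verbatim. Check for an address first, e.g. `if (is_ipaddr($ip)) {` in place of `if (!empty($ip)) {`, and pass it as a fixed string: `grep -F -- " . escapeshellarg($ip)`. The `$ip2` pattern `"/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/"` in `@@ -1575` leaves the second and third dots unescaped, so they match any character; the failure-handling block continues outside the hunk.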
@@ -1632,27 +1861,21 @@ function sync_package_pfblockerng($cron = "") { $aliascustom = "{$list['aliasname']}_custom_v6"; } - # Format Log into clean Tab Spaces - if (strlen($aliascustom) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } - - # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. + // Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. $pfb_alias_lists_all[] = "{$alias}"; - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfbfolder = $pfbarr['folder']; + // Determine 'List' details (return array $pfbarr) + pfb_determine_list_detail($list['action'], $aliascustom, "", ""); + $pfb['skip'] = $pfbarr['skip']; + $pfbfolder = $pfbarr['folder']; + $log_tab = $pfbarr['logtab']; if (file_exists($pfbfolder . '/' . $aliascustom . '.txt') && $pfb['reuse'] == "") { - $log = "\n[ {$aliascustom} ] {$log_tab} exists, Reloading File [ NOW ]\n"; + $log = "\n[ {$aliascustom} ]{$log_tab} exists, Reloading File [ NOW ]"; pfb_logger("{$log}","1"); } else { $url_list = array(); - $log = "\n[ {$aliascustom} ] {$log_tab} Loading Custom File [ NOW ]\n"; + $log = "\n[ {$aliascustom} ]{$log_tab} Loading Custom File [ NOW ]\n"; pfb_logger("{$log}","1"); $custom_list = pfbng_text_area_decode($list['custom']) . "\n"; 
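Review bot: The two log strings in this hunk are now inconsistent: `$log = "\n[ {$aliascustom} ]{$log_tab} exists, Reloading File [ NOW ]";` drops the trailing `\n` as the continent and download hunks did, but `$log = "\n[ {$aliascustom} ]{$log_tab} Loading Custom File [ NOW ]\n";` keeps it, so the custom-list branch logs an extra blank line relative to the others. Presumably the trailing `\n` should go here too. If it is intentional because further per-list output follows, a comment saying so would stop the next cleanup from removing it; the branch continues outside the hunk.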
@@ -1663,16 +1886,8 @@ function sync_package_pfblockerng($cron = "") { if (!empty($url_list)) { foreach ($url_list as $line) { if ($vtype == "_v4") { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Network range 192.168.0.0-192.168.0.254 - elseif (preg_match($pfb['range'],$line,$matches)) { + // Network range 192.168.0.0-192.168.0.254 + if (preg_match($pfb['range'],$line,$matches)) { $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); if (!empty($a_cidr)) { foreach ($a_cidr as $cidr) { @@ -1680,8 +1895,16 @@ function sync_package_pfblockerng($cron = "") { } } } + // CIDR format 192.168.0.0/16 + elseif (preg_match($pfb['cidr'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } + // Single ip addresses + elseif (preg_match($pfb['s_html'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } } else { - # IPv6 Regex + // IPv6 Regex if (preg_match($pfb['ipv6'],$line,$matches)) { $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } 
@@ -1690,19 +1913,20 @@ function sync_package_pfblockerng($cron = "") { } if ($new_file != "") { - # PFCTL - Collect Only Aliases that have been updated only. + // PFCTL - Collect Only Aliases that have been updated only. $pfb_alias_lists[] = "{$alias}"; - # Collect Updated lists for Suppression Process + // Collect Updated lists for Suppression Process @file_put_contents($pfbfolder . '/'. $aliascustom . '.txt',$new_file, LOCK_EX); - # Enable Suppression Process due to Updates - if ($pfb['supp'] == "on" && $vtype == "_v4") + // Enable Suppression Process due to Updates + if ($pfb['supp'] == "on" && $vtype == "_v4") { $pfb['supp_update'] = TRUE; + } if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to Call p24 Process + // Script to Call p24 Process exec ("{$pfb['script']} p24 {$aliascustom} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); } if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to call Duplication Check Process + // Script to call Duplication Check Process exec ("{$pfb['script']} duplicate {$aliascustom} >> {$pfb['log']} 2>&1"); } } else { @@ -1721,13 +1945,13 @@ function sync_package_pfblockerng($cron = "") { # REPUTATION PROCESSES # ################################# - # IP Reputation processes (pdup and ddup) + // IP Reputation processes (pdup and ddup) if ($pfb['pdup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") { - # Script to run pdup process + // Script to run pdup process exec ("{$pfb['script']} pdup x {$pfb['pmax']} >> {$pfb['log']} 2>&1"); } if ($pfb['dedup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") { - # Script to run dedup process + // Script to run dedup process exec ("{$pfb['script']} dedup x {$pfb['dmax']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); } 
@@ -1739,28 +1963,33 @@ function sync_package_pfblockerng($cron = "") { foreach ($list_type as $ip_type => $vtype) { if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { $runonce = 0; - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { + foreach ($config['installedpackages'][$ip_type]['config'] as $key => $list) { $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); + // Determine 'List' details (return array $pfbarr) + pfb_determine_list_detail($list['action'], "", $ip_type, $key); $pfb['skip'] = $pfbarr['skip']; $pfb_descr = $pfbarr['descr']; $pfbfolder = $pfbarr['folder']; + $aports = $pfbarr['aports']; + $adest = $pfbarr['adest']; + $aproto = $pfbarr['aproto']; // Re-Save Only Aliases that have been updated only. // When 'Reputation' is used, all Aliases need to be Updated. $final_alias = array(); if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") { - if (!empty($pfb_alias_lists_all)) + if (!empty($pfb_alias_lists_all)) { $final_alias = array_unique($pfb_alias_lists_all); + } } else { - if (!empty($pfb_alias_lists)) + if (!empty($pfb_alias_lists)) { $final_alias = array_unique($pfb_alias_lists); + } } if ($list['action'] != "Disabled") { - #remove empty lists files if any + // remove empty lists files if any if (is_array($list['row'])) { $update = 0; ${$alias} = ""; 
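Review bot: The new call `pfb_determine_list_detail($list['action'], "", $ip_type, $key)` passes a bare `""` for its second argument, and the cron caller in pfblockerng.php (hunk `@@ -347`) passes three empty strings; positional placeholders like these are hard to read and easy to misorder. If the helper declares defaults for its trailing parameters (`$ip_type = ""`, `$key = ""`), both call sites can omit what they do not use and the cron site can stay `pfb_determine_list_detail($list['action'])`. The three new reads `$pfbarr['aports']`, `$pfbarr['adest']` and `$pfbarr['aproto']` presumably rely on the helper always setting those keys; if it sets them only for lists that define them, reading through `isset()` avoids notices on the remaining lists. The helper itself is not in this diff and the enclosing foreach continues outside the hunk.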
@@ -1773,20 +2002,20 @@ function sync_package_pfblockerng($cron = "") { } $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'"); - # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. + // Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. if (file_exists($pfbfolder . "/" . $header_url . ".txt") && in_array($alias, $final_alias) || file_exists($pfbfolder . "/" . $header_url . ".txt") && empty($pfctlck)) { - # Script to run Suppression process (Print Header Only) + // Script to run Suppression process (Print Header Only) if ($pfb['supp'] == "on" && $vtype == "_v4" && $runonce == 0 && $pfb['supp_update']) { exec ("{$pfb['script']} suppress x x x suppressheader >> {$pfb['log']} 2>&1"); $runonce++; } - # Script to run Suppression Process (Body) + // Script to run Suppression Process (Body) if ($pfb['supp'] == "on" && $vtype == "_v4" && $pfb['supp_update']) { if ($pfb['dup'] == "on" || !$pfb['skip']) { - # Execute if Duplication Process is Enabled or List is Permit or Match + // Execute if Duplication Process is Enabled or List is Permit or Match exec ("{$pfb['script']} suppress x x x {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1"); } else { - # Execute if Duplication Process is Disabled + // Execute if Duplication Process is Disabled exec ("{$pfb['script']} suppress x x off {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1"); } } 
@@ -1797,14 +2026,14 @@ function sync_package_pfblockerng($cron = "") { } } - #check custom network list + // check custom network list if ($vtype == "_v4") { $aliasname = "{$list['aliasname']}_custom"; } else { $aliasname = "{$list['aliasname']}_custom_v6"; } - # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. + // Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'"); if (pfbng_text_area_decode($list['custom']) != "") { @@ -1813,7 +2042,7 @@ function sync_package_pfblockerng($cron = "") { $update++; } } - # Determine Validity of Alias URL Tables/Rules. ie: Don't create Empty URL Tables or Aliases + // Determine Validity of Alias URL Tables/Rules. ie: Don't create Empty URL Tables or Aliases if (${$alias} == "" && empty($pfctlck)) { unlink_if_exists($pfb['aliasdir'] . '/' . $alias. '.txt'); } else { @@ -1823,7 +2052,7 @@ function sync_package_pfblockerng($cron = "") { } $alias_log = $list['aliaslog']; - #create alias + // create alias $new_aliases_list[] = "{$alias}"; $new_aliases[] = array( "name" => "{$alias}", @@ -1835,7 +2064,7 @@ function sync_package_pfblockerng($cron = "") { "detail" => "DO NOT EDIT THIS ALIAS" ); - #Create rule if action permits + // Create rule if action permits switch ($list['action']) { case "Deny_Both": case "Deny_Outbound": 
@@ -1862,7 +2091,19 @@ function sync_package_pfblockerng($cron = "") {
 $rule['direction'] = "any";
 $rule['descr'] = "{$alias}{$pfb['suffix']}";
 $rule['source'] = array("address" => "{$alias}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array ("any" => "");
+ }
+ if (!empty($adest) && $list['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
 if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled")
 $rule['log'] = "";
 $deny_inbound[] = $rule;
@@ -1892,7 +2133,19 @@ function sync_package_pfblockerng($cron = "") {
 $rule['direction'] = "any";
 $rule['descr'] = "{$alias}{$pfb['suffix']}";
 $rule['source'] = array ("address" => "{$alias}");
- $rule['destination'] = array ("any" => "");
+ if (!empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}");
+ } elseif (!empty($adest) && empty($aports)) {
+ $rule['destination'] = array ("address" => "{$adest}");
+ } elseif (empty($adest) && !empty($aports)) {
+ $rule['destination'] = array ("any" => "", "port" => "{$aports}");
+ } else {
+ $rule['destination'] = array ("any" => "");
+ }
+ if (!empty($adest) && $list['autonot'] == "on")
+ $rule['destination']['not'] = "";
+ if (!empty($aproto))
+ $rule['protocol'] = "{$aproto}";
 if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled")
 $rule['log'] = "";
 $permit_inbound[] = $rule;
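Review bot: The thirteen-line destination/protocol block added here is repeated verbatim in the `@@ -1892` hunk on this line and again in the `@@ -1920` hunk that follows, so three copies now have to be kept in step; a small helper that returns the destination array removes the duplication. The two brace-less `if` statements at the end of each copy also run against the brace normalisation this very commit applies elsewhere. The helper below keeps the same four-way split and the `not` handling; each `case` then needs only `$rule['destination'] = pfb_rule_destination($adest, $aports, $list['autonot']);` plus the protocol assignment. The surrounding `switch` and sync_package_pfblockerng continue outside the hunk.
```php
// Build the 'destination' element of an auto-rule from the per-list target/port settings.
function pfb_rule_destination($adest, $aports, $autonot) {
	$dest = empty($adest) ? array("any" => "") : array("address" => "{$adest}");
	if (!empty($aports)) {
		$dest['port'] = "{$aports}";
	}
	if (!empty($adest) && $autonot == "on") {
		$dest['not'] = "";
	}
	return $dest;
}

// … at each of the three call sites, replacing the added block …
$rule['destination'] = pfb_rule_destination($adest, $aports, $list['autonot']);
if (!empty($aproto)) {
	$rule['protocol'] = "{$aproto}";
}
```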
@@ -1920,25 +2173,37 @@ function sync_package_pfblockerng($cron = "") { $rule['direction'] = "any"; $rule['descr'] = "{$alias}{$pfb['suffix']}"; $rule['source'] = array ("address" => "{$alias}"); - $rule['destination'] = array ("any" => ""); + if (!empty($adest) && !empty($aports)) { + $rule['destination'] = array ("address" => "{$adest}", "port" => "{$aports}"); + } elseif (!empty($adest) && empty($aports)) { + $rule['destination'] = array ("address" => "{$adest}"); + } elseif (empty($adest) && !empty($aports)) { + $rule['destination'] = array ("any" => "", "port" => "{$aports}"); + } else { + $rule['destination'] = array ("any" => ""); + } + if (!empty($adest) && $list['autonot'] == "on") + $rule['destination']['not'] = ""; + if (!empty($aproto)) + $rule['protocol'] = "{$aproto}"; if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") $rule['log'] = ""; $match_inbound[] = $rule; break; } } - #mark pfctl aliastable for cleanup + // mark pfctl aliastable for cleanup if (!in_array($alias, $aliases_list)) { $aliases_list[] = "{$alias}"; } } else { - #unlink previous pfblockerNG alias list if any + // unlink previous pfblockerNG alias list if any unlink_if_exists($pfb['aliasdir'] . '/' . $alias . '.txt'); } } } } - # Clear Variables + // Clear Variables ${$alias} = ""; 
@@ -1946,38 +2211,39 @@ function sync_package_pfblockerng($cron = "") { # UPDATE pfSense ALIAS TABLES # ######################################### - #update pfsense alias table + // update pfsense alias table if (is_array($config['aliases']['alias'])) { foreach ($config['aliases']['alias'] as $cbalias) { - if (preg_match("/pfB_/",$cbalias['name'])) { - #mark pfctl aliastable for cleaning + if (substr($cbalias['name'], 0, 4) == 'pfB_') { + // mark pfctl aliastable for cleaning if (!in_array($cbalias['name'], $aliases_list)) { - $aliases_list[] = $cbalias['name']; #mark aliastable for cleaning + $aliases_list[] = $cbalias['name']; // mark aliastable for cleaning } - #remove previous aliastable file if alias is not defined any more + // remove previous aliastable file if alias is not defined any more if (!in_array($cbalias['name'], $new_aliases_list)) { unlink_if_exists($pfb['aliasdir'] . '/' . $cbalias['name'] . ".txt"); } } else { $new_aliases[] = $cbalias; - # Check Table Size + // Check Table Size if (file_exists($pfb['aliasdir'] . '/' . $alias . '.txt') && $message == "") { preg_match("/(\d+)/",exec("/usr/bin/grep -c ^ " . $pfb['aliasdir'] . '/' . $alias . '.txt'),$matches); } if (($matches[1] * 2.1) >= $pfb['table_limit']) { - #alias table too large + // alias table too large $message = "{$alias} alias table is too large. Reduce networks in list or increase 'Firewall Maximum Table Entries' value to at least " . (int)($matches[1] * 2.1) . ' in "system - advanced - Firewall/NAT" . '; } } } } - #apply new alias table to xml + // apply new alias table to xml if ($message == "") { $config['aliases']['alias'] = $new_aliases; + $pfb['cron_mod'] = TRUE; } - # UNSET Variables + // UNSET Variables unset($new_aliases, $cbalias); 
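Review bot: `$pfb['cron_mod'] = TRUE;` is set whenever `$message == ""`, i.e. on every run in which no table-size error occurred, so the later "only save config.xml if changes are found" gate can never tell a run that actually rewrote the alias list from one that did not. Compare before assigning: `if ($config['aliases']['alias'] != $new_aliases) { $pfb['cron_mod'] = TRUE; }` and then assign `$config['aliases']['alias'] = $new_aliases;` as now. Separately, the kept `else` branch measures `$pfb['aliasdir'] . '/' . $alias . '.txt'`, where `$alias` still holds the last list name from the loop above rather than `$cbalias['name']`, so it appears to check the same table on every non-pfB iteration; worth confirming against the intent. sync_package_pfblockerng continues outside the hunk.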
@@ -1985,7 +2251,7 @@ function sync_package_pfblockerng($cron = "") { # Assign Rules # ######################### - # Only Execute if AutoRules are defined or if an Alias has been removed. + // Only Execute if AutoRules are defined or if an Alias has been removed. if ($pfb['autorules'] || $pfb['enable'] == "" || $pfb['remove']) { if (count($deny_inbound) > 0 || count($permit_inbound) > 0 || count($match_inbound) > 0) { if ($pfb['inbound_interfaces'] == "") { @@ -2007,9 +2273,9 @@ function sync_package_pfblockerng($cron = "") { $fmatch_rules = array(); $fother_rules = array(); - # Collect All Existing Rules + // Collect All Existing Rules $rules = $config['filter']['rule']; - # Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays. + // Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays. if (!empty($rules)) { foreach ($rules as $rule) { if (!preg_match("/pfB_.*" . $pfb['suffix'] . "/",$rule['descr'])) { @@ -2083,7 +2349,7 @@ function sync_package_pfblockerng($cron = "") { } } - # Define Inbound Interface Rules + // Define Inbound Interface Rules if (!empty($pfb['inbound_interfaces'])) { $counter = 0; foreach ($pfb['inbound_interfaces'] as $inbound_interface) { @@ -2099,7 +2365,7 @@ function sync_package_pfblockerng($cron = "") { $new_rules[] = $cb_rules; } } - # Match Inbound Rules defined as Floating Only. + // Match Inbound Rules defined as Floating Only. if (!empty($match_inbound) && $counter == 0) { foreach ($match_inbound as $cb_rules) { $cb_rules['interface'] = $pfb['inbound_floating']; @@ -2144,7 +2410,7 @@ function sync_package_pfblockerng($cron = "") { } } - # Define Outbound Interface Rules + // Define Outbound Interface Rules if (!empty($pfb['outbound_interfaces'])) { $counter = 0; foreach ($pfb['outbound_interfaces'] as $outbound_interface) { 
@@ -2160,7 +2426,7 @@ function sync_package_pfblockerng($cron = "") { $new_rules[] = $cb_rules; } } - # Match Outbound Rules defined as Floating Only. + // Match Outbound Rules defined as Floating Only. if (!empty($match_outbound) && $counter == 0) { foreach ($match_outbound as $cb_rules) { $cb_rules['interface'] = $pfb['outbound_floating']; @@ -2238,30 +2504,29 @@ function sync_package_pfblockerng($cron = "") { } } - # Save New Rule Order to Config + // Save New Rule Order to Config $config['filter']['rule'] = $new_rules; } - $log = "\n {$message} \n"; - pfb_logger("{$log}","1"); + if (!empty($message)) { + $log = "\n {$message}\n"; + pfb_logger("{$log}","1"); + } - # UNSET arrays + // UNSET arrays unset ($cb_rules,$permit_inbound,$permit_outbound,$deny_inbound,$deny_outbound,$match_inbound,$match_outbound); unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules); } + // Set flag to Update config file. + if ($pfb['autorules'] && $rules != $new_rules) { + $pfb['cron_mod'] = TRUE; + } ################################# - # Closing Processes # + # pfSense Integration # ################################# - #uncheck Reusing Existing Downloads Check box - if (!$pfb['save'] && $pfb['enable'] == "on") - $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = ""; - - # Save all Changes to pfSense config file - write_config(); - - # If 'Rule Changes' are found, utilize the 'filter_configure()' function, if not, utilize 'pfctl replace' command + // If 'Rule Changes' are found, utilize the 'filter_configure()' function, if not, utilize 'pfctl replace' command if ($pfb['autorules'] && $rules != $new_rules || $pfb['enable'] == "" || $pfb['remove']) { require_once("filter.inc"); 
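Review bot: The new test `if ($pfb['autorules'] && $rules != $new_rules)` reads `$rules` and `$new_rules`, which the preceding hunks only assign inside the `count(...) > 0` branch; if neither is initialised before that branch (outside this hunk), a run with auto-rules enabled but no rule candidates compares an unset value and still flags `cron_mod`. Initialising both to `array()` ahead of the branch, or setting the flag next to `$config['filter']['rule'] = $new_rules;` where the change is known, avoids that. The same `$rules != $new_rules` comparison is repeated a few lines later to decide on `filter_configure()`, so computing it once as `$rules_changed` keeps the two decisions from drifting apart. sync_package_pfblockerng continues outside the hunk.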
@@ -2269,79 +2534,88 @@ function sync_package_pfblockerng($cron = "") { $log = "\n===[ Aliastables / Rules ]================================\n\n"; pfb_logger("{$log}","1"); - $log = "Firewall Rule Changes Found, Applying Filter Reload \n"; + $log = "Firewall Rule Changes Found, Applying Filter Reload\n"; pfb_logger("{$log}","1"); } - # Remove all pfBlockerNG Alias tables + // Remove all pfBlockerNG Alias tables if (!empty($aliases_list)) { foreach ($aliases_list as $table) { exec ("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $pfb_null); } } - #load filter file which will create the pfctl tables + // load filter file which will create the pfctl tables filter_configure(); // Call function for NanoBSD/Ramdisk processes. pfb_aliastables("update"); } else { - # Don't Execute on User 'Save' + // Don't Execute on User 'Save' if (!$pfb['save']) { - $log = "\n===[ Aliastables / Rules ]================================\n\n"; + $log = "\n\n===[ Aliastables / Rules ]================================\n\n"; pfb_logger("{$log}","1"); - $log = "No Changes to Firewall Rules, Skipping Filter Reload \n"; + $log = "No Changes to Firewall Rules, Skipping Filter Reload\n"; pfb_logger("{$log}","1"); // Re-Save Only Aliases that have been updated only. // When 'Reputation' is used, all Aliases Need to be Updated. $final_alias = array(); if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") { - if (!empty($pfb_alias_lists_all)) + if (!empty($pfb_alias_lists_all)) { $final_alias = array_unique($pfb_alias_lists_all); + } } else { - if (!empty($pfb_alias_lists)) + if (!empty($pfb_alias_lists)) { $final_alias = array_unique($pfb_alias_lists); + } } if (!empty($final_alias)) { foreach ($final_alias as $final) { - $log = "\n Updating: {$final} \n"; + $log = "\n Updating: {$final}\n"; pfb_logger("{$log}","1"); $result_pfctl = ""; - exec ("/sbin/pfctl -t " . escapeshellarg($final) . " -T replace -f " . $pfb['aliasdir'] . "/" . escapeshellarg($final) . 
".txt 2>&1", $result_pfctl); - $log = implode($result_pfctl); + if (file_exists("{$pfb['aliasdir']}/{$final}.txt")) { + exec ("/sbin/pfctl -t " . escapeshellarg($final) . " -T replace -f " . $pfb['aliasdir'] . "/" . escapeshellarg($final) . ".txt 2>&1", $result_pfctl); + $log = implode($result_pfctl); + } + else { + $log = "Aliastable file not found\n"; + } pfb_logger("{$log}","1"); } + pfb_logger("\n","1"); // Call function for NanoBSD/Ramdisk processes. pfb_aliastables("update"); } else { - $log = "\nNo Changes to Aliases, Skipping pfctl Update \n"; + $log = "No Changes to Aliases, Skipping pfctl Update\n"; pfb_logger("{$log}","1"); } } } - # UNSET Variables + // UNSET Variables unset($rules, $new_rules); - #sync config + // sync config pfblockerng_sync_on_changes(); + ################################# # FINAL REPORTING # ################################# - # Only run with CRON or Force Invoked Process + // Only run with CRON or Force Invoked Process if ((!$pfb['save'] && $pfb['dupcheck'] && $pfb['enable'] == "on") || $pfb['summary']) { - # Script to run Final Script Processes. + // Script to run Final Script Processes. exec ("{$pfb['script']} closing {$pfb['dup']} >> {$pfb['log']} 2>&1"); } - if ($pfb['enable'] == "on" && !$pfb['save']) { - $log = "\n\n UPDATE PROCESS ENDED [ NOW ]\n"; + if ($pfb['enable'] == "on" && !$pfb['save'] || $pfb['summary']) { + $log = "\n UPDATE PROCESS ENDED [ NOW ]\n"; pfb_logger("{$log}","1"); } 
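Review bot: The new `else` branch logs the fixed text `Aliastable file not found` without naming the file, so an operator reading pfblockerng.log cannot tell which table was skipped when several were expected; `$log = "Aliastable file not found: {$pfb['aliasdir']}/{$final}.txt\n";` makes the entry actionable. The `exec()` line is unchanged apart from the guard, and `escapeshellarg($final) . ".txt"` still yields a quoted name immediately followed by an unquoted suffix, which the shell concatenates as intended. sync_package_pfblockerng continues outside the hunk.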
@@ -2350,32 +2624,40 @@ function sync_package_pfblockerng($cron = "") { # Define/Apply CRON Jobs # ######################################### - # Clear any existing pfBlockerNG Cron Jobs - install_cron_job("pfblockerng.php cron", false); - - # Replace Cron job with any User Changes to $pfb_min + // Replace Cron job with any User Changes to $pfb_min if ($pfb['enable'] == "on") { - # Define pfBlockerNG CRON Job + // Define pfBlockerNG CRON Job $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; - # $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) - $pfb_hour = "*"; + // $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) + + // Define Cron hour (Cron Interval & Start Hour) + if ($pfb['interval'] == 1) { + $pfb_hour = "*"; + } elseif ($pfb['interval'] == 24) { + $pfb_hour = $pfb['24hour']; + } else { + $pfb_hour = implode(",", pfb_cron_base_hour()); + } + $pfb_mday = "*"; $pfb_month = "*"; $pfb_wday = "*"; $pfb_who = "root"; - install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); + // Determine if Cron Task requires updating + if (!pfblockerng_cron_exists($pfb_cmd, $pfb['min'], $pfb_hour)) { + install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); + } + } + else { + // Clear any existing pfBlockerNG Cron Jobs + install_cron_job("pfblockerng.php cron", false); } - - # Clear any existing pfBlockerNG MaxMind CRON Job - install_cron_job("pfblockerng.php dc", false); if ($pfb['enable'] == "on") { - # Define pfBlockerNG MaxMind CRON Job + // Define pfBlockerNG MaxMind CRON Job $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1"; - - # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website - + // MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website 
$pfb_gmin = "0"; $pfb_ghour = rand(0,23); $pfb_gmday = "1,2,3,4,5,6,7"; 
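Review bot: When `$pfb['interval'] == 24` the new code copies `$pfb['24hour']` straight into the crontab hour field; unless it is validated where the setting is saved (not visible here), a non-numeric or out-of-range value yields a cron entry that never fires or fails to parse. A guard such as `$pfb_hour = (is_numeric($pfb['24hour']) && $pfb['24hour'] >= 0 && $pfb['24hour'] <= 23) ? $pfb['24hour'] : "0";` keeps the job schedulable. The `pfblockerng_cron_exists()` check that decides whether to reinstall the job is defined elsewhere in the commit, so whether it compares the hour spec as well as the command is not visible from this hunk. The hunk ends mid-block; the MaxMind job definition continues in the next hunk.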
@@ -2383,32 +2665,61 @@ function sync_package_pfblockerng($cron = "") { $pfb_gwday = "2"; $pfb_gwho = "root"; - install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); + // Determine if Cron Task requires updating + if (!pfblockerng_cron_exists($pfb_gcmd, $pfb_gmin, 'maxmind')) { + install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); + } + } + else { + // Clear any existing pfBlockerNG Cron Jobs + install_cron_job("pfblockerng.php dc", false); + } + + + ################################# + # Closing Processes # + ################################# + + // uncheck Reusing Existing Downloads Check box + if (!$pfb['save'] && $pfb['enable'] == "on" && $pfb['reuse'] == "on") { + $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = ""; + $pfb['cron_mod'] = TRUE; + } + + // Only save config.xml changes if changes are found. + // Temporay to ensure all conditions are defined before fully enabling this feature + if ($pfb['cron_mod'] || !$pfb['cron_mod']) { + write_config("pfBlockerNG: Save settings"); } } function pfblockerng_validate_input($post, &$input_errors) { global $config; + foreach ($post as $key => $value) { - if (empty($value)) - continue; - if ($key == "message_size_limit" && !is_numeric($value)) - $input_errors[] = "Message size limit must be numeric."; - if ($key == "process_limit" && !is_numeric($value)) - $input_errors[] = "Process limit must be numeric."; - if ($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0)) - $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; - if (substr($key, 0, 2) == "dc" && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid host name."; - if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) { - if (!is_domain($value)) - $input_errors[] = "{$value} is not a valid domain name."; - } else if (substr($key, 0, 12) == 
"mailserverip" && is_numeric(substr($key, 12))) { - if (empty($post['domain' . substr($key, 12)])) - $input_errors[] = "Domain for {$value} cannot be blank."; - if (!is_ipaddr($value) && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid IP address or host name."; + + if (substr($key, 0, 3) == "url" && is_numeric( substr($key, 3, (strlen($key) - 3))) ) { + if (empty($value)) { + $input_url_empty = TRUE; + continue; + } + if (substr($value, 0, 1) == ' ') { + $input_errors[] = "Leading whitespace not allowed in URL field"; + } + } + + if (substr($key, 0, 6) == "header" && is_numeric( substr($key, 6, (strlen($key) - 6))) ) { + if ($input_url_empty && empty($value)) { + $input_url_empty = FALSE; + continue; + } + if ($input_url_empty && !empty($value)) { + $input_errors[] = "No URL Defined."; + } + if (substr($value, 0, 1) == ' ' || empty($value)) { + $input_errors[] = "Header field must be defined."; + } } } } @@ -2422,9 +2733,10 @@ function pfblockerng_php_install_command() { // Remove previously used CC folder location if exists @rmdir_recursive("{$pfb['dbdir']}/cc"); - # Uncompress Country Code File - exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['dbdir']}/countrycodes.tar.bz2"); - # Download MaxMind Files and Create Country Code files and Build Continent XML Files + // Uncompress Country Code File + @copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2"); + exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['ccdir']}/countrycodes.tar.bz2"); + // Download MaxMind Files and Create Country Code files and Build Continent XML Files update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute...")); exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1"); 
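Review bot: `if ($pfb['cron_mod'] || !$pfb['cron_mod'])` is always true, so `write_config("pfBlockerNG: Save settings")` still runs on every call and the new change-tracking flag has no effect; either reduce it to `if ($pfb['cron_mod']) {` once the remaining conditions are covered, or mark the line with a dated TODO so the temporary state does not outlive its reason. In `pfblockerng_validate_input`, `$input_url_empty` is read before it is ever assigned and is never reset when a non-empty `url{N}` is seen, so after one blank row every later populated row is reported as `No URL Defined.`; the pairing also depends on `url{N}` preceding `header{N}` in `$post`. Looking up `$post['url' . $idx]` from the `header{N}` key removes both the state and the ordering assumption, as sketched below. Nothing in the new validator checks the per-list destination, port and protocol fields that `sync_package_pfblockerng` now writes into firewall rules, so malformed values reach `filter_configure()` unchecked; pfSense's `is_port()`/`is_portrange()`, `is_ipaddr()`/`is_subnet()` and a protocol whitelist would cover them.
```php
function pfblockerng_validate_input($post, &$input_errors) {
	global $config;

	foreach ($post as $key => $value) {
		// Pair each header{N} with its url{N} directly instead of relying on $post ordering.
		if (substr($key, 0, 6) == "header" && is_numeric(substr($key, 6))) {
			$idx = substr($key, 6);
			$url = isset($post['url' . $idx]) ? $post['url' . $idx] : '';
			if (empty($url) && empty($value)) {
				continue;	// blank row
			}
			if (empty($url)) {
				$input_errors[] = "No URL Defined.";
			} elseif (substr($url, 0, 1) == ' ') {
				$input_errors[] = "Leading whitespace not allowed in URL field";
			}
			if (empty($value) || substr($value, 0, 1) == ' ') {
				$input_errors[] = "Header field must be defined.";
			}
		}
	}
}
```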
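Review bot: `@copy(...)` silences a failed copy, after which the `tar` call extracts from a file that may not exist and its exit status is not examined either, so a broken country-code install is only noticed later when lookups fail. Check the copy and report it through the install output this block already uses: `if (!@copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2")) { update_output_window(gettext("Failed to stage countrycodes.tar.bz2")); }`, and pass a `$retval` argument to `exec()` for the tar step so a non-zero exit is reported too. pfblockerng_php_install_command starts and ends outside the hunk.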
@@ -2441,7 +2753,7 @@ function pfblockerng_php_install_command() { @unlink_if_exists("{$pfb['dbdir']}/GeoIPv6.csv"); @unlink_if_exists("{$pfb['dbdir']}/country_continent.csv"); - # Add Widget to Dashboard + // Add Widget to Dashboard update_output_window(gettext("Adding pfBlockerNG Widget to Dashboard.")); if ($pfb['keep'] == "on" && !empty($pfb['widgets'])) { // Restore previous Widget setting if "Keep" is enabled. @@ -2463,16 +2775,16 @@ function pfblockerng_php_deinstall_command() { require_once("config.inc"); global $config,$pfb; - # Set these two variables to Disable pfBlockerNG on De-Install + // Set these two variables to Disable pfBlockerNG on De-Install $pfb['save'] = TRUE; $pfb['install'] = TRUE; sync_package_pfblockerng(); rmdir_recursive("/usr/local/pkg/pfblockerng"); rmdir_recursive("/usr/local/www/pfblockerng"); - # Maintain pfBlockerNG Settings and Database Files if $pfb['keep'] is ON. + // Maintain pfBlockerNG Settings and Database Files if $pfb['keep'] is ON. if ($pfb['keep'] != "on") { - # Remove pfBlockerNG Log and DB Folder + // Remove pfBlockerNG Log and DB Folder rmdir_recursive("{$pfb['dbdir']}"); rmdir_recursive("{$pfb['logdir']}"); @@ -2485,7 +2797,7 @@ function pfblockerng_php_deinstall_command() { } } - # Remove Settings from Config + // Remove Settings from Config if (is_array($config['installedpackages']['pfblockerng'])) unset($config['installedpackages']['pfblockerng']); if (is_array($config['installedpackages']['pfblockerngglobal'])) 
@@ -2518,14 +2830,13 @@ function pfblockerng_php_deinstall_command() {
 unset($config['installedpackages']['pfblockerngproxyandsatellite']);
 }
 
- # Remove Widget (code from Snort deinstall)
+ // Remove Widget (code from Snort deinstall)
 $pfb['widgets'] = $config['widgets']['sequence'];
 if (!empty($pfb['widgets'])) {
 $widgetlist = explode(",", $pfb['widgets']);
 foreach ($widgetlist as $key => $widget) {
 if (strstr($widget, "pfblockerng-container")) {
 unset($widgetlist[$key]);
- break;
 }
 }
 $config['widgets']['sequence'] = implode(",", $widgetlist);
@@ -2540,9 +2851,9 @@ function pfblockerng_sync_on_changes() {
 // Create Array of Sync Settings and exit if Sync is Disabled.
 if (is_array($config['installedpackages']['pfblockerngsync']['config'][0])) {
 $pfb_sync = $config['installedpackages']['pfblockerngsync']['config'][0];
- if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "")
+ if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "") {
 return;
-
+ }
 $synctimeout = $pfb_sync['varsynctimeout'];
 } else {
 return;
@@ -2553,15 +2864,15 @@ function pfblockerng_sync_on_changes() { if (is_array($config['installedpackages']['pfblockerngsync']['config'])) { switch ($pfb_sync['varsynconchanges']) { case "manual": - if (is_array($pfb_sync[row])) { - $rs = $pfb_sync[row]; + if (is_array($pfb_sync['row'])) { + $rs = $pfb_sync['row']; } else { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + log_error("[pfBlockerNG] Manual XMLRPC sync is enabled but there are no replication targets configured."); return; } break; case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { $system_carp = $config['installedpackages']['carpsettings']['config'][0]; $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; $rs[0]['varsyncusername'] = $system_carp['username']; @@ -2575,11 +2886,11 @@ function pfblockerng_sync_on_changes() { } if ($system_carp['synchronizetoip'] == "") { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + log_error("[pfBlockerNG] XMLRPC sync is enabled but there is no sync IP address configured."); return; } } else { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + log_error("[pfBlockerNG] Auto XMLRPC sync is enabled but there are no replication targets configured."); return; } break; @@ -2605,8 +2916,9 @@ function pfblockerng_sync_on_changes() { pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout); } } - if ($success) + if ($success) { log_error("[pfBlockerNG] XMLRPC sync completed successfully."); + } } } } 
@@ -2639,9 +2951,9 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p } /* Test key variables and set defaults if empty */ - if (empty($synctimeout)) + if (empty($synctimeout)) { $synctimeout = 150; - + } $url = "{$protocol}://{$sync_to_ip}"; if ($port == "") { $port = $config['system']['webgui']['port']; }; 
@@ -2656,26 +2968,37 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p /* xml will hold the sections to sync */ $xml = array(); // If User Disabled, remove 'General Tab Customizations' from Sync - if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") - $xml['pfblockerng'] = $config['installedpackages']['pfblockerng']; - $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation']; - $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4']; - $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6']; - $xml['pfblockerngtopspammers'] = $config['installedpackages']['pfblockerngtopspammers']; - $xml['pfblockerngafrica'] = $config['installedpackages']['pfblockerngafrica']; - $xml['pfblockerngantartica'] = $config['installedpackages']['pfblockerngantartica']; - $xml['pfblockerngasia'] = $config['installedpackages']['pfblockerngasia']; - $xml['pfblockerngeurope'] = $config['installedpackages']['pfblockerngeurope']; - $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica']; - $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania']; - $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica']; - $xml['pfblockerngproxyandsatellite'] = $config['installedpackages']['pfblockerngproxyandsatellite']; + if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") { + if (is_array($config['installedpackages']['pfblockerng'])) + $xml['pfblockerng'] = $config['installedpackages']['pfblockerng']; + } + if (is_array($config['installedpackages']['pfblockerngreputation'])) + $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation']; + if (is_array($config['installedpackages']['pfblockernglistsv4'])) + $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4']; + if 
(is_array($config['installedpackages']['pfblockernglistsv6'])) + $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6']; + if (is_array($config['installedpackages']['pfblockerngtopspammers'])) + $xml['pfblockerngtopspammers'] = $config['installedpackages']['pfblockerngtopspammers']; + if (is_array($config['installedpackages']['pfblockerngafrica'])) + $xml['pfblockerngafrica'] = $config['installedpackages']['pfblockerngafrica']; + if (is_array($config['installedpackages']['pfblockerngantartica'])) + $xml['pfblockerngantartica'] = $config['installedpackages']['pfblockerngantartica']; + if (is_array($config['installedpackages']['pfblockerngasia'])) + $xml['pfblockerngasia'] = $config['installedpackages']['pfblockerngasia']; + if (is_array($config['installedpackages']['pfblockerngeurope'])) + $xml['pfblockerngeurope'] = $config['installedpackages']['pfblockerngeurope']; + if (is_array($config['installedpackages']['pfblockerngnorthamerica'])) + $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica']; + if (is_array($config['installedpackages']['pfblockerngoceania'])) + $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania']; + if (is_array($config['installedpackages']['pfblockerngsouthamerica'])) + $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica']; + if (is_array($config['installedpackages']['pfblockerngproxyandsatellite'])) + $xml['pfblockerngproxyandsatellite'] = $config['installedpackages']['pfblockerngproxyandsatellite']; /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); + $params = array(XML_RPC_encode($password), XML_RPC_encode($xml)); /* set a few variables needed for sync code borrowed from filter.inc */ log_error("[pfBlockerNG] XMLRPC syncing to {$url}:{$port}."); 
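Review bot: The twelve `if (is_array(...)) $xml[...] = ...;` statements added here differ only in the section name, and each uses a brace-less body while the rest of this commit is adding braces; a list of section names iterated in a loop says the same thing in a few lines and cannot drift when a section is added. Keep the `syncinterfaces` special case for `pfblockerng` as it is and loop over the others, as below. pfblockerng_do_xmlrpc_sync continues outside the hunk.
```php
// … unchanged: syncinterfaces check for the 'pfblockerng' section …
$sections = array(
	'pfblockerngreputation', 'pfblockernglistsv4', 'pfblockernglistsv6', 'pfblockerngtopspammers',
	'pfblockerngafrica', 'pfblockerngantartica', 'pfblockerngasia', 'pfblockerngeurope',
	'pfblockerngnorthamerica', 'pfblockerngoceania', 'pfblockerngsouthamerica', 'pfblockerngproxyandsatellite',
);
foreach ($sections as $section) {
	if (is_array($config['installedpackages'][$section])) {
		$xml[$section] = $config['installedpackages'][$section];
	}
}
// … unchanged: xmlrpc payload assembly …
```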
@@ -2707,4 +3030,4 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p
 }
 return $success;
 }
-?>
+?>
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index 8c0c478d..f69983e2 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php @@ -146,10 +146,11 @@ function ip_range_to_subnet_array_temp($ip1, $ip2) { return $out; } -# Set php Memory Limit +// Set php Memory Limit $uname = posix_uname(); -if ($uname['machine'] == "amd64") +if ($uname['machine'] == "amd64") { ini_set('memory_limit', '256M'); +} function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) { global $pfb; @@ -220,13 +221,12 @@ function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) { } } - if ($argv[1] == 'update') { sync_package_pfblockerng("cron"); } if ($argv[1] == 'dc') { - # (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options. + // (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options. if ($pfb['cc'] == "") { exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1"); } else { 
@@ -251,85 +251,13 @@ if ($argv[1] == 'gc') { } if ($argv[1] == 'cron') { + + // Call Base Hour converter + $pfb_sch = pfb_cron_base_hour(); + $hour = date('G'); $dow = date('N'); $pfb['update_cron'] = FALSE; - - # Start hour of the 'Once a day' Schedule - $pfb['dailystart'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_dailystart']; - # Start hour of the Scheduler - if ($config['installedpackages']['pfblockerng']['config'][0]['pfb_hour'] != "") { - $pfb['hour'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_hour']; - } else { - $pfb['hour'] = "1"; - } - $updates = 0; - - # 2 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch2 = strval($shour); - for ($i=0; $i<11; $i++) { - $shour += 2; - if ($shour >= 24) - $shour -= 24; - $sch2 .= "," . strval($shour); - } - - # 3 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch3 = strval($shour); - for ($i=0; $i<7; $i++) { - $shour += 3; - if ($shour >= 24) - $shour -= 24; - $sch3 .= "," . strval($shour); - } - - # 4 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch4 = strval($shour); - for ($i=0; $i<5; $i++) { - $shour += 4; - if ($shour >= 24) - $shour -= 24; - $sch4 .= "," . strval($shour); - } - - # 6 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch6 = strval($shour); - for ($i=0; $i<3; $i++) { - $shour += 6; - if ($shour >= 24) - $shour -= 24; - $sch6 .= "," . strval($shour); - } - - # 8 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch8 = strval($shour); - for ($i=0; $i<2; $i++) { - $shour += 8; - if ($shour >= 24) - $shour -= 24; - $sch8 .= "," . strval($shour); - } - - # 12 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch12 = strval($shour) . 
","; - $shour += 12; - if ($shour >= 24) - $shour -= 24; - $sch12 .= strval($shour); - - $e_sch2 = explode(",", $sch2); - $e_sch3 = explode(",", $sch3); - $e_sch4 = explode(",", $sch4); - $e_sch6 = explode(",", $sch6); - $e_sch8 = explode(",", $sch8); - $e_sch12 = explode(",", $sch12); - $log = " CRON PROCESS START [ NOW ]\n"; pfb_logger("{$log}","1"); @@ -347,8 +275,8 @@ if ($argv[1] == 'cron') { $header_url = "{$row['header']}_v6"; } - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); + // Determine Folder Location for Alias (return array $pfbarr) + pfb_determine_list_detail($list['action'], "", "", ""); $pfbfolder = $pfbarr['folder']; $list_cron = $list['cron']; @@ -361,7 +289,7 @@ if ($argv[1] == 'cron') { continue; } - # Check if List file exists, if not found run Update + // Check if List file exists, if not found run Update if (!file_exists($pfbfolder . '/' . $header_url . '.txt')) { $log = " Updates Found\n"; pfb_logger("{$log}","1"); 
@@ -370,42 +298,20 @@ if ($argv[1] == 'cron') { } switch ($list_cron) { - case "01hour": - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "02hours": - if (in_array($hour, $e_sch2)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "03hours": - if (in_array($hour, $e_sch3)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "04hours": - if (in_array($hour, $e_sch4)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "06hours": - if (in_array($hour, $e_sch6)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "08hours": - if (in_array($hour, $e_sch8)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "12hours": - if (in_array($hour, $e_sch12)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; case "EveryDay": - if ($hour == $pfb['dailystart']) + if ($hour == $pfb['24hour']) { pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; case "Weekly": - if ($hour == $pfb['dailystart'] && $dow == $header_dow) + if ($hour == $pfb['24hour'] && $dow == $header_dow) { pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; default: + if ($pfb['interval'] == "1" || in_array($hour, $pfb_sch)) { + pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; } } 
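Review bot: The rewritten `default:` branch now runs the interval update for every `$list_cron` value that is not "EveryDay" or "Weekly", including an empty or unrecognised string, whereas the removed `01hour` … `12hours` cases only fired for known values; with `$pfb['interval'] == "1"` such a list is refreshed on every cron tick. If that fallthrough is intended, say so above the branch, e.g. `// All 'NNhours' intervals (and any unknown value) fall through to the base-hour schedule`; otherwise guard it with an explicit check against the known interval strings. `in_array($hour, $pfb_sch)` is a loose comparison between `date('G')` and whatever `pfb_cron_base_hour()` returns; passing `true` as the third argument, with the same scalar type on both sides, avoids surprises, assuming that helper yields an array of hours. `$pfb['24hour']` and `$pfb['interval']` are presumably populated by the same helper, which is not in this diff. The enclosing `if ($argv[1] == 'cron')` block begins and ends outside the hunk.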
@@ -415,6 +321,30 @@ if ($argv[1] == 'cron') { } } + // If Continents are Defined, continue with Update Process to determine if further changes are required. + $continents = array ( "Africa" => "pfB_Africa", + "Antartica" => "pfB_Antartica", + "Asia" => "pfB_Asia", + "Europe" => "pfB_Europe", + "North America" => "pfB_NAmerica", + "Oceania" => "pfB_Oceania", + "South America" => "pfB_SAmerica", + "Top Spammers" => "pfB_Top", + "Proxy and Satellite" => "pfB_PS" + ); + + if (!$pfb['update_cron']) { + foreach ($continents as $continent => $pfb_alias) { + if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { + $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; + if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") { + $pfb['update_cron'] = TRUE; + break; + } + } + } + } + if ($pfb['update_cron']) { sync_package_pfblockerng("cron"); } else { @@ -423,7 +353,7 @@ if ($argv[1] == 'cron') { pfb_logger("{$log}","1"); } - # Call Log Mgmt Function + // Call Log Mgmt Function // If Update GUI 'Manual view' is selected. Last output will be missed. So sleep for 5 secs. sleep(5); pfb_log_mgmt(); @@ -438,7 +368,7 @@ function pfblockerng_uc_countries() { $maxmind_cc4 = "{$pfb['dbdir']}/GeoIPCountryWhois.csv"; $maxmind_cc6 = "{$pfb['dbdir']}/GeoIPv6.csv"; - # Create Folders if not Exist + // Create Folders if not Exist $folder_array = array ("{$pfb['dbdir']}","{$pfb['logdir']}","{$pfb['ccdir']}"); foreach ($folder_array as $folder) { safe_mkdir ("{$folder}",0755); 
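Review bot: `$pfb['enable'] == "on"` is loop-invariant but is re-evaluated for each continent inside the new `foreach`; lifting it into the outer condition, `if (!$pfb['update_cron'] && $pfb['enable'] == "on") {`, skips the whole scan when the package is disabled and reads more directly. The config key `'pfblockerng' . strtolower(preg_replace('/ /','',$continent))` is a fixed-string replacement computed twice per iteration; assign it once as `$key = 'pfblockerng' . strtolower(str_replace(' ', '', $continent));` and use `$key` in both the `is_array` test and the lookup. `$continent_config['action'] != "Disabled"` is a loose comparison and is safer as `!==`. The enclosing cron block ends outside the hunk.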
@@ -456,7 +386,7 @@ function pfblockerng_uc_countries() { return; } - # Save Date/Time Stamp to MaxMind version file + // Save Date/Time Stamp to MaxMind version file $maxmind_ver = "MaxMind GeoLite Date/Time Stamps \n\n"; $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers("http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip"))); $maxmind_ver .= "MaxMind_v4 \t" . $remote_tds . "\n"; @@ -738,6 +668,7 @@ $xml = <<<EOF <version>1.0</version> <title>pfBlockerNG: {$cont}</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save {$cont} settings</addedit_string> <menu> <name>pfBlockerNG: {$cont_name}</name> <tooltiptext>Configure pfBlockerNG</tooltiptext> 
@@ -824,44 +755,57 @@ $xml = <<<EOF </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname></fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> </field> - <field> - <fielddescr><![CDATA[<br /><strong>IPv4</strong><br />Countries]]></fielddescr> + <field> <fieldname>countries4</fieldname> - <description> - <![CDATA[Select IPv4 Countries you want to take an action on.<br /> - <strong>Use CTRL + CLICK to unselect countries</strong>]]> - </description> + <fielddescr><![CDATA[<strong><center>Countries</center></strong><br /> + <center>Use CTRL + CLICK to unselect countries</center>]]> + </fielddescr> <type>select</type> <options> ${'options4'} </options> <size>${'ftotal4'}</size> <multiple/> + +EOF; + +// Adjust combinefields variable if IPv6 is empty. 
+if (!empty (${'options6'})) { + $xml .= <<<EOF + <description><![CDATA[<center><br />IPv4 Countries</center>]]></description> + <usecolspan2/> + <combinefields>begin</combinefields> </field> EOF; +} else { + $xml .= <<<EOF + <description><![CDATA[<br />IPv4 Countries]]></description> + </field> + +EOF; +} // Skip IPv6 when Null data found if (!empty (${'options6'})) { $xml .= <<<EOF <field> - <fielddescr><![CDATA[<br /><strong>IPv6</strong><br />Countries]]></fielddescr> <fieldname>countries6</fieldname> - <description> - <![CDATA[Select IPv6 Countries you want to take an action on.<br /> - <strong>Use CTRL + CLICK to unselect countries</strong>]]> - </description> + <description><![CDATA[<br /><center>IPv6 Countries</center>]]></description> <type>select</type> <options> ${'options6'} </options> <size>${'ftotal6'}</size> <multiple/> + <usecolspan2/> + <dontdisplayname/> + <combinefields>end</combinefields> </field> EOF; @@ -870,7 +814,7 @@ EOF; $xml .= <<<EOF <field> <fielddescr>List Action</fielddescr> - <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br /> + <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br /> Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br /> <strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br /> 
@@ -901,7 +845,7 @@ $xml .= <<<EOF <li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br /> <li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul> <strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and use the 'Exact' spelling of - the Alias (no trailing Whitespace) </strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if + the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom Alias Configuration<br />]]> @@ -928,9 +872,10 @@ $xml .= <<<EOF <field> <fielddescr>Enable Logging</fielddescr> <fieldname>aliaslog</fieldname> - <description><![CDATA[Default:<strong>Enable</strong><br /> + <description><![CDATA[Default: <strong>Enable</strong><br /> Select - Logging to Status: System Logs: FIREWALL ( Log )<br /> - This can be overriden by the 'Global Logging' Option in the General Tab.]]></description> + This can be overriden by the 'Global Logging' Option in the General Tab.]]> + </description> <type>select</type> <options> <option><name>Enable</name><value>enabled</value></option> 
@@ -938,9 +883,87 @@ $xml .= <<<EOF </options> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]> - </name> + <name>Advanced Inbound Firewall Rule Settings</name> + <type>listtopic</type> + </field> + <field> + <type>info</type> + <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br /> + <ul>Inbound - 'any' port, 'any' protocol and 'any' destination<br /> + Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul> + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br /> + <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]> + </description> + </field> + <field> + <fieldname>autoports</fieldname> + <fielddescr>Enable Custom Port</fielddescr> + <type>checkbox</type> + <enablefields>aliasports</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Define Alias</fielddescr> + <fieldname>aliasports</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a> + Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>port</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fieldname>autodest</fieldname> + <fielddescr>Enable Custom Destination</fielddescr> + <type>checkbox</type> + <enablefields>aliasdest,autonot</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fieldname>aliasdest</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a> + Do not manually enter Addresses(es). 
<br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>network</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields/> + </field> + <field> + <fielddescr>Invert</fielddescr> + <fieldname>autonot</fieldname> + <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br /> + ie - Not (!) Destination Address(es)</div>]]> + </description> + <type>checkbox</type> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fielddescr>Custom Protocol</fielddescr> + <fieldname>autoproto</fieldname> + <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description> + <type>select</type> + <options> + <option><name>any</name><value></value></option> + <option><name>TCP</name><value>tcp</value></option> + <option><name>UDP</name><value>udp</value></option> + <option><name>TCP/UDP</name><value>tcp/udp</value></option> + </options> + <size>4</size> + <default_value></default_value> + </field> + <field> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> @@ -1042,6 +1065,7 @@ $xmlrep = <<<EOF <version>1.0</version> <title>pfBlockerNG: IPv4 Reputation</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save Reputation Settings</addedit_string> <menu> <name>pfBlockerNG</name> <tooltiptext>Configure pfblockerNG</tooltiptext> 
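Review bot: The `aliasports` and `aliasdest` descriptions tell the user not to enter literal ports/addresses and not to use 'pfB_' in the alias name, but nothing in these fields enforces that; the List Action text earlier in this file says custom 'pfB_' rules are removed under Auto Rule Creation, so a user who ignores the note could have their alias rules silently clobbered. A `custom_php_validation_command` hook rejecting alias names that begin with 'pfB_' (case-insensitive) would turn that into an input error — confirm whether pfblockerng.inc already validates these fields. The `autoproto` 'any' option is stored as an empty `<value>`, so whatever consumes it must treat '' and absence identically; a short comment on the field such as `<!-- empty value means 'any' protocol -->` would help the next reader. The surrounding heredoc (`$xml .= <<<EOF`) opens outside the hunk.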
@@ -1122,14 +1146,13 @@ $xmlrep = <<<EOF </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname></fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> </field> <field> <fielddescr><![CDATA[<strong>Why Reputation Matters:</strong>]]></fielddescr> - <fieldname></fieldname> <type>info</type> <description><![CDATA[By Enabling '<strong>Reputation</strong>', each Blocklist will be analyzed for Repeat Offenders in each IP Range. <ul>Example: x.x.x.1, x.x.x.2, x.x.x.3, x.x.x.4, x.x.x.5<br /> @@ -1150,7 +1173,6 @@ $xmlrep = <<<EOF <type>listtopic</type> </field> <field> - <fieldname></fieldname> <fielddescr><![CDATA[<br /><strong>Individual List Reputation</strong><br /><br />]]></fielddescr> <type>info</type> <description></description> @@ -1177,13 +1199,11 @@ $xmlrep = <<<EOF </options> </field> <field> - <fieldname></fieldname> <fielddescr><![CDATA[<br /><strong>Collective List Reputation</strong><br /><br />]]></fielddescr> <type>info</type> <description></description> </field> <field> - <fieldname></fieldname> <type>info</type> <description><![CDATA[Once all Blocklists are Downloaded, these two 'additional' processes <strong>[ pMax ] and [ dMax ]</strong><br /> Can be used to Further analyze for Repeat Offenders.<br /> @@ -1244,7 +1264,6 @@ $xmlrep = <<<EOF <type>listtopic</type> </field> <field> - <fieldname>INFO</fieldname> <type>info</type> <description><![CDATA[When performing Queries for Repeat Offenders, you can choose to <strong>ignore</strong> Repeat Offenders in select Countries. The Original Blocklisted IPs remain intact. All other Repeat Offending Country Ranges will be processed.<br /><br /> 
@@ -1286,7 +1305,7 @@ $xmlrep = <<<EOF </field> <field> <fielddescr><![CDATA[<br /><strong>IPv4</strong><br />Country Exclusion<br /> - <br />Geolite Data by:<br />MaxMind Inc. (ISO 3166)]]></fielddescr> + <br />Geolite Data by: <br />MaxMind Inc. (ISO 3166)]]></fielddescr> <fieldname>ccexclude</fieldname> <description> <![CDATA[Select Countries you want to <strong>Exclude</strong> from the Reputation Process.<br /> @@ -1305,7 +1324,6 @@ $xmlrep = <<<EOF </field> <field> <fielddescr>Subscription Pro. Blocklist</fielddescr> - <fieldname>ETINFO</fieldname> <type>info</type> <description><![CDATA[<strong>Emerging Threats IQRisk</strong> is a Subscription Professional Reputation List.<br /><br /> ET IQRisk Blocklist must be entered in the Lists Tab using the following example: @@ -1429,7 +1447,7 @@ $xmlrep = <<<EOF <field> <fielddescr>Update ET Categories</fielddescr> <fieldname>et_update</fieldname> - <description><![CDATA[Default:<strong>Disable</strong><br /> + <description><![CDATA[Default: <strong>Disable</strong><br /> Select - Enable ET Update if Category Changes are Made.<br /> You can perform a 'Force Update' to enable these changes.<br /> Cron will also resync this list at the next Scheduled Update.]]> @@ -1441,8 +1459,8 @@ $xmlrep = <<<EOF </options> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]></name> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> diff --git a/config/pfblockerng/pfblockerng.priv.inc b/config/pfblockerng/pfblockerng.priv.inc index 970ab25f..97cf6288 100644 --- a/config/pfblockerng/pfblockerng.priv.inc +++ b/config/pfblockerng/pfblockerng.priv.inc 
@@ -8,8 +8,6 @@ $priv_list['page-firewall-pfblockerng']['descr'] = "Allow access to pfBlockerNG
 $priv_list['page-firewall-pfblockerng']['match'] = array();
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_reputation.xml*";
-$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_v4lists.xml*";
-$priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_v6lists.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_top20.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_Africa.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_Asia.xml*";
@@ -19,6 +17,10 @@ $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblocker
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_SouthAmerica.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_ProxyandSatellite.xml*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pkg_edit.php?xml=pfblockerng/pfblockerng_sync.xml*";
+
+$priv_list['page-firewall-pfblockerng']['match'][] = "pkg.php?xml=pfblockerng/pfblockerng_v4lists.xml*";
+$priv_list['page-firewall-pfblockerng']['match'][] = "pkg.php?xml=pfblockerng/pfblockerng_v6lists.xml*";
+
 $priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_update.php*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_alerts.php*";
 $priv_list['page-firewall-pfblockerng']['match'][] = "pfblockerng/pfblockerng_log.php*";
diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh
index ba0c908b..fcfbcae1 100644
--- a/config/pfblockerng/pfblockerng.sh
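Review bot: The two `pkg_edit.php?xml=pfblockerng/pfblockerng_v4lists.xml*` / `..._v6lists.xml*` privilege matches are removed and only `pkg.php?xml=...` matches are added; a pfSense `pkg.php` listing page normally links each row to `pkg_edit.php` for add/edit, so a user holding only the `page-firewall-pfblockerng` privilege may now be able to list v4/v6 entries but be denied when opening or saving one. If the new list pages still drive row edits through `pkg_edit.php`, keep the old matches alongside the new ones rather than replacing them. Worth verifying against pfblockerng_v4lists.xml in this same commit, which is not visible here.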
+++ b/config/pfblockerng/pfblockerng.sh @@ -24,7 +24,7 @@ fi now=$(/bin/date +%m/%d/%y' '%T) -# Application Paths +# Application Locations pathgrepcidr="${prefix}/bin/grepcidr" pathgeoip="${prefix}/bin/geoiplookup" @@ -165,7 +165,7 @@ fi if [ -s "$matchfile" -a ! "$dedup" == "on" -a "$ccwhite" == "match" ]; then mon=$(sed -e 's/^/^/' -e 's/\./\\\./g' $matchfile) for ip in $mon; do - grep $ip $tempfile >> $tempfile2 + grep $ip $tempfile >> $tempfile2 done mcount=$(grep -c ^ $tempfile2) if [ "$ccwhite" == "match" ]; then @@ -372,7 +372,7 @@ if [ -e "$pfbsuppression" ] && [ -s "$pfbsuppression" ]; then fi else if [ "$cc" == "suppressheader" ]; then - echo "===[ Suppression Stats ]========================================"; echo + echo; echo "===[ Suppression Stats ]========================================"; echo printf "%-20s %-10s %-10s %-10s %-10s\n" "List" "Pre" "RFC1918" "Suppress" "Masterfile" echo "----------------------------------------------------------------" exitnow @@ -675,7 +675,6 @@ if [ -s $pfborig$alias".gz" ]; then $pathgunzip -c $pfborig$alias".gz" > $pfborig$alias".raw" # ET CSV Format (IP, Category, Score) - echo; echo "Processing [ $alias ]" while IFS="," read a b c; do # Some ET Categories are not in use (For Future Use) case "$b" in @@ -724,7 +723,7 @@ if [ -s $pfborig$alias".gz" ]; then esac done <"$pfborig$alias.raw" data=$(ls $etdir) - echo "Compiling ET IP IQRisk REP Lists based upon User Selected Categories" + echo; echo "Compiling ET IP IQRisk REP Lists based upon User Selected Categories" printf "%-10s %-25s\n" " Action" "Category" echo "-------------------------------------------" 
@@ -795,7 +794,7 @@ if [ "$alias" == "on" ]; then sort -o $masterfile $masterfile sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n $mastercat > $tempfile; mv -f $tempfile $mastercat - echo; echo; echo "===[ FINAL Processing ]====================================="; echo + echo; echo "===[ FINAL Processing ]====================================="; echo echo " [ Original count ] [ $fcount ]" count=$(grep -c ^ $masterfile) echo; echo " [ Processed Count ] [ $count ]"; echo @@ -976,4 +975,4 @@ case $1 in exitnow ;; esac -exitnow +exitnow
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php index 229e084b..c9522cd7 100644 --- a/config/pfblockerng/pfblockerng.widget.php +++ b/config/pfblockerng/pfblockerng.widget.php @@ -15,7 +15,7 @@ snort_alerts.widget.php Copyright (C) 2009 Jim Pingle mod 24-07-2012 - mod 28-02-2014 by Bill Meeks + mod 28-02-2015 by Bill Meeks Javascript and Integration modifications by J. Nieuwenhuizen 
@@ -42,58 +42,268 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$nocsrf = true; @require_once("/usr/local/www/widgets/include/widget-pfblockerng.inc"); @require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc"); @require_once("guiconfig.inc"); -@require_once("globals.inc"); -@require_once("pfsense-utils.inc"); -@require_once("functions.inc"); pfb_global(); -// Ackwnowlege Failed Downloads +// Image source definition +$pfb['down'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif' title='No Rules are Defined using this Alias' alt='' />"; +$pfb['up'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif' title='Rules are Defined using this Alias (# of fw rules defined)' alt='' />"; +$pfb['err'] = "<img src ='/themes/{$g['theme']}/images/icons/icon_wzd_nsaved.png' title='pf Errors found.' alt='' />"; + +// Alternating line shading +$pfb['RowOddClass'] = "style='background-color: #FFFFFF;'"; +$pfb['RowEvenClass'] = "style='background-color: #F0F0F0;'"; +$pfb['RowEvenClass2'] = "style='background-color: #D0D0D0;'"; +$pfb['ColClass'] = "listMRr"; + +$pfb['global'] = &$config['installedpackages']['pfblockerngglobal']; + +// Define default widget customizations +if (!isset($pfb['global']['widget-maxfails'])) { + $pfb['global']['widget-maxfails'] = '3'; +} +if (!isset($pfb['global']['widget-maxpivot'])) { + $pfb['global']['widget-maxpivot'] = '200'; +} +if (!isset($pfb['global']['widget-sortcolumn'])) { + $pfb['global']['widget-sortcolumn'] = 'none'; +} +if (!isset($pfb['global']['widget-sortdir'])) { + $pfb['global']['widget-sortdir'] = 'asc'; +} +if (!isset($pfb['global']['widget-popup'])) { + $pfb['global']['widget-popup'] = 'on'; +} + +// Collect variables +if (is_array($pfb['global'])) { + $pfb['maxfails'] = $pfb['global']['widget-maxfails']; + $pfb['maxpivot'] = $pfb['global']['widget-maxpivot']; + $pfb['sortcolumn'] = $pfb['global']['widget-sortcolumn']; + 
$pfb['sortdir'] = $pfb['global']['widget-sortdir']; + $pfb['popup'] = $pfb['global']['widget-popup']; +} + +// Save widget customizations +if ($_POST) { + if (is_numeric($_POST['pfb_maxfails'])) { + $pfb['global']['widget-maxfails'] = $_POST['pfb_maxfails']; + } + if (is_numeric($_POST['pfb_maxpivot'])) { + $pfb['global']['widget-maxpivot'] = $_POST['pfb_maxpivot']; + } + if (!empty($_POST['pfb_popup'])) { + $pfb['global']['widget-popup'] = $_POST['pfb_popup']; + } + if (!empty($_POST['pfb_sortcolumn'])) { + $pfb['global']['widget-sortcolumn'] = $_POST['pfb_sortcolumn']; + } + if (!empty($_POST['pfb_sortdir'])) { + $pfb['global']['widget-sortdir'] = $_POST['pfb_sortdir']; + } + write_config("pfBlockerNG: Saved Widget customizations via Dashboard"); + header("Location: ../../index.php"); +} + +// Ackwnowlege failed downloads if (isset($_POST['pfblockerngack'])) { - $clear = exec("/usr/bin/sed -i '' 's/FAIL/Fail/g' {$pfb['errlog']}"); + exec("/usr/bin/sed -i '' 's/FAIL/Fail/g' {$pfb['errlog']}"); header("Location: ../../index.php"); } -// This function will create the counts -function pfBlockerNG_get_counts() { - global $config, $g, $pfb; +// Called by Ajax to update table contents +if (isset($_GET['getNewCounts'])) { + pfBlockerNG_get_table("js"); + return; +} - // Collect Alias Count and Update Date/Time +// Sort widget table according to user configuration +function pfbsort(&$array, $subkey="id", $sort_ascending=FALSE) { + if (empty($array)) { + return; + } + if (count($array)) { + $temp_array[key($array)] = array_shift($array); + } + + foreach ($array as $key => $val) { + $offset = 0; + $found = FALSE; + foreach ($temp_array as $tmp_key => $tmp_val) { + if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) { + $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset)); + $found = TRUE; + } + $offset++; + } + if (!$found) { + $temp_array = array_merge($temp_array, array($key => 
$val)); + } + } + + if ($sort_ascending) { + $array = array_reverse($temp_array); + } else { + $array = $temp_array; + } + return; +} + +// Collect all pfBlockerNG statistics +function pfBlockerNG_get_counts() { + global $config, $pfb; $pfb_table = array(); - $out = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif' title=\"No Rules are Defined using this Alias\" alt=\"\" />"; - $in = "<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif' title=\"Rules are Defined using this Alias\" alt=\"\" />"; - if (is_array($config['aliases']['alias'])) { - foreach ($config['aliases']['alias'] as $cbalias) { - if (preg_match("/pfB_/", $cbalias['name'])) { - if (file_exists("{$pfb['aliasdir']}/{$cbalias['name']}.txt")) { - preg_match("/(\d+)/", exec("/usr/bin/grep -cv \"^1\.1\.1\.1\" {$pfb['aliasdir']}/{$cbalias['name']}.txt"), $matches); - $pfb_table[$cbalias['name']] = array("count" => $matches[1], "img" => $out); - $updates = exec("ls -ld {$pfb['aliasdir']}/{$cbalias['name']}.txt | awk '{ print $6,$7,$8 }'", $update); - $pfb_table[$cbalias['name']]['up'] = $updates; + + /* Alias Table Definitions - 'update' - Last Updated Timestamp + 'rule' - Total number of Firewall rules per alias + 'count' - Total Line Count per alias + 'packets' - Total number of pf packets per alias */ + + exec("/sbin/pfctl -vvsTables | grep -A4 'pfB_'", $pfb_pfctl); + if (!empty($pfb_pfctl)) { + foreach($pfb_pfctl as $line) { + $line = trim(str_replace(array( '[', ']' ), '', $line)); + if (substr($line, 0, 1) == '-') { + $pfb_alias = trim(strstr($line, 'pfB', FALSE)); + if (empty($pfb_alias)) { + unset($pfb_alias); + continue; + } + exec("/usr/bin/grep -cv '^1\.1\.1\.1' {$pfb['aliasdir']}/{$pfb_alias}.txt", $match); + $pfb_table[$pfb_alias] = array('count' => $match[1], 'img' => $pfb['down']); + exec("ls -ld {$pfb['aliasdir']}/{$pfb_alias}.txt | awk '{ print $6,$7,$8 }'", $update); + $pfb_table[$pfb_alias]['update'] = $update[0]; + $pfb_table[$pfb_alias]['rule'] = 0; 
+ unset($match, $update); + continue; + } + + if (isset($pfb_alias)) { + if (substr($line, 0, 9) == 'Addresses') { + $addr = trim(substr(strrchr($line, ':'), 1)); + $pfb_table[$pfb_alias]['count'] = $addr; + continue; + } + if (substr($line, 0, 11) == 'Evaluations') { + $packets = trim(substr(strrchr($line, ':'), 1)); + $pfb_table[$pfb_alias]['packets'] = $packets; + unset($pfb_alias); } } } } + else { + // Error. No pf labels found. + $pfb['pfctl'] = TRUE; + } - // Collect if Rules are defined using pfBlockerNG Aliases. + // Determine if firewall rules are defined if (is_array($config['filter']['rule'])) { foreach ($config['filter']['rule'] as $rule) { - if (preg_match("/pfB_/",$rule['source']['address']) || preg_match("/pfb_/",$rule['source']['address'])) { - $pfb_table[$rule['source']['address']]['img'] = $in; + // Skip disabled rules + if (isset($rule['disabled'])) { + continue; + } + if (stripos($rule['source']['address'], "pfb_") !== FALSE) { + $pfb_table[$rule['source']['address']]['img'] = $pfb['up']; + $pfb_table[$rule['source']['address']]['rule'] += 1; } - if (preg_match("/pfB_/",$rule['destination']['address']) || preg_match("/pfb_/",$rule['destination']['address'])) { - $pfb_table[$rule['destination']['address']]['img'] = $in; + if (stripos($rule['destination']['address'], "pfb_") !== FALSE) { + $pfb_table[$rule['destination']['address']]['img'] = $pfb['up']; + $pfb_table[$rule['destination']['address']]['rule'] += 1; } } - return $pfb_table; } + + // Collect packet fence rule numbers + exec("/sbin/pfctl -vv -sr | grep 'pfB_'", $pfrules); + if (!empty($pfrules)) { + foreach ($pfrules as $result) { + // Sample : @112(0) block return in log quick on em1 from any to <pfB_PRI1:160323> label "USER_RULE: pfB_PRI1" + if (preg_match("/@(\d+)\(\d+\).*\<(pfB_\w+):\d+\>/", $result, $rule)) { + $pfb_table[$rule[2]]['rules'] .= $rule[1] . 
'|'; + } + } + } + + // Sort tables per sort customization + if ($pfb['sortcolumn'] != "none") { + if ($pfb['sortdir'] == "asc") { + pfbsort($pfb_table, $pfb['sortcolumn'], TRUE); + } else { + pfbsort($pfb_table, $pfb['sortcolumn'], FALSE); + } + } + return $pfb_table; } -// Status Indicator if pfBlockerNG is Enabled/Disabled +// Called on initial load and Ajax to update table contents +function pfBlockerNG_get_table($mode="") { + global $pfb; + $counter = 0; $dcounter = 1; $response = ''; + + $pfb_table = pfBlockerNG_get_counts(); + if (!empty($pfb_table)) { + foreach ($pfb_table as $pfb_alias => $values) { + // Add firewall rules count associated with alias + $values['img'] = $values['img'] . "<span title='Alias Firewall Rule count' ><small>({$values['rule']})</small></span>"; + + // If packet fence errors found, display error. + if ($pfb['pfctl']) { + $values['img'] = $pfb['err']; + } + + // Alias table popup + if ($values['count'] > 0 && $pfb['popup'] == "on") { + $alias_popup = rule_popup($pfb_alias, '', '', ''); + $alias_span = $alias_popup['src']; + $alias_span_end = $alias_popup['src_end']; + } + else { + $alias_span = ''; + $alias_span_end = ''; + } + + // Packet column pivot to Alerts Tab + if ($values['packets'] > 0) { + $rules = rtrim($values['rules'], '|'); + if ($values['packets'] > $pfb['maxpivot']) { + $aentries = $pfb['maxpivot']; + } else { + $aentries = $values['packets']; + } + + $packets = "<a target='_new' href='/pfblockerng/pfblockerng_alerts.php?rule={$rules}&entries={$aentries}' "; + $packets .= "style='text-decoration: underline;' title='Click to view these packets in Alerts tab' >{$values['packets']}</a>"; + } + else { + $packets = $values['packets']; + } + + if ($mode == "js") { + echo $response = $alias_span . $pfb_alias . $alias_span_end . "||" . $values['count'] . "||" . $packets . "||" . $values['update'] + . "||" . $values['img'] . "\n"; + } + else { + $RowClass = $counter % 2 ? 
$pfb['RowEvenClass'] : $pfb['RowOddClass']; + $counter++; + echo (" <tr {$RowClass}> + <td class='listMRr ellipsis'>" . $alias_span . $pfb_alias . $alias_span_end . "</td> + <td class='listMRr' align='center'>{$values['count']}</td> + <td class='listMRr' sorttable_customkey='{$values['packets']}' align='center'>{$packets}</td> + <td class='listMRr' align='center'>{$values['update']}</td> + <td class='listMRr' align='center'>{$values['img']}</td> + </tr>"); + } + } + } +} + +// Status indicator if pfBlockerNG is enabled/disabled if ("{$pfb['enable']}" == "on") { $pfb_status = "/themes/{$g['theme']}/images/icons/icon_pass.gif"; $pfb_msg = "pfBlockerNG is Active."; 
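Review bot: `$nocsrf = true;` switches off the csrf-magic token check for this widget, and the same hunk adds a `$_POST` handler that persists request values with `write_config()` plus a `pfblockerngack` branch that runs `exec()`; both now accept a forged cross-site POST from a logged-in browser, so keep the check enabled (drop the `$nocsrf` line and emit the token in the widget's own form, as other pfSense pages do) rather than exempting the whole file. The stored values are also only `!empty()`-checked: `pfb_sortcolumn`, `pfb_sortdir` and `pfb_popup` should be whitelisted against the values the form offers, e.g. `if (in_array($_POST['pfb_sortdir'], array('asc', 'desc'), true))`, and `is_numeric` (which accepts forms like '1e3') is better as `ctype_digit((string)$_POST['pfb_maxfails'])`. In `pfBlockerNG_get_counts()`, `'count' => $match[1]` reads past the single output line `exec()` returns for `grep -c`; the sibling `$update[0]` shows the intended index, so this should be `$match[0]` (the value is later overwritten when pfctl reports an `Addresses` line, which hides the bug on a healthy system). `$pfb['pfctl']` is read in `pfBlockerNG_get_table()` but only assigned on the error path, so initialise it to `FALSE` before the `pfctl -vvsTables` call. `$pfb_alias` is interpolated unquoted into the two `exec()` command strings; wrapping the path with `escapeshellarg()` keeps the command safe even if a table name ever contains shell metacharacters, which pfSense alias validation presumably prevents but this file does not.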
@@ -102,70 +312,78 @@ if ("{$pfb['enable']}" == "on") { $pfb_msg = "pfBlockerNG is Disabled."; } -// Collect Total IP/Cidr Counts +// Collect total IP/Cidr counts $dcount = exec("cat {$pfb['denydir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'"); $pcount = exec("cat {$pfb['permitdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'"); $mcount = exec("cat {$pfb['matchdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'"); $ncount = exec("cat {$pfb['nativedir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'"); -// Collect Number of Suppressed Hosts +// Collect number of suppressed hosts if (file_exists("{$pfb['supptxt']}")) { $pfbsupp_cnt = exec ("/usr/bin/grep -c ^ {$pfb['supptxt']}"); } else { $pfbsupp_cnt = 0; } -#check rule count -#(label, evaluations,packets total, bytes total, packets in, bytes in,packets out, bytes out) -$packets = exec("/sbin/pfctl -s labels", $debug); -if (!empty($debug)) { - foreach ($debug as $line) { - // Auto-Rules start with 'pfB_', Alias Rules should start with 'pfb_' and exact spelling of Alias Name. 
- $line = str_replace("pfb_","pfB_",$line); - if ("{$pfb['pfsenseversion']}" >= '2.2') { - #USER_RULE: pfB_Top auto rule 8494 17 900 17 900 0 0 0 - if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) { - if (isset($matches)) { - ${$matches[1]}+=$matches[2]; - } else { - ${$matches[1]} = 'Err'; - } - } - } else { - #USER_RULE: pfB_Top auto rule 1656 0 0 0 0 0 0 - if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) { - if (isset($matches)) { - ${$matches[1]}+=$matches[2]; - } else { - ${$matches[1]} = 'Err'; - } - } - } - } -} +// Collect any failed downloads +exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results); +$results = array_reverse($results); -// Called by Ajax to update alerts table contents -if (isset($_GET['getNewCounts'])) { - $response = ""; - $pfb_table = pfBlockerNG_get_counts(); - if (!empty($pfb_table)) { - foreach ($pfb_table as $alias => $values){ - if (!isset(${$alias})) { ${$alias} = "-";} - $response .= $alias . "||" . $values['count'] . "||" . ${$alias} . "||" . $values['up'] . "||" . $values['img'] . 
"\n"; - } - echo $response; - return; - } -} +?> + <!-- Widget customization settings icon --> + <input type="hidden" id="pfblockerng-config" name="pfblockerng-config" value="" /> + <div id="pfblockerng-settings" class="widgetconfigdiv" style="display:none;outline: none;"> + <form action="/widgets/widgets/pfblockerng.widget.php" method="post" name="pfb_iform"> + <table id="widgettable" class="none" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="22%" class="vncellt" valign="top" align="right" ><input type="checkbox" name="pfb_popup" class="formfld unknown" id="pfb_popup" + title="Enabling this option, will Popup a Table showing all of the Alias Table IPs" + value="on" <?php if ($pfb['popup'] == "on") echo 'checked'; ?> /></td> + <td width="78%" class="listr" ><?=gettext("Enable Alias Table Popup");?></td> + </tr> + <tr> + <td width="22%" class="vncellt" valign="top" ><input type="text" size="3" name="pfb_maxfails" class="formfld unknown" id="pfb_maxfails" + title="Tha maximum number of Failed Download Alerts to be shown. 
Refer to the error.log for add'l details" + value="<?= $pfb['maxfails'] ?>" /></td> + <td width="78%" class="listr" ><?=gettext("Enter number of download fails to display (default:3)");?></td> + </tr> + <tr> + <td width="22%" class="vncellt" valign="top" ><input type="text" size="3" name="pfb_maxpivot" class="formfld unknown" id="pfb_maxpivot" + title="The maximum number of Packets to pivot to the Alerts Tab" + value="<?= $pfb['maxpivot'] ?>" /></td> + <td width="78%" class="listr" ><?=gettext("Enter 'max' Packets for Alerts Tab pivot (default:200)");?></td> + </tr> + <tr> + <td width="22" class="vncellt" valign="top" > + <select name="pfb_sortcolumn" id="pfb_sortcolumn" class="formselect" title="The Column to be sorted" > + <?php + $pfbsort = array( 'none' => 'None', 'alias' => 'Alias', 'count' => 'Count', + 'packets' => 'Packets', 'updated' => 'Updated' + ); + foreach ($pfbsort as $sort => $sorttype): ?> + <option value="<?=$sort; ?>" <?php if ($sort == $pfb['sortcolumn']) echo 'selected'; ?> ><?=$sorttype; ?></option> + <?php endforeach; ?> + </select></td> + <td width="78%" class="listr" ><?=gettext("Enter Sort Column");?></td> + </tr> + </table> -// Report any Failed Downloads -$results = array(); -$fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results); + <table id="widgettablesummary" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="92%" class="vncellt" > <?=gettext("Sort");?> + <input name="pfb_sortdir" type="radio" value="asc" <?php if ($pfb['sortdir'] == "asc") echo 'checked'; ?> /> + <?=gettext("Ascending");?> + <input name="pfb_sortdir" type="radio" value="des" <?php if ($pfb['sortdir'] == "des") echo 'checked'; ?> /> + <?=gettext("Descending");?></td> + <td width="8%" class="vncellt" valign="top" ><input id="pfb_submit" name="pfb_submit" type="submit" class="formbtns" value="Save" /></td> + </tr> + </table> + </form> + </div> -// Print widget Status Bar Items -?> + <!-- Print widget status bar items 
--> <div class="marinarea"> - <table border="0" cellspacing="0" cellpadding="0"> + <table id="pfb_table" border="0" cellspacing="0" cellpadding="0"> <thead> <tr> <td valign="middle"> <img src="<?= $pfb_status ?>" width="13" height="13" border="0" title="<?=gettext($pfb_msg) ?>" alt="" /></td> @@ -187,12 +405,14 @@ $fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results) <?=gettext(" Supp:"); echo(" <strong>" . $pfbsupp_cnt . "</strong>"); ?> <?php endif; ?></td> <td valign="middle"> </td> - <td valign="top"><a href="pfblockerng/pfblockerng_log.php"><img src="/themes/<?=$g['theme']; ?>/images/icons/icon_logs.gif" width="13" height="13" border="0" title="<?=gettext("View pfBlockerNG Logs TAB") ?>" alt="" /></a> + <td valign="top"><a href="pfblockerng/pfblockerng_log.php"><img src="/themes/<?=$g['theme']; ?>/images/icons/icon_logs.gif" + width="13" height="13" border="0" title="<?=gettext("View pfBlockerNG Logs TAB") ?>" alt="" /></a> <td valign="top"> <?php if (!empty($results)): ?> <!--Hide "Ack" Button when Failed Downloads are Empty--> <form action="/widgets/widgets/pfblockerng.widget.php" method="post" name="widget_pfblockerng_ack"> <input type="hidden" value="clearack" name="pfblockerngack" /> - <input class="vexpl" type="image" name="pfblockerng_ackbutton" src="/themes/<?=$g['theme']; ?>/images/icons/icon_x.gif" width="14" height="14" border="0" title="<?=gettext("Clear Failed Downloads") ?>"/> + <input class="vexpl" type="image" name="pfblockerng_ackbutton" src="/themes/<?=$g['theme']; ?>/images/icons/icon_x.gif" + width="14" height="14" border="0" title="<?=gettext("Clear Failed Downloads") ?>"/> </form> <?php endif; ?> </td> 
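Review bot: The settings form prints `$pfb['maxfails']` and `$pfb['maxpivot']` into `value=""` attributes as `<?= $pfb['maxfails'] ?>` without escaping; they come from the saved widget settings (the save handler is outside this hunk), so a stored value containing a quote breaks out of the attribute. Use `value="<?=htmlspecialchars($pfb['maxfails']); ?>"` and the same for `maxpivot`, and reject non-numeric values on save so the later `$counter > $pfb['maxfails']` and `$values['packets'] > $pfb['maxpivot']` comparisons are never made against arbitrary strings. Two small things in the same table: the `title` on the maxfails input reads "Tha maximum", and the sort-column cell has `width="22"` where the other rows use `width="22%"`.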
@@ -205,76 +425,53 @@ $fails = exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results) <tbody id="pfb-fails"> <?php -if ("{$pfb['pfsenseversion']}" > '2.0') { - $alertRowEvenClass = "listMReven"; - $alertRowOddClass = "listMRodd"; - $alertColClass = "listMRr"; -} else { - $alertRowEvenClass = "listr"; - $alertRowOddClass = "listr"; - $alertColClass = "listr"; -} - -# Last errors first -$results = array_reverse($results); - +// Report any failed downloads $counter = 0; -# Max errors to display -$maxfailcount = 3; if (!empty($results)) { foreach ($results as $result) { - $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass; - if (!isset(${$alias})) { ${$alias} = "-";} - echo(" <tr class='" . $alertRowClass . "'><td class='" . $alertColClass . "'>" . $result . "</td><tr>"); + $RowClass = $counter % 2 ? $pfb['RowEvenClass'] : $pfb['RowOddClass']; + echo(" <tr " . $RowClass . "><td class='" . $pfb['ColClass'] . "'>" . $result . "</td><tr>"); $counter++; - if ($counter > $maxfailcount) { - # To many errors stop displaying - echo(" <tr class='" . $alertRowClass . "'><td class='" . $alertColClass . "'>" . (count($results) - $maxfailcount) . " more error(s)...</td><tr>"); + if ($counter > $pfb['maxfails']) { + // To many errors stop displaying + echo(" <tr " . $RowClass . "><td class='" . $pfb['ColClass'] . "'>" . (count($results) - $pfb['maxfails']) . 
" more error(s)...</td><tr>"); break; } } } -// Print Main Table Header ?> + <!-- Print main table header --> </tbody> </table> - <table id="pfb-tbl" width="100%" border="0" cellspacing="0" cellpadding="0"> + <table id="pfb-tbl" width="100%" class="sortable" border="0" cellspacing="0" cellpadding="0"> <thead> - <tr> - <th class="widgetsubheader" align="center"><?=gettext("Alias");?></th> - <th title="The count can be a mixture of Single IPs or CIDR values" class="widgetsubheader" align="center"><?=gettext("Count");?></th> - <th title="Packet Counts can be cleared by the pfSense filter_configure() function. Make sure Rule Descriptions start with 'pfB_'" class="widgetsubheader" align="center"><?=gettext("Packets");?></th> - <th title="Last Update (Date/Time) of the Alias " class="widgetsubheader" align="center"><?=gettext("Updated");?></th> - <th class="widgetsubheader" align="center"><?php echo $out; ?><?php echo $in; ?></th> + <tr class="sortableHeaderRowIdentifier"> + <th class="widgetsubheader" axis="string" align="center"><?=gettext("Alias");?></th> + <th title="The count can be a mixture of Single IPs or CIDR values" class="widgetsubheader" axis="string" + align="center"><?=gettext("Count");?></th> + <th title="Packet Counts can be cleared by the pfSense filter_configure() function. Make sure Rule Descriptions start with 'pfB_'" + class="widgetsubheader" axis="string" align="center"><?=gettext("Packets");?></th> + <th title="Last Update (Date/Time) of the Alias " class="widgetsubheader" axis="string" align="center"><?=gettext("Updated");?></th> + <th class="widgetsubheader" axis="string" align="center"><?php echo $pfb['down']; ?><?php echo $pfb['up']; ?></th> </tr> </thead> <tbody id="pfbNG-entries"> -<?php -// Print Main Table Body -$pfb_table = pfBlockerNG_get_counts(); -$counter=0; -if (is_array($pfb_table)) { - foreach ($pfb_table as $alias => $values) { - $evenRowClass = $counter % 2 ? 
" listMReven" : " listMRodd"; - if (!isset(${$alias})) { ${$alias} = "-";} - echo(" <tr class='" . $evenRowClass . "'> - <td class='listMRr ellipsis'>{$alias}</td> - <td class='listMRr' align='center'>{$values['count']}</td> - <td class='listMRr' align='center'>{${$alias}}</td> - <td class='listMRr' align='center'>{$values['up']}</td> - <td class='listMRr' align='center'>{$values['img']}</td> - </tr>"); - $counter++; - } -} -?> +<!-- Print main table body, subsequent refresh by javascript function --> +<?php pfBlockerNG_get_table(); ?> + </tbody> </table> <script type="text/javascript"> //<![CDATA[ - var pfBlockerNGupdateDelay = 10000; // update every 10000 ms +<!-- update every 10000 ms --> + var pfBlockerNGupdateDelay = 10000; + +<!-- needed to display the widget settings menu --> + selectIntLink = "pfblockerng-configure"; + textlink = document.getElementById(selectIntLink); + textlink.style.display = "inline"; //]]> </script>
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml index 67deab8d..218b22e1 100644 --- a/config/pfblockerng/pfblockerng.xml +++ b/config/pfblockerng/pfblockerng.xml @@ -49,9 +49,10 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>pfblockerng</name> - <version>1.08</version> + <version>1.09</version> <title>pfBlockerNG: General Settings</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save General Settings</addedit_string> <menu> <name>pfBlockerNG</name> <configfile>pfblockerng.xml</configfile> 
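Review bot: Both `echo` lines in the failed-downloads loop close each row with `<tr>` instead of `</tr>`, so every entry opens an extra empty row inside `<tbody id="pfb-fails">`; since these lines are rewritten here, the tag should be corrected with them. The truncation is also off by one: the loop breaks only once `$counter > $pfb['maxfails']`, i.e. after printing maxfails + 1 rows, yet the trailer reports `count($results) - $pfb['maxfails']` more and prints "0 more error(s)" when the count equals the limit; `if ($counter >= $pfb['maxfails'] && count($results) > $counter) {` fixes both. `$result` is a raw error.log line echoed unescaped into the cell, so emit it as `htmlspecialchars($result)`. In the script block, `<!-- update every 10000 ms -->` only works because of the legacy HTML-like comment rule for classic scripts; plain `//` comments are the right form inside JavaScript.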
@@ -219,45 +220,83 @@ <field> <fielddescr>LINKS</fielddescr> <fieldname></fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]></description> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + </description> <type>info</type> </field> <field> - <fielddescr><![CDATA[<strong>Enable pfBlockerNG</strong>]]></fielddescr> + <fielddescr>Enable pfBlockerNG</fielddescr> <fieldname>enable_cb</fieldname> <type>checkbox</type> - <description><![CDATA[Note - with "Keep settings" enabled, pfBlockerNG will maintain run state on Installation/Upgrade<br /> - If "Keep Settings" is not "enabled" on pkg Install/De-Install, all Settings will be Wiped!]]></description> + <description><![CDATA[<div style="padding-right: 56px;">Enable/Disable</div>]]></description> + <usecolspan2/> + <combinefields>begin</combinefields> </field> <field> - <fielddescr><![CDATA[<strong>Keep Settings</strong>/Lists After Disable/Re-Install/De-Install]]></fielddescr> <fieldname>pfb_keep</fieldname> <type>checkbox</type> - <description>Keep Settings and Lists intact when pfBlockerNG is Disabled or After pfBlockerNG Re-Install/De-Install</description> + <description><![CDATA[Keep Settings: <br /><font color='red'>Note:</font> - with 'Keep settings' enabled, pfBlockerNG will maintain run state + on Installation/Upgrade<br />If 'Keep Settings' is not 'enabled' on pkg Install/De-Install, all Settings will be Wiped!<br /><br /> + <font color='red'>Note: </font>To clear all downloaded lists, uncheck these two checkboxes and 'Save'. 
+ re-check both boxes and run a 'Force Update']]> + </description> <default_value>on</default_value> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fielddescr>CRON Settings</fielddescr> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Hour Interval</fielddescr> + <fieldname>pfb_interval</fieldname> + <description><![CDATA[Default: <strong>Every hour</strong><br /> + Select the cron Hour Interval. The interval selected will be used with the Start min/hour below.<br /> + <strong>Ensure that all List 'Update Settings' are within the selected Interval/Start Hour Settings.</strong>]]> + </description> + <type>select</type> + <options> + <option><name>Every hour</name><value>1</value></option> + <option><name>Every 2 hours</name><value>2</value></option> + <option><name>Every 3 hours</name><value>3</value></option> + <option><name>Every 4 hours</name><value>4</value></option> + <option><name>Every 6 hours</name><value>6</value></option> + <option><name>Every 8 hours</name><value>8</value></option> + <option><name>Every 12 hours</name><value>12</value></option> + <option><name>Once a day</name><value>24</value></option> + </options> + <default_value>1</default_value> + <combinefields/> </field> <field> - <fielddescr>CRON MIN Start Time</fielddescr> + <fielddescr>Start Min</fielddescr> <fieldname>pfb_min</fieldname> - <description><![CDATA[Default: <strong> : 00</strong><br /> - Select Cron Update Minute ]]></description> + <description><![CDATA[Default: <strong>:00</strong><br /> + Select Cron Update Minute]]> + </description> <type>select</type> <options> - <option><name> : 00</name><value>0</value></option> - <option><name> : 15</name><value>15</value></option> - <option><name> : 30</name><value>30</value></option> - <option><name> : 45</name><value>45</value></option> + <option><name>: 00</name><value>0</value></option> + <option><name>: 15</name><value>15</value></option> + <option><name>: 
30</name><value>30</value></option> + <option><name>: 45</name><value>45</value></option> </options> + <default_value>0</default_value> + <combinefields/> </field> <field> - <fielddescr>CRON Base Hour Start Time</fielddescr> + <fielddescr>Start Hour</fielddescr> <fieldname>pfb_hour</fieldname> - <description><![CDATA[Default: <strong> 1 </strong><br /> - Select Cron Base Start Hour ]]></description> + <description><![CDATA[Default: <strong>0</strong><br /> + Select the Start Hour]]> + </description> <type>select</type> <options> - <option><name>1</name><value>0</value></option> - <option><name>0</name><value>1</value></option> + <option><name>0</name><value>0</value></option> + <option><name>1</name><value>1</value></option> <option><name>2</name><value>2</value></option> <option><name>3</name><value>3</value></option> <option><name>4</name><value>4</value></option> @@ -281,17 +320,17 @@ <option><name>22</name><value>22</value></option> <option><name>23</name><value>23</value></option> </options> + <default_value>0</default_value> + <combinefields/> </field> <field> - <fielddescr>'Daily/Weekly' Start Hour</fielddescr> + <fielddescr><![CDATA['Daily/Weekly'<br />Start Hour]]></fielddescr> <fieldname>pfb_dailystart</fieldname> - <description><![CDATA[Default: <strong> 1 </strong><br /> - Select 'Daily' Schedule Start Hour <br /> - This is used for the 'Daily/Weekly' Scheduler Only.]]></description> + <description><![CDATA[Default: <strong>0</strong><br />This is used for the 'Daily/Weekly' Scheduler Only.]]></description> <type>select</type> <options> - <option><name>1</name><value>0</value></option> - <option><name>0</name><value>1</value></option> + <option><name>0</name><value>0</value></option> + <option><name>1</name><value>1</value></option> <option><name>2</name><value>2</value></option> <option><name>3</name><value>3</value></option> <option><name>4</name><value>4</value></option> 
@@ -315,6 +354,8 @@ <option><name>22</name><value>22</value></option> <option><name>23</name><value>23</value></option> </options> + <default_value>0</default_value> + <combinefields>end</combinefields> </field> <field> <fielddescr>Enable De-Duplication</fielddescr> @@ -327,17 +368,20 @@ <fieldname>suppression</fieldname> <type>checkbox</type> <description><![CDATA[This will prevent Selected IPs from being Blocked. Only for IPv4 Lists (/32 and /24).<br /> - Country Blocking Lists cannot be Suppressed.<br /> - This will also remove any RFC1918 addresses from all Lists.<br /><br /> + Country Blocking Lists cannot be Suppressed.<br />This will also remove any RFC1918 addresses from all Lists.<br /><br /> Alerts can be Suppressed using the '+' icon in the Alerts Tab and IPs added to the 'pfBlockerNGSuppress' Alias<br /> - A Blocked IP in a CIDR other than /24 will need to be Suppressed by an 'Permit Outbound' Firewall Rule]]> + A Blocked IP in a CIDR other than /32 or /24 will need a 'Whitelist Alias' w/ List Action: 'Permit Outbound' Firewall Rule + <br />Do not use the pfBlockerNGSuppress Alias in a Firewall Rule. + This alias is used during the cron download process only.]]> </description> </field> <field> <fielddescr>Global Enable Logging</fielddescr> <fieldname>enable_log</fieldname> <type>checkbox</type> - <description>Enable Global Logging to Status: System Logs: FIREWALL ( Log ). This overrides any Log Settings in the Alias Tabs.</description> + <description><![CDATA[Firewall Rule logging - Enable Global Logging to [ Status: System Logs: FIREWALL Log ]<br /> + This overrides any Log Settings in the Alias Tabs.]]> + </description> </field> <field> <fielddescr>Disable MaxMind Country Database CRON Updates</fielddescr> 
@@ -350,8 +394,9 @@ <field> <fielddescr>Logfile Size</fielddescr> <fieldname>log_maxlines</fieldname> - <description><![CDATA[Default:<strong>20000</strong><br /> - Select number of Lines to Keep in Log File]]></description> + <description><![CDATA[Default: <strong>20000</strong><br /> + Select number of Lines to keep in the pfblockerng.log and dnsbl.log files]]> + </description> <type>select</type> <options> <option><name>20000</name><value>20000</value></option> 
@@ -361,72 +406,89 @@ <option><name>100000</name><value>100000</value></option> <option><name>No Limit</name><value>nolimit</value></option> </options> + <default_value>20000</default_value> </field> <field> - <name><![CDATA[Interface/Rules Configuration]]> </name> + <name><![CDATA[Interface/Rules Configuration]]></name> <type>listtopic</type> </field> <field> - <fielddescr>Inbound Interface(s)</fielddescr> + <fielddescr>Inbound Firewall Rules</fielddescr> + <combinefields>begin</combinefields> + </field> + <field> <fieldname>inbound_interface</fieldname> + <fielddescr>Interface(s)</fielddescr> <description>Select the Inbound interface(s) you want to Apply Auto Rules to</description> <type>interfaces_selection</type> <hideinterfaceregex>loopback</hideinterfaceregex> <required/> <multiple/> + <combinefields/> </field> <field> - <fielddescr> - Rule Action</fielddescr> + <fielddescr>Rule Action</fielddescr> <fieldname>inbound_deny_action</fieldname> - <description><![CDATA[Default:<strong>Block</strong><br /> - Select 'Rule Action' for Inbound Rules]]></description> + <description><![CDATA[Default: <strong>Block</strong><br />Select 'Rule Action' for Inbound Rules]]></description> <type>select</type> <options> <option><name>Block</name><value>block</value></option> <option><name>Reject</name><value>reject</value></option> </options> + <default_value>block</default_value> + <required/> + <combinefields>end</combinefields> </field> <field> - <fielddescr>Outbound Interface(s)</fielddescr> + <fielddescr>Outbound Firewall Rules</fielddescr> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Interface(s)</fielddescr> <fieldname>outbound_interface</fieldname> <description>Select the Outbound interface(s) you want to Apply Auto Rules to</description> <type>interfaces_selection</type> <hideinterfaceregex>loopback</hideinterfaceregex> <required/> <multiple/> + <combinefields/> </field> <field> - <fielddescr> - Rule Action</fielddescr> + <fielddescr>Rule 
Action</fielddescr> <fieldname>outbound_deny_action</fieldname> - <description><![CDATA[Default:<strong>Reject</strong><br /> - Select 'Rule Action' for Outbound rules]]></description> + <description><![CDATA[Default: <strong>Reject</strong><br />Select 'Rule Action' for Outbound rules]]></description> <type>select</type> <options> <option><name>Reject</name><value>reject</value></option> <option><name>Block</name><value>block</value></option> </options> + <default_value>reject</default_value> + <required/> + <combinefields>end</combinefields> </field> <field> - <fielddescr><![CDATA[<strong>OpenVPN Interface</strong>]]></fielddescr> + <fielddescr>OpenVPN Interface</fielddescr> <fieldname>openvpn_action</fieldname> <type>checkbox</type> <description>Select to add Auto-Rules for OpenVPN. These will be added to 'Floating Rules' or OpenVPN Rules Tab.</description> </field> <field> - <fielddescr><![CDATA[<strong>Floating Rules</strong>]]></fielddescr> + <fielddescr>Floating Rules</fielddescr> <fieldname>enable_float</fieldname> <type>checkbox</type> - <description><![CDATA[<strong>Enabled: </strong> Auto-Rules will be generated in the 'Floating Rules' Tab<br /><br /> + <description><![CDATA[<strong>Enabled:</strong> Auto-Rules will be generated in the 'Floating Rules' Tab<br /><br /> <strong>Disabled:</strong> Auto-Rules will be generated in the Selected Inbound/Outbound Interfaces<br /><br /> - <strong>Rules will be ordered by the selection below.</strong>]]></description> + <strong>Rules will be ordered by the selection below.</strong>]]> + </description> </field> <field> - <fielddescr><![CDATA[<strong>Rule Order</strong>]]></fielddescr> + <fielddescr>Rule Order</fielddescr> <fieldname>pass_order</fieldname> - <description><![CDATA[<br />Default Order: <strong> | pfB_Block/Reject | All other Rules | (original format)<br /></strong><br /> + <description><![CDATA[<br />Default Order:<strong> | pfB_Block/Reject | All other Rules | (original format)<br /></strong><br /> 
Select The '<strong>Order</strong>' of the Rules<br /> Selecting 'original format', sets pfBlockerNG rules at the top of the Firewall TAB.<br /> - Selecting any other 'Order' will re-order <strong>all the Rules to the format indicated!</strong>]]></description> + Selecting any other 'Order' will re-order <strong>all the Rules to the format indicated!</strong>]]> + </description> <type>select</type> <options> <option><name>| pfB_Block/Reject | All other Rules | (original format)</name><value>order_0</value></option> 
@@ -434,48 +496,48 @@ <option><name>| pfB_Pass/Match | pfSense Pass/Match | pfB_Block/Reject |</name><value>order_2</value></option> <option><name>| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match |</name><value>order_3</value></option> </options> + <default_value>order_0</default_value> </field> <field> - <fielddescr><![CDATA[<strong>Auto Rule Suffix</strong>]]></fielddescr> + <fielddescr>Auto Rule Suffix</fielddescr> <fieldname>autorule_suffix</fieldname> - <description><![CDATA[Default:<strong>auto rule</strong><br /> - Select 'Auto Rule' Description Suffix for Auto Defined rules. pfBlockerNG Must be Disabled to Modify Suffix]]></description> + <description><![CDATA[Default: <strong>auto rule</strong><br /> + Select 'Auto Rule' Description Suffix for Auto Defined rules. pfBlockerNG Must be Disabled to Modify Suffix]]> + </description> <type>select</type> <options> <option><name>auto rule</name><value>autorule</value></option> <option><name>Null (no suffix)</name><value>standard</value></option> <option><name>AR</name><value>ar</value></option> </options> + <default_value>autorule</default_value> </field> <field> - <name><![CDATA[Acknowledgements]]> </name> + <name><![CDATA[Acknowledgements]]></name> <type>listtopic</type> </field> <field> <fielddescr>Credits</fielddescr> <fieldname>credits</fieldname> <type>info</type> - <description><![CDATA[<strong> - pfBlockerNG</strong> Created in 2015 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a> - <br /><br />Based upon pfBlocker by Marcello Coutinho and Tom Schaefer.<br /> + <description><![CDATA[<strong>pfBlockerNG </strong> + Created in 2015 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a><br /><br /> + Based upon pfBlocker by Marcello Coutinho and Tom Schaefer.<br /> Country Database GeoLite distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License by: MaxMind Inc. 
@ <a target=_new href='http://www.maxmind.com'>MaxMind.com</a>. - The Database is Automatically Updated the First Tuesday of Each Month]]></description> - </field> - <field> - <fielddescr>pfBlocker Validation Check</fielddescr> - <fieldname>pfblocker_cb</fieldname> - <type>checkbox</type> - <description>Disable pfBlockerNG if the pfBlocker package is Enabled. Click to Disable this validation check.</description> + The Database is Automatically Updated the First Tuesday of Each Month]]> + </description> </field> <field> - <fielddescr>Gold Membership</fielddescr> + <fielddescr>Support</fielddescr> <type>info</type> - <description><![CDATA[If you like this package, please Support pfSense by subscribing to a <a target=_new href='https://portal.pfsense.org/gold-subscription.php'>Gold Membership</a><br /> or support the developer @ BBCan177@gmail.com]]></description> + <description><![CDATA[This package has been developed by BBcan177.<br /> + If you like this package, please support the developer @ BBCan177@gmail.com.]]> + </description> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]></name> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> @@ -493,4 +555,4 @@ $pfb['save'] = TRUE; sync_package_pfblockerng(); </custom_php_resync_config_command> -</packagegui> +</packagegui>
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index 0b251295..bfb15c07 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php @@ -57,7 +57,7 @@ if (isset($_REQUEST['getpfhostname'])) { require_once("util.inc"); require_once("guiconfig.inc"); require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc"); -global $rule_list; +global $rule_list, $pfb_localsub; pfb_global(); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); @@ -69,26 +69,25 @@ if ($pfs_version == "2.2") { } // Application Paths -$pathgeoip = $prefix . "/bin/geoiplookup"; -$pathgeoip6 = $prefix . "/bin/geoiplookup6"; +$pathgeoip = "{$prefix}/bin/geoiplookup"; +$pathgeoip6 = "{$prefix}/bin/geoiplookup6"; // Define File Locations $filter_logfile = "{$g['varlog_path']}/filter.log"; -$pathgeoipdat = $prefix . "/share/GeoIP/GeoIP.dat"; -$pathgeoipdat6 = $prefix . "/share/GeoIP/GeoIPv6.dat"; - -// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package) -$pfb['filterlogentries'] = FALSE; +$pathgeoipdat = "{$prefix}/share/GeoIP/GeoIP.dat"; +$pathgeoipdat6 = "{$prefix}/share/GeoIP/GeoIPv6.dat"; // Emerging Threats IQRisk Header Name Reference $pfb['et_header'] = TRUE; $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header']; -if (empty($et_header)) +if (empty($et_header)) { $pfb['et_header'] = FALSE; +} // Collect pfBlockerNGSuppress Alias and Create pfbsuppression.txt -if ($pfb['supp'] == "on") +if ($pfb['supp'] == "on") { pfb_create_suppression_file(); +} // Collect Number of Suppressed Hosts if (file_exists("{$pfb['supptxt']}")) { 
@@ -97,62 +96,88 @@ if (file_exists("{$pfb['supptxt']}")) { $pfbsupp_cnt = 0; } -// Collect pfBlockerNG Rule Names and Number -$rule_list = array(); -$results = array(); -$data = exec ("/sbin/pfctl -vv -sr | grep 'pfB_'", $results); - -if (!isset($config['installedpackages']['pfblockerngglobal']['pfbdenycnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = '25'; -if (!isset($config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = '5'; -if (!isset($config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = '5'; -if (empty($config['installedpackages']['pfblockerngglobal']['alertrefresh'])) - $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = 'off'; -if (empty($config['installedpackages']['pfblockerngglobal']['hostlookup'])) - $config['installedpackages']['pfblockerngglobal']['hostlookup'] = 'off'; +$pfb['global'] = &$config['installedpackages']['pfblockerngglobal']; -if (isset($_POST['save'])) { - if (!is_array($config['installedpackages']['pfblockerngglobal'])) - $config['installedpackages']['pfblockerngglobal'] = array(); - $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = $_POST['alertrefresh'] ? 'on' : 'off'; - $config['installedpackages']['pfblockerngglobal']['hostlookup'] = $_POST['hostlookup'] ? 
'on' : 'off'; - if (is_numeric($_POST['pfbdenycnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = $_POST['pfbdenycnt']; - if (is_numeric($_POST['pfbpermitcnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = $_POST['pfbpermitcnt']; - if (is_numeric($_POST['pfbmatchcnt'])) - $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = $_POST['pfbmatchcnt']; +if (!isset($pfb['global']['pfbdenycnt'])) { + $pfb['global']['pfbdenycnt'] = '25'; +} +if (!isset($pfb['global']['pfbpermitcnt'])) { + $pfb['global']['pfbpermitcnt'] = '5'; +} +if (!isset($pfb['global']['pfbmatchcnt'])) { + $pfb['global']['pfbmatchcnt'] = '5'; +} +if (!isset($pfb['global']['pfbdnscnt'])) { + $pfb['global']['pfbdnscnt'] = '5'; +} +if (empty($pfb['global']['alertrefresh'])) { + $pfb['global']['alertrefresh'] = 'off'; +} +if (empty($pfb['global']['hostlookup'])) { + $pfb['global']['hostlookup'] = 'off'; +} +if (isset($_POST['save'])) { + if (!is_array($pfb['global'])) { + $pfb['global'] = array(); + } + $pfb['global']['alertrefresh'] = $_POST['alertrefresh'] ? 'on' : 'off'; + $pfb['global']['hostlookup'] = $_POST['hostlookup'] ? 'on' : 'off'; + if (is_numeric($_POST['pfbdenycnt'])) { + $pfb['global']['pfbdenycnt'] = $_POST['pfbdenycnt']; + } + if (is_numeric($_POST['pfbpermitcnt'])) { + $pfb['global']['pfbpermitcnt'] = $_POST['pfbpermitcnt']; + } + if (is_numeric($_POST['pfbmatchcnt'])) { + $pfb['global']['pfbmatchcnt'] = $_POST['pfbmatchcnt']; + } + if (is_numeric($_POST['pfbdnscnt'])) { + $pfb['global']['pfbdnscnt'] = $_POST['pfbdnscnt']; + } write_config("pfBlockerNG pkg: updated ALERTS tab settings."); header("Location: " . 
$_SERVER['PHP_SELF']); exit; } -if (is_array($config['installedpackages']['pfblockerngglobal'])) { - $alertrefresh = $config['installedpackages']['pfblockerngglobal']['alertrefresh']; - $hostlookup = $config['installedpackages']['pfblockerngglobal']['hostlookup']; - $pfbdenycnt = $config['installedpackages']['pfblockerngglobal']['pfbdenycnt']; - $pfbpermitcnt = $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt']; - $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']; +if (is_array($pfb['global'])) { + $alertrefresh = $pfb['global']['alertrefresh']; + $hostlookup = $pfb['global']['hostlookup']; + $pfbdenycnt = $pfb['global']['pfbdenycnt']; + $pfbpermitcnt = $pfb['global']['pfbpermitcnt']; + $pfbmatchcnt = $pfb['global']['pfbmatchcnt']; + $pfbdnscnt = $pfb['global']['pfbdnscnt']; +} + + +// Define Alerts Log filter Rollup window variable and collect Widget Alert Pivot details +if (isset($_REQUEST['rule'])) { + $filterfieldsarray[0] = $_REQUEST['rule']; + $pfbdenycnt = $pfbpermitcnt = $pfbmatchcnt = $_REQUEST['entries']; + $pfb['filterlogentries'] = TRUE; +} +else { + $pfb['filterlogentries'] = FALSE; } function pfb_match_filter_field($flent, $fields) { foreach ($fields as $key => $field) { - if ($field == null) + if ($field == null) { continue; + } if ((strpos($field, '!') === 0)) { $field = substr($field, 1); $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); - if (@preg_match("/{$field_regex}/i", $flent[$key])) + if (@preg_match("/{$field_regex}/i", $flent[$key])) { return false; + } } else { $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); - if (!@preg_match("/{$field_regex}/i", $flent[$key])) + if (!@preg_match("/{$field_regex}/i", $flent[$key])) { return false; + } } } return true; 
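Review bot: The pivot block at the end of the hunk copies `$_REQUEST['rule']` and `$_REQUEST['entries']` straight into the filter fields and the row counts with no validation, while the POST save path just above it at least gates the counts with `is_numeric()`. The rule value appears to reach `pfb_match_filter_field`, which runs each field as a regex under `@preg_match`, so a malformed or pathological pattern either silently matches nothing or is expensive to evaluate; the widget only ever sends `\w` rule names joined by `|`, so that shape can be enforced. I would change the guard to `if (isset($_REQUEST['rule']) && preg_match('/^[\w|]+$/', $_REQUEST['rule'])) {` and the count line to `$pfbdenycnt = $pfbpermitcnt = $pfbmatchcnt = ctype_digit((string)$_REQUEST['entries']) ? (int)$_REQUEST['entries'] : $pfbdenycnt;`, keeping the configured counts when `entries` is not a plain integer. The same `ctype_digit` check would suit the four `is_numeric($_POST[...])` saves, since `is_numeric` also accepts `-5` and `1e3`. `pfb_match_filter_field` begins in this hunk but its closing brace is outside it.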
@@ -185,23 +210,22 @@ if ($_POST['filterlogentries_clear']) { } -// Collect pfBlockerNG Firewall Rules +// Collect pfBlockerNG Rule Names and Number +$rule_list = array(); +exec("/sbin/pfctl -vv -sr | grep 'pfB_'", $results); if (!empty($results)) { foreach ($results as $result) { - # Find Rule Descriptions + // Find Rule Descriptions $descr = ""; - if (preg_match("/USER_RULE: (\w+)/",$result,$desc)) + if (preg_match("/USER_RULE: (\w+)/",$result,$desc)) { $descr = $desc[1]; - - if ($pfb['pfsenseversion'] >= '2.2') { - preg_match ("/@(\d+)\(/",$result, $rule); - } else { - preg_match ("/@(\d+)\s/",$result, $rule); } + preg_match ("/@(\d+)\(/",$result, $rule); + $id = $rule[1]; - # Create array of Rule Description and pfctl Rule Number + // Create array of Rule Description and pfctl Rule Number $rule_list['id'][] = $id; $rule_list[$id]['name'] = $descr; } @@ -291,8 +315,9 @@ if (isset($_POST['addsuppress'])) { } // Call Function to Create Suppression Alias if not found. - if (!$pfb['found']) + if (!$pfb['found']) { pfb_create_suppression_alias(); + } // Save New Suppress IP to pfBlockerNGSuppress Alias if (in_array($ip . '/' . $cidr, $pfb_sup_list)) { @@ -332,12 +357,13 @@ if (isset($_POST['addsuppress'])) { if ($pfb['found'] || $pfb['update']) { // Save all Changes to pfsense config file - write_config(); + write_config("pfBlockerNG: Added {$ip} to IP Suppress List"); } } } } + // Host Resolve Function lookup function getpfbhostname($type = 'src', $hostip, $countme = 0) { $hostnames['src'] = ''; 
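Review bot: `$id = $rule[1];` is now read unconditionally after `preg_match ("/@(\d+)\(/",$result, $rule);`, so any pfctl line that carries a `pfB_` description but no `@N(` token produces an undefined-index notice and pushes a null id into `$rule_list['id']`, which is then used as an array key for `$rule_list[$id]['name']`. The old code was equally unchecked, but with the version branch removed this is the single place to guard it: `if (!preg_match("/@(\d+)\(/", $result, $rule)) { continue; }` before `$id = $rule[1];`. A comment stating that the `@N(` form is the pfSense 2.2+ `pfctl -vv -sr` layout would also record why the alternate `@N ` pattern was dropped.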
@@ -347,10 +373,18 @@ function getpfbhostname($type = 'src', $hostip, $countme = 0) { } -// Determine if Alert Host 'Dest' is within the Local Lan IP Range. -function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") { - $result = check_subnets_overlap($lan_ip, $lan_mask, $dest_ip, $dest_mask); - return $result; +// For subnet addresses - Determine if Alert Host 'Dest' is within a Local IP Range. +function ip_in_pfb_localsub($subnet) { + global $pfb_localsub; + + if (!empty($pfb_localsub)) { + foreach ($pfb_localsub as $line) { + if (ip_in_subnet($subnet, $line)) { + return true; + } + } + } + return false; } @@ -373,16 +407,18 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi $pfbalert = array(); $log_split = ""; - if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split)) + if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split)) { continue; + } list($all, $pfbalert[99], $host, $rule) = $log_split; $rule_data = explode(",", $rule); $pfbalert[0] = $rule_data[0]; // Rulenum // Skip Alert if Rule is not a pfBNG Alert - if (!in_array($pfbalert[0], $rule_list['id'])) + if (!in_array($pfbalert[0], $rule_list['id'])) { continue; + } $pfbalert[1] = $rule_data[4]; // Realint $pfbalert[3] = $rule_data[6]; // Act @@ -415,8 +451,9 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi } // Skip Repeated Alerts - if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) + if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) { continue; + } $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags 
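Review bot: `ip_in_pfb_localsub($subnet)` is undocumented and its parameter name is misleading: the only caller in this diff passes a single host address (`$fields[8]`, the alert's destination IP) and tests it against the `$pfb_localsub` global, which is populated later in the page inside the `$pfb['runonce']` block. Suggest a header comment such as `// Returns true if $subnet (a host IP such as the alert destination) lies inside any CIDR in the global $pfb_localsub; false when that array is empty or not yet built.` and renaming the parameter to `$ip` (callers pass it positionally). Because the function silently returns false when the global is unset, a call made before the collection block classifies every destination as external, which is worth stating in the comment.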
@@ -474,12 +511,14 @@ include_once("head.inc"); include_once("fbegin.inc"); /* refresh every 60 secs */ -if ($alertrefresh == 'on') +if ($alertrefresh == 'on') { echo "<meta http-equiv=\"refresh\" content=\"60;url={$_SERVER['PHP_SELF']}\" />\n"; +} if ($savemsg) { print_info_box($savemsg); } +$skipcount = 0; $counter = 0; ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> 
@@ -518,17 +557,22 @@ if ($savemsg) { <tr> <td width="10%" class="vncell"><?php echo gettext('Alert Settings'); ?></td> <td width="90%" class="vtable"> - <input name="pfbdenycnt" type="text" class="formfld unknown" id="pdbdenycnt" size="1" title="Enter the number of 'Deny' Alerts to Show" value="<?=htmlspecialchars($pfbdenycnt);?>"/> + <input name="pfbdenycnt" type="text" class="formfld unknown" id="pdbdenycnt" size="1" + title="Enter the number of 'Deny' Alerts to Show" value="<?=htmlspecialchars($pfbdenycnt);?>"/> <?php printf(gettext('%sDeny%s. ') , '<strong>', '</strong>'); ?> - <input name="pfbpermitcnt" type="text" class="formfld unknown" id="pdbpermitcnt" size="1" title="Enter the number of 'Permit' Alerts to Show" value="<?=htmlspecialchars($pfbpermitcnt);?>"/> + <input name="pfbpermitcnt" type="text" class="formfld unknown" id="pdbpermitcnt" size="1" + title="Enter the number of 'Permit' Alerts to Show" value="<?=htmlspecialchars($pfbpermitcnt);?>"/> <?php printf(gettext('%sPermit%s. 
'), '<strong>', '</strong>'); ?> - <input name="pfbmatchcnt" type="text" class="formfld unknown" id="pdbmatchcnt" size="1" title="Enter the number of 'Match' Alerts to Show" value="<?=htmlspecialchars($pfbmatchcnt); ?>"/> + <input name="pfbmatchcnt" type="text" class="formfld unknown" id="pdbmatchcnt" size="1" + title="Enter the number of 'Match' Alerts to Show" value="<?=htmlspecialchars($pfbmatchcnt); ?>"/> <?php printf(gettext('%sMatch%s.'), '<strong>', '</strong>'); ?> - <?php echo gettext(' Click to Auto-Refresh');?> <input name="alertrefresh" type="checkbox" value="on" title="Click to enable Auto-Refresh of this Tab once per minute" + <?php echo gettext(' Click to Auto-Refresh');?> <input name="alertrefresh" type="checkbox" value="on" + title="Click to enable Auto-Refresh of this Tab once per minute" <?php if ($config['installedpackages']['pfblockerngglobal']['alertrefresh']=="on") echo "checked"; ?>/> - <?php echo gettext(' Click to Auto-Resolve');?> <input name="hostlookup" type="checkbox" value="on" title="Click to enable Auto-Resolve of Hostnames. Country Blocks/Permit/Match Lists will not auto-resolve" + <?php echo gettext(' Click to Auto-Resolve');?> <input name="hostlookup" type="checkbox" value="on" + title="Click to enable Auto-Resolve of Hostnames. Country Blocks/Permit/Match Lists will not auto-resolve" <?php if ($config['installedpackages']['pfblockerngglobal']['hostlookup']=="on") echo "checked"; ?>/> <input name="save" type="submit" class="formbtns" value="Save" title="<?=gettext('Save settings');?>"/><br /> 
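Review bot: the two checkbox `checked` tests still read `$config['installedpackages']['pfblockerngglobal']['alertrefresh']` and `['hostlookup']`, while the rest of this commit moves the alerts settings to `$pfb['global']`, and the page already derives `$alertrefresh`/`$hostlookup` from it (the meta-refresh test uses `$alertrefresh == 'on'`). Unless `$pfb['global']` aliases that config node, the checkboxes will not reflect a freshly saved value; use the locals: `<?php if ($alertrefresh == "on") echo "checked"; ?>` and `<?php if ($hostlookup == "on") echo "checked"; ?>`. The same stale path appears in the `var autoresolve = ...` line of the JavaScript near the end of this file, which this commit leaves unchanged.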
@@ -542,7 +586,8 @@ if ($savemsg) { <tr id="filter_enable_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "table-row;";} else {echo "none;";} ?>"> <td width="10%" class="vncell"><?php echo gettext('Filter Options'); ?></td> <td width="90%" class="vtable"> - <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" /> + <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" + onclick="enable_showFilter();" /> <?=gettext("Click to display advanced filtering options dialog");?> </td> </tr> 
@@ -552,48 +597,67 @@ if ($savemsg) { <tr> <td valign="top"> <div align="center"><?=gettext("Date");?></div> - <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div> + <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" + type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div> </td> <td valign="top"> - <div align="center"><?=gettext("Interface");?></div> - <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div> + <div align="center"><?=gettext("Source IP Address");?></div> + <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" + type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div> </td> <td valign="top"> - <div align="center"><?=gettext("Rule Number Only");?></div> - <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div> + <div align="center"><?=gettext("Source Port");?></div> + <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" + type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div> </td> <td valign="top"> - <div align="center"><?=gettext("Protocol");?></div> - <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div> + <div align="center"><?=gettext("Interface");?></div> + <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" + type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div> </td> </tr> <tr> <td valign="top"> - <div 
align="center"><?=gettext("Source IP Address");?></div> - <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div> - </td> - <td valign="top"> - <div align="center"><?=gettext("Source Port");?></div> - <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div> + <div align="center"><?=gettext("Rule Number Only");?></div> + <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" + type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div> </td> <td valign="top"> <div align="center"><?=gettext("Destination IP Address");?></div> - <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div> + <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" + type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div> </td> <td valign="top"> <div align="center"><?=gettext("Destination Port");?></div> - <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div> + <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" + type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Protocol");?></div> + <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" + type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div> + </td> + <td valign="top" colspan="3"> + </td> </tr> - <td colspan="5" 
style="vertical-align:bottom"> - <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?> <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?> + <tr> + <td colspan="3" style="vertical-align:bottom"> + <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), ' + <a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?> + <?=gettext("Precede with exclamation (!) as first character to exclude match.) ");?> <br /><?printf(gettext("Example: ( ^80$ - Match Port 80, ^80$|^8080$ - Match both port 80 & 8080 ) "));?><br /> + </td> </tr> <tr> - <td colspan="1" style="vertical-align:bottom"> - <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" /> - <input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" /> - <input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div> + <td colspan="3" style="vertical-align:bottom"> + <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" + class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" /> + <input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" + class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" /> + <input id="filterlogentries_hide" name="filterlogentries_hide" type="button" + class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" + title="<?=gettext("Hide filter 
options");?>" /></div> </td> </tr> </table> @@ -601,7 +665,7 @@ if ($savemsg) { </tr> <!--Create Three Output Windows 'Deny', 'Permit' and 'Match'--> -<?php foreach (array ("Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): +<?php foreach (array ( "Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): switch($type) { case "Deny": $rtype = "block"; @@ -612,15 +676,16 @@ if ($savemsg) { $pfbentries = "{$pfbpermitcnt}"; break; case "Match": - if ($pfb['pfsenseversion'] >= '2.2') { - $rtype = "unkn(%u)"; - } else { - $rtype = "unkn(11)"; - } + $rtype = "unkn(%u)"; $pfbentries = "{$pfbmatchcnt}"; break; } + // Skip Table output if $pfbentries is zero. + if ($pfbentries == 0 && $skipcount != 2) { + $skipcount++; + continue; + } ?> <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> <tr> 
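Review bot: every filter input in the rebuilt form echoes its value raw, e.g. `value="<?= $filterfieldsarray[7] ?>"`, whereas the settings inputs above use `htmlspecialchars()`. `$filterfieldsarray[0]` is assigned directly from `$_REQUEST['rule']` earlier in the file and the other indexes presumably come from the filter POST, so request-supplied text is reflected unescaped into an attribute context. Escape each one, e.g. `value="<?=htmlspecialchars($filterfieldsarray[7]);?>"`, matching the style already used for `$pfbdenycnt`. The `<form>` and the surrounding table start outside this hunk.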
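Review bot: `if ($pfbentries == 0 && $skipcount != 2)` compares a string (`$pfbentries = "{$pfbmatchcnt}"`) loosely with an integer; when a count arrives empty (the pivot path at the top of the file copies `$_REQUEST['entries']` into all three counts without validation) `"" == 0` is true on PHP 5/7 but false on PHP 8, so the skip differs by PHP version. Cast explicitly: `if ((int)$pfbentries === 0 && $skipcount != 2) {`. The `$skipcount != 2` guard means a third zero-count table is still rendered; if that is deliberate (always show at least one window) a one-line comment should say so, since the existing comment only says zero-entry tables are skipped.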
@@ -660,30 +725,27 @@ if ($savemsg) { <?php $pfb['runonce'] = TRUE; -if (isset($pfb['load'])) +if (isset($pfb['load'])) { $pfb['runonce'] = FALSE; +} // Execute the following once per refresh if ($pfb['runonce']) { $pfb['load'] = TRUE; + $resolvecounter = 0; $fields_array = array(); - // pfSense versions below 2.2 have the Logfiles in two lines. - if ($pfb['pfsenseversion'] >= '2.2') { - $pfblines = exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^"); - } else { - $pfblines = (exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^") /2 ); - } - + $pfblines = exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^"); $fields_array = conv_log_filter_lite($filter_logfile, $pfblines, $pfblines, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt); $continents = array('pfB_Africa','pfB_Antartica','pfB_Asia','pfB_Europe','pfB_NAmerica','pfB_Oceania','pfB_SAmerica','pfB_Top'); - $supp_ip_txt .= "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24"; + $supp_ip_txt = "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24"; $supp_ip_txt .= " CIDR.\nThe Host will be added to the pfBlockerNG Suppress Alias Table.\n\nOnly 32 or 24 CIDR IPs can be Suppressed with the '+' Icon."; $supp_ip_txt .= "\nTo manually add Host(s), edit the 'pfBlockerNGSuppress' Alias in the Alias Tab.\nManual entries will not remove existing Blocked Hosts"; // Array of all Local IPs for Alert Analysis $pfb_local = array(); + $pfb_localsub = array(); // Collect Gateway IP Addresses for Inbound/Outbound List matching $int_gateway = get_interfaces_with_gateway(); 
@@ -697,12 +759,16 @@ if ($pfb['runonce']) { // Collect Virtual IP Aliases for Inbound/Outbound List Matching if (is_array($config['virtualip']['vip'])) { foreach ($config['virtualip']['vip'] as $list) { - if ($list['type'] == "single" && $list['subnet_bits'] == "32") - $pfb_local[] = $list['subnet']; - elseif ($list['type'] == "single" || $list['type'] == "network") - $pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local); + if ($list['subnet'] != "" && $list['subnet_bits'] != "") { + if ($list['subnet_bits'] >= 24) { + $pfb_local = array_merge(subnetv4_expand("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local); + } else { + $pfb_localsub[] = "{$list['subnet']}/{$list['subnet_bits']}"; + } + } } } + // Collect NAT IP Addresses for Inbound/Outbound List Matching if (is_array($config['nat']['rule'])) { foreach ($config['nat']['rule'] as $natent) { @@ -711,7 +777,7 @@ if ($pfb['runonce']) { } // Collect 1:1 NAT IP Addresses for Inbound/Outbound List Matching - if(is_array($config['nat']['onetoone'])) { + if (is_array($config['nat']['onetoone'])) { foreach ($config['nat']['onetoone'] as $onetoone) { $pfb_local[] = $onetoone['source']['address']; } 
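Review bot: the new VIP loop (and the interface loop in the `@@ -729,17 +795,27 @@` hunk, which has the same issue) passes anything with a non-empty subnet and `subnet_bits >= 24` to `subnetv4_expand()` with no address-family check, so an IPv6 VIP or an interface carrying an IPv6 address would reach an IPv4-only expander; for interfaces only the `dhcp` sentinel is excluded, although pfSense stores other non-literal values in `ipaddr` (I believe `pppoe`, `pptp`, `l2tp`). Guard on the value rather than on one sentinel, e.g. `if (is_ipaddrv4($list['subnet']) && $list['subnet_bits'] != "") {` here and `if (is_ipaddrv4($int['ipaddr']) && $int['subnet'] != "") {` in the interface loop. The old code also restricted VIPs to the `single`/`network` types; the new loop silently includes every type, which may be intended but deserves a comment. The enclosing `$pfb['runonce']` block starts outside this hunk.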
@@ -729,17 +795,27 @@ if ($pfb['runonce']) { } } } - // Remove any Duplicate IPs - $pfb_local = array_unique($pfb_local); - // Determine Lan IP Address and Mask - if (is_array($config['interfaces']['lan'])) { - $lan_ip = $config['interfaces']['lan']['ipaddr']; - $lan_mask = $config['interfaces']['lan']['subnet']; + // Collect all Interface Addresses for Inbound/Outbound List Matching + if (is_array($config['interfaces'])) { + foreach ($config['interfaces'] as $int) { + if ($int['ipaddr'] != "dhcp") { + if ($int['ipaddr'] != "" && $int['subnet'] != "") { + if ($int['subnet'] >= 24) { + $pfb_local = array_merge(subnetv4_expand("{$int['ipaddr']}/{$int['subnet']}"), $pfb_local); + } else { + $pfb_localsub[] = "{$int['ipaddr']}/{$int['subnet']}"; + } + } + } + } } + + // Remove any Duplicate IPs + $pfb_local = array_unique($pfb_local); + $pfb_localsub = array_unique($pfb_localsub); } -$counter = 0; // Process Fields_array and generate Output if (!empty($fields_array[$type]) && !empty($rule_list)) { $key = 0; 
@@ -774,19 +850,19 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { } // Add DNS Resolve and Suppression Icons to External IPs only. GeoIP Code to External IPs only. - if (in_array($fields[8], $pfb_local) || check_lan_dest($lan_ip,$lan_mask,$fields[8],"32")) { + if (in_array($fields[8], $pfb_local) || ip_in_pfb_localsub($fields[8])) { // Destination is Gateway/NAT/VIP $rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")"; $host = $fields[7]; - $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\" " . gettext("Resolve host via Rev. DNS lookup"); - $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" "; - $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\"/></a>"; + $alert_ip = "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\" " . gettext("Resolve host via Rev. DNS lookup"); + $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width='11' height='11' border='0' "; + $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\" /></a>"; if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { - $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; + $supp_ip = "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; - $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; + $supp_ip .= gettext($supp_ip_txt) . "\" border='0' width='11' height='11' />"; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { 
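Review bot: changing `$alert_ip .=` / `$supp_ip .=` to plain assignment stops the icon markup from accumulating across rows, but a row that does not enter the suppression branch (`$pfb['supp'] != "on"` or a Country match) now keeps whatever `$supp_ip` the previous row built, unless both variables are reset earlier in the row loop (that part is outside the hunk). Initialise them at the top of each row, `$alert_ip = $supp_ip = '';`, so the branch result is the only source. The same applies to the parallel branch in the `@@ -802,14 +878,14 @@` hunk. The values interpolated into the `href` and `onclick` attributes are a log-derived IP and a rule name constrained to `\w+` by the collection regex, so no escaping defect is evident, but wrapping `$host` in `htmlspecialchars()` there would make that explicit.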
@@ -802,14 +878,14 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { $rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")"; $host = $fields[8]; - $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\"" . gettext("Resolve host via Rev. DNS lookup"); - $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" "; - $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\"/></a>"; + $alert_ip = "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\"" . gettext("Resolve host via Rev. DNS lookup"); + $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width='11' height='11' border='0' "; + $alert_ip .= "alt=\"Icon Reverse Resolve with DNS\" style=\"cursor: pointer;\" /></a>"; if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { - $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; + $supp_ip = "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; - $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; + $supp_ip .= gettext($supp_ip_txt) . "\" border='0' width='11' height='11' />"; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { @@ -829,7 +905,7 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { $country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2); } - # IP Query Grep Exclusion + // IP Query Grep Exclusion $pfb_ex1 = "grep -v 'pfB\_\|\_v6\.txt'"; $pfb_ex2 = "grep -v 'pfB\_\|/32\|/24\|\_v6\.txt' | grep -m1 '/'"; 
@@ -857,8 +933,9 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { $host3 = $host2 - $cnt . '\''; $pfb_query = exec("/usr/bin/grep -rH {$host1}{$host3} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); // Break out of loop if found. - if (!empty($pfb_query)) + if (!empty($pfb_query)) { $cnt = 6; + } } } // Search for First Three Octets @@ -886,10 +963,11 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { } // Default to "No Match" if not found. - if (empty($pfb_query)) + if (empty($pfb_query)) { $pfb_query = "No Match"; + } - # Split List Column into Two lines. + // Split List Column into Two lines. unset ($pfb_match); if ($pfb_query == "No Match") { $pfb_match[1] = "{$pfb_query}"; 
@@ -921,43 +999,44 @@ if (!empty($fields_array[$type]) && !empty($rule_list)) { } // Print Alternating Line Shading - if ($pfb['pfsenseversion'] > '2.0') { - $alertRowEvenClass = "listMReven"; - $alertRowOddClass = "listMRodd"; - } else { - $alertRowEvenClass = "listr"; - $alertRowOddClass = "listr"; - } + $alertRowEvenClass = "style='background-color: #D8D8D8;'"; + $alertRowOddClass = "style='background-color: #E8E8E8;'"; $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass; - echo "<tr class='{$alertRowClass}'> + echo "<tr {$alertRowClass}> <td class='listMRr' align='center'>{$fields[99]}</td> <td class='listMRr' align='center'>{$fields[2]}</td> <td class='listMRr' align='center' title='The pfBlockerNG Rule that Blocked this Host.'>{$rule}</td> <td class='listMRr' align='center'>{$fields[6]}</td> - <td class='listMRr' align='center' style='sorttable_customkey:{$fields[7]};' sorttable_customkey='{$fields[7]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td> - <td class='listMRr' align='center' style='sorttable_customkey:{$fields[8]};' sorttable_customkey='{$fields[8]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td> + <td class='listMRr' align='center' sorttable_customkey='{$fields[97]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td> + <td class='listMRr' align='center' sorttable_customkey='{$fields[98]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td> <td class='listMRr' align='center'>{$country}</td> <td class='listbg' align='center' title='{$pfb_matchtitle}' style=\"font-size: 10px word-wrap:break-word;\">{$pfb_match[1]}<br />{$pfb_match[2]}</td></tr>"; $counter++; - if ($counter > 0 && $rtype == "block") { - $mycounter = $counter; - } else { - $mycounter = 0; + if ($rtype == "block") { + $resolvecounter = $counter; } } } } ?> </tbody> + <tr> + <!--Print Final Table Info--> + <?php + if ($pfbentries != $counter) { + 
$msg = " - Insufficient Firewall Alerts found."; + } + echo (" <td colspan='8' style='font-size:10px; background-color: #F0F0F0;' >Found {$counter} Alert Entries {$msg}</td>"); + $counter = 0; $msg = ''; + ?> + </tr> </table> </table> <?php endforeach; ?> <!--End - Create Three Output Windows 'Deny', 'Permit' and 'Match'--> <?php unset ($fields_array); ?> </td></tr> </table> - -</div> </td> <script type="text/javascript"> @@ -991,7 +1070,7 @@ function findhostnames(counter) { ) } -var alertlines = <?php echo $mycounter; ?>; +var alertlines = <?php echo $resolvecounter; ?>; var autoresolve = "<?php echo $config['installedpackages']['pfblockerngglobal']['hostlookup']; ?>"; if ( autoresolve == "on" ) { for (alertcount = 0; alertcount < alertlines; alertcount++) { @@ -1014,4 +1093,4 @@ function enable_hideFilter() { <?php include("fend.inc"); ?> </form> </body> -</html> +</html>
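Review bot: in the new footer `$msg` is only assigned inside `if ($pfbentries != $counter)` and is read unconditionally by the `echo` that follows, so the first table whose count matches raises an undefined-variable notice (later tables are covered by the trailing `$msg = '';`). Initialise it before the test: `$msg = ''; if ($pfbentries != $counter) { $msg = " - Insufficient Firewall Alerts found."; }`. The footer `<tr>` is also emitted after `</tbody>` while still inside the table; a `<tfoot>` wrapper would keep the markup valid. The enclosing foreach over the three output windows starts outside this hunk.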
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng_diag_dns.php b/config/pfblockerng/pfblockerng_diag_dns.php index b44bc71c..fa238b7a 100644 --- a/config/pfblockerng/pfblockerng_diag_dns.php +++ b/config/pfblockerng/pfblockerng_diag_dns.php @@ -56,15 +56,6 @@ foreach ($a_aliases as $a) { $counter++; } -# Collect pfSense Version -$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3); - -if ($pfs_version > '2.2') { - $cmd = '/usr/bin/drill'; -} else { - $cmd = '/usr/bin/dig'; -} - if (isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) { if ($_POST['override']) { $override = true; @@ -73,7 +64,7 @@ if (isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) { $type = "hostname"; if ($resolved) { $resolved = array(); - exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); + exec("/usr/bin/drill {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); $isfirst = true; foreach ($resolved as $re) { if ($re <> "") { @@ -120,7 +111,7 @@ if ($_POST) { $dns_servers = array(); exec("/usr/bin/grep nameserver /etc/resolv.conf | /usr/bin/cut -f2 -d' '", $dns_servers); foreach ($dns_servers as $dns_server) { - $query_time = exec("{$cmd} {$host_esc} " . escapeshellarg("@" . trim($dns_server)) . " | /usr/bin/grep Query | /usr/bin/cut -d':' -f2"); + $query_time = exec("/usr/bin/drill {$host_esc} " . escapeshellarg("@" . trim($dns_server)) . " | /usr/bin/grep Query | /usr/bin/cut -d':' -f2"); if ($query_time == "") { $query_time = gettext("No response"); } 
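Review bot: the removed `$cmd` indirection is replaced by three literal `/usr/bin/drill` invocations (two in the hunks on this line, one in the `@@ -149,7 +140,7 @@` hunk), so a future path change must be made in three places; keep a single `$cmd = '/usr/bin/drill';` near the top and interpolate it as before. Dropping the `/etc/version` branch also makes pfSense 2.2+ a hard requirement for this page, which deserves a comment at the top of the file since pfblockerng_alerts.php makes the same assumption in this commit. The exec strings interpolate `$host_esc`; its derivation is not visible here, so confirm it is the `escapeshellarg()` form of `$host`.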
@@ -149,7 +140,7 @@ if ($_POST) { $resolved = gethostbyname($host); if ($resolved) { $resolved = array(); - exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); + exec("/usr/bin/drill {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); } $hostname = $host; if ($host != $resolved) { @@ -208,7 +199,7 @@ include("head.inc"); ?> <input name="host" type="text" class="formfld unknown" id="host" size="20" value="<?=htmlspecialchars($host);?>"> </td> <?php if ($resolved && $type) { ?> - <td valign="middle"> = </td><td> + <td valign="middle"> </td><td> <font size="+1"> <?php $found = 0; @@ -244,8 +235,8 @@ include("head.inc"); ?> </tr> <?php if ($_POST): ?> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td> - <td width="78%" class="vtable"> + <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td> + <td width="78%" class="vtable"> <table width="170" border="0" cellpadding="6" cellspacing="0" summary="resolution time"> <tr> <td class="listhdrr"> @@ -271,7 +262,7 @@ include("head.inc"); ?> endforeach; ?> </table> - </td> + </td> </tr> <?php endif; ?> <?php if (!$input_errors && $ipaddr) { ?> diff --git a/config/pfblockerng/pfblockerng_log.php b/config/pfblockerng/pfblockerng_log.php index 4c25ce29..a235f20a 100644 --- a/config/pfblockerng/pfblockerng_log.php +++ b/config/pfblockerng/pfblockerng_log.php @@ -52,13 +52,13 @@ require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc"); pfb_global(); -# Get log files from directory +// Get log files from directory function getlogs($logdir, $log_extentions = array('log')) { if (!is_array($log_extentions)) { $log_extentions = array($log_extentions); } - # Get logfiles + // Get logfiles $log_filenames = array(); foreach ($log_extentions as $extention) { if ($extention <> '*') { 
@@ -68,7 +68,7 @@ function getlogs($logdir, $log_extentions = array('log')) { } } - # Convert to filenames only + // Convert to filenames only if (count($log_filenames) > 0) { $log_totalfiles = count($log_filenames); for ($cnt = 0; $cnt < $log_totalfiles; $cnt++) { @@ -76,18 +76,19 @@ function getlogs($logdir, $log_extentions = array('log')) { } } - # Sort the filename + // Sort the filename asort($log_filenames); - # Done + // Done return $log_filenames; } -# Define logtypes -# name => Displayname of the type -# ext => Log extentions (array for multiple extentions) -# logdir=> Log directory -# clear => Add clear button (TRUE/FALSE) +/* Define logtypes: + name => Displayname of the type + ext => Log extentions (array for multiple extentions) + logdir => Log directory + clear => Add clear button (TRUE/FALSE) */ + $pfb_logtypes = array( 'defaultlogs' => array('name' => 'Log Files', 'logdir' => "{$pfb['logdir']}/", 'logs' => array("pfblockerng.log", "error.log", "geoip.log", "maxmind_ver"), @@ -153,7 +154,7 @@ $pfb_logtypes = array( 'defaultlogs' => array('name' => 'Log Files', ) ); -# Check logtypes +// Check logtypes $logtypeid = 'defaultlogs'; if (isset($_POST['logtype'])) { $logtypeid = $_POST['logtype']; @@ -161,13 +162,13 @@ if (isset($_POST['logtype'])) { $logtypeid = htmlspecialchars($_GET['logtype']); } -# Check if POST has been set +// Check if POST has been set if (isset($_POST['file'])) { clearstatcache(); $pfb_logfilename = $_POST['file']; $pfb_ext = pathinfo($pfb_logfilename, PATHINFO_EXTENSION); - # Load log + // Load log if ($_POST['action'] == 'load') { if (!is_file($pfb_logfilename)) { echo "|3|" . gettext("Log file is empty or does not exist") . ".|"; 
@@ -187,12 +188,12 @@ if (isset($_POST['file'])) { if (isset($_POST['logFile'])) { $s_logfile = $_POST['logFile']; - # Clear selected file + // Clear selected file if (isset($_POST['clear'])) { unlink_if_exists($s_logfile); } - # Download log + // Download log if (isset($_POST['download'])) { if (file_exists($s_logfile)) { ob_start(); //important or other posts will fail diff --git a/config/pfblockerng/pfblockerng_sync.xml b/config/pfblockerng/pfblockerng_sync.xml index f6cee305..03b86dce 100644 --- a/config/pfblockerng/pfblockerng_sync.xml +++ b/config/pfblockerng/pfblockerng_sync.xml @@ -52,6 +52,7 @@ <version>1.0</version> <title>pfBlockerNG: XMLRPC Sync</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save XMLRPC Sync settings</addedit_string> <menu> <name>pfBlockerNG</name> <tooltiptext>Configure pfBlockerNG</tooltiptext> @@ -124,7 +125,7 @@ <url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_sync.xml&id=0</url> <active/> </tab> - </tabs> + </tabs> <fields> <field> <name>pfBlockerNG XMLRPC Sync Settings</name> @@ -132,8 +133,8 @@ </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname>none</fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> </field> @@ -173,7 +174,6 @@ </field> <field> <fielddescr>Replication Targets</fielddescr> - <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> 
@@ -217,15 +217,15 @@ <rowhelperfield> <fielddescr>Target Password</fielddescr> <fieldname>varsyncpassword</fieldname> - <description><![CDATA[Password of the user "admin" on the destination host.]]></description> + <description><![CDATA[Password of the user 'admin' on the destination host.]]></description> <type>password</type> <size>20</size> </rowhelperfield> </rowhelper> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]></name> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml index db898112..32ed52e8 100644 --- a/config/pfblockerng/pfblockerng_top20.xml +++ b/config/pfblockerng/pfblockerng_top20.xml @@ -52,13 +52,14 @@ <version>1.0</version> <title>pfBlockerNG: Top 20 Spammer Countries</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save Top20 settings</addedit_string> <menu> <name>pfBlockerNG</name> <tooltiptext>Configure pfblockerNG</tooltiptext> <section>Firewall</section> <url>pkg_edit.php?xml=pfblockerng.xml&id=0</url> </menu> - <tabs> + <tabs> <tab> <text>General</text> <url>/pkg_edit.php?xml=pfblockerng.xml&id=0</url> @@ -124,7 +125,7 @@ <text>Sync</text> <url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_sync.xml&id=0</url> </tab> - </tabs> + </tabs> <fields> <field> <name><![CDATA[TOP 20 - Spammer Countries (Geolite Data by Maxmind Inc. - ISO 3166)]]></name> 
@@ -132,20 +133,19 @@ </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname>none</fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> - </field> + </field> <field> - <fielddescr><![CDATA[<br /><strong>Top 20 IPv4</strong><br />Spammer Countries]]></fielddescr> <fieldname>countries4</fieldname> - <description> - <![CDATA[Select Top IPv4 Spammer Countries you want to take an action on.<br /> - <strong>Use CTRL + CLICK to unselect countries</strong>]]> - </description> + <fielddescr><![CDATA[<strong><center>Top 20<br /> Spammer Countries</center></strong><br /> + <center>Use CTRL + CLICK to unselect countries</center>]]> + </fielddescr> + <description><![CDATA[<center><br />IPv4 Countries</center>]]></description> <type>select</type> - <options> + <options> <option><name>China-CN</name><value>CN</value></option> <option><name>Russia-RU</name><value>RU</value></option> <option><name>Japan-JP</name><value>JP</value></option> @@ -169,14 +169,12 @@ </options> <size>20</size> <multiple/> + <usecolspan2/> + <combinefields>begin</combinefields> </field> <field> - <fielddescr><![CDATA[<br /><strong>Top 20 IPv6</strong><br />Spammer Countries]]></fielddescr> <fieldname>countries6</fieldname> - <description> - <![CDATA[Select Top IPv6 Spammer Countries you want to take an action on.<br /> - <strong>Use CTRL + CLICK to unselect countries</strong>]]> - </description> + <description><![CDATA[<br /><center>IPv6 Countries</center>]]></description> <type>select</type> <options> <option><name>China-CN</name><value>CN</value></option> 
@@ -199,13 +197,16 @@ <option><name>Taiwan-TW</name><value>TW</value></option> <option><name>Mexico-MX</name><value>MX</value></option> <option><name>Chilie-CL</name><value>CL</value></option> - </options> - <size>20</size> - <multiple/> + </options> + <size>20</size> + <multiple/> + <usecolspan2/> + <dontdisplayname/> + <combinefields>end</combinefields> </field> <field> <fielddescr>List Action</fielddescr> - <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br /> + <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br /> Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br /> <strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br /> 
@@ -231,12 +232,12 @@ <strong><u>'Alias' Rules:</u></strong><br /> <strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else). This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired. - <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> + <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> <li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br /> <li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br /> <li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul> <strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and Use the 'Exact' spelling of - the Alias (no trailing Whitespace) </strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if + the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom Alias Configuration<br />]]> @@ -262,7 +263,7 @@ <field> <fielddescr>Enable Logging</fielddescr> <fieldname>aliaslog</fieldname> - <description><![CDATA[Default:<strong>Enable</strong><br /> + <description><![CDATA[Default: <strong>Enable</strong><br /> Select - Logging to Status: System Logs: FIREWALL ( Log )]]> </description> <type>select</type> 
@@ -272,8 +273,87 @@ </options> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]> </name> + <name>Advanced Inbound Firewall Rule Settings</name> + <type>listtopic</type> + </field> + <field> + <type>info</type> + <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br /> + <ul>Inbound - 'any' port, 'any' protocol and 'any' destination<br /> + Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul> + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br /> + <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]> + </description> + </field> + <field> + <fieldname>autoports</fieldname> + <fielddescr>Enable Custom Port</fielddescr> + <type>checkbox</type> + <enablefields>aliasports</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Define Alias</fielddescr> + <fieldname>aliasports</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a> + Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>port</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fieldname>autodest</fieldname> + <fielddescr>Enable Custom Destination</fielddescr> + <type>checkbox</type> + <enablefields>aliasdest,autonot</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fieldname>aliasdest</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a> + Do not manually enter Addresses(es). 
<br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>network</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields/> + </field> + <field> + <fielddescr>Invert</fielddescr> + <fieldname>autonot</fieldname> + <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br /> + ie - Not (!) Destination Address(es)</div>]]> + </description> + <type>checkbox</type> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fielddescr>Custom Protocol</fielddescr> + <fieldname>autoproto</fieldname> + <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description> + <type>select</type> + <options> + <option><name>any</name><value></value></option> + <option><name>TCP</name><value>tcp</value></option> + <option><name>UDP</name><value>udp</value></option> + <option><name>TCP/UDP</name><value>tcp/udp</value></option> + </options> + <size>4</size> + <default_value></default_value> + </field> + <field> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> diff --git a/config/pfblockerng/pfblockerng_update.php b/config/pfblockerng/pfblockerng_update.php index f3a18231..e63d04dc 100644 --- a/config/pfblockerng/pfblockerng_update.php +++ b/config/pfblockerng/pfblockerng_update.php @@ -76,7 +76,6 @@ function pfbupdate_status($status) { // Function to perform a Force Update, Cron or Reload function pfb_cron_update($type) { - global $pfb; // Query for any Active pfBlockerNG CRON Jobs 
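Review bot: The new `aliasports` and `aliasdest` fields are pfSense `aliases` inputs, which only autocomplete existing alias names and accept any typed text, and `autoproto` is a plain select whose submitted value is not constrained by its option list; the description asks the user not to use 'pfB_' names but nothing in the form enforces it, and the package's validation hook for these fields is not part of this diff. Since the info text says these settings customise the generated Inbound Auto-Rules, the values presumably end up in filter rules built by pfblockerng.inc (not shown), so the `custom_php_validation_command` handler should reject an alias name for which `is_alias()` is false or that begins with `pfB_`, and an `autoproto` value outside `''`, `tcp`, `udp` and `tcp/udp`, before the settings are saved. The identical field block is added to pfblockerng_v4lists.xml in its `@@ -373,6 +373,85 @@` hunk and needs the same treatment.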
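Review bot: Dropping `global $pfb;` from `pfb_cron_update()` leaves `$pfb` undefined inside the function unless another `global` declaration sits in the four lines between this hunk and the `@@ -87` hunk, which are not shown; the `@@ -87`, `@@ -102` and `@@ -121` hunks still read `$pfb['log']` for `file_exists()`, `touch()`, the `mwexec_bg()` redirect and `fopen()`, and with an undefined `$pfb` that path collapses to an empty string, leaving the background command's `>>` without a target. If no declaration remains, restore `global $pfb;` as the first statement of the function. pfb_cron_update()'s body continues past this hunk.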
@@ -87,8 +86,9 @@ function pfb_cron_update($type) { exit; } - if (!file_exists("{$pfb['log']}")) + if (!file_exists("{$pfb['log']}")) { touch("{$pfb['log']}"); + } // Update Status Window with correct Task if ($type == "update") { @@ -102,7 +102,6 @@ function pfb_cron_update($type) { // Remove any existing pfBlockerNG CRON Jobs install_cron_job("pfblockerng.php cron", false); - write_config(); // Execute PHP Process in the Background mwexec_bg("/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php {$type} >> {$pfb['log']} 2>&1"); @@ -121,18 +120,19 @@ function pfb_cron_update($type) { $lastpos = $len; } else { $f = fopen($pfb['log'], "rb"); - if ($f === false) + if ($f === false) { die(); + } fseek($f, $lastpos); while (!feof($f)) { $pfb_buffer = fread($f, 2048); $pfb_output .= str_replace( array ("\r", "\")"), "", $pfb_buffer); - // Refresh on new lines only. This allows Scrolling. - if ($lastpos != $lastpos_old) + if ($lastpos != $lastpos_old) { pfbupdate_output($pfb_output); + } $lastpos_old = $lastpos; ob_flush(); flush(); @@ -151,7 +151,7 @@ function pfb_cron_update($type) { ob_flush(); flush(); fclose($f); - # Call Log Mgmt Function + // Call Log Mgmt Function pfb_log_mgmt(); die(); } 
@@ -207,61 +207,112 @@ include_once("head.inc"); <tr> <td colspan="2" class="listr"> <?php - // Collect Existing CRON settings - if (is_array($config['cron']['item'])) { - foreach ($config['cron']['item'] as $cron) { - if (preg_match("/usr.local.www.pfblockerng.pfblockerng.php cron/",$cron["command"])) { - $pfb_min = "{$cron['minute']}"; - break; + if ($pfb['enable'] == "on") { + + /* Legend - Time Variables + + $pfb['interval'] Hour interval setting (1,2,3,4,6,8,12,24) + $pfb['min'] Cron minute start time (0-23) + $pfb['hour'] Cron start hour (0-23) + $pfb['24hour'] Cron daily/wk start hr (0-23) + + $currenthour Current hour + $currentmin Current minute + $cron_hour_begin First cron hour setting (interval 2-24) + $cron_hour_next Next cron hour setting (interval 2-24) + + $max_min_remain Max minutes to next cron (not including currentmin) + $min_remain Total minutes remaining to next cron + $min_final The minute component in hour:min + + $nextcron Next cron event in hour:mins + $cronreal Time remaining to next cron in hours:mins */ + + $currenthour = date('G'); + $currentmin = date('i'); + + if ($pfb['interval'] == 1) { + if (($currenthour + ($currentmin/60)) <= ($pfb['hour'] + ($pfb['min']/60))) { + $cron_hour_next = $currenthour; + } else { + $cron_hour_next = $currenthour + 1; + } + if (($currenthour + ($pfb['min']/60)) >= 24) { + $cron_hour_next = $pfb['hour']; } + $max_min_remain = 60 + $pfb['min']; } - } - // Calculate Minutes Remaining till next CRON Event. - $currentmin = date('i'); - switch ($pfb_min) { - case "0": - $min_remain = (60 - $currentmin); - break; - case "15": - if ($currentmin < 15) { - $min_remain = (15 - $currentmin); - } else { - $min_remain = (75 - $currentmin); + elseif ($pfb['interval'] == 24) { + $cron_hour_next = $cron_hour_begin = $pfb['24hour'] != '' ? 
$pfb['24hour'] : '00'; + } + else { + // Find Next Cron hour schedule + $crondata = pfb_cron_base_hour(); + if (!empty($crondata)) { + foreach ($crondata as $key => $line) { + if ($key == 0) { + $cron_hour_begin = $line; + } + if ($line > $currenthour) { + $cron_hour_next = $line; + break; + } + } } - break; - case "30": - if ($currentmin < 30) { - $min_remain = (30 - $currentmin); - } else { - $min_remain = (90 - $currentmin); + + // Roll over to First cron hour setting + if (!isset($cron_hour_next)) { + if (empty($cron_hour_begin)) { + // $cron_hour_begin is hour '0' + $cron_hour_next = (24 - $currenthour); + } else { + $cron_hour_next = $cron_hour_begin; + } } - break; - case "45": - if ($currentmin < 45) { - $min_remain = (45 - $currentmin); + } + + if ($pfb['interval'] != 1) { + if (($currenthour + ($currentmin/60)) <= ($cron_hour_next + ($pfb['min']/60))) { + $max_min_remain = (($cron_hour_next - $currenthour) * 60) + $pfb['min']; } else { - $min_remain = (105 - $currentmin); + $max_min_remain = ((24 - $currenthour + $cron_hour_begin) * 60) + $pfb['min']; + $cron_hour_next = $cron_hour_begin; } - break; - } + } - // Default to "< 1 minute" if empty - if (empty($min_remain)) - $min_remain = "< 1"; + $min_remain = ($max_min_remain - $currentmin); + $min_final = ($min_remain % 60); + $sec_final = (60 - date('s')); - // Next Scheduled Cron Time - if ($pfb_min == "0") - $pfb_min = "00"; - $nextcron = (date('H') +1) . ":{$pfb_min}"; + if (strlen($sec_final) == 1) { + $sec_final = '0' . $sec_final; + } + if (strlen($min_final) == 1) { + $min_final = '0' . $min_final; + } + if (strlen($cron_hour_next) == 1) { + $cron_hour_next = '0' . $cron_hour_next; + } + + if ($min_remain > 59) { + $nextcron = floor($min_remain / 60) . ':' . $min_final . ':' . $sec_final; + } else { + $nextcron = '00:' . $min_final . ':' . 
$sec_final; + } + + if ($pfb['min'] == 0) { + $pfb['min'] = '00'; + } + $cronreal = "{$cron_hour_next}:{$pfb['min']}"; + } - // If pfBlockerNG is Disabled or Cron Task is Missing - if (empty($pfb['enable']) || empty($pfb_min)) { - $min_remain = " -- "; - $nextcron = " [ Disabled ] "; + if (empty($pfb['enable']) || empty($cron_hour_next)) { + $cronreal = ' [ Disabled ]'; + $nextcron = '--'; } - echo "NEXT Scheduled CRON Event will run at <font size=\"3\"> {$nextcron}</font> in<font size=\"3\"> - <span class=\"red\"> {$min_remain} </span></font> Minutes."; + echo "NEXT Scheduled CRON Event will run at <font size=\"3\"> {$cronreal}</font> with + <font size=\"3\"><span class=\"red\"> {$nextcron} </span></font> time remaining."; // Query for any Active pfBlockerNG CRON Jobs $result_cron = array(); @@ -272,7 +323,7 @@ include_once("head.inc"); echo "<img src = '/themes/{$g['theme']}/images/icons/icon_pass.gif' width='15' height='15' border='0' title='pfBockerNG Cron Task is Running.'/>"; } - echo "<br /><font size=\"3\"><span class=\"red\">Refresh</span></font> to update current Status and Minute(s) remaining"; + echo "<br /><font size=\"3\"><span class=\"red\">Refresh</span></font> to update current Status and time remaining"; ?> </td> </tr> @@ -348,8 +399,9 @@ include("fend.inc"); // Execute the Viewer output Window if (isset($_POST['pfbview'])) { - if (!file_exists("{$pfb['log']}")) + if (!file_exists("{$pfb['log']}")) { touch("{$pfb['log']}"); + } // Reference: http://stackoverflow.com/questions/3218895/php-how-to-read-a-file-live-that-is-constantly-being-written-to pfbupdate_status(gettext("Log Viewing in progress. ** Press 'END VIEW' to Exit ** ")); @@ -372,8 +424,9 @@ if (isset($_POST['pfbview'])) { $lastpos = $len; } else { $f = fopen($pfb['log'], "rb"); - if ($f === false) + if ($f === false) { die(); + } fseek($f, $lastpos); while (!feof($f)) { 
@@ -415,8 +468,9 @@ if (isset($_POST['pfbcron']) && $pfb['enable'] == "on") { // Execute a Reload of all Aliases and Lists if (isset($_POST['pfbreload']) && $pfb['enable'] == "on") { + // Set 'Reuse' Flag for Reload process $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = "on"; - write_config(); + write_config("pfBlockerNG: Executing Force Reload"); pfb_cron_update(reload); } diff --git a/config/pfblockerng/pfblockerng_v4lists.xml b/config/pfblockerng/pfblockerng_v4lists.xml index febfd597..00747a24 100644 --- a/config/pfblockerng/pfblockerng_v4lists.xml +++ b/config/pfblockerng/pfblockerng_v4lists.xml @@ -54,6 +54,7 @@ <version>1.0</version> <title>pfBlockerNG: IPv4 Alias/List Configuration</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save IPv4 settings</addedit_string> <menu> <name>pfBlockerNG</name> <tooltiptext></tooltiptext> @@ -149,6 +150,8 @@ <fielddescr>Logging</fielddescr> <fieldname>aliaslog</fieldname> </columnitem> + <addtext>Add a new Alias</addtext> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> 
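Review bot: `pfb_cron_update(reload)` passes the bare word `reload` rather than the string `'reload'`; PHP treats an undefined constant as its own name with a notice on PHP 5/7 and throws an Error on PHP 8, and `pfb_cron_update()` compares `$type` against quoted strings (`$type == "update"`) and interpolates it into the `mwexec_bg()` command line. Change the call to `pfb_cron_update('reload');` and check the `pfbcron` handler named in this hunk's header for the same spelling.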
@@ -158,15 +161,15 @@ </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname>none</fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> </field> <field> <fielddescr>Alias Name</fielddescr> <fieldname>aliasname</fieldname> - <description><![CDATA[Enter lists Alias Names.<br /> + <description><![CDATA[Enter Alias Name.<br /> Example: Badguys<br /> Do not include <strong>'pfBlocker' or 'pfB_'</strong> in the Alias Name, it's done by package.<br /> <strong>International, special or space characters will be ignored in firewall alias names. 
@@ -182,40 +185,37 @@ <size>90</size> </field> <field> - <fieldname>InfoLists</fieldname> <type>info</type> - <description><![CDATA[<strong><u>'Format'</u></strong> : Select the Format Type<br /><br /> - <strong><u>'URL'</u></strong> : Add direct link to list: + <description><![CDATA[<strong><u>'Format'</u></strong>: Select the Format Type<br /><br /> + <strong><u>'URL'</u></strong>: Add direct link to list: Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>, <a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>, - <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a> )<br /><br /> - <strong><u>'pfSense Local File'</u></strong> Format :<br /><br /> - http(s)://127.0.0.1/NAME_OF_FILE <strong>or</strong> + <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a><br /><br /> + <strong><u>'pfSense Local File'</u></strong> Format:<br /><br /> + http(s)://127.0.0.1/NAME_OF_FILE <strong>or</strong> /usr/local/www/NAME_OF_FILE (Files can also be placed in the /var/db/pfblockerng folders)<br /><br /> - <strong><u>'Header'</u></strong> : The <u>'Header' Field</u> must be <u>Unique</u>, it will + <strong><u>'Header'</u></strong>: The <u>'Header' Field</u> must be <u>Unique</u>, it will name the List File and it will be referenced in the pfBlockerNG Widget. 
Use a Unique Prefix per 'Alias Category' followed by a unique descriptor for each List.<br /><br />]]> </description> </field> <field> <fielddescr><![CDATA[<strong>IPv4</strong> Lists]]></fielddescr> - <fieldname>none</fieldname> <description><![CDATA[<br /><strong>'Format'</strong> - Select the file format that URL will retrieve.<br /> - - <ul><li><strong>'txt'</strong> Plain txt Lists</li><br /> - <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only.</li><br /> - <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only.</li><br /> - <li><strong>'gz_lg'</strong> - Large IBlock GZ Lists in Range Format only.</li><br /> - <li><strong>'zip'</strong> - ZIP'd Lists</li><br /> - <li><strong>'block'</strong>- IP x.x.x.0 Block type</li><br /> - <li><strong>'html'</strong> - Web Links</li><br /> - <li><strong>'xlsx'</strong> - Excel Lists</li><br /> - <li><strong>'rsync'</strong> - RSync Lists</li><br /> + <ul><li><strong>'txt'</strong> Plain txt Lists</li> + <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only</li> + <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only</li> + <li><strong>'gz_lg'</strong> - Large IBlock GZ Lists in Range Format only</li> + <li><strong>'zip'</strong> - ZIP'd Lists</li> + <li><strong>'block'</strong>- IP x.x.x.0 Block type</li> + <li><strong>'html'</strong> - Web Links</li> + <li><strong>'xlsx'</strong> - Excel Lists</li> + <li><strong>'rsync'</strong> - RSync Lists</li> <li><strong>'ET' IQRisk</strong> - Only</li></ul> - <strong>'State'</strong> - Select the Run State for each list.<br /> - <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li><br /> - <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static.</li></ul> + <strong>'State'</strong> - Select the Run State for each list<br /> + <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li> + <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static</li></ul> <strong>'Note' 
-</strong> Downloaded or pfsense local file must have only one network per line and follows the syntax below: <ul>Network ranges: <strong>172.16.1.0-172.16.1.255</strong><br /> IP Address: <strong>172.16.1.10</strong><br /> 
@@ -223,50 +223,50 @@ </description> <type>rowhelper</type> <rowhelper> - <rowhelperfield> - <fielddescr>Format</fielddescr> - <fieldname>format</fieldname> - <type>select</type> - <options> - <option><name>txt</name><value>txt</value></option> - <option><name>gz</name><value>gz</value></option> - <option><name>gz_2</name><value>gz_2</value></option> - <option><name>gz_lg</name><value>gz_lg</value></option> - <option><name>zip</name><value>zip</value></option> - <option><name>block</name><value>block</value></option> - <option><name>html</name><value>html</value></option> - <option><name>xlsx</name><value>xlsx</value></option> - <option><name>RSync</name><value>rsync</value></option> - <option><name>ET</name><value>et</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr>State</fielddescr> - <fieldname>state</fieldname> - <type>select</type> - <options> - <option><name>ON</name><value>Enabled</value></option> - <option><name>OFF</name><value>Disabled</value></option> - <option><name>HOLD</name><value>Hold</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr>URL or pfSense local file</fielddescr> - <fieldname>url</fieldname> - <type>input</type> - <size>50</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr>Header</fielddescr> - <fieldname>header</fieldname> - <type>input</type> - <size>15</size> - </rowhelperfield> + <rowhelperfield> + <fielddescr>Format</fielddescr> + <fieldname>format</fieldname> + <type>select</type> + <options> + <option><name>txt</name><value>txt</value></option> + <option><name>gz</name><value>gz</value></option> + <option><name>gz_2</name><value>gz_2</value></option> + <option><name>gz_lg</name><value>gz_lg</value></option> + <option><name>zip</name><value>zip</value></option> + <option><name>block</name><value>block</value></option> + <option><name>html</name><value>html</value></option> + <option><name>xlsx</name><value>xlsx</value></option> + 
<option><name>RSync</name><value>rsync</value></option> + <option><name>ET</name><value>et</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>State</fielddescr> + <fieldname>state</fieldname> + <type>select</type> + <options> + <option><name>ON</name><value>Enabled</value></option> + <option><name>OFF</name><value>Disabled</value></option> + <option><name>HOLD</name><value>Hold</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>URL or pfSense local file</fielddescr> + <fieldname>url</fieldname> + <type>input</type> + <size>50</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Header</fielddescr> + <fieldname>header</fieldname> + <type>input</type> + <size>15</size> + </rowhelperfield> </rowhelper> </field> <field> <fielddescr>List Action</fielddescr> - <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br /> + <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br /> Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br /> <strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br /> 
@@ -292,12 +292,12 @@ <strong><u>'Alias' Rules:</u></strong><br /> <strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else). This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired. - <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> + <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> <li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br /> <li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br /> <li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul> <strong>When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and Use the 'Exact' spelling of - the Alias (no trailing Whitespace) </strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if + the Alias (no trailing Whitespace)</strong> Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using Auto Rule Creation.<br /><br /><strong>Tip</strong>: You can create the Auto Rules and remove "<u>auto rule</u>" from the Rule Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom Alias Configuration<br />]]> @@ -324,8 +324,8 @@ <field> <fielddescr>Update Frequency</fielddescr> <fieldname>cron</fieldname> - <description><![CDATA[Default:<strong>Never</strong><br /> - Select how often List files will be downloaded]]> + <description><![CDATA[Default: <strong>Never</strong><br /> + Select how often List files will be downloaded. <strong>This must be within the Cron Interval/Start Hour settings.</strong>]]> </description> <type>select</type> <options> 
@@ -344,7 +344,7 @@ <field> <fielddescr>Weekly (Day of Week)</fielddescr> <fieldname>dow</fieldname> - <description><![CDATA[Default:<strong>1</strong><br /> + <description><![CDATA[Default: <strong>Monday</strong><br /> Select the 'Weekly' ( Day of the Week ) to Update <br /> This is only required for the 'Weekly' Frequency Selection. The 24 Hour Download 'Time' will be used.]]> </description> @@ -362,7 +362,7 @@ <field> <fielddescr>Enable Logging</fielddescr> <fieldname>aliaslog</fieldname> - <description><![CDATA[Default:<strong>Enable</strong><br /> + <description><![CDATA[Default: <strong>Enable</strong><br /> Select - Logging to Status: System Logs: FIREWALL ( Log )<br /> This can be overriden by the 'Global Logging' Option in the General Tab.]]> </description> 
@@ -373,6 +373,85 @@ </options> </field> <field> + <name>Advanced Inbound Firewall Rule Settings</name> + <type>listtopic</type> + </field> + <field> + <type>info</type> + <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br /> + <ul>Inbound - 'any' port, 'any' protocol and 'any' destination<br /> + Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul> + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br /> + <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]> + </description> + </field> + <field> + <fieldname>autoports</fieldname> + <fielddescr>Enable Custom Port</fielddescr> + <type>checkbox</type> + <enablefields>aliasports</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Define Alias</fielddescr> + <fieldname>aliasports</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a> + Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>port</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fieldname>autodest</fieldname> + <fielddescr>Enable Custom Destination</fielddescr> + <type>checkbox</type> + <enablefields>aliasdest,autonot</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fieldname>aliasdest</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a> + Do not manually enter Addresses(es). 
<br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>network</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields/> + </field> + <field> + <fielddescr>Invert</fielddescr> + <fieldname>autonot</fieldname> + <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br /> + ie - Not (!) Destination Address(es)</div>]]> + </description> + <type>checkbox</type> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fielddescr>Custom Protocol</fielddescr> + <fieldname>autoproto</fieldname> + <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description> + <type>select</type> + <options> + <option><name>any</name><value></value></option> + <option><name>TCP</name><value>tcp</value></option> + <option><name>UDP</name><value>udp</value></option> + <option><name>TCP/UDP</name><value>tcp/udp</value></option> + </options> + <size>4</size> + <default_value></default_value> + </field> + <field> <name>IPv4 Custom list</name> <type>listtopic</type> </field> 
@@ -394,18 +473,19 @@ <field> <fielddescr>Update Custom List</fielddescr> <fieldname>custom_update</fieldname> - <description><![CDATA[Default:<strong>Disable</strong><br /> - select - Enable Update if changes are made to this List. Cron will also resync this list at the next Scheduled Update.]]> + <description><![CDATA[Select - '<strong>Default</strong>' to update Custom List as per Update Frequency setting.<br /> + Select - '<strong>Update Custom List</strong>' followed by a 'Force Update' to apply Custom List Changes.<br /> + Cron will also resync this Custom List at the next Update Frequency.]]> </description> <type>select</type> <options> - <option><name>Disable</name><value>disabled</value></option> - <option><name>Enable</name><value>enabled</value></option> + <option><name>Default</name><value>disabled</value></option> + <option><name>Update Custom List</name><value>enabled</value></option> </options> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]></name> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> diff --git a/config/pfblockerng/pfblockerng_v6lists.xml b/config/pfblockerng/pfblockerng_v6lists.xml index 10a866c0..3e9dbe6f 100644 --- a/config/pfblockerng/pfblockerng_v6lists.xml +++ b/config/pfblockerng/pfblockerng_v6lists.xml @@ -54,6 +54,7 @@ <version>1.0</version> <title>pfBlockerNG: IPv6 Alias/List Configuration</title> <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file> + <addedit_string>pfBlockerNG: Save IPv6 settings</addedit_string> <menu> <name>pfBlockerNG</name> <tooltiptext></tooltiptext> @@ -118,7 +119,7 @@ <tab> <text>P.S.</text> <url>/pkg_edit.php?xml=/pfblockerng/pfblockerng_ProxyandSatellite.xml&id=0</url> - </tab> + </tab> <tab> <text>Logs</text> <url>/pfblockerng/pfblockerng_log.php</url> 
@@ -149,6 +150,8 @@ <fielddescr>Logging</fielddescr> <fieldname>aliaslog</fieldname> </columnitem> + <addtext>Add a new Alias</addtext> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -157,15 +160,15 @@ </field> <field> <fielddescr>LINKS</fielddescr> - <fieldname>none</fieldname> - <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> + <description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> + <a href="/firewall_rules.php">Firewall Rules</a> <a href="diag_logs_filter.php">Firewall Logs</a>]]> </description> <type>info</type> </field> <field> <fielddescr>Alias Name</fielddescr> <fieldname>aliasname</fieldname> - <description><![CDATA[Enter lists Alias Names.<br /> + <description><![CDATA[Enter Alias Name.<br /> Example: Badguys<br /> Do not include <strong>'pfBlocker' or 'pfB_'</strong> in the Alias Name, it's done by package.<br /> <strong>International, special or space characters will be ignored in firewall alias names. 
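Review bot: In the rewritten LINKS description, `diag_logs_filter.php` is the only relative href while its two neighbours are root-relative (`/firewall_aliases.php`, `/firewall_rules.php`); it resolves the same today only because pkg_edit.php is served from the web root. I would make it `<a href="diag_logs_filter.php">` → `<a href="/diag_logs_filter.php">Firewall Logs</a>` so the three links behave identically if the GUI is ever served under a sub-path. Dropping `<fieldname>none</fieldname>` from this info field looks intentional and I am not suggesting it be restored.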
@@ -181,38 +184,35 @@ <size>90</size> </field> <field> - <fieldname>InfoLists</fieldname> <type>info</type> - <description><![CDATA[<strong><u>'Format'</u></strong> : Select the Format Type<br /><br /> - <strong><u>'URL'</u></strong> : Add direct link to list: + <description><![CDATA[<strong><u>'Format'</u></strong>: Select the Format Type<br /><br /> + <strong><u>'URL'</u></strong>: Add direct link to list: Example: <a target=_new href='http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz'>Ads</a>, <a target=_new href='http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz'>Spyware</a>, <a target=_new href='http://list.iblocklist.com/?list=bt_proxy&fileformat=p2p&archiveformat=gz'>Proxies</a><br /><br /> - <strong><u>'pfSense Local File'</u></strong> Format :<br /><br /> - http(s)://127.0.0.1/NAME_OF_FILE <strong>or</strong> + <strong><u>'pfSense Local File'</u></strong> Format:<br /><br /> + http(s)://127.0.0.1/NAME_OF_FILE <strong>or</strong> /usr/local/www/NAME_OF_FILE (Files can also be placed in the /var/db/pfblockerng folders)<br /><br /> - <strong><u>'Header'</u></strong> : The <u>'Header' Field</u> must be <u>Unique</u>, it will + <strong><u>'Header'</u></strong>: The <u>'Header' Field</u> must be <u>Unique</u>, it will name the List File and it will be referenced in the pfBlockerNG Widget. 
Use a Unique Prefix per 'Alias Category' followed by a unique descriptor for each List.<br /><br />]]> </description> </field> <field> <fielddescr><![CDATA[<strong>IPv6</strong> Lists]]></fielddescr> - <fieldname>none</fieldname> - <description><![CDATA[<br /><strong>'Format'</strong> - Choose the file format that URL will retrieve.<br /> - - <ul><li><strong>'txt'</strong> Plain txt Lists</li><br /> - <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only.</li><br /> - <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only.</li><br /> - <li><strong>'zip'</strong> - ZIP'd Lists</li><br /> - <li><strong>'block'</strong>- IP x.x.x.0 Block type</li><br /> - <li><strong>'html'</strong> - Web Links</li><br /> - <li><strong>'xlsx'</strong> - Excel Lists</li><br /> - <li><strong>'rsync'</strong> - RSync Lists</li><br /> - <strong>'State'</strong> - Select the Run State for each list.<br /> - <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li><br /> - <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static.</li></ul> + <description><![CDATA[<br /><strong>'Format'</strong> - Select the file format that URL will retrieve.<br /> + <ul><li><strong>'txt'</strong> Plain txt Lists</li> + <li><strong>'gz'</strong> - IBlock GZ Lists in Range Format only</li> + <li><strong>'gz_2'</strong> - Other GZ Lists in IP or CIDR only</li> + <li><strong>'zip'</strong> - ZIP'd Lists</li> + <li><strong>'block'</strong>- IP x.x.x.0 Block type</li> + <li><strong>'html'</strong> - Web Links</li> + <li><strong>'xlsx'</strong> - Excel Lists</li> + <li><strong>'rsync'</strong> - RSync Lists</li> + <strong>'State'</strong> - Select the Run State for each list<br /> + <ul><li><strong>'ON/OFF'</strong> - Enabled / Disabled</li> + <li><strong>'HOLD'</strong> - Once a List has been Downloaded, list will remain Static</li></ul> <strong>'Note' -</strong> Downloaded or pfsense local file must have only one network per line and follows the syntax below: 
<ul>Network ranges: <strong> TBC </strong><br /> IP Address: <strong> TBC </strong><br /> 
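Review bot: The 'URL' paragraph in this help text points at plain `http://list.iblocklist.com/...` feeds and says nothing about transport integrity, yet the same page lets a feed drive Deny, Permit and Match auto-rules (see the List Action text further down), so a feed altered in transit can inject addresses into a whitelist unless the download path verifies it elsewhere (not visible here). I would add one sentence after the examples: `Prefer https:// feeds where the provider offers TLS; a list fetched over plain http:// is unauthenticated and can be altered in transit.` The example anchors also use an unquoted `target=_new` with no `rel`, which hands the external site a `window.opener` to the firewall GUI tab; `target="_blank" rel="noopener noreferrer"` closes that. Finally, the IPv6 'Note' still ships `TBC` placeholders for the Network range and IP Address syntax — context lines the commit leaves untouched — so the user-facing format guidance for this tab is incomplete; fill them with real examples (e.g. `2001:db8::/32` and `2001:db8::1`) or remove the lines.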
@@ -220,48 +220,48 @@ </description> <type>rowhelper</type> <rowhelper> - <rowhelperfield> - <fielddescr>Format</fielddescr> - <fieldname>format</fieldname> - <type>select</type> - <options> - <option><name>txt</name><value>txt</value></option> - <option><name>gz</name><value>gz</value></option> - <option><name>gz_2</name><value>gz_2</value></option> - <option><name>zip</name><value>zip</value></option> - <option><name>block</name><value>block</value></option> - <option><name>html</name><value>html</value></option> - <option><name>xlsx</name><value>xlsx</value></option> - <option><name>RSync</name><value>rsync</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr>State</fielddescr> - <fieldname>state</fieldname> - <type>select</type> - <options> - <option><name>ON</name><value>Enabled</value></option> - <option><name>OFF</name><value>Disabled</value></option> - <option><name>HOLD</name><value>Hold</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr>URL or pfSense local file</fielddescr> - <fieldname>url</fieldname> - <type>input</type> - <size>50</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr>Header</fielddescr> - <fieldname>header</fieldname> - <type>input</type> - <size>15</size> - </rowhelperfield> + <rowhelperfield> + <fielddescr>Format</fielddescr> + <fieldname>format</fieldname> + <type>select</type> + <options> + <option><name>txt</name><value>txt</value></option> + <option><name>gz</name><value>gz</value></option> + <option><name>gz_2</name><value>gz_2</value></option> + <option><name>zip</name><value>zip</value></option> + <option><name>block</name><value>block</value></option> + <option><name>html</name><value>html</value></option> + <option><name>xlsx</name><value>xlsx</value></option> + <option><name>RSync</name><value>rsync</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>State</fielddescr> + <fieldname>state</fieldname> + <type>select</type> + 
<options> + <option><name>ON</name><value>Enabled</value></option> + <option><name>OFF</name><value>Disabled</value></option> + <option><name>HOLD</name><value>Hold</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>URL or pfSense local file</fielddescr> + <fieldname>url</fieldname> + <type>input</type> + <size>50</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Header</fielddescr> + <fieldname>header</fieldname> + <type>input</type> + <size>15</size> + </rowhelperfield> </rowhelper> </field> <field> <fielddescr>List Action</fielddescr> - <description><![CDATA[<br />Default : <strong>Disabled</strong><br /><br /> + <description><![CDATA[<br />Default: <strong>Disabled</strong><br /><br /> Select the <strong>Action</strong> for Firewall Rules on lists you have selected.<br /><br /> <strong><u>'Disabled' Rules:</u></strong> Disables selection and does nothing to selected Alias.<br /><br /> @@ -287,7 +287,7 @@ <strong><u>'Alias' Rules:</u></strong><br /> <strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else). This enables a pfBlockerNG list to be used by name, in any firewall rule or pfSense function, as desired. - <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> + <ul><li><strong>Options - Alias Deny, Alias Permit, Alias Match, Alias Native</strong></li><br /> <li>'Alias Deny' can use De-Duplication and Reputation Processes if configured.</li><br /> <li>'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules</li><br /> <li>'Alias Native' lists are kept in their Native format without any modifications.</li></ul> 
@@ -319,8 +319,8 @@ <field> <fielddescr>Update Frequency</fielddescr> <fieldname>cron</fieldname> - <description><![CDATA[Default:<strong>Never</strong><br /> - Select how often List files will be downloaded]]> + <description><![CDATA[Default: <strong>Never</strong><br /> + Select how often List files will be downloaded. <strong>This must be within the Cron Interval/Start Hour settings.</strong>]]> </description> <type>select</type> <options> @@ -339,7 +339,7 @@ <field> <fielddescr>Weekly (Day of Week)</fielddescr> <fieldname>dow</fieldname> - <description><![CDATA[Default:<strong>1</strong><br /> + <description><![CDATA[Default: <strong>Monday</strong><br /> Select the 'Weekly' ( Day of the Week ) to Update <br /> This is only required for the 'Weekly' Frequency Selection. The 24 Hour Download 'Time' will be used.]]> </description> @@ -357,7 +357,7 @@ <field> <fielddescr>Enable Logging</fielddescr> <fieldname>aliaslog</fieldname> - <description><![CDATA[Default:<strong>Enable</strong><br /> + <description><![CDATA[Default: <strong>Enable</strong><br /> Select - Logging to Status: System Logs: FIREWALL ( Log )<br /> This can be overriden by the 'Global Logging' Option in the General Tab.]]> </description> 
@@ -368,6 +368,85 @@ </options> </field> <field> + <name>Advanced Inbound Firewall Rule Settings</name> + <type>listtopic</type> + </field> + <field> + <type>info</type> + <description><![CDATA[<font color='red'>Note: </font>In general Auto-Rules are created as follows:<br /> + <ul>Inbound - 'any' port, 'any' protocol and 'any' destination<br /> + Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists</ul> + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.<br /> + <strong>Select the pfSense 'Port' and/or 'Destination' Alias below:</strong>]]> + </description> + </field> + <field> + <fieldname>autoports</fieldname> + <fielddescr>Enable Custom Port</fielddescr> + <type>checkbox</type> + <enablefields>aliasports</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fielddescr>Define Alias</fielddescr> + <fieldname>aliasports</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=port">Click Here to add/edit Aliases</a> + Do not manually enter port numbers. <br />Do not use 'pfB_' in the Port Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>port</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fieldname>autodest</fieldname> + <fielddescr>Enable Custom Destination</fielddescr> + <type>checkbox</type> + <enablefields>aliasdest,autonot</enablefields> + <usecolspan2/> + <combinefields>begin</combinefields> + </field> + <field> + <fieldname>aliasdest</fieldname> + <description><![CDATA[<a href="/firewall_aliases.php?tab=ip">Click Here to add/edit Aliases</a> + Do not manually enter Addresses(es). 
<br />Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + </description> + <size>21</size> + <type>aliases</type> + <typealiases>network</typealiases> + <dontdisplayname/> + <usecolspan2/> + <combinefields/> + </field> + <field> + <fielddescr>Invert</fielddescr> + <fieldname>autonot</fieldname> + <description><![CDATA[<div style="padding-left: 22px;"><strong>Invert</strong> - Option to invert the sense of the match.<br /> + ie - Not (!) Destination Address(es)</div>]]> + </description> + <type>checkbox</type> + <dontdisplayname/> + <usecolspan2/> + <combinefields>end</combinefields> + </field> + <field> + <fielddescr>Custom Protocol</fielddescr> + <fieldname>autoproto</fieldname> + <description><![CDATA[<strong>Default: any</strong><br />Select the Protocol used for Inbound Firewall Rule(s).]]></description> + <type>select</type> + <options> + <option><name>any</name><value></value></option> + <option><name>TCP</name><value>tcp</value></option> + <option><name>UDP</name><value>udp</value></option> + <option><name>TCP/UDP</name><value>tcp/udp</value></option> + </options> + <size>4</size> + <default_value></default_value> + </field> + <field> <name>IPv6 Custom list</name> <type>listtopic</type> </field> 
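Review bot: The new "Advanced Inbound Firewall Rule Settings" info text presents Custom Port/Protocol/Destination as "more customization" but does not say that narrowing an Inbound rule on a Deny list means traffic from the listed sources on every other port, protocol or destination is no longer blocked by the auto-rule, and that `Invert` on a Permit list lets listed sources reach everything except the alias. I would extend the info description with: `Narrowing an Inbound Deny rule to a Custom Port/Protocol/Destination blocks only that traffic - listed sources can still reach every other port and destination. Use 'Invert' with care on Permit lists.` The two alias fields also tell the user not to enter values manually and not to use `pfB_` in the alias name, but this XML carries no validation and whether pfblockerng.inc rejects such names is not visible here; if it does not, a user alias carrying the package prefix may be mistaken for a package-managed alias, so a check in the package XML's validation hook would turn the advice into an enforced rule.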
@@ -389,18 +468,19 @@ <field> <fielddescr>Update Custom List</fielddescr> <fieldname>custom_update</fieldname> - <description><![CDATA[Default:<strong>Disable</strong><br /> - Select - Enable Update if changes are made to this List. Cron will also resync this list at the next Scheduled Update.]]> + <description><![CDATA[Select - '<strong>Default</strong>' to update Custom List as per Update Frequency setting.<br /> + Select - '<strong>Update Custom List</strong>' followed by a 'Force Update' to apply Custom List Changes.<br /> + Cron will also resync this Custom List at the next Update Frequency.]]> </description> <type>select</type> <options> - <option><name>Disable</name><value>disabled</value></option> - <option><name>Enable</name><value>enabled</value></option> + <option><name>Default</name><value>disabled</value></option> + <option><name>Update Custom List</name><value>enabled</value></option> </options> </field> <field> - <name><![CDATA[<ul>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or - 'Force Update'</ul>]]></name> + <name><![CDATA[<center>Click to SAVE Settings and/or Rule Edits. Changes are Applied via CRON or + 'Force Update'</center>]]></name> <type>listtopic</type> </field> </fields> |