diff options
Diffstat (limited to 'config')
-rw-r--r-- | config/pfblockerng/pfblockerng.inc.bak | 2701 |
1 files changed, 0 insertions, 2701 deletions
diff --git a/config/pfblockerng/pfblockerng.inc.bak b/config/pfblockerng/pfblockerng.inc.bak deleted file mode 100644 index da5a5261..00000000 --- a/config/pfblockerng/pfblockerng.inc.bak +++ /dev/null @@ -1,2701 +0,0 @@ -<?php -/* - pfBlockerNG.inc - - pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com - All rights reserved. - - part of the Postfix package for pfSense - Copyright (C) 2010 Erik Fonnesbeck - Based upon pfBlocker by - Copyright (C) 2011-2012 Marcello Coutinho - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - -*/ - -//error_reporting(E_ALL); - -require_once("util.inc"); -require_once("functions.inc"); -require_once("pkg-utils.inc"); -require_once("pfsense-utils.inc"); -require_once("globals.inc"); -require_once("services.inc"); - -# [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings. -function pfb_global() { - global $g,$config,$pfb; - - # Collect pfSense Version - $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3); - - # Folders - $pfb['dbdir'] = "{$g['vardb_path']}/pfblockerng"; - $pfb['aliasdir'] = "{$g['vardb_path']}/aliastables"; - $pfb['logdir'] = "{$g['varlog_path']}/pfblockerng"; - $pfb['etdir'] = "{$pfb['dbdir']}/ET"; - $pfb['nativedir'] = "{$pfb['dbdir']}/native"; - $pfb['denydir'] = "{$pfb['dbdir']}/deny"; - $pfb['matchdir'] = "{$pfb['dbdir']}/match"; - $pfb['permitdir'] = "{$pfb['dbdir']}/permit"; - $pfb['origdir'] = "{$pfb['dbdir']}/original"; - $pfb['ccdir'] = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP"; - - # Create Folders if not Exist. - $folder_array = array ("{$pfb['dbdir']}","{$pfb['logdir']}","{$pfb['ccdir']}","{$pfb['origdir']}","{$pfb['nativedir']}","{$pfb['denydir']}","{$pfb['matchdir']}","{$pfb['permitdir']}","{$pfb['aliasdir']}"); - foreach ($folder_array as $folder) { - safe_mkdir ("{$folder}",0755); - } - - # Files - $pfb['master'] = "{$pfb['dbdir']}/masterfile"; - $pfb['errlog'] = "{$pfb['logdir']}/error.log"; - $pfb['geolog'] = "{$pfb['logdir']}/geoip.log"; - $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log"; - $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt"; - $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh'; - $pfb['aliasarchive'] = "/usr/pbi/pfblockerng-" . php_uname("m") . "/etc/aliastables.tar.bz2"; - - # General Variables - $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0]; - - # Enable/Disable of pfBlockerNG - $pfb['enable'] = $pfb['config']['enable_cb']; - # Keep Blocklists on pfBlockerNG Disable - $pfb['keep'] = $pfb['config']['pfb_keep']; - # Enable Suppression - $pfb['supp'] = $pfb['config']['suppression']; - # Max Lines in pfblockerng.log file - $pfb['logmax'] = $pfb['config']['log_maxlines']; - $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr']; - # Disable Country Database CRON Updates - $pfb['cc'] = $pfb['config']['database_cc']; - - # Set pfBlockerNG to Disabled on 'Re-Install' - if (isset($pfb['install']) && $pfb['install']) { - $pfb['enable'] = ""; - $pfb['install'] = FALSE; - } -} - -pfb_global(); - -# Set Max PHP Memory Setting -$uname = posix_uname(); -if ($uname['machine'] == 'amd64') - ini_set('memory_limit', '256M'); - - -# Function to decode to Alias Custom Entry Box. -function pfbng_text_area_decode($text) { - return preg_replace('/\r\n/', "\n",base64_decode($text)); -} - - -# Manage Log File Line Limit -function pfb_log_mgmt() { - global $pfb; - pfb_global(); - - if ($pfb['logmax'] == "nolimit") { - # Skip Log Mgmt - } else { - exec("/usr/bin/tail -n {$pfb['logmax']} {$pfb['log']} > /tmp/pfblog; /bin/mv -f /tmp/pfblog {$pfb['log']}"); - } -} - - -# Record Log Messsages to pfBlockerNG Log File and/or Error Log File. -function pfb_logger($log, $type) { - global $g,$pfb,$pfbarr; - - $now = date("m/d/y G:i:s", time()); - - # Only log timestamp if new - if (preg_match("/NOW/", $log)) { - if ($now == $pfb['pnow']) { - $log = str_replace("[ NOW ]", "", "{$log}"); - } else { - $log = str_replace("NOW", $now, "{$log}"); - } - $pfb['pnow'] = "{$now}"; - } - - if ($type == 2) { - @file_put_contents("{$pfb['log']}", "{$log}", FILE_APPEND); - @file_put_contents("{$pfb['errlog']}", "{$log}", FILE_APPEND); - } elseif ($type == 3) { - @file_put_contents("{$pfb['geolog']}", "{$log}", FILE_APPEND); - } else { - @file_put_contents("{$pfb['log']}", "{$log}", FILE_APPEND); - } -} - - -# Determine Folder Location for 'List' -function pfb_determine_list_detail($list) { - global $g,$pfb,$pfbarr; - $pfbarr = array(); - - if (in_array($list,array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { - $pfbarr['skip'] = FALSE; - $pfbarr['folder'] = "{$pfb['matchdir']}"; - } elseif (in_array($list,array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))) { - $pfbarr['skip'] = FALSE; - $pfbarr['folder'] = "{$pfb['permitdir']}"; - } elseif ($list == "Alias_Native") { - $pfbarr['skip'] = FALSE; - $pfbarr['folder'] = "{$pfb['nativedir']}"; - } else { - # Deny - $pfbarr['skip'] = TRUE; - $pfbarr['folder'] = "{$pfb['denydir']}"; - } - - // Collect proper Alias Table Description (Alias Only vs AutoRules) - if (preg_match("/Alias/", $list)) { - $pfbarr['descr'] = ""; - } else { - $pfbarr['descr'] = " Auto "; - } - - return $pfbarr; -} - -# Create Suppression Alias -function pfb_create_suppression_alias() { - global $config; - - // Collect existing pfsense alias(s) - if (is_array($config['aliases']['alias'])) { - foreach($config['aliases']['alias'] as $exalias) { - $new_aliases[] = $exalias; - } - } - // Create New pfBlockerNGSuppress Alias - $new_aliases[] = array( "name" => "pfBlockerNGSuppress", - "address" => "", - "descr" => "pfBlockerNG Suppression List (24|32 CIDR only)", - "type" => "network", - "detail" => "" - ); - $config['aliases']['alias'] = $new_aliases; - write_config(); -} - - -# Create Suppression file from Alias -function pfb_create_suppression_file() { - global $config,$pfb; - - // Find pfBlockerNGSuppress Array ID Number - $pfb['found'] = FALSE; - if (is_array($config['aliases']['alias'])) { - $pfb_id = 0; - foreach ($config['aliases']['alias'] as $alias) { - if ($alias['name'] == "pfBlockerNGSuppress") { - $pfb['found'] = TRUE; - break; - } - $pfb_id++; - } - - if ($pfb['found']) { - $pfb_suppress = str_replace(" ", "\n", $config['aliases']['alias'][$pfb_id]['address']); - if (!empty($pfb_suppress)) - @file_put_contents("{$pfb['supptxt']}",$pfb_suppress, LOCK_EX); - } else { - # Delete Suppression File if Alias is Empty. - unlink_if_exists("{$pfb['supptxt']}"); - } - } - - // Call Function to Create Suppression Alias. - if (!$pfb['found']) - pfb_create_suppression_alias(); -} - - -// IPv6 Range to CIDR function used courtesey from: -// https://github.com/stilez/pfsense-leases/blob/50cc0fa81dba5fe91bcddaea016c245d1b8479cc/etc/inc/util.inc -function ip_range_to_subnet_array_temp2($ip1, $ip2) { - - if (is_ipaddrv4($ip1) && is_ipaddrv4($ip2)) { - $proto = 'ipv4'; // for clarity - $bits = 32; - $ip1bin = decbin(ip2long32($ip1)); - $ip2bin = decbin(ip2long32($ip2)); - } elseif (is_ipaddrv6($ip1) && is_ipaddrv6($ip2)) { - $proto = 'ipv6'; - $bits = 128; - $ip1bin = Net_IPv6::_ip2Bin($ip1); - $ip2bin = Net_IPv6::_ip2Bin($ip2); - } else - return array(); - - // it's *crucial* that binary strings are guaranteed the expected length; do this for certainty even though for IPv6 it's redundant - $ip1bin = str_pad($ip1bin, $bits, '0', STR_PAD_LEFT); - $ip2bin = str_pad($ip2bin, $bits, '0', STR_PAD_LEFT); - - if ($ip1bin === $ip2bin) - return array($ip1 . '/' . $bits); - - if (strcmp($ip1bin, $ip2bin) > 0) - list ($ip1bin, $ip2bin) = array($ip2bin, $ip1bin); // swap contents of ip1 <= ip2 - - $rangesubnets = array(); - $netsize = 0; - - do { - // at loop start, $ip1 is guaranteed strictly less than $ip2 (important for edge case trapping and preventing accidental binary wrapround) - // which means the assignments $ip1 += 1 and $ip2 -= 1 will always be "binary-wrapround-safe" - - // step #1 if start ip (as shifted) ends in any '1's, then it must have a single cidr to itself (any cidr would include the '0' below it) - - if (substr($ip1bin, -1, 1) == '1') { - // the start ip must be in a separate one-IP cidr range - $new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize); - $rangesubnets[$new_subnet_ip] = $bits - $netsize; - $n = strrpos($ip1bin, '0'); //can't be all 1's - $ip1bin = ($n == 0 ? '' : substr($ip1bin, 0, $n)) . '1' . str_repeat('0', $bits - $n - 1); // BINARY VERSION OF $ip1 += 1 - } - - // step #2, if end ip (as shifted) ends in any zeros then that must have a cidr to itself (as cidr cant span the 1->0 gap) - - if (substr($ip2bin, -1, 1) == '0') { - // the end ip must be in a separate one-IP cidr range - $new_subnet_ip = substr($ip2bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize); - $rangesubnets[$new_subnet_ip] = $bits - $netsize; - $n = strrpos($ip2bin, '1'); //can't be all 0's - $ip2bin = ($n == 0 ? '' : substr($ip2bin, 0, $n)) . '0' . str_repeat('1', $bits - $n - 1); // BINARY VERSION OF $ip2 -= 1 - // already checked for the edge case where end = start+1 and start ends in 0x1, above, so it's safe - } - - // this is the only edge case arising from increment/decrement. - // it happens if the range at start of loop is exactly 2 adjacent ips, that spanned the 1->0 gap. (we will have enumerated both by now) - - if (strcmp($ip2bin, $ip1bin) < 0) - continue; - - // step #3 the start and end ip MUST now end in '0's and '1's respectively - // so we have a non-trivial range AND the last N bits are no longer important for CIDR purposes. - - $shift = $bits - max(strrpos($ip1bin, '0'), strrpos($ip2bin, '1')); // num of low bits which are '0' in ip1 and '1' in ip2 - $ip1bin = str_repeat('0', $shift) . substr($ip1bin, 0, $bits - $shift); - $ip2bin = str_repeat('0', $shift) . substr($ip2bin, 0, $bits - $shift); - $netsize += $shift; - if ($ip1bin === $ip2bin) { - // we're done. - $new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize); - $rangesubnets[$new_subnet_ip] = $bits - $netsize; - continue; - } - - // at this point there's still a remaining range, and either startip ends with '1', or endip ends with '0'. So repeat cycle. - } while (strcmp($ip1bin, $ip2bin) < 0); - - // subnets are ordered by bit size. Re sort by IP ("naturally") and convert back to IPv4/IPv6 - - ksort($rangesubnets, SORT_STRING); - $out = array(); - - foreach ($rangesubnets as $ip => $netmask) { - if ($proto == 'ipv4') { - $i = str_split($ip, 8); - $out[] = implode('.', array( bindec($i[0]),bindec($i[1]),bindec($i[2]),bindec($i[3]))) . '/' . $netmask; - } else - $out[] = Net_IPv6::compress(Net_IPv6::_bin2Ip($ip)) . '/' . $netmask; - } - - return $out; -} - - -// Archive Aliastables for NanoBSD and RAMDisk Installations -function pfb_aliastables($mode) { - global $g,$config,$pfb; - $earlyshellcmd = "/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables"; - $msg = ""; - - // Only Execute function if Platform is NanoBSD or Ramdisks are used. - if (($g['platform'] != "pfSense") || isset($config['system']['use_mfs_tmpvar'])) { - conf_mount_rw(); - if ($mode == "update") { - // Archive Aliastable Folder - exec ("cd {$pfb['aliasdir']}; ls -A pfB_*.txt && /usr/bin/tar -jcvf {$pfb['aliasarchive']} pfB_*.txt >/dev/null 2>&1"); - $msg = "\n\nArchiving Aliastable Folder\n"; - } - elseif ($mode == "conf") { - // Check conf file for earlyshellcmd - if (is_array($config['system']['earlyshellcmd'])) { - $a_earlyshellcmd = &$config['system']['earlyshellcmd']; - if (!preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { - $a_earlyshellcmd[] = "{$earlyshellcmd}"; - $msg = "\n** Adding earlyshellcmd **\n"; - } - } - else { - $config['system']['earlyshellcmd'] = "{$earlyshellcmd}"; - $msg = "\n** Adding earlyshellcmd **\n"; - } - } - conf_mount_ro(); - } - else { - if (file_exists("{$pfb['aliasarchive']}")) { - // Remove Aliastables archive if found. - conf_mount_rw(); - @unlink_if_exists("{$pfb['aliasarchive']}"); - conf_mount_ro(); - } - // Remove earlyshellcmd if found. - if (is_array($config['system']['earlyshellcmd'])) { - $a_earlyshellcmd = &$config['system']['earlyshellcmd']; - if (preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { - $a_earlyshellcmd = preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd, PREG_GREP_INVERT); - $msg = "\n** Removing earlyshellcmd **\n"; - } - } - } - - if ($msg != "") - pfb_logger("{$msg}","1"); -} - - -# Main pfBlockerNG Function -function sync_package_pfblockerng($cron = "") { - - global $g,$config,$pfb,$pfbarr; - pfb_global(); - - # Detect Boot Process or Update via CRON - if (isset($_POST) && $cron == "") { - if (!preg_match("/\w+/",$_POST['__csrf_magic'])) { - log_error("[pfBlockerNG] Sync terminated during boot process."); - return; - } - } - log_error("[pfBlockerNG] Starting sync process."); - - // Force Update - Set 'Save' variable when 'No Updates' found. - if ($cron == "noupdates") { - $pfb['save'] = TRUE; - } - - # Start of pfBlockerNG Logging to 'pfblockerng.log' - if ($pfb['enable'] == "on" && !$pfb['save']) { - $log = " UPDATE PROCESS START [ NOW ]\n"; - pfb_logger("{$log}","1"); - } else { - if ($cron != "noupdates") { - $log = "\n**Saving Configuration [ NOW ] ...\n"; - pfb_logger("{$log}","1"); - } - } - - // Call function for NanoBSD/Ramdisk processes. - pfb_aliastables("conf"); - - # Collect pfSense Max Table Size Entry - $pfb['table_limit'] = ($config['system']['maximumtableentries'] != "" ? $config['system']['maximumtableentries'] : "2000000"); - - # If Table limit not defined, set Default to 2M - $config['system']['maximumtableentries'] = "{$pfb['table_limit']}"; - - # Collect local web gui configuration - $pfb['weblocal'] = ($config['system']['webgui']['protocol'] != "" ? $config['system']['webgui']['protocol'] : "http"); - $pfb['port'] = $config['system']['webgui']['port']; - if ($pfb['port'] == "") { - if ($config['system']['webgui']['protocol'] == "http") { - $pfb['port'] = "80"; - } else { - $pfb['port'] = "443"; - } - } - $pfb['weblocal'] .= "://127.0.0.1:{$pfb['port']}/pfblockerng/pfblockerng.php"; - - # Define Inbound/Outbound Action is not user selected. - $pfb['deny_action_inbound'] = ($pfb['config']['inbound_deny_action'] != "" ? $pfb['config']['inbound_deny_action'] : "block"); - $pfb['deny_action_outbound'] = ($pfb['config']['outbound_deny_action'] != "" ? $pfb['config']['outbound_deny_action'] : "reject"); - - # Validation check to see if the Original pfBlocker package is Enabled - $pfb['validate']= $pfb['config']['pfblocker_cb']; - # User Defined CRON Start Minute - $pfb['min'] = $pfb['config']['pfb_min']; - # Reloads Existing Blocklists without Downloading New Lists - $pfb['reuse'] = $pfb['config']['pfb_reuse']; - # Enable OpenVPN AutoRules - $pfb['openvpn'] = $pfb['config']['openvpn_action']; - # Enable/Disable Floating Auto-Rules - $pfb['float'] = $pfb['config']['enable_float']; - # Enable Remove of Duplicate IPs utilizing Grepcidr - $pfb['dup'] = $pfb['config']['enable_dup']; - # Order of the Auto-Rules - $pfb['order'] = $pfb['config']['pass_order']; - # Suffix used for Auto-Rules - $pfb['suffix'] = $pfb['config']['autorule_suffix']; - - # Reputation Variables - $pfb['config_rep'] = $config['installedpackages']['pfblockerngreputation']['config'][0]; - - # Enable/Disable Reputation - $pfb['rep'] = $pfb['config_rep']['enable_rep']; - # Enable/Disable 'pDup' - $pfb['pdup'] = $pfb['config_rep']['enable_pdup']; - # Enable/Disable 'dDup' - $pfb['dedup'] = ($pfb['config_rep']['enable_dedup'] != "" ? $pfb['config_rep']['enable_dedup'] : "x"); - # 'Max' variable setting for Reputation - $pfb['max'] = ($pfb['config_rep']['p24_max_var'] != "" ? $pfb['config_rep']['p24_max_var'] : "x"); - # 'dMax' variable setting for Reputation - $pfb['dmax'] = ($pfb['config_rep']['p24_dmax_var'] != "" ? $pfb['config_rep']['p24_dmax_var'] : "x"); - # 'pMax' variable setting for Reputation - $pfb['pmax'] = ($pfb['config_rep']['p24_pmax_var'] != "" ? $pfb['config_rep']['p24_pmax_var'] : "x"); - # Action for Whitelist Country Category - $pfb['ccwhite'] = $pfb['config_rep']['ccwhite']; - # Action for Blacklist Country Category - $pfb['ccblack'] = $pfb['config_rep']['ccblack']; - # List of Countries in the Whitelist Category - $pfb['ccexclude']= ($pfb['config_rep']['ccexclude'] != "" ? $pfb['config_rep']['ccexclude'] : "x"); - # Emerging Threats IQRisk Block Categories - $pfb['etblock'] = ($pfb['config_rep']['etblock'] != "" ? $pfb['config_rep']['etblock'] : "x"); - # Emerging Threats IQRisk Match Categories - $pfb['etmatch'] = ($pfb['config_rep']['etmatch'] != "" ? $pfb['config_rep']['etmatch'] : "x"); - # Perform a Force Update on ET Categories - $pfb['etupdate']= $pfb['config_rep']['et_update']; - - # Variables - - # Starting Variable to Skip rep, pdup and dedeup functions if no changes are required - $pfb['dupcheck'] = FALSE; - ## $pfb['save'] is used to determine if User pressed "Save" Button to avoid Collision with CRON. - ## This is defined in each pfBlockerNG XML Files - - # Validation Check to ensure pfBlocker and pfBlockerNG are not running at the same time. - if ($pfb['validate'] == "") { - # Collect pfBlocker Enabled Status from config file - $pfb['validate_chk'] = $config['installedpackages']['pfblocker']['config'][0]['enable_cb']; - if ($pfb['validate_chk'] == "on") { - $log = "\n The Package 'pfBlocker' is currently Enabled. Either Disable pfBlocker, or 'Disable Validation Check' in pfBlockerNG \n"; - pfb_logger("{$log}","1"); - return; - } - } - - - ################################# - # Configure ARRAYS # - ################################# - - $continents = array ( "Africa" => "pfB_Africa", - "Antartica" => "pfB_Antartica", - "Asia" => "pfB_Asia", - "Europe" => "pfB_Europe", - "North America" => "pfB_NAmerica", - "Oceania" => "pfB_Oceania", - "South America" => "pfB_SAmerica", - "Top Spammers" => "pfB_Top", - "Proxy and Satellite" => "pfB_PS" - ); - - #create rules vars and arrays - # Array used to Collect Changes to Aliases to be saved to Config - $new_aliases = array(); - $new_aliases_list = array(); - $continent_existing = array(); - $continent_new = array(); - $permit_inbound = array(); - $permit_outbound = array(); - $deny_inbound = array(); - $deny_outbound = array(); - # An Array of all Aliases (Active and non-Active) - $aliases_list = array(); - # This is an Array of Aliases that Have Updated Lists via CRON/Force Update when 'Reputation' disabled. - $pfb_alias_lists = array(); - # This is an Array of All Active Aliases used when 'Reputation' enabled - $pfb_alias_lists_all = array(); - - # Base Rule Array - $base_rule_reg = array( "id" => "", - "tag" => "", - "tagged" => "", - "max" => "", - "max-src-nodes" => "", - "max-src-conn" => "", - "max-src-states"=> "", - "statetimeout" => "", - "statetype" => "keep state", - "os" => "" - ); - - # Floating Rules, Base Rule Array - $base_rule_float = array("id" => "", - "tag" => "", - "tagged" => "", - "quick" => "yes", - "floating" => "yes", - "max" => "", - "max-src-nodes" => "", - "max-src-conn" => "", - "max-src-states"=> "", - "statetimeout" => "", - "statetype" => "keep state", - "os" => "" - ); - - - ######################################### - # Configure Rule Suffix # - ######################################### - - # Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order ) - # To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules - $pfb['autorules'] = FALSE; - $pfb['found'] = FALSE; - foreach ($continents as $continent => $pfb_alias) { - if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { - $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; - if ($continent_config['action'] != "Disabled" && in_array($continent_config['action'],array('Deny_Both','Deny_Inbound','Deny_Outbound','Match_Both','Match_Inbound','Match_Outbound','Permit_Both','Permit_Inbound','Permit_Outbound'))) { - $pfb['autorules'] = TRUE; - $pfb['found'] = TRUE; - break; - } - } - } - - $list_type = array ("pfblockernglistsv4", "pfblockernglistsv6"); - foreach ($list_type as $ip_type) { - if ($config['installedpackages'][$ip_type]['config'] != "" && !$pfb['found']) { - foreach($config['installedpackages'][$ip_type]['config'] as $list) { - if ($list['action'] != "Disabled" && in_array($list['action'],array('Deny_Both','Deny_Inbound','Deny_Outbound','Match_Both','Match_Inbound','Match_Outbound','Permit_Both','Permit_Inbound','Permit_Outbound'))) { - $pfb['autorules'] = TRUE; - break; - } - } - } - } - - #Configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules - # Count Number of Rules with 'pfB_' - $count = 0; - if (is_array($config['filter']['rule'])) { - foreach ($config['filter']['rule'] as $rule) { - # Collect any pre-existing Suffix - if (preg_match("/pfB_\w+(\s.*)/",$rule['descr'], $pfb_suffix_real) && $count == 0) { - $pfb_suffix_match = $pfb_suffix_real[1]; - } - # Query for Existing pfB Rules - if (preg_match("/pfB_/",$rule['descr'])) { - $count++; - break; - } - } - } - - # Change Suffix only if No pfB Rules Found and Auto Rules are Enabled. - if ($pfb['autorules'] && $count == 0) { - switch ($pfb['suffix']) { - case "autorule": - $pfb['suffix'] = " auto rule"; - break; - case "standard": - $pfb['suffix'] = ""; - break; - case "ar": - $pfb['suffix'] = " AR"; - break; - } - } else { - if ($pfb['autorules']) { - # Use existing Suffix Match - $pfb['suffix'] = $pfb_suffix_match; - } else { - # Leave Rule Suffix 'Blank' - $pfb['suffix'] = ""; - } - } - - - ######################################################### - # Configure INBOUND/OUTBOUND INTERFACES # - ######################################################### - - # Collect pfSense Interface Order - $ifaces = get_configured_interface_list(); - - if (!empty($pfb['config']['inbound_interface'])) { - # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. - $selected_interfaces = explode(",",$pfb['config']['inbound_interface']); - # Sort pfBlockerNG Interface order to pfSense Interface Order - $sort_interfaces = array_intersect($ifaces, $selected_interfaces); - $implode_interfaces = ltrim(implode(",",$sort_interfaces), ","); - # CSV String for Inbound Interfaces for 'pfB_' Match Rules - $pfb['inbound_floating'] = $implode_interfaces; - $pfb['inbound_interfaces_float'] = explode(" ",$implode_interfaces); - - # Assign Inbound Base Rule/Interfaces - if ($pfb['float'] == "on") { - # Define Base Firewall Floating Rules Settings - $base_rule = $base_rule_float; - $pfb['inbound_interfaces'] = $pfb['inbound_interfaces_float']; - } else { - # Define Base Firewall Rules Settings - $base_rule = $base_rule_reg; - $pfb['inbound_interfaces'] = explode(",",$pfb['config']['inbound_interface']); - } - } else { - # Define Empty Variable/Array - $pfb['inbound_interfaces_float'] = ""; - $pfb['inbound_interfaces'] = array(); - } - - if (!empty($pfb['config']['outbound_interface'])) { - # Sort Interface Array to match pfSense Interface order to allow Floating Rules to populate. - $selected_interfaces = explode(",",$pfb['config']['outbound_interface']); - # Sort pfBlockerNG Interface order to pfSense Interface Order - $sort_interfaces = array_intersect($ifaces, $selected_interfaces); - // If OpenVPN Interfaces are not in dropdown menu - if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) - if (!in_array("openvpn",$sort_interfaces)) - array_push($sort_interfaces, "openvpn"); - $implode_interfaces = ltrim(implode(",",$sort_interfaces), ","); - # CSV String for Outbound Interfaces for 'pfB_' Match Rules - $pfb['outbound_floating'] = $implode_interfaces; - $pfb['outbound_interfaces_float'] = explode(" ",$implode_interfaces); - - # Assign Outbound Base Rule/Interfaces - if ($pfb['float'] == "on") { - $base_rule = $base_rule_float; - $pfb['outbound_interfaces'] = $pfb['outbound_interfaces_float']; - } else { - $base_rule = $base_rule_reg; - $pfb['outbound_interfaces'] = explode(",",$pfb['config']['outbound_interface']); - // If OpenVPN Interfaces are not in dropdown menu - if ($pfb['openvpn'] == "on" && $config['openvpn']['openvpn-server'] || $pfb['openvpn'] == "on" && $config['openvpn']['openvpn-client']) - if (!in_array("openvpn",$sort_interfaces)) - array_push($pfb['outbound_interfaces'], "openvpn"); - } - } else { - # Define Empty Variable/Array - $pfb['outbound_interfaces_float'] = ""; - $pfb['outbound_interfaces'] = array(); - } - - - ################################################# - # Clear Removed Lists from Masterfiles # - ################################################# - - # Process to keep Masterfiles in Sync with Valid Lists from config.conf file. - $pfb['sync_master'] = TRUE; - - # Don't execute this function when pfBlockerNG is Disabled and 'Keep Blocklists' is enabled. - if ($pfb['enable'] == "" && $pfb['keep'] == "on") - $pfb['sync_master'] = FALSE; - - if ($pfb['sync_master']) { - $pfb['existing']['match']['type'] = "match"; - $pfb['existing']['permit']['type'] = "permit"; - $pfb['existing']['deny']['type'] = "deny"; - $pfb['existing']['native']['type'] = "native"; - $pfb['existing']['match']['folder'] = "{$pfb['matchdir']}"; - $pfb['existing']['permit']['folder'] = "{$pfb['permitdir']}"; - $pfb['existing']['deny']['folder'] = "{$pfb['denydir']}"; - $pfb['existing']['native']['folder'] = "{$pfb['nativedir']}"; - $pfb['actual']['match']['type'] = "match"; - $pfb['actual']['permit']['type'] = "permit"; - $pfb['actual']['deny']['type'] = "deny"; - $pfb['actual']['native']['type'] = "native"; - $pfb['actual']['match']['folder'] = "{$pfb['matchdir']}"; - $pfb['actual']['permit']['folder'] = "{$pfb['permitdir']}"; - $pfb['actual']['deny']['folder'] = "{$pfb['denydir']}"; - $pfb['actual']['native']['folder'] = "{$pfb['nativedir']}"; - - // Find all Enabled Continents Lists - foreach ($continents as $continent => $pfb_alias) { - if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config']) && $pfb['enable'] == "on") { - $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; - if ($continent_config['action'] != "Disabled") { - $cont_type = array ("countries4" => "_v4", "countries6" => "_v6"); - foreach ($cont_type as $c_type => $vtype) { - if ($continent_config[$c_type] != "") { - # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' - if (in_array($continent_config['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { - $pfb['existing']['match'][] = "{$pfb_alias}{$vtype}"; - } elseif (in_array($continent_config['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))){ - $pfb['existing']['permit'][] = "{$pfb_alias}{$vtype}"; - } elseif ($continent_config['action'] == "Alias_Native") { - $pfb['existing']['native'][] = "{$pfb_alias}{$vtype}"; - } else { - $pfb['existing']['deny'][] = "{$pfb_alias}{$vtype},"; // Add Trailing ',' - } - } - } - } - } - } - - # Find all Enabled IPv4/IPv6 Lists - $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); - foreach ($list_type as $ip_type => $vtype) { - if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { - if (is_array($list['row']) && $list['action'] != "Disabled") { - foreach ($list['row'] as $row) { - if ($vtype == "_v4") { - $pfb_alias = "{$row['header']}"; - } else { - $pfb_alias = "{$row['header']}_v6"; - } - # Collect Enabled Lists - if ($row['url'] != "" && $row['state'] != "Disabled") { - # Set Parameters for 'Match', 'Permit', 'Native' and 'Deny' - if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { - $pfb['existing']['match'][] = "{$pfb_alias}"; - } elseif (in_array($list['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))) { - $pfb['existing']['permit'][] = "{$pfb_alias}"; - } elseif ($list['action'] == "Alias_Native") { - $pfb['existing']['native'][] = "{$pfb_alias}"; - } else { - $pfb['existing']['deny'][] = "{$pfb_alias},"; // Add Trailing ',' - } - } - } - } - } - } - } - - # Find all Enabled IPv4 'Custom List' Header Names and Check if 'Emerging Threats Update' and 'Custom List Update' Needs Force Updating - $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); - foreach ($list_type as $ip_type => $vtype) { - if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { - $count = -1; - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { - if (is_array($list['row']) && $list['action'] != "Disabled") { - $count++; - # Check if 'Emerging Threats Update' Needs Updating before next CRON Event. - if (is_array($list['row']) && $row['state'] != "Disabled" && $pfb['etupdate'] == "enabled" && $vtype == "_v4") { - foreach ($list['row'] as $row) { - $aliasname = $row['header']; - if ($row['format'] == "et") { - unlink_if_exists("{$pfb['denydir']}/{$aliasname}.txt"); - $config['installedpackages']['pfblockerngreputation']['config'][0]['et_update'] = "disabled"; - break; - } - } - } - } - - # Collect Enabled Custom List Box Aliases - if (pfbng_text_area_decode($list['custom']) != "") { - if ($vtype == "_v4") { - $pfb_alias = "{$list['aliasname']}_custom"; - } else { - $pfb_alias = "{$list['aliasname']}_custom_v6"; - } - # Determine Folder Location for 'List' - if (in_array($list['action'],array('Match_Both','Match_Inbound','Match_Outbound','Alias_Match'))) { - $pfb['existing']['match'][] = "{$pfb_alias}"; - $pfbfolder = "{$pfb['matchdir']}"; - } elseif (in_array($list['action'],array('Permit_Both','Permit_Inbound','Permit_Outbound','Alias_Permit'))) { - $pfb['existing']['permit'][] = "{$pfb_alias}"; - $pfbfolder = "{$pfb['permitdir']}"; - } elseif ($list['action'] == "Alias_Native") { - $pfb['existing']['native'][] = "{$pfb_alias}"; - $pfbfolder = "{$pfb['nativedir']}"; - } else { - $pfb['existing']['deny'][] = "{$pfb_alias},"; // Add Trailing ',' - $pfbfolder = "{$pfb['denydir']}"; - } - # Determine if 'Custom List' Needs Force Updating before next CRON Event. - if ($list['custom_update'] == "enabled") { - unlink_if_exists("{$pfbfolder}/{$pfb_alias}.txt"); - # Uncheck 'Enabled' in List 'Custom_update' Setting - $config['installedpackages'][$ip_type]['config'][$count]['custom_update'] = "disabled"; - } - } - } - } - } - - # Collect all .txt file Names for each List Type - $list_types = array('match' => $pfb['matchdir'], 'permit' => $pfb['permitdir'], 'deny' => $pfb['denydir'], 'native' => $pfb['nativedir']); - foreach ($list_types as $type => $pfbfolder) { - $pfb_files = glob("$pfbfolder/*.txt"); - foreach ($pfb_files as $pfb_list) { - $pfb_file = basename($pfb_list,".txt"); - if ($type == "deny") { - $pfb['actual'][$type][] = "{$pfb_file},"; // Add Trailing ',' - } else { - $pfb['actual'][$type][] = "{$pfb_file}"; - } - } - } - - # Flag to execute pfctl and Rules Ordering - $pfb['remove'] = FALSE; - # Execute Final Summary as a List was Removed - $pfb['summary'] = FALSE; - - # Process to Remove Lists from Masterfile/DB Folder if they do not Exist - if (isset($pfb['existing'])) { - foreach ($pfb['existing'] as $pfb_exist) { - $existing_type = $pfb_exist['type']; - $pfbfolder = $pfb_exist['folder']; - foreach ($pfb['actual'] as $pfb_act) { - $actual_type = $pfb_act['type']; - if ($existing_type == $actual_type) { - switch ($existing_type) { - case "deny": - $results = array_diff($pfb_act, $pfb_exist); - $f_result = implode($results); - if ($f_result != "") { - $log = "[ Removing List(s) : {$f_result} ]\n"; - pfb_logger("{$log}","1"); - # Script to Remove un-associated Lists - exec ("{$pfb['script']} remove x x x {$f_result} >> {$pfb['log']} 2>&1"); - $pfb['summary'] = TRUE; - $pfb['remove'] = TRUE; - } - break; - case "match": - case "permit": - case "native": - $results = array_diff($pfb_act, $pfb_exist); - # This variable ($f_result) used in next section below. - $f_result = implode($results); - if (!empty($results)) { - foreach ($results as $pfb_results) { - $log = "[ Removing List(s) : {$pfb_results} ]\n"; - pfb_logger("{$log}","1"); - unlink_if_exists("{$pfbfolder}/{$pfb_results}.txt"); - } - $pfb['summary'] = TRUE; - $pfb['remove'] = TRUE; - } - break; - } - - # Allow Rebuilding of Changed Aliase to purge 'SKIP' Lists (when pfBlockerNG is Enabled) - $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); - foreach ($list_type as $ip_type => $vtype) { - if ($f_result != "" && $pfb['enable'] == "on") { - foreach ($results as $removed_header) { - if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { - $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); - if (is_array($list['row'])) { - foreach ($list['row'] as $row) { - $removed = rtrim($removed_header, ','); - if ($row['header'] == $removed) { - $pfb['summary'] = TRUE; - $pfb['remove'] = TRUE; - # Add Alias to Update Array - $pfb_alias_lists[] = "{$alias}"; - $pfb_alias_lists_all[] = "{$alias}"; - } - } - } - } - } - } - } - } - } - } - } - } - } - - ######################################################### - # Clear Match/Pass/ET/Original Files/Folders # - ######################################################### - - # When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled. - if ($pfb['enable'] == "" && $pfb['keep'] == "" && !$pfb['install']) { - $log = "\n Removing DB Files/Folders \n"; - pfb_logger("{$log}","1"); - - unlink_if_exists("{$pfb['dbdir']}/masterfile"); - unlink_if_exists("{$pfb['dbdir']}/mastercat"); - unlink_if_exists("{$pfb['supptxt']}"); - rmdir_recursive("{$pfb['origdir']}"); - rmdir_recursive("{$pfb['matchdir']}"); - rmdir_recursive("{$pfb['permitdir']}"); - rmdir_recursive("{$pfb['denydir']}"); - rmdir_recursive("{$pfb['nativedir']}"); - rmdir_recursive("{$pfb['etdir']}"); - } - - - ######################################### - # Create Suppression Txt File # - ######################################### - - if ($pfb['enable'] == "on" && $pfb['supp'] == "on") - pfb_create_suppression_file(); - - - ################################# - # Assign Countries # - ################################# - - foreach ($continents as $continent => $pfb_alias) { - if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { - $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; - if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") { - - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($continent_config['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfb_descr = $pfbarr['descr']; - $pfbfolder = $pfbarr['folder']; - - // Determine if Continent Lists require Action (IPv4 and IPv6) - $cont_type = array ("countries4" => "_v4", "countries6" => "_v6"); - foreach ($cont_type as $c_type => $vtype) { - - $continent = ""; - if ($continent_config[$c_type] != "") { - - // Collect Selected ISO Country Files - foreach (explode(",", $continent_config[$c_type]) as $iso) { - if ($iso != "" && file_exists($pfb['ccdir'] .'/' . $iso . $vtype . '.txt')) { - $continent .= file_get_contents ($pfb['ccdir'] . '/' . $iso . $vtype . '.txt'); - } - } - - if (file_exists($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')) - $continent_existing = preg_replace('/\s/', '', file ($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig')); - - // Collect New Continent Data for comparison. Cleanup Array for Comparison - $continent_new = preg_split ('/$\R?^/m', $continent); - $line = count ( $continent_new ) - 1; - $match = $continent_new[$line]; - $continent_new[$line] = rtrim($match, "\n"); - - # Check if pfBlockerNG pfctl Continent Tables are Empty (pfBlockerNG was Disabled w/ "keep", then Re-enabled) - $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$pfb_alias}{$vtype} | awk '/Addresses/ {s+=$2}; END {print s}'"); - if (empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) { - $file_cont = file_get_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt'); - @file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$file_cont, LOCK_EX); - # PFCTL - Update Only Aliases that have been updated. ('Reputation' Disabled) - $pfb_alias_lists[] = "{$pfb_alias}{$vtype}"; - } - - # Collect Active Alias Lists (Used for pfctl Update when 'Reputation' is enabled). - $pfb_alias_lists_all[] = "{$pfb_alias}{$vtype}"; - - // Compare Existing (Original File) and New Continent Data - if ($continent_new === $continent_existing && !empty($pfctlck) && file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt') && $pfb['reuse'] == "") { - # Format Log into clean Tab Spaces - $string_final = "{$pfb_alias}{$vtype}"; - if (strlen($string_final) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } - - if (!$pfb['save']) { - $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} exists, Reloading File [ NOW ]\n"; - pfb_logger("{$log}","1"); - } - } else { - // Do not proceed with Changes on User 'Save' - if (!$pfb['save']) { - $log = "\n[ {$pfb_alias}{$vtype} ] {$log_tab} Changes Found... Updating \n"; - pfb_logger("{$log}","1"); - - # Test to Skip d-dup and p-dup functions when changes are found. - $pfb['dupcheck'] = TRUE; - - $pfb_alias_lists[] = "{$pfb_alias}{$vtype}"; - - // Script to call Duplication Check Process only on IPv4 - if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") { - // Copy Continent Data to 'lists' folder for duplication processing - @file_put_contents($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig',$continent, LOCK_EX); - @file_put_contents($pfb['denydir'] . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX); - exec ("{$pfb['script']} continent {$pfb_alias}{$vtype} >> {$pfb['log']} 2>&1"); - $continent = file_get_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt'); - @file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX); - } else { - @file_put_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX); - @file_put_contents($pfb['origdir'] . '/' . $pfb_alias . $vtype . '.orig',$continent, LOCK_EX); - @file_put_contents($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt',$continent, LOCK_EX); - } - - # Check if File Exists and is >0 in Size and Save alias file - $file_chk = "0"; - $cont_chk = "{$pfbfolder}/{$pfb_alias}{$vtype}.txt"; - if (file_exists($cont_chk) && @filesize($cont_chk) >0) - $file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$cont_chk}"); - - if ($file_chk == "0" || $file_chk == "1") { - $new_file = "1.1.1.1\n"; - @file_put_contents($pfbfolder . '/' . $pfb_alias . $vtype . '.txt', $new_file, LOCK_EX); - @file_put_contents($pfb['aliasdir'] . "/" . $pfb_alias . $vtype . ".txt", $new_file, LOCK_EX); - $log = "[ {$pfb_alias}{$vtype} ] Found no Unique IPs, Adding '1.1.1.1' to avoid Empty File\n"; - pfb_logger("{$log}","1"); - } - } - } - - - if (file_exists($pfbfolder . '/' . $pfb_alias . $vtype . '.txt')) { - #Create alias config - $new_aliases_list[] = "{$pfb_alias}{$vtype}"; - - $pfb_contlog = $continent_config['aliaslog']; - - $new_aliases[] = array( "name" => "{$pfb_alias}{$vtype}", - "url" => "{$pfb['weblocal']}?pfb={$pfb_alias}{$vtype}", - "updatefreq" => "32", - "address" => "", - "descr" => "pfBlockerNG {$vtype} {$pfb_descr} Country Alias", - "type" => "urltable", - "detail" => "DO NOT EDIT THIS ALIAS" - ); - - #Create rule if action permits - switch ($continent_config['action']) { - case "Deny_Both": - case "Deny_Outbound": - $rule = $base_rule; - $rule['type'] = "{$pfb['deny_action_outbound']}"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr']= "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array("any" => ""); - $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}"); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $deny_outbound[] = $rule; - if ($continent_config['action'] != "Deny_Both") - break; - case "Deny_Inbound": - $rule = $base_rule; - $rule['type'] = "{$pfb['deny_action_inbound']}"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array("address" => "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ("any" => ""); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $deny_inbound[] = $rule; - break; - case "Permit_Both": - case "Permit_Outbound": - $rule = $base_rule; - $rule['type'] = "pass"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array("address" => "{$pfb_alias}{$vtype}"); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $permit_outbound[] = $rule; - if ($continent_config['action'] != "Permit_Both") - break; - case "Permit_Inbound": - $rule = $base_rule; - $rule['type'] = "pass"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array("address"=> "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ("any" => ""); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $permit_inbound[] = $rule; - break; - case "Match_Both": - case "Match_Outbound": - $rule = $base_rule_float; - $rule['type'] = "match"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - $rule['direction'] = "any"; - $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array ("address" => "{$pfb_alias}{$vtype}"); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $match_outbound[] = $rule; - if ($list['action'] != "Match_Both") - break; - case "Match_Inbound": - $rule = $base_rule_float; - $rule['type'] = "match"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - $rule['direction'] = "any"; - $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array ("address" => "{$pfb_alias}{$vtype}"); - $rule['destination'] = array ( "any" => ""); - if ($pfb['config']['enable_log'] == "on" || $pfb_contlog == "enabled") - $rule['log'] = ""; - $match_inbound[] = $rule; - break; - } - } else { - #unlink continent list if any - unlink_if_exists($pfb['aliasdir'] . '/' . $pfb_alias . $vtype . '.txt'); - } - } - } - } - #mark pfctl aliastable for cleanup - if (!in_array($pfb_alias, $aliases_list)) { - $aliases_list[] = "{$pfb_alias}{$vtype}"; - } - } - } - # UNSET variables - unset ($continent, $continent_existing, $continent_new); - - ################################################# - # Download and Collect IPv4/IPv6 lists # - ################################################# - - # IPv4 REGEX Definitions - $pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/'; - $pfb['block'] = '/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[ 0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.([0]{1})\s+/'; - $pfb['cidr'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/[0-9]{2})/'; - $pfb['single'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s+/'; - $pfb['s_html'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/'; - - # IPv4 preg_replace Regex Filter array - $pfb_ipreg = array(); - $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet - $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces - $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8 - $pfb_ipreg[3] = '/0\.0\.0\.0\/32/'; # Remove 0.0.0.0/32 - $pfb_ipreg[4] = '/0\.0\.0\.0/'; # Remove 0.0.0.0 - - # IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 ** - # https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html - $pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}'; - $pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; - $pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}'; - $pattern4 = '([A-Fa-f0-9]{1,4}:){3}:([A-Fa-f0-9]{1,4}:){0,3}[A-Fa-f0-9]{1,4}'; - $pattern5 = '([A-Fa-f0-9]{1,4}:){4}:([A-Fa-f0-9]{1,4}:){0,2}[A-Fa-f0-9]{1,4}'; - $pattern6 = '([A-Fa-f0-9]{1,4}:){5}:([A-Fa-f0-9]{1,4}:){0,1}[A-Fa-f0-9]{1,4}'; - $pattern7 = '([A-Fa-f0-9]{1,4}:){6}:[A-Fa-f0-9]{1,4}'; - $pattern8 = '[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; - $pattern9 = '[A-Fa-f0-9]{1,4}:([A-Fa-f0-9]{1,4}::)\/[0-9]{2}'; - $pattern10 = '[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; - $pfb['ipv6'] = "/($pattern1)|($pattern2)|($pattern3)|($pattern4)|($pattern5)|($pattern6)|($pattern7)|($pattern8)|($pattern9)|($pattern10)/"; - - $pfb['supp_update'] = FALSE; - $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); - foreach ($list_type as $ip_type => $vtype) { - if ($config['installedpackages'][$ip_type]['config'] != "") { - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { - if ($list['action'] != "Disabled" && $pfb['enable'] == "on" && !$pfb['save'] && is_array($list['row'])) { - # Capture Alias Name - $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); - foreach ($list['row'] as $row) { - if ($row['url'] != "" && $row['state'] != "Disabled") { - - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfbfolder = $pfbarr['folder']; - - if ($vtype == "_v4") { - $header_url = "{$row['header']}"; - } else { - $header_url = "{$row['header']}_v6"; - } - - # Format Log into clean Tab Spaces - if (strlen($header_url) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } - - // Empty Header Field Validation Check - if (empty($header_url) || preg_match("/\W/",$header_url)) { - $log = "\n [ {$row['url']} ]\n ** TERMINATED - Header contains Blank/International/Special or Spaces\n"; - pfb_logger("{$log}","2"); - continue; - } - - # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. - $pfb_alias_lists_all[] = "{$alias}"; - - if (file_exists($pfbfolder . '/' . $header_url . '.txt') && $pfb['reuse'] == "") { - if ($row['state'] == "Hold") { - $log = "\n[ {$header_url} ] {$log_tab} Static Hold [ NOW ]\n"; - } else { - $log = "\n[ {$header_url} ] {$log_tab} exists, Reloading File [ NOW ]\n"; - } - pfb_logger("{$log}","1"); - } else { - if ($pfb['reuse'] == "on" && file_exists($pfb['origdir'] . '/' . $header_url . '.orig')) { - $log = "\n[ {$header_url} ] {$log_tab} Using Previously Downloaded File [ NOW ]\n"; - } else { - $log = "\n[ {$header_url} ] {$log_tab} Downloading New File [ NOW ]\n"; - } - pfb_logger("{$log}","1"); - - # Perform Remote URL Date/Time Stamp checks - $host = @parse_url($row['url']); - $list_url = "{$row['url']}"; - if ($row['format'] != "rsync" || $row['format'] != "html") { - if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { - $remote_tds = "local"; - } else { - $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url))); - $remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds); - } - } - - $url_list = array(); - if ($row['format'] == "gz" || $row['format'] == "gz_2") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_gz = "{$row['url']}"; - $file_gz = @file_get_contents($url_gz); - @file_put_contents($file_dwn, $file_gz, LOCK_EX); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - $url_list = @gzfile($file_dwn); - } - - # IBlock Large Files mixed with IPs and Domains. PHP mem of 256M can't handle very large Files. - if ($row['format'] == "gz_lg") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_gz = "{$row['url']}"; - $file_gz = @file_get_contents($url_gz); - @file_put_contents($file_dwn, $file_gz, LOCK_EX); - exec ("/usr/bin/gunzip -c {$file_dwn} | /usr/bin/sed 's/^.*://' | /usr/bin/grep -v '[a-zA-Z]\|^$\|^#' > {$pfb['origdir']}/{$header_url}.orig"); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - $url_list = @file($pfb['origdir'] . '/' . $header_url . '.orig'); - } - - elseif ($row['format'] == "zip") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.zip"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_zip = "{$row['url']}"; - if (!$file_zip = @file_get_contents($url_zip)) { - $error = error_get_last(); - $log = "\n [ {$header_url} ] {$error['message']} \n"; - pfb_logger("{$log}","2"); - } else { - @file_put_contents($file_dwn, $file_zip, LOCK_EX); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - } - $zip_out = "{$pfb['origdir']}/{$header_url}.orig"; - exec ("/usr/bin/tar -xOf {$file_dwn} | tr ',' '\n' > {$zip_out}"); - $url_list = @file($zip_out); - } - - elseif ($row['format'] == "et") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.gz"; - # Script to Call ET IQRISK Process - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_et = "{$row['url']}"; - $file_et = @file_get_contents($url_et); - @file_put_contents($file_dwn, $file_et, LOCK_EX); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - exec ("{$pfb['script']} et {$header_url} x x x x x {$pfb['etblock']} {$pfb['etmatch']} >> {$pfb['log']} 2>&1"); - $url_list = @file($pfb['origdir'] . '/' . $header_url . '.orig'); - } - - elseif ($row['format'] == "xlsx") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.zip"; - # Script to Call XLSX Process - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_xlsx = "{$row['url']}"; - $file_xlsx = @file_get_contents($url_xlsx); - @file_put_contents($file_dwn, $file_xlsx, LOCK_EX); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - exec ("{$pfb['script']} xlsx {$header_url} >> {$pfb['log']} 2>&1"); - $url_list = @file($pfb['origdir'] . '/' . $header_url . '.orig'); - } - - elseif ($row['format'] == "txt") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.orig"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - $url_list = @file($file_dwn); - } else { - $url_other = @file($row['url']); - $url_list = $url_other; - @file_put_contents($file_dwn, $url_other, LOCK_EX); - if ($remote_tds == "local") - $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($file_dwn)); - $remote_stamp = strtotime($remote_tds); - if (!empty($remote_stamp) && file_exists($file_dwn)) - touch ($file_dwn, $remote_stamp); - } - } - - elseif ($row['format'] == "html" || $row['format'] == "block") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.raw"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - $return = 0; - } else { - $url_html = "{$row['url']}"; - exec ("/usr/bin/fetch -v -o {$file_dwn} -T 20 {$url_html}",$output,$return); - } - if ($return == 0) - $url_list = @file($file_dwn); - } - - elseif ($row['format'] == "rsync") { - $file_dwn = "{$pfb['origdir']}/{$header_url}.orig"; - if ($pfb['reuse'] == "on" && file_exists($file_dwn)) { - # File Exists/Reuse - } else { - $url_rsync = "{$row['url']}"; - exec ("/usr/local/bin/rsync --timeout=5 {$url_rsync} {$file_dwn}"); - } - $url_list = @file($file_dwn); - } - - #extract range lists - $new_file = ""; - if (!empty($url_list)) { - if ($row['format'] == "gz" && $vtype == "_v4") { - foreach ($url_list as $line) { - if (!preg_match("/^#/", $line)) { - # Network range 192.168.0.0-192.168.0.254 - if (preg_match($pfb['range'],$line,$matches)) { - $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); - if (!empty($a_cidr)) { - foreach ($a_cidr as $cidr) { - $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n"; - } - } - } - } - } - } - - elseif ($row['format'] == "block" && $vtype == "_v4") { - foreach ($url_list as $line) { - if (!preg_match("/^#/", $line)) { - # Block Type '218.77.79.0 218.77.79.255 24' - if (preg_match($pfb['block'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n"; - } - } - } - } - - elseif ($row['format'] == "html" && $vtype == "_v4") { - foreach ($url_list as $line) { - if (!preg_match("/^#/", $line)) { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - } - } - } - - elseif ($vtype == "_v6") { - foreach ($url_list as $line) { - if (!preg_match("/^#/", $line)) { - # IPv6 Regex Match - if (preg_match($pfb['ipv6'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - } - } - } - - else { - foreach ($url_list as $line) { - if (!preg_match("/^#/", $line)) { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['single'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - } - } - } - } - - # Check to see if Blocklist actually Failed Download or has no IPs listed. - if ($row['format'] == "html" || $row['format'] == "block") { - $url_chk = $file_dwn; - } else { - $url_chk = "{$pfb['origdir']}/{$header_url}.orig"; - } - - # Check if File Exists and is >0 in Size - $file_chk = ""; - if (file_exists($url_chk) && @filesize($url_chk) >0) - $file_chk = exec ("/usr/bin/grep -cv '^#\|^$' {$url_chk}"); - - if ($file_chk == "0") { - $new_file = "1.1.1.1\n"; - $url_other = $new_file; - $log = "[ {$header_url} ] Found no IPs, Adding '1.1.1.1' to avoid Download FAIL\n"; - pfb_logger("{$log}","1"); - } - - if ($new_file != "") { - if ($row['format'] == "gz" || $row['format'] == "gz_2" || $row['format'] == "html" || $row['format'] == "block") { - # Re-Save these formats as original file - $url_other = $new_file; - @file_put_contents($pfb['origdir'] . '/' . $header_url . '.orig',$url_other, LOCK_EX); - } - - # Save List to '.txt' format in appropriate Folder - @file_put_contents($pfbfolder . '/' .$header_url . '.txt',$new_file, LOCK_EX); - - if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to Call p24 Process - exec ("{$pfb['script']} p24 {$header_url} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); - } - - if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to call Duplication Check Process - exec ("{$pfb['script']} duplicate {$header_url} >> {$pfb['log']} 2>&1"); - } - - # PFCTL - Update Only Aliases that have been updated only. - $pfb_alias_lists[] = "{$alias}"; - # Launch d-dup and p-dup functions when changes are found. - if ($pfb['skip'] && $vtype == "_v4") - $pfb['dupcheck'] = TRUE; - # Enable Suppression Process due to Updates - if ($pfb['supp'] == "on" && $vtype == "_v4") - $pfb['supp_update'] = TRUE; - - } else { - # Log FAILED Downloads and Check if Firewall or Snort/Suricata is Blocking Host - $log = "\n [ {$alias} {$header_url} ] Download FAIL [ NOW ]\n"; - pfb_logger("{$log}","2"); - - # Rebuild Previous List File from contents of Masterfile - if ($pfb['skip'] && $vtype == "_v4") { - # Search with trailing Whitespace to match exact Header in Masterfile - $header_url2 = $header_url . "[[:space:]]"; - $file_chk = exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | grep -c ^"); - - if (!file_exists($pfbfolder . '/' . $header_url . '.txt') && @$file_chk > 0 && file_exists($pfb['master'])) { - $log = " [ {$alias} {$header_url} ] Found: {$file_chk} Line(s), Restoring previous List from Master \n"; - pfb_logger("{$log}","2"); - exec ("/usr/bin/grep {$header_url2} {$pfb['master']} | cut -d' ' -f2 > {$pfbfolder}/{$header_url}.txt"); - } - } - # A "Space" string Variable - $sp = " "; - $ip = @gethostbyname($host['host']); - $ip2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", "\"^$1\.$2\.$3\.\"", $ip); - - # Only Perform these Checks if they are not "localfiles" - if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { - $log = " [ {$alias} {$header_url} ] Local File Failure \n"; - pfb_logger("{$log}","2"); - } else { - # only perform these steps if an 'IP' is found. - if (!empty($ip)) { - // Query for Exact IP Match - $result_b1 = array(); - $pfb_b1 = exec ("/usr/bin/grep ^{$ip} {$pfbfolder}/*", $result_b1); - // Query for First Three IP Octet Matches - $result_b2 = array(); - $pfb_b2 = exec ("/usr/bin/grep {$ip2} {$pfbfolder}/*", $result_b2); - // Query Snort/Suricata snort2c IP Block Table - $snort_pfb = exec("/sbin/pfctl -t snort2c -T show | grep {$ip}"); - - # If an exact IP Match is not found report any First Three IP Octets. - if (!empty($result_b1)) { - $final_b1 = implode("\n ", $result_b1); - $log = " [ {$alias} {$header_url}, {$ip} ] Firewall IP Block Found in : \n{$sp}{$final_b1}\n"; - pfb_logger("{$log}","2"); - } else { - if (!empty($result_b2)) { - $final_b2 = implode("\n ", $result_b2); - $log = " [ {$alias} {$header_url}, {$ip} ] *Potential* Firewall IP Block Found in : \n{$sp}{$final_b2}\n"; - pfb_logger("{$log}","2"); - } - } - if (!empty($snort_pfb)) { - $log = " [ {$alias} {$header_url}, {$ip} ] snort2c IP Block Found in : [ {$snort_pfb} ]\n"; - pfb_logger("{$log}","2"); - } - } else { - $log = " [ {$alias} {$header_url} ] No host IP found \n"; - pfb_logger("{$log}","2"); - } - } - } - # UNSET variables - unset ($file_gz,$file_zip,$file_et,$file_xlsx,$url_other,$url_list); - } - } - } - #check custom network list - if (pfbng_text_area_decode($list['custom']) != "") { - - if ($vtype == "_v4") { - $aliascustom = "{$list['aliasname']}_custom"; - } else { - $aliascustom = "{$list['aliasname']}_custom_v6"; - } - - # Format Log into clean Tab Spaces - if (strlen($aliascustom) > 10) { - $log_tab = "\t"; - } else { - $log_tab = "\t\t"; - } - - # Collect Active Alias List (Used for pfctl Update when 'Reputation' is enabled. - $pfb_alias_lists_all[] = "{$alias}"; - - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfbfolder = $pfbarr['folder']; - - if (file_exists($pfbfolder . '/' . $aliascustom . '.txt') && $pfb['reuse'] == "") { - $log = "\n[ {$aliascustom} ] {$log_tab} exists, Reloading File [ NOW ]\n"; - pfb_logger("{$log}","1"); - } else { - $url_list = array(); - $log = "\n[ {$aliascustom} ] {$log_tab} Loading Custom File [ NOW ]\n"; - pfb_logger("{$log}","1"); - - $custom_list = pfbng_text_area_decode($list['custom']) . "\n"; - @file_put_contents($pfb['origdir'] . '/' . $aliascustom . '.orig', $custom_list, LOCK_EX); - $url_list = @file($pfb['origdir'] . '/' . $aliascustom . '.orig'); - - $new_file = ""; - if (!empty($url_list)) { - foreach ($url_list as $line) { - if ($vtype == "_v4") { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Network range 192.168.0.0-192.168.0.254 - elseif (preg_match($pfb['range'],$line,$matches)) { - $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); - if (!empty($a_cidr)) { - foreach ($a_cidr as $cidr) { - $new_file .= preg_replace($pfb_ipreg, '',$cidr) . "\n"; - } - } - } - } else { - # IPv6 Regex - if (preg_match($pfb['ipv6'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - } - } - - } - if ($new_file != "") { - # PFCTL - Collect Only Aliases that have been updated only. - $pfb_alias_lists[] = "{$alias}"; - # Collect Updated lists for Suppression Process - @file_put_contents($pfbfolder . '/'. $aliascustom . '.txt',$new_file, LOCK_EX); - # Enable Suppression Process due to Updates - if ($pfb['supp'] == "on" && $vtype == "_v4") - $pfb['supp_update'] = TRUE; - if ($pfb['rep'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to Call p24 Process - exec ("{$pfb['script']} p24 {$aliascustom} {$pfb['max']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); - } - if ($pfb['dup'] == "on" && $pfb['skip'] && $vtype == "_v4") { - # Script to call Duplication Check Process - exec ("{$pfb['script']} duplicate {$aliascustom} >> {$pfb['log']} 2>&1"); - } - } else { - $log = "[ {$aliascustom} ] Custom List Error ]\n"; - pfb_logger("{$log}","1"); - } - } - } - } - } - } - } - - - ################################# - # REPUTATION PROCESSES # - ################################# - - # IP Reputation processes (pdup and ddup) - if ($pfb['pdup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") { - # Script to run pdup process - exec ("{$pfb['script']} pdup x {$pfb['pmax']} >> {$pfb['log']} 2>&1"); - } - if ($pfb['dedup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") { - # Script to run dedup process - exec ("{$pfb['script']} dedup x {$pfb['dmax']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); - } - - ################################# - # CONFIGURE ALIASES # - ################################# - - $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); - foreach ($list_type as $ip_type => $vtype) { - if ($config['installedpackages'][$ip_type]['config'] != "" && $pfb['enable'] == "on") { - $runonce = 0; - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { - $alias = "pfB_" . preg_replace("/\W/","",$list['aliasname']); - - # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); - $pfb['skip'] = $pfbarr['skip']; - $pfb_descr = $pfbarr['descr']; - $pfbfolder = $pfbarr['folder']; - - // Re-Save Only Aliases that have been updated only. - // When 'Reputation' is used, all Aliases need to be Updated. - $final_alias = array(); - if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") { - if (!empty($pfb_alias_lists_all)) - $final_alias = array_unique($pfb_alias_lists_all); - } else { - if (!empty($pfb_alias_lists)) - $final_alias = array_unique($pfb_alias_lists); - } - - if ($list['action'] != "Disabled") { - #remove empty lists files if any - if (is_array($list['row'])) { - $update = 0; - ${$alias} = ""; - foreach ($list['row'] as $row) { - if ($row['url'] != "" && $row['state'] != "Disabled") { - if ($vtype == "_v4") { - $header_url = "{$row['header']}"; - } else { - $header_url = "{$row['header']}_v6"; - } - $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'"); - - # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. - if (file_exists($pfbfolder . "/" . $header_url . ".txt") && in_array($alias, $final_alias) || file_exists($pfbfolder . "/" . $header_url . ".txt") && empty($pfctlck)) { - # Script to run Suppression process (Print Header Only) - if ($pfb['supp'] == "on" && $vtype == "_v4" && $runonce == 0 && $pfb['supp_update']) { - exec ("{$pfb['script']} suppress x x x suppressheader >> {$pfb['log']} 2>&1"); - $runonce++; - } - # Script to run Suppression Process (Body) - if ($pfb['supp'] == "on" && $vtype == "_v4" && $pfb['supp_update']) { - if ($pfb['dup'] == "on" || !$pfb['skip']) { - # Execute if Duplication Process is Enabled or List is Permit or Match - exec ("{$pfb['script']} suppress x x x {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1"); - } else { - # Execute if Duplication Process is Disabled - exec ("{$pfb['script']} suppress x x off {$header_url}\|{$pfbfolder}/ >> {$pfb['log']} 2>&1"); - } - } - ${$alias} .= file_get_contents($pfbfolder . '/' . $header_url . '.txt'); - $update++; - } - } - } - } - - #check custom network list - if ($vtype == "_v4") { - $aliasname = "{$list['aliasname']}_custom"; - } else { - $aliasname = "{$list['aliasname']}_custom_v6"; - } - - # Update Alias if List File Exists and its been updated or if the Alias URL Table is Empty. - $pfctlck = exec ("/sbin/pfctl -vvsTables | grep -A1 {$alias} | awk '/Addresses/ {s+=$2}; END {print s}'"); - - if (pfbng_text_area_decode($list['custom']) != "") { - if (file_exists($pfbfolder . "/" . $aliasname . ".txt") && in_array($alias, $final_alias) || file_exists($pfbfolder . "/" . $aliasname . ".txt") && empty($pfctlck)) { - ${$alias} .= file_get_contents($pfbfolder . '/' . $aliasname . '.txt'); - $update++; - } - } - # Determine Validity of Alias URL Tables/Rules. ie: Don't create Empty URL Tables or Aliases - if (${$alias} == "" && empty($pfctlck)) { - unlink_if_exists($pfb['aliasdir'] . '/' . $alias. '.txt'); - } else { - // Save Only Aliases that have been updated. - if ($update > 0) { - @file_put_contents($pfb['aliasdir'] . '/' . $alias. '.txt',${$alias}, LOCK_EX); - } - - $alias_log = $list['aliaslog']; - #create alias - $new_aliases_list[] = "{$alias}"; - - $new_aliases[] = array( "name" => "{$alias}", - "url" => "{$pfb['weblocal']}?pfb={$alias}", - "updatefreq" => "32", - "address" => "", - "descr" => "pfBlockerNG {$pfb_descr} List Alias", - "type" => "urltable", - "detail" => "DO NOT EDIT THIS ALIAS" - ); - - #Create rule if action permits - switch ($list['action']) { - case "Deny_Both": - case "Deny_Outbound": - $rule = $base_rule; - $rule['type'] = "{$pfb['deny_action_outbound']}"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array ("address" => "{$alias}"); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $deny_outbound[] = $rule; - if ($list['action'] != "Deny_Both") - break; - case "Deny_Inbound": - $rule = $base_rule; - $rule['type'] = "{$pfb['deny_action_inbound']}"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array("address" => "{$alias}"); - $rule['destination'] = array ("any" => ""); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $deny_inbound[] = $rule; - break; - case "Permit_Both": - case "Permit_Outbound": - $rule = $base_rule; - $rule['type'] = "pass"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array ("address" => "{$alias}"); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $permit_outbound[] = $rule; - if ($list['action'] != "Permit_Both") - break; - case "Permit_Inbound": - $rule = $base_rule; - $rule['type'] = "pass"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - if ($pfb['float'] == "on") - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array ("address" => "{$alias}"); - $rule['destination'] = array ("any" => ""); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $permit_inbound[] = $rule; - break; - case "Match_Both": - case "Match_Outbound": - $rule = $base_rule_float; - $rule['type'] = "match"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array ("any" => ""); - $rule['destination'] = array ("address" => "{$alias}"); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $match_outbound[] = $rule; - if ($list['action'] != "Match_Both") - break; - case "Match_Inbound": - $rule = $base_rule_float; - $rule['type'] = "match"; - if ($vtype == "_v6") - $rule['ipprotocol'] = "inet6"; - $rule['direction'] = "any"; - $rule['descr'] = "{$alias}{$pfb['suffix']}"; - $rule['source'] = array ("address" => "{$alias}"); - $rule['destination'] = array ("any" => ""); - if ($pfb['config']['enable_log'] == "on" || $alias_log == "enabled") - $rule['log'] = ""; - $match_inbound[] = $rule; - break; - } - } - #mark pfctl aliastable for cleanup - if (!in_array($alias, $aliases_list)) { - $aliases_list[] = "{$alias}"; - } - } else { - #unlink previous pfblockerNG alias list if any - unlink_if_exists($pfb['aliasdir'] . '/' . $alias . '.txt'); - } - } - } - } - # Clear Variables - ${$alias} = ""; - - - ######################################### - # UPDATE pfSense ALIAS TABLES # - ######################################### - - #update pfsense alias table - if (is_array($config['aliases']['alias'])) { - foreach ($config['aliases']['alias'] as $cbalias) { - if (preg_match("/pfB_/",$cbalias['name'])) { - #mark pfctl aliastable for cleaning - if (!in_array($cbalias['name'], $aliases_list)) { - $aliases_list[] = $cbalias['name']; #mark aliastable for cleaning - } - #remove previous aliastable file if alias is not defined any more - if (!in_array($cbalias['name'], $new_aliases_list)) { - unlink_if_exists($pfb['aliasdir'] . '/' . $cbalias['name'] . ".txt"); - } - } else { - $new_aliases[] = $cbalias; - - # Check Table Size - if (file_exists($pfb['aliasdir'] . '/' . $alias . '.txt') && $message == "") { - preg_match("/(\d+)/",exec("/usr/bin/grep -c ^ " . $pfb['aliasdir'] . '/' . $alias . '.txt'),$matches); - } - if (($matches[1] * 2.1) >= $pfb['table_limit']) { - #alias table too large - $message = "{$alias} alias table is too large. Reduce networks in list or increase 'Firewall Maximum Table Entries' value to at least " . (int)($matches[1] * 2.1) . ' in "system - advanced - Firewall/NAT" . '; - } - } - } - } - - #apply new alias table to xml - if ($message == "") { - $config['aliases']['alias'] = $new_aliases; - } - # UNSET Variables - unset($new_aliases, $cbalias); - - - ######################### - # Assign Rules # - ######################### - - # Only Execute if AutoRules are defined or if an Alias has been removed. - if ($pfb['autorules'] || $pfb['enable'] == "" || $pfb['remove']) { - if (count($deny_inbound) > 0 || count($permit_inbound) > 0 || count($match_inbound) > 0) { - if ($pfb['inbound_interfaces'] == "") { - $message = "Unable to apply rules. Inbound Interface option not configured."; - } - } - if (count($deny_outbound) > 0 || count($permit_outbound) > 0 || count($match_outbound) > 0) { - if ($pfb['outbound_interfaces'] == "") { - $message = "Unable to apply rules. Outbound Interface option not configured."; - } - } - - if ($message == "") { - $new_rules = array(); - $permit_rules = array(); - $match_rules = array(); - $other_rules = array(); - $fpermit_rules = array(); - $fmatch_rules = array(); - $fother_rules = array(); - - # Collect All Existing Rules - $rules = $config['filter']['rule']; - # Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays. - if (!empty($rules)) { - foreach ($rules as $rule) { - if (!preg_match("/pfB_.*" . $pfb['suffix'] . "/",$rule['descr'])) { - // Floating rules collection 'Floating Pass/Match'. Balance to 'other' - if ($pfb['float'] == "on") { - if ($rule['type'] == "pass" && $rule['floating'] == "yes") { - $fpermit_rules[] = $rule; - } elseif ($rule['type'] == "match" && $rule['floating'] == "yes") { - $fmatch_rules[] = $rule; - } elseif ($rule['floating'] == "yes") { - $fother_rules[] = $rule; - } else { - $other_rules[] = $rule; - } - } else { - // Collect only 'Selected Inbound and Outbound Interfaces'. Balance to 'Other' - if (in_array($rule['interface'],$pfb['inbound_interfaces']) || in_array($rule['interface'],$pfb['outbound_interfaces'])) { - // Floating Rules 'off'. Collect 'Floating Other', Balance to 'Other' - if ($rule['floating'] == "yes") { - $fother_rules[] = $rule; - } elseif ($rule['type'] == "pass") { - if ($pfb['order'] == "order_0") { - $other_rules[] = $rule; - } else { - $permit_rules[] = $rule; - } - } elseif ($rule['type'] == "match") { - if ($pfb['order'] == "order_0") { - $other_rules[] = $rule; - } else { - $match_rules[] = $rule; - } - } else { - $other_rules[] = $rule; - } - } else { - if ($rule['floating'] == "yes") { - $fother_rules[] = $rule; - } else { - $other_rules[] = $rule; - } - } - } - } - } - } - - ################################################################################# - # PASS/MATCH RULES ORDER(p/m) # - # ORDER 0 - pfBlockerNG / All other Rules # - # ORDER 1 - pfSense (p/m) / pfBlockerNG (p/m) / pfBlockerNG Block/Reject # - # ORDER 2 - pfBlockerNG (p/m) / pfSense (p/m) / pfBlockerNG Block/Reject # - # ORDER 3 - pfBlockerNG (p/m) / pfBlockerNG Block/Reject / pfSense (p/m) # - ################################################################################# - - if ($pfb['float'] == "") { - if (!empty($fother_rules)) { - foreach ($fother_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - } - if (!empty($fpermit_rules) && $pfb['order'] == "order_1") { - foreach ($fpermit_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($fmatch_rules) && $pfb['order'] == "order_1") { - foreach ($fmatch_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - - # Define Inbound Interface Rules - if (!empty($pfb['inbound_interfaces'])) { - $counter = 0; - foreach ($pfb['inbound_interfaces'] as $inbound_interface) { - if (!empty($permit_rules) && $pfb['order'] == "order_1") { - foreach ($permit_rules as $cb_rules) { - if ($cb_rules['interface'] == $inbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($match_rules) && $pfb['order'] == "order_1") { - foreach ($match_rules as $cb_rules) { - if ($cb_rules['interface'] == $inbound_interface) - $new_rules[] = $cb_rules; - } - } - # Match Inbound Rules defined as Floating Only. - if (!empty($match_inbound) && $counter == 0) { - foreach ($match_inbound as $cb_rules) { - $cb_rules['interface'] = $pfb['inbound_floating']; - $new_rules[] = $cb_rules; - $counter ++; - } - } - if (!empty($permit_inbound)) { - foreach ($permit_inbound as $cb_rules) { - $cb_rules['interface'] = $inbound_interface; - $new_rules[] = $cb_rules; - } - } - if (!empty($fpermit_rules) && $pfb['order'] == "order_2") { - foreach ($fpermit_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($fmatch_rules) && $pfb['order'] == "order_2") { - foreach ($fmatch_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($permit_rules) && $pfb['order'] == "order_2") { - foreach ($permit_rules as $cb_rules) { - if ($cb_rules['interface'] == $inbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($match_rules) && $pfb['order'] == "order_2") { - foreach ($match_rules as $cb_rules) { - if ($cb_rules['interface'] == $inbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($deny_inbound)) { - foreach ($deny_inbound as $cb_rules) { - $cb_rules['interface'] = $inbound_interface; - $new_rules[] = $cb_rules; - } - } - } - } - - # Define Outbound Interface Rules - if (!empty($pfb['outbound_interfaces'])) { - $counter = 0; - foreach ($pfb['outbound_interfaces'] as $outbound_interface) { - if (!empty($permit_rules) && $pfb['order'] == "order_1") { - foreach ($permit_rules as $cb_rules) { - if ($cb_rules['interface'] == $outbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($match_rules) && $pfb['order'] == "order_1") { - foreach ($match_rules as $cb_rules) { - if ($cb_rules['interface'] == $outbound_interface) - $new_rules[] = $cb_rules; - } - } - # Match Outbound Rules defined as Floating Only. - if (!empty($match_outbound) && $counter == 0) { - foreach ($match_outbound as $cb_rules) { - $cb_rules['interface'] = $pfb['outbound_floating']; - $new_rules[] = $cb_rules; - $counter++; - } - } - if (!empty($permit_outbound)) { - foreach ($permit_outbound as $cb_rules) { - $cb_rules['interface'] = $outbound_interface; - $new_rules[] = $cb_rules; - } - } - if (!empty($permit_rules) && $pfb['order'] == "order_2") { - foreach ($permit_rules as $cb_rules) { - if ($cb_rules['interface'] == $outbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($match_rules) && $pfb['order'] == "order_2") { - foreach ($match_rules as $cb_rules) { - if ($cb_rules['interface'] == $outbound_interface) - $new_rules[] = $cb_rules; - } - } - if (!empty($deny_outbound)) { - foreach ($deny_outbound as $cb_rules) { - $cb_rules['interface'] = $outbound_interface; - $new_rules[] = $cb_rules; - } - } - } - } - - if (!empty($fpermit_rules) && $pfb['order'] == "order_0") { - foreach ($fpermit_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($fmatch_rules) && $pfb['order'] == "order_0") { - foreach ($fmatch_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($fpermit_rules) && $pfb['order'] == "order_3") { - foreach ($fpermit_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($fmatch_rules) && $pfb['order'] == "order_3") { - foreach ($fmatch_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($permit_rules) && $pfb['order'] == "order_3") { - foreach ($permit_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if (!empty($match_rules) && $pfb['order'] == "order_3") { - foreach ($match_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - if ($pfb['float'] == "on") { - if (!empty($fother_rules)) { - foreach ($fother_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - } - if (!empty($other_rules)) { - foreach ($other_rules as $cb_rules) { - $new_rules[] = $cb_rules; - } - } - - # Save New Rule Order to Config - $config['filter']['rule'] = $new_rules; - } - $log = "\n {$message} \n"; - pfb_logger("{$log}","1"); - - # UNSET arrays - unset ($cb_rules,$permit_inbound,$permit_outbound,$deny_inbound,$deny_outbound,$match_inbound,$match_outbound); - unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules); - } - - - ################################# - # Closing Processes # - ################################# - - #uncheck Reusing Existing Downloads Check box - if (!$pfb['save'] && $pfb['enable'] == "on") - $config['installedpackages']['pfblockerng']['config'][0]['pfb_reuse'] = ""; - - # Save all Changes to pfSense config file - write_config(); - - # If 'Rule Changes' are found, utilize the 'filter_configure()' function, if not, utilize 'pfctl replace' command - if ($pfb['autorules'] && $rules != $new_rules || $pfb['enable'] == "" || $pfb['remove']) { - require_once("filter.inc"); - - if (!$pfb['save']) { - $log = "\n===[ Aliastables / Rules ]================================\n\n"; - pfb_logger("{$log}","1"); - - $log = "Firewall Rule Changes Found, Applying Filter Reload \n"; - pfb_logger("{$log}","1"); - } - - # Remove all pfBlockerNG Alias tables - if (!empty($aliases_list)) { - foreach ($aliases_list as $table) { - exec ("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $pfb_null); - } - } - - #load filter file which will create the pfctl tables - filter_configure(); - - // Call function for NanoBSD/Ramdisk processes. - pfb_aliastables("update"); - } else { - # Don't Execute on User 'Save' - if (!$pfb['save']) { - - $log = "\n===[ Aliastables / Rules ]================================\n\n"; - pfb_logger("{$log}","1"); - - $log = "No Changes to Firewall Rules, Skipping Filter Reload \n"; - pfb_logger("{$log}","1"); - - // Re-Save Only Aliases that have been updated only. - // When 'Reputation' is used, all Aliases Need to be Updated. - $final_alias = array(); - if ($pfb['dedup'] == "on" || $pfb['pdup'] == "on") { - if (!empty($pfb_alias_lists_all)) - $final_alias = array_unique($pfb_alias_lists_all); - } else { - if (!empty($pfb_alias_lists)) - $final_alias = array_unique($pfb_alias_lists); - } - - if (!empty($final_alias)) { - foreach ($final_alias as $final) { - $log = "\n Updating: {$final} \n"; - pfb_logger("{$log}","1"); - $result_pfctl = ""; - exec ("/sbin/pfctl -t " . escapeshellarg($final) . " -T replace -f " . $pfb['aliasdir'] . "/" . escapeshellarg($final) . ".txt 2>&1", $result_pfctl); - $log = implode($result_pfctl); - pfb_logger("{$log}","1"); - } - - // Call function for NanoBSD/Ramdisk processes. - pfb_aliastables("update"); - } else { - $log = "\nNo Changes to Aliases, Skipping pfctl Update \n"; - pfb_logger("{$log}","1"); - } - } - } - # UNSET Variables - unset($rules, $new_rules); - - #sync config - pfblockerng_sync_on_changes(); - - ################################# - # FINAL REPORTING # - ################################# - - # Only run with CRON or Force Invoked Process - if ((!$pfb['save'] && $pfb['dupcheck'] && $pfb['enable'] == "on") || $pfb['summary']) { - # Script to run Final Script Processes. - exec ("{$pfb['script']} closing {$pfb['dup']} >> {$pfb['log']} 2>&1"); - } - - if ($pfb['enable'] == "on" && !$pfb['save']) { - $log = "\n\n UPDATE PROCESS ENDED [ NOW ]\n"; - pfb_logger("{$log}","1"); - } - - - ######################################### - # Define/Apply CRON Jobs # - ######################################### - - # Clear any existing pfBlockerNG Cron Jobs - install_cron_job("pfblockerng.php cron", false); - - # Replace Cron job with any User Changes to $pfb_min - if ($pfb['enable'] == "on") { - # Define pfBlockerNG CRON Job - $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; - # $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) - $pfb_hour = "*"; - $pfb_mday = "*"; - $pfb_month = "*"; - $pfb_wday = "*"; - $pfb_who = "root"; - - install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); - } - - # Clear any existing pfBlockerNG MaxMind CRON Job - install_cron_job("pfblockerng.php dc", false); - - if ($pfb['enable'] == "on") { - # Define pfBlockerNG MaxMind CRON Job - $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1"; - - # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website - - $pfb_gmin = "0"; - $pfb_ghour = rand(0,23); - $pfb_gmday = "1,2,3,4,5,6,7"; - $pfb_gmonth = "*"; - $pfb_gwday = "2"; - $pfb_gwho = "root"; - - install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); - } -} - - -function pfblockerng_validate_input($post, &$input_errors) { - global $config; - foreach ($post as $key => $value) { - if (empty($value)) - continue; - if ($key == "message_size_limit" && !is_numeric($value)) - $input_errors[] = "Message size limit must be numeric."; - if ($key == "process_limit" && !is_numeric($value)) - $input_errors[] = "Process limit must be numeric."; - if ($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0)) - $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; - if (substr($key, 0, 2) == "dc" && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid host name."; - if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) { - if (!is_domain($value)) - $input_errors[] = "{$value} is not a valid domain name."; - } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) { - if (empty($post['domain' . substr($key, 12)])) - $input_errors[] = "Domain for {$value} cannot be blank."; - if (!is_ipaddr($value) && !is_hostname($value)) - $input_errors[] = "{$value} is not a valid IP address or host name."; - } - } -} - - -function pfblockerng_php_install_command() { - require_once("/usr/local/www/pfblockerng/pfblockerng.php"); - global $config,$pfb; - pfb_global(); - - // Remove previously used CC folder location if exists - @rmdir_recursive("{$pfb['dbdir']}/cc"); - - # Uncompress Country Code File and delete Archive after extraction. - @rename("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2"); - exec("cd {$pfb['ccdir']}; /usr/bin/tar -jxvf {$pfb['ccdir']}/countrycodes.tar.bz2"); - unlink_if_exists("{$pfb['ccdir']}/countrycodes.tar.bz2"); - # Download MaxMind Files and Create Country Code files and Build Continent XML Files - update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute...")); - exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1"); - - update_output_window(gettext("MaxMind Country Database downloads completed...")); - update_output_window(gettext("Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes...")); - pfblockerng_uc_countries(); - update_output_window(gettext("Creating pfBlockerNG Continenet XML Files...")); - pfblockerng_get_countries(); - update_output_window(gettext("Completed Creating pfBlockerNG Continenet XML Files...")); - - // Remove Original Maxmind Database Files - @unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryCSV.zip"); - @unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryWhois.csv"); - @unlink_if_exists("{$pfb['dbdir']}/GeoIPv6.csv"); - @unlink_if_exists("{$pfb['dbdir']}/country_continent.csv"); - - # Add Widget to Dashboard - update_output_window(gettext("Adding pfBlockerNG Widget to Dashboard.")); - if ($pfb['keep'] == "on" && !empty($pfb['widgets'])) { - // Restore previous Widget setting if "Keep" is enabled. - $config['widgets']['sequence'] = $pfb['widgets']; - } else { - $widgets = $config['widgets']['sequence']; - if (!preg_match("/pfblockerng-container/", $widgets)) { - if (empty($widgets)) { - $config['widgets']['sequence'] = "pfblockerng-container:col2:show"; - } else { - $config['widgets']['sequence'] .= ",pfblockerng-container:col2:show"; - } - } - } -} - - -function pfblockerng_php_deinstall_command() { - require_once("config.inc"); - global $config,$pfb; - - # Set these two variables to Disable pfBlockerNG on De-Install - $pfb['save'] = TRUE; - $pfb['install'] = TRUE; - sync_package_pfblockerng(); - rmdir_recursive("/usr/local/pkg/pfblockerng"); - rmdir_recursive("/usr/local/www/pfblockerng"); - - # Maintain pfBlockerNG Settings and Database Files if $pfb['keep'] is ON. - if ($pfb['keep'] != "on") { - # Remove pfBlockerNG Log and DB Folder - rmdir_recursive("{$pfb['dbdir']}"); - rmdir_recursive("{$pfb['logdir']}"); - - // Remove Aliastables archive and earlyshellcmd if found. - @unlink_if_exists("{$pfb['aliasarchive']}"); - if (is_array($config['system']['earlyshellcmd'])) { - $a_earlyshellcmd = &$config['system']['earlyshellcmd']; - if (preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { - $a_earlyshellcmd = preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd, PREG_GREP_INVERT); - } - } - - # Remove Settings from Config - if (is_array($config['installedpackages']['pfblockerng'])) - unset($config['installedpackages']['pfblockerng']); - if (is_array($config['installedpackages']['pfblockerngglobal'])) - unset($config['installedpackages']['pfblockerngglobal']); - if (is_array($config['installedpackages']['pfblockerngsync'])) - unset($config['installedpackages']['pfblockerngsync']); - if (is_array($config['installedpackages']['pfblockerngreputation'])) - unset($config['installedpackages']['pfblockerngreputation']); - if (is_array($config['installedpackages']['pfblockernglistsv4'])) - unset($config['installedpackages']['pfblockernglistsv4']); - if (is_array($config['installedpackages']['pfblockernglistsv6'])) - unset($config['installedpackages']['pfblockernglistsv6']); - if (is_array($config['installedpackages']['pfblockerngafrica'])) - unset($config['installedpackages']['pfblockerngafrica']); - if (is_array($config['installedpackages']['pfblockerngantartica'])) - unset($config['installedpackages']['pfblockerngantartica']); - if (is_array($config['installedpackages']['pfblockerngasia'])) - unset($config['installedpackages']['pfblockerngasia']); - if (is_array($config['installedpackages']['pfblockerngeurope'])) - unset($config['installedpackages']['pfblockerngeurope']); - if (is_array($config['installedpackages']['pfblockerngnorthamerica'])) - unset($config['installedpackages']['pfblockerngnorthamerica']); - if (is_array($config['installedpackages']['pfblockerngoceania'])) - unset($config['installedpackages']['pfblockerngoceania']); - if (is_array($config['installedpackages']['pfblockerngsouthamerica'])) - unset($config['installedpackages']['pfblockerngsouthamerica']); - if (is_array($config['installedpackages']['pfblockerngtopspammers'])) - unset($config['installedpackages']['pfblockerngtopspammers']); - if (is_array($config['installedpackages']['pfblockerngproxyandsatellite'])) - unset($config['installedpackages']['pfblockerngproxyandsatellite']); - } - - # Remove Widget (code from Snort deinstall) - $pfb['widgets'] = $config['widgets']['sequence']; - if (!empty($pfb['widgets'])) { - $widgetlist = explode(",", $pfb['widgets']); - foreach ($widgetlist as $key => $widget) { - if (strstr($widget, "pfblockerng-container")) { - unset($widgetlist[$key]); - break; - } - } - $config['widgets']['sequence'] = implode(",", $widgetlist); - } - update_output_window(gettext("pfBlockerNG has been Uninstalled")); -} - -/* Uses XMLRPC to synchronize the changes to a remote node */ -function pfblockerng_sync_on_changes() { - global $config, $g, $pfb_sync; - - // Create Array of Sync Settings and exit if Sync is Disabled. - if (is_array($config['installedpackages']['pfblockerngsync']['config'][0])) { - $pfb_sync = $config['installedpackages']['pfblockerngsync']['config'][0]; - if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "") - return; - - $synctimeout = $pfb_sync['varsynctimeout']; - } else { - return; - } - - log_error("[pfBlockerNG] XMLRPC sync is starting."); - - if (is_array($config['installedpackages']['pfblockerngsync']['config'])) { - switch ($pfb_sync['varsynconchanges']) { - case "manual": - if (is_array($pfb_sync[row])) { - $rs = $pfb_sync[row]; - } else { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); - return; - } - break; - case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ - $system_carp = $config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; - $rs[0]['varsyncusername'] = $system_carp['username']; - $rs[0]['varsyncpassword'] = $system_carp['password']; - - // XMLRPC sync is currently only supported over connections using the same protocol and port as this system - if ($config['system']['webgui']['protocol'] == "http") { - $rs[0]['varsyncprotocol'] = "http"; - } else { - $rs[0]['varsyncprotocol'] = "https"; - } - - if ($system_carp['synchronizetoip'] == "") { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); - return; - } - } else { - log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); - return; - } - break; - default: - return; - break; - } - if (is_array($rs)) { - foreach ($rs as $sh) { - // Only Sync Enabled Replication Targets - if ($sh['varsyncdestinenable'] == "ON") { - $sync_to_ip = $sh['varsyncipaddress']; - $port = $sh['varsyncport']; - $password = htmlspecialchars($sh['varsyncpassword']); - $protocol = $sh['varsyncprotocol']; - - if (!empty($sh['varsyncusername'])) { - $username = $sh['varsyncusername']; - } else { - $username = "admin"; - } - - pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout); - } - } - if ($success) - log_error("[pfBlockerNG] XMLRPC sync completed successfully."); - } - } -} - - -/* Do the actual XMLRPC sync */ -function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) { - global $config, $g, $pfb_sync; - $success = TRUE; - - /* Exit on missing parameters */ - if (empty($sync_to_ip) || empty($password)) { - log_error("[pfBlockerNG] XMLRPC sync parameter missing (host IP or password) ... aborting xmlrpc sync"); - $success = FALSE; - return $success; - } - - /* Do not attempt a package sync while booting up or installing package */ - if ($g['booting'] || $g['pfblockerng_postinstall']) { - log_error("[pfBlockerNG] XMLRPC sync to Replication targets terminated during boot up or during package reinstallation."); - $success = FALSE; - return $success; - } - - // Validate Replication Target IP Address and Port Settings - if (!is_ipaddr($sync_to_ip) || !is_port($port)) { - log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings."); - $success = FALSE; - return $success; - } - - /* Test key variables and set defaults if empty */ - if (empty($synctimeout)) - $synctimeout = 150; - - $url = "{$protocol}://{$sync_to_ip}"; - - if ($port == "") { $port = $config['system']['webgui']['port']; }; - /* If port is empty lets rely on the protocol selection */ - if ($port == "") { - if ($config['system']['webgui']['protocol'] == "http") { - $port = "80"; - } else { - $port = "443"; - } - } - /* xml will hold the sections to sync */ - $xml = array(); - // If User Disabled, remove 'General Tab Customizations' from Sync - if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") - $xml['pfblockerng'] = $config['installedpackages']['pfblockerng']; - $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation']; - $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4']; - $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6']; - $xml['pfblockerngtopspammers'] = $config['installedpackages']['pfblockerngtopspammers']; - $xml['pfblockerngafrica'] = $config['installedpackages']['pfblockerngafrica']; - $xml['pfblockerngantartica'] = $config['installedpackages']['pfblockerngantartica']; - $xml['pfblockerngasia'] = $config['installedpackages']['pfblockerngasia']; - $xml['pfblockerngeurope'] = $config['installedpackages']['pfblockerngeurope']; - $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica']; - $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania']; - $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica']; - $xml['pfblockerngproxyandsatellite'] = $config['installedpackages']['pfblockerngproxyandsatellite']; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* set a few variables needed for sync code borrowed from filter.inc */ - log_error("[pfBlockerNG] XMLRPC syncing to {$url}:{$port}."); - $method = 'pfsense.merge_installedpackages_section_xmlrpc'; - $msg = new XML_RPC_Message($method, $params); - $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials($username, $password); - if ($g['debug']) { - $cli->setDebug(1); - } - - /* send our XMLRPC message and timeout after defined sync timeout value */ - $resp = $cli->send($msg, $synctimeout); - $error = ""; - if (!$resp) { - log_error("[pfBlockerNG] XMLRPC communications error occurred while attempting sync with {$url}:{$port}."); - file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); - $success = FALSE; - return $success; - } elseif ($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, $synctimeout); - log_error("[pfBlockerNG] XMLRPC Error received while attempting sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString()); - file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); - $success = FALSE; - return $success; - } else { - log_error("[pfBlockerNG] XMLRPC sync successfully completed with {$url}:{$port}."); - } - return $success; -} -?>
\ No newline at end of file |