diff options
Diffstat (limited to 'config')
65 files changed, 7376 insertions, 1460 deletions
diff --git a/config/countryblock/countryblock.inc b/config/countryblock/countryblock.inc index f8335d53..f67fd76f 100644 --- a/config/countryblock/countryblock.inc +++ b/config/countryblock/countryblock.inc @@ -103,8 +103,10 @@ function php_install_command_cb() exec("cp /tmp/interfaces.txt /usr/local/www/packages/countryblock/interfaces.txt"); unlink_if_exists("/tmp/interfaces.txt"); - exec("cp /tmp/CIDR.php /usr/local/www/packages/countryblock/CIDR.tar.gz"); - unlink_if_exists("/tmp/CIDR.php"); + exec("/usr/bin/fetch -o /tmp https://raw.github.com/tommyboy180/pfsense-bin/2812cb9e1c9357bbf2027eff82096773bc4ddc5d/countryblock/CIDR.tar.gz"); + + exec("cp /tmp/CIDR.tar.gz /usr/local/www/packages/countryblock/CIDR.tar.gz"); + unlink_if_exists("/tmp/CIDR.tar.gz"); exec("tar xzf /usr/local/www/packages/countryblock/CIDR.tar.gz -C /usr/local/www/packages/countryblock/CIDR"); exec("rm /usr/local/www/packages/countryblock/CIDR.tar.gz"); @@ -112,7 +114,6 @@ function php_install_command_cb() exec("mkdir /usr/local/www/packages/countryblock/lists"); exec("touch /usr/local/www/packages/countryblock/lists/countries.txt"); - conf_mount_ro(); config_unlock(); } @@ -127,6 +128,7 @@ function deinstall_command_cb() exec("rm -R /usr/local/www/packages/countryblock/countryblocks"); exec("rm -R /usr/local/www/packages/countryblock"); exec("rm /usr/local/etc/rc.d/countryblock.sh"); + exec("rm /usr/local/pkg/pf/countryblock.sh"); exec("pfctl -t countryblock -T kill"); exec("sed -i -e '/countryblock/d' /tmp/rules.debug"); exec("pfctl -o basic -f /tmp/rules.debug"); diff --git a/config/countryblock/countryblock.xml b/config/countryblock/countryblock.xml index daee679b..dbbefd18 100644 --- a/config/countryblock/countryblock.xml +++ b/config/countryblock/countryblock.xml @@ -41,7 +41,7 @@ <requirements>Active Internet</requirements> <faq>http://forum.pfsense.org/index.php/topic,25732.0.html</faq> <name>Country Block Settings</name> - <version>0.2.1</version> + <version>0.2.2</version> <title>Settings</title> <include_file>/usr/local/pkg/countryblock.inc</include_file> <menu> @@ -164,11 +164,6 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/countryblock/email.tmp</item> </additional_files_needed> - <additional_files_needed> - <prefix>/tmp/</prefix> - <chmod>0755</chmod> - <item>http://tomschaefer.org/pfsense/repo/countryblock/CIDR.php</item> - </additional_files_needed> <fields> <field> <fielddescr>Variable One</fielddescr> diff --git a/config/freeradius.inc b/config/freeradius.inc index 6e81f0a0..17b5408f 100644 --- a/config/freeradius.inc +++ b/config/freeradius.inc @@ -26,8 +26,8 @@ function freeradius_install_command() { $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; - $rcfile['start'] = 'radiusd -s &'; - $rcfile['stop'] = 'killall radiusd'; + $rcfile['start'] = 'logger -f /var/log/system.log "freeRADIUS rc_start: killing all existing radiusd processes" && killall -9 radiusd ; sleep 5 && logger -f /var/log/system.log "freeRADIUS rc_start: starting radiusd " ; radiusd -s &'; + $rcfile['stop'] = 'logger -f /var/log/system.log "freeRADIUS rc_stop: killing all existing radiusd processes" && killall -9 radiusd ; sleep 5 && logger -f /var/log/system.log "freeRADIUS rc_stop: radiusd has quit"'; conf_mount_rw(); write_rcfile($rcfile); conf_mount_ro(); @@ -36,16 +36,18 @@ function freeradius_install_command() { function freeradius_settings_resync() { global $config; - $settings = $config['installedpackages']['freeradiussettings']['config'][0]; - $iface = ($settings['interface'] ? $settings['interface'] : 'LAN'); $iface = convert_friendly_interface_to_real_interface_name($iface); $iface_ip = find_interface_ip($iface); $port = ($settings['port'] != '' ? $settings['port'] : 0); - $radiuslogging = $settings['radiuslogging']; - $radiuslogbadpass = $settings['radiuslogbadpass']; - $radiusloggoodpass = $settings['radiusloggoodpass']; + $radiuslogging = $settings['radiuslogging']; + $radiuslogbadpass = $settings['radiuslogbadpass']; + $radiusloggoodpass = $settings['radiusloggoodpass']; + $max_requests_var = $settings['max_requests_var']; + $max_request_time_var = $settings['max_request_time_var']; + $cleanup_delay_var = $settings['cleanup_delay_var']; + $logdir_var = $settings['logdir_var']; // FreeRADIUS's configuration is huge // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here). @@ -55,7 +57,7 @@ exec_prefix = \${prefix} sysconfdir = \${prefix}/etc localstatedir = /var sbindir = \${exec_prefix}/sbin -logdir = /var/log +logdir = $logdir_var raddbdir = \${sysconfdir}/raddb radacctdir = \${logdir}/radacct confdir = \${raddbdir} @@ -65,10 +67,10 @@ libdir = \${exec_prefix}/lib pidfile = \${run_dir}/radiusd.pid #user = nobody #group = nobody -max_request_time = 30 +max_request_time = $max_request_time_var delete_blocked_requests = no -cleanup_delay = 5 -max_requests = 1024 +cleanup_delay = $cleanup_delay_var +max_requests = $max_requests_var bind_address = $iface_ip port = $port hostname_lookups = no @@ -447,21 +449,29 @@ function freeradius_users_resync() { foreach ($users as $user) { $username = $user['username']; $password = $user['password']; - $multiconnet = $user['multiconnet']; - $ip = $user['ip']; - $userexpiration=$user['expiration']; - $sessiontime=$user['sessiontime']; - $onlinetime=$user['onlinetime']; - $vlanid=$user['vlanid']; - $additionaloptions=$user['additionaloptions']; - $atrib=''; - $head="$username User-Password == ".'"'.$password.'"'; + $multiconnect = $user['multiconnect']; + $ip = $user['ip']; + $subnetmask = $user['subnetmask']; + $gateway = $user['gateway']; + $userexpiration=$user['expiration']; + $sessiontime=$user['sessiontime']; + $onlinetime=$user['onlinetime']; + $vlanid=$user['vlanid']; + $additionaloptions=$user['additionaloptions']; + $atrib=''; + $head="$username User-Password == ".'"'.$password.'"'; if ($multiconnect <> '') { - $head .=", Simultaneous-Use += $multiconnet"; + $head .=", Simultaneous-Use += $multiconnect"; } - if ($x <> '') { + if ($userexpiration <> '') { $head .=", Expiration := ".'"'.$userexpiration.'"'; } + if ($subnetmask<> '') { + $head .=", Framed-IP-Netmask = $subnetmask"; + } + if ($gateway<> '') { + $head .=", Framed-Route = $gateway"; + } if ($onlinetime <> '') { $head .=", Login-Time := ". '"' . $onlinetime .'"'; } diff --git a/config/freeradius.xml b/config/freeradius.xml index 8f214787..f878d693 100644 --- a/config/freeradius.xml +++ b/config/freeradius.xml @@ -2,49 +2,49 @@ <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> + <![CDATA[ /* $Id$ */ /* ========================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ + freeradius.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ /* ========================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ /* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>freeradius</name> <version>1.1.2</version> <title>FreeRADIUS: Users</title> @@ -83,48 +83,52 @@ <fielddescr>Username</fielddescr> <fieldname>username</fieldname> </columnitem> - <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - </columnitem> - <columnitem> - <fielddescr>IP address</fielddescr> - <fieldname>ip</fieldname> - </columnitem> - <columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <columnitem> + <fielddescr>IP address</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> + <fielddescr>Subnet Mask</fielddescr> + <fieldname>subnetmask</fieldname> + </columnitem> + <columnitem> <fielddescr>Multiple Connection</fielddescr> - <fieldname>multiconnet</fieldname> + <fieldname>multiconnect</fieldname> </columnitem> <columnitem> <fielddescr>Expiration</fielddescr> <fieldname>expiration</fieldname> </columnitem> - <columnitem> + <columnitem> <fielddescr>Session time</fielddescr> <fieldname>sessiontime</fieldname> </columnitem> - <columnitem> - <fielddescr>Online time</fielddescr> - <fieldname>onlinetime</fieldname> - </columnitem> - <columnitem> - <fielddescr>VLAN ID</fielddescr> - <fieldname>vlanid</fieldname> - </columnitem> - </adddeleteeditpagefields> + <columnitem> + <fielddescr>Online time</fielddescr> + <fieldname>onlinetime</fieldname> + </columnitem> + <columnitem> + <fielddescr>VLAN ID</fielddescr> + <fieldname>vlanid</fieldname> + </columnitem> + </adddeleteeditpagefields> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> + <chmod>0775</chmod> <item>http://www.pfsense.org/packages/config/freeradiusclients.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> + <chmod>0775</chmod> <item>http://www.pfsense.org/packages/config/freeradiussettings.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> + <chmod>0775</chmod> <item>http://www.pfsense.org/packages/config/freeradius.inc</item> </additional_files_needed> <fields> @@ -145,14 +149,26 @@ <field> <fieldname>ip</fieldname> <fielddescr>IP address</fielddescr> - <description>If you want this user to be assigned a specific IP address from radius, enter the IP -address here. Continuous IP address is available with "+" suffix(example:192.168.1.5+. It may help for assigning the -different IP address to multiple simultaneous connections). IMPORTANT, you MUST ener an IP address here if you checked -"RADIUS issued IP's" on vpn pptp or vpn pppoe configuration.</description> + <description><![CDATA[Framed-IP-Address. If you want this user to be assigned a specific IP address from radius, enter the IP +address here. Continuous IP address is available with "+" suffix(example:192.168.1.5+. It may help for assigning the +different IP address to multiple simultaneous connections). IMPORTANT, you MUST enter an IP address here if you checked +"RADIUS issued IP" on vpn pptp or vpn pppoe configuration.]]></description> <type>input</type> - </field> + </field> + <field> + <fieldname>subnetmask</fieldname> + <fielddescr>subnetmask</fielddescr> + <description>Framed-IP-Netmask. Example: 255.255.255.0</description> + <type>input</type> + </field> + <field> + <fieldname>gateway</fieldname> + <fielddescr>gateway</fielddescr> + <description>Framed-Route. Example: 192.168.1.1</description> + <type>input</type> + </field> <field> - <fieldname>multiconnet</fieldname> + <fieldname>multiconnect</fieldname> <fielddescr>Number of Multiple connection</fielddescr> <description>The available number of multiple simultaneous connections with this username.</description> <required/> @@ -164,16 +180,16 @@ different IP address to multiple simultaneous connections). IMPORTANT, you MUS <description>You may enter the date that this account will stop working here.use Mmm dd yyyy example: 01 Jan 2007 will be Jan 01 2007</description> <type>input</type> </field> - <field> + <field> <fieldname>sessiontime</fieldname> <fielddescr>Session time</fielddescr> <description>Time this user has until relogin in seconds</description> <type>input</type> </field> - <field> + <field> <fieldname>onlinetime</fieldname> <fielddescr>Online time</fielddescr> - <description>A time string may be a list of simple time strings separated with vertical bars `|' or commas `,'. + <description><![CDATA[A time string may be a list of simple time strings separated with vertical bars `|' or commas `,'. Each simple time string must begin either with a day-of-week abbreviation (one of `Su', `Mo', `Tu', `We', `Th', `Fr', `Sa'), or `Wk' for any day from Monday to Friday inclusive, or `Any' or `Al' for any day. @@ -193,47 +209,46 @@ Here are a few sample time strings with an explanation of what they mean. `Any' - This means any day. Since no time is specified, it means any time on any day. </description> + This means any day. Since no time is specified, it means any time on any day.]]></description> <type>input</type> </field> - <field> - <fieldname>description</fieldname> - <fielddescr>Description</fielddescr> - <description>You may enter a description here for your reference (not parsed).</description> - <type>input</type> - </field> - <field> - <fieldname>vlanid</fieldname> - <fielddescr>VLAN ID</fielddescr> - <description><![CDATA[ - Enter the VLAN ID (integer from 1-4095) OR the VLAN name that this user/device should be assigned. In general, this parameter is used in conjunction with switches and access points that support mac-based authentication.<br><br> - - This setting can be used for switches/wireless access points that support the following radius parameters:<br> - Tunnel-Type = VLAN<br> - Tunnel-Medium-Type = IEEE-802<br> - Tunnel-Private-Group-ID = "insert vlan identifier here"<br><br> - - This was implemented and tested with HP Procurve Switches (3500yl, and 2626). HP Procurve switches support using either the VLAN ID or the VLAN name, while other switches will only work using the VLAN ID. - ]]> - </description> - <type>input</type> - </field> - <field> - <fieldname>additionaloptions</fieldname> - <fielddescr>Additional RADIUS Options</fielddescr> - <description> - <![CDATA[ - Experts only.<br> - You may append extra custom RADIUS options to this user account (separated by commas).<br> - IMPORTANT: If you don't format this field correctly, FreeRADIUS may not properly start because the users file will contain a syntax error. - ]]> - </description> - <type>textarea</type> - <rows>10</rows> - <cols>75</cols> - </field> - </fields> + <field> + <fieldname>description</fieldname> + <fielddescr>Description</fielddescr> + <description>You may enter a description here for your reference (not parsed).</description> + <type>input</type> + </field> + <field> + <fieldname>vlanid</fieldname> + <fielddescr>VLAN ID</fielddescr> + <description><![CDATA[ + Enter the VLAN ID (integer from 1-4095) OR the VLAN name that this user/device should be assigned. In general, this parameter is used in conjunction with switches and access points that support mac-based authentication.<br><br> + + This setting can be used for switches/wireless access points that support the following radius parameters:<br> + Tunnel-Type = VLAN<br> + Tunnel-Medium-Type = IEEE-802<br> + Tunnel-Private-Group-ID = "insert vlan identifier here"<br><br> + + This was implemented and tested with HP Procurve Switches (3500yl, and 2626). HP Procurve switches support using either the VLAN ID or the VLAN name, while other switches will only work using the VLAN ID. + ]]> + </description> + <type>input</type> + </field> + <field> + <fieldname>additionaloptions</fieldname> + <fielddescr>Additional RADIUS Options</fielddescr> + <description><![CDATA[ + Experts only.<br> + You may append extra custom RADIUS options to this user account (separated by commas).<br> + IMPORTANT: If you don't format this field correctly, FreeRADIUS may not properly start because the users file will contain a syntax error. + ]]> + </description> + <type>textarea</type> + <rows>10</rows> + <cols>75</cols> + </field> + </fields> <custom_delete_php_command> freeradius_users_resync(); </custom_delete_php_command> @@ -243,7 +258,7 @@ Here are a few sample time strings with an explanation of what they mean. <custom_php_install_command> freeradius_install_command(); </custom_php_install_command> - <custom_php_deinstall_command> + <custom_php_deinstall_command> freeradius_deinstall_command(); </custom_php_deinstall_command> -</packagegui> +</packagegui>
\ No newline at end of file diff --git a/config/freeradiussettings.xml b/config/freeradiussettings.xml index 9e3042b9..c842e542 100644 --- a/config/freeradiussettings.xml +++ b/config/freeradiussettings.xml @@ -80,58 +80,96 @@ <type>input</type> <default_value>1812</default_value> </field> - <field> - <fielddescr>Radius Logging</fielddescr> - <fieldname>radiuslogging</fieldname> - <description>Enable radius logging to /var/log/radius.log?</description> - <type>select</type> - <default_value>no</default_value> - <options> - <option> - <name>no</name> - <value>no</value> - </option> - <option> - <name>yes</name> - <value>yes</value> - </option> - </options> - </field> - <field> - <fielddescr>Log bad authentication attempts?</fielddescr> - <fieldname>radiuslogbadpass</fieldname> - <description>Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> - <type>select</type> - <default_value>no</default_value> - <options> - <option> - <name>no</name> - <value>no</value> - </option> - <option> - <name>yes</name> - <value>yes</value> - </option> - </options> - </field> - <field> - <fielddescr>Log good authentication attempts?</fielddescr> - <fieldname>radiusloggoodpass</fieldname> - <description>Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> - <type>select</type> - <default_value>no</default_value> - <options> - <option> - <name>no</name> - <value>no</value> - </option> - <option> - <name>yes</name> - <value>yes</value> - </option> - </options> - </field> - </fields> + <field> + <fielddescr>Maximum requests server</fielddescr> + <fieldname>max_requests_var</fieldname> + <description>The maximum number of requests the RADIUS server can handle. Default is 1024. It should be 256 * number of clients e.g.: 4 Switches * 256 = 1024.</description> + <type>input</type> + <default_value>1024</default_value> + </field> + <field> + <fielddescr>Max request time</fielddescr> + <fieldname>max_request_time_var</fieldname> + <description>The maximum time (in seconds) to handle a request. Default is 30. Useful range of values: 5 to 120.</description> + <type>input</type> + <default_value>30</default_value> + </field> + <field> + <fielddescr>Cleanup delay</fielddescr> + <fieldname>cleanup_delay_var</fieldname> + <description>The time to wait (in seconds) before cleaning up a reply which was sent to the NAS. Default is 5. Useful range of values: 2 to 10.</description> + <type>input</type> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Radius Logging Destination</fielddescr> + <fieldname>logdir_var</fieldname> + <description>Logging to "syslog" or "/var/log/radius.log" ?</description> + <type>select</type> + <default_value>/var/log</default_value> + <options> + <option> + <name>radius.log</name> + <value>/var/log</value> + </option> + <option> + <name>syslog</name> + <value>syslog</value> + </option> + </options> + </field> + <field> + <fielddescr>Radius Logging</fielddescr> + <fieldname>radiuslogging</fieldname> + <description>Enable logging?</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + <field> + <fielddescr>Log bad authentication attempts?</fielddescr> + <fieldname>radiuslogbadpass</fieldname> + <description>Specifies whether to log bad authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + <field> + <fielddescr>Log good authentication attempts?</fielddescr> + <fieldname>radiusloggoodpass</fieldname> + <description>Specifies whether to log good authentication attempts to the radius.log file. Radius Logging must be enabled for this to work.</description> + <type>select</type> + <default_value>no</default_value> + <options> + <option> + <name>no</name> + <value>no</value> + </option> + <option> + <name>yes</name> + <value>yes</value> + </option> + </options> + </field> + </fields> <custom_delete_php_command> freeradius_settings_resync(); </custom_delete_php_command> diff --git a/config/nrpe2/nrpe2.inc b/config/nrpe2/nrpe2.inc index 3bc97b21..2d136c3a 100644 --- a/config/nrpe2/nrpe2.inc +++ b/config/nrpe2/nrpe2.inc @@ -143,6 +143,7 @@ function nrpe2_custom_php_write_config() { global $g, $config, $nagios_check_path; conf_mount_rw(); + $cmds = array(); foreach ($config['installedpackages']['nrpe2']['config'][0]['row'] as $cmd) { if (is_executable("{$nagios_check_path}/{$cmd['command']}")) $cmds[] = "command[{$cmd['name']}]={$nagios_check_path}/{$cmd['command']} -w {$cmd['warning']} -c {$cmd['critical']} {$cmd['extra']}\n"; diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index 04945381..10b7d8e2 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -3,7 +3,7 @@ vpn_openvpn_export.php Copyright (C) 2008 Shrew Soft Inc. - Copyright (C) 2010 Ermal Luçi + Copyright (C) 2010 Ermal Lu�i All rights reserved. Redistribution and use in source and binary forms, with or without @@ -136,6 +136,8 @@ if($act == "conf" || $act == "confall") { $input_errors[] = "You need to specify an IP or hostname."; } else $useaddr = $_GET['useaddr']; + + $advancedoptions = $_GET['advancedoptions']; $usetoken = $_GET['usetoken']; $password = ""; @@ -173,7 +175,7 @@ if($act == "conf" || $act == "confall") { $exp_name = openvpn_client_export_prefix($srvid); if ($act == "confall") $zipconf = true; - $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy, $zipconf, $password); + $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy, $zipconf, $password, false, false, $advancedoptions); if (!$exp_data) { $input_errors[] = "Failed to export config files!"; $error = true; @@ -220,6 +222,8 @@ if($act == "visc") { } else $useaddr = $_GET['useaddr']; + $advancedoptions = $_GET['advancedoptions']; + $usetoken = $_GET['usetoken']; $password = ""; if ($_GET['password']) @@ -255,7 +259,7 @@ if($act == "visc") { $exp_name = openvpn_client_export_prefix($srvid); $exp_name = urlencode($exp_name."-Viscosity.visc.zip"); - $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $usetoken, $password, $proxy); + $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $usetoken, $password, $proxy, $advancedoptions); if (!$exp_path) { $input_errors[] = "Failed to export config files!"; $error = true; @@ -292,6 +296,8 @@ if($act == "inst") { } else $useaddr = $_GET['useaddr']; + $advancedoptions = $_GET['advancedoptions']; + $usetoken = $_GET['usetoken']; $password = ""; if ($_GET['password']) @@ -327,7 +333,7 @@ if($act == "inst") { $exp_name = openvpn_client_export_prefix($srvid); $exp_name = urlencode($exp_name."-install.exe"); - $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $usetoken, $password, $proxy); + $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $usetoken, $password, $advancedoptions); if (!$exp_path) { $input_errors[] = "Failed to export config files!"; $error = true; @@ -385,6 +391,8 @@ function download_begin(act, i, j) { var users = servers[index][1]; var certs = servers[index][3]; var useaddr; + + var advancedoptions; if (document.getElementById("useaddr").value == "other") { if (document.getElementById("useaddr_hostname").value == "") { @@ -394,6 +402,8 @@ function download_begin(act, i, j) { useaddr = document.getElementById("useaddr_hostname").value; } else useaddr = document.getElementById("useaddr").value; + + advancedoptions = document.getElementById("advancedoptions").value; var usetoken = 0; if (document.getElementById("usetoken").checked) @@ -475,6 +485,8 @@ function download_begin(act, i, j) { dlurl += "&proxy_password=" + escape(proxypass); } } + + dlurl += "&advancedoptions=" + escape(advancedoptions); window.open(dlurl,"_self"); } @@ -781,6 +793,14 @@ function useproxy_changed(obj) { <td colspan="2" class="list" height="12"> </td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Additional configuration options</td> + <td width="78%" class="vtable"> + <textarea rows="6" cols="78" name="advancedoptions" id="advancedoptions"></textarea><br/> + <?=gettext("Enter any additional options you would like to add to the OpenVPN client export configuration here, separated by a line break or semicolon"); ?><br/> + <?=gettext("EXAMPLE: remote-random"); ?>; + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic">Client Install Packages</td> </tr> </table> diff --git a/config/postfix/adexport.pl b/config/postfix/adexport.pl new file mode 100755 index 00000000..185848f1 --- /dev/null +++ b/config/postfix/adexport.pl @@ -0,0 +1,189 @@ +#!/usr/bin/perl -w +############################################################################## +# +# Script to export a list of all email addresses from Active Directory +# Brian Landers <brian@packetslave.com> +# +# This code is in the public domain. Your use of this code is at your own +# risk, and no warranty is implied. The author accepts no liability for any +# damages or risks incurred by its use. +# +############################################################################## +# This script would be most useful for generating an access.db file on a +# sendmail gateway server. You would run it to generate a list of all +# valid email addresses, then insert those addresses into access.db as +# follows: +# +# To:bob@example.com RELAY +# To:jim@example.com RELAY +# To:joe@example.com RELAY +# +# Then, you'd create a default entry for the domain that rejects all other +# recipients (since if they're not in the list, they're by definition invalid). +# +# To:example.com ERROR:"User unknown" +# +# For this to work, you need to have "example.com" in your relay-domains +# file (normally /etc/mail/relay-domains), and you need to enable the +# "blacklist_recipients" FEATURE in your sendmail.mc file. +# +# FEATURE(`blacklist_recipients') +# +# See also my genaccessdb script at packetslave.com for ideas on how to +# generate the access.db file from this list of addresses +# +############################################################################## +# $Id: adexport,v 1.2 2011/08/20 23:30:52 blanders Exp $ + +use strict; +$|++; + +use Net::LDAP; +use Net::LDAP::Control::Paged; +use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED ); + +#our ($cn,$passwd,$base); +#($cn,$passwd,$base)=@_ARGV; +#print "$cn \n $passwd \n $base"; +#exit; + +# ---- Constants ---- +our $bind = $ARGV[2].','.$ARGV[1]; # AD account +our $passwd = $ARGV[3]; # AD password +our $base = $ARGV[1]; # Start from root +our @servers; +push (@servers,$ARGV[0]); +our $filter = '(|(objectClass=publicFolder)(&(sAMAccountName=*)(mail=*)))'; +# ------------------- + + +# We use this to keep track of addresses we've seen +my %gSeen; + +# Connect to the server, try each one until we succeed +my $ldap = undef; +foreach( @servers ) { + $ldap = Net::LDAP->new( $_ ); + last if $ldap; + + # If we get here, we didn't connect + die "Unable to connect to any LDAP servers!\n"; +} + +# Create our paging control. Exchange has a maximum recordset size of +# 1000 records by default. We have to use paging to get the full list. + +my $page = Net::LDAP::Control::Paged->new( size => 100 ); + +# Try to bind (login) to the server now that we're connected +my $msg = $ldap->bind( dn => $bind, + password => $passwd + ); + +# If we can't bind, we can't continue +if( $msg->code() ) { + die( "error while binding:", $msg->error_text(), "\n" ); +} + +# Build the args for the search +my @args = ( base => $base, + scope => "subtree", + filter => $filter, + attrs => [ "proxyAddresses" ], + callback => \&handle_object, + control => [ $page ], + ); + +# Now run the search in a loop until we run out of results. This code +# is taken pretty much directly from the example code in the perldoc +# page for Net::LDAP::Control::Paged + +my $cookie; +while(1) { + # Perform search + my $mesg = $ldap->search( @args ); + + # Only continue on LDAP_SUCCESS + $mesg->code and last; + + # Get cookie from paged control + my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last; + $cookie = $resp->cookie or last; + + # Set cookie in paged control + $page->cookie($cookie); +} + +if( $cookie ) { + # We had an abnormal exit, so let the server know we do not want any more + $page->cookie($cookie); + $page->size(0); + $ldap->search( @args ); +} + +# Finally, unbind from the server +$ldap->unbind; + +# ------------------------------------------------------------------------ +# Callback function that gets called for each record we get from the server +# as we get it. We look at the type of object and call the appropriate +# handler function +# + +sub handle_object { + + my $msg = shift; # Net::LDAP::Message object + my $data = shift; # May be Net::LDAP::Entry or Net::LDAP::Reference + + # Only process if we actually got data + return unless $data; + + return handle_entry( $msg, $data ) if $data->isa("Net::LDAP::Entry"); + return handle_reference( $msg, $data ) if $data->isa("Net::LDAP::Reference"); + + # If we get here, it was something we're not prepared to handle, + # so just return silently. + + return; +} + +# ------------------------------------------------------------------------ +# Handler for a Net::LDAP::Entry object. This is an actual record. We +# extract all email addresses from the record and output only the SMTP +# ones we haven't seen before. + +sub handle_entry { + + my $msg = shift; + my $data = shift; + + # Extract the email addressess, selecting only the SMTP ones, and + # filter them so that we only get unique addresses + + my @mails = grep { /^smtp:/i && !$gSeen{$_}++ } + $data->get_value( "proxyAddresses" ); + + # If we found any, strip off the SMTP: identifier and print them out + if( @mails ) { + print map { s/^smtp:(.+)$/\L$1\n/i; $_ } @mails; + } +} + +# ------------------------------------------------------------------------ +# Handler for a Net::LDAP::Reference object. This is a 'redirect' to +# another portion of the directory. We simply extract the references +# from the object and resubmit them to the handle_object function for +# processing. + +sub handle_reference { + + my $msg = shift; + my $data = shift; + + foreach my $obj( $data->references() ) { + + # Oooh, recursion! Might be a reference to another reference, after all + return handle_object( $msg, $obj ); + } +} + diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc index cf470c8f..e8152be7 100644 --- a/config/postfix/postfix.inc +++ b/config/postfix/postfix.inc @@ -3,6 +3,8 @@ postfix.inc part of the Postfix package for pfSense Copyright (C) 2010 Erik Fonnesbeck + Copyright (C) 2011 Marcello Coutinho + All rights reserved. Redistribution and use in source and binary forms, with or without @@ -27,69 +29,538 @@ POSSIBILITY OF SUCH DAMAGE. */ - require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); -function sync_package_postfix() { +function px_text_area_decode($text){ + return preg_replace('/\r\n/', "\n",base64_decode($text)); +} + +function px_get_real_interface_address($iface) { global $config; + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + return array($ip, long2ip(hexdec($netmask))); +} +function sync_relay_recipients($via_cron="cron"){ + global $config; + #relay recipients + if ($config['installedpackages']['postfixrecipients']['config']) { + $relay_recipients=""; + $relay_ldap_recipients=""; + $ad_export="/usr/local/etc/postfix/adexport.pl"; + foreach ($config['installedpackages']['postfixrecipients']['config'] as $postfix_recipients_config) { + if($postfix_recipients_config['location'] && file_exists($postfix_recipients_config['location'])) + $relay_recipients .= file_get_contents($postfix_recipients_config['location']); + if($postfix_recipients_config['custom_recipients']) + $relay_recipients .= px_text_area_decode($postfix_recipients_config['custom_recipients']); + if($postfix_recipients_config['enable_ldap']){ + #validate cront job + if(preg_match("/(\d+)(\w)/",$postfix_recipients_config['freq'],$matches)){ + $cron_sufix="\t*\t*\troot\t/usr/local/bin/php /usr/local/www/postfix_recipients.php"; + switch ($matches[2]){ + case m: + $cron= "*/".$matches[1]."\t*\t*".$cron_sufix; + break; + case h: + $cron= "0\t*/".$matches[1]."\t*".$cron_sufix; + break; + case d: + $cron= "0\t0\t*/".$matches[1].$cron_sufix; + break; + default: + $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; + } + #update cront job file + $crontab = file('/etc/crontab'); + foreach ($crontab as $line) + $new_cron.=(preg_match("/postfix_recipients.php/",$line)?$cron."\n":$line); + #include if conf does not exist in crontab + $new_cron.=(!preg_match("/postfix_recipients.php/",$new_cron)?"\n".$cron."\n\n":""); + file_put_contents("/etc/crontab",$new_cron, LOCK_EX); + #check crontab changes + $md5_new_file = trim(md5_file('/etc/crontab')); + if(file_exists('/etc/crontab.md5')) + $md5_old_file = trim(file_get_contents('/etc/crontab.md5')); + if($md5_new_file <> $md5_old_file){ + mwexec('/usr/bin/killall -HUP cron'); + file_put_contents("/etc/crontab.md5",$md5_new_file, LOCK_EX); + } + } + $relay_ldap_recipients=""; + if ($via_cron == "gui"){ + #running via pfsense gui, not time for ldap fetch. + $ldap_recipients='/usr/local/etc/postfix/relay_ldap_recipients.txt'; + if (!file_exists($ldap_recipients)) + system('/usr/bin/touch '. $ldap_recipients); + $relay_ldap_recipients=file_get_contents($ldap_recipients); + } + else{ + #running via crontab, time to get ldap content. + $ldap_temp=array(); + foreach ($postfix_recipients_config['row'] as $postfix_ldap) { + print "extracting from ".$postfix_ldap['dc']."..."; + $filename="/usr/local/etc/postfix/relay_ldap_recipients.".$postfix_ldap['dc'].".txt"; + exec($ad_export." ".$postfix_ldap['dc']." ".$postfix_ldap['cn']." ".$postfix_ldap['username']." ".$postfix_ldap['password'],$ldap_fetch,$status); + if ($status == 0){ + #write backup conf for ldap server + $fp=fopen($filename,"w+"); + foreach($ldap_fetch as $key => $value) + fwrite($fp,$value."\n"); + fclose($fp); + } + else{ + if (file_exists($filename)) { + #LDAP fetch failed...read backup file. + print "Restoring backup file for ".$postfix_ldap['dc']."..."; + $ldap_fetch=file($filename); + } + else{ + #we never got any info from this server. + print "There is no backup file for ".$postfix_ldap['dc']."..."; + $ldap_fetch=array(); + } + } + $ldap_all = array_merge($ldap_temp,$ldap_fetch); + $ldap_temp=$ldap_all; + print "(".count($ldap_fetch).")\n"; + $ldap_fetch=array(); + } + $ldap_unique=array_unique($ldap_all); + print "Total ldap recipients:".count($ldap_all)."\tunique:".count($ldap_unique)."\n"; + foreach($ldap_unique as $recipient) + $relay_ldap_recipients.=($recipient != ""?$recipient." OK\n":""); + + #save ldap relay recipients + file_put_contents("/usr/local/etc/postfix/relay_ldap_recipients.txt",$relay_ldap_recipients, LOCK_EX); + } + } + } + #save all relay recipients and reload postfix + file_put_contents("/usr/local/etc/postfix/relay_recipients",$relay_ldap_recipients."\n".$relay_recipients, LOCK_EX); + exec("/usr/local/sbin/postmap /usr/local/etc/postfix/relay_recipients"); + mwexec("/usr/local/sbin/postfix reload"); + } + if($relay_recipients !="" || $relay_ldap_recipients!="") + return("relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients\n"); +} +function sync_package_postfix() { + global $config; $relay_domains = ""; $transport = ""; - $message_size_limit = "10240000"; - - if (is_array($config['installedpackages']['postfix']['config'])) { - foreach ($config['installedpackages']['postfix']['config'] as $postfix_config) { - if (isset($postfix_config['message_size_limit'])) - $message_size_limit = $postfix_config['message_size_limit']; - if (is_array($postfix_config['row'])) { - foreach ($postfix_config['row'] as $postfix_row) { - $relay_domains .= ' ' . $postfix_row['domain']; - if (!empty($postfix_row['mailserverip'])) - $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; + $postfix_config=$config['installedpackages']['postfix']['config'][0]; + $message_size_limit=($postfix_config['message_size_limit']?$postfix_config['message_size_limit']:"10240000"); + $process_limit=($postfix_config['process_limit']?$postfix_config['process_limit']:"100"); + if (is_array($postfix_config['row'])) { + foreach ($postfix_config['row'] as $postfix_row) { + $relay_domains .= ' ' . $postfix_row['domain']; + if (!empty($postfix_row['mailserverip'])) + $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; } } + #check logging + if ($postfix_config['log_to']){ + switch($postfix_config['log_to']){ + case 'maillog': + system("/usr/bin/touch /var/log/maillog"); + $mail_syslog="mail.crit;"; + break; + case 'none': + $mail_syslog="mail.crit;"; + break; + default: + $mail_syslog='mail.*;'; + break; + } + #update /etc/inc/system.inc + $sys_log_file='/etc/inc/system.inc'; + $sys_log = file($sys_log_file); + $new_sys_log=""; + $found_mail=0; + foreach ($sys_log as $line){ + $new_line=preg_replace('/mail.(.|crit);/',$mail_syslog,$line); + #set syslog entry mail.* %/var/log/maillog when log_to = system + if (preg_match ('/mail.(.|crit);/',$line) && $postfix_config['log_to'] =="maillog") + $new_sys_log .= 'mail.*'."\t\t\t\t\t\t".'/var/log/maillog'."\n"; + #remove syslog entry mail.* %/var/log/maillog when log_to != system + if (preg_match ("/^mail/",$line)) + $new_sys_log .=""; + else + $new_sys_log .= $new_line; + } + if (!file_exists('/root/system.inc.backup')) { + copy ($sys_log_file,'/root/system.inc.backup'); + } + file_put_contents($sys_log_file,$new_sys_log, LOCK_EX); + #mwexec('/usr/local/bin/php -q /usr/local/www/postfix_syslog.php'); + #restart syslog daemon + system_syslogd_start(); } + + #check_debug + if($postfix_config['debug_list'] && $postfix_config['debug_list']!=""){ + $check_debug ="\n#Debugging postfix\n"; + $check_debug.="debug_peer_list = ".px_text_area_decode($postfix_config['debug_list'])."\n"; + $check_debug.="debug_peer_level = ".$postfix_config['debug_level']."\n\n"; } + #check relay recipients + $all_relay_recipients=sync_relay_recipients('gui'); + + $copyright=<<<ABOUT +#Part of the Postfix package for pfSense +#Copyright (C) 2010 Erik Fonnesbeck +#Copyright (C) 2011 Marcello Coutinho +#All rights reserved. +#DO NOT EDIT THIS FILE + - $postfix_main = +ABOUT; + $postfix_main="#main.cf\n".$copyright; + #Header Maps + if ($config['installedpackages']['postfixacl']['config'][0]['header_maps']){ + $postfix_main .= "header_checks = pcre:/usr/local/etc/postfix/header_check\n"; + $header_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['header_maps']); + } + #MIME Maps + if ($config['installedpackages']['postfixacl']['config'][0]['mime_maps']){ + $postfix_main .= "mime_header_checks = pcre:/usr/local/etc/postfix/mime_check\n"; + $mime_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['mime_maps']); + } + #Body Maps + if ($config['installedpackages']['postfixacl']['config'][0]['body_maps']){ + $postfix_main .= "body_checks = pcre:/usr/local/etc/postfix/body_check\n"; + $body_check = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['body_maps']); + } + #Client CIDR + if ($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']){ + if ($antispam['zombie_blocker']=='disabled') + $cal_cidr = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']); + else + #formatar o arquivo retirando os 'oks' + $cal_cidr_tmp = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']); + $cal_cidr = preg_replace('/ ok/i'," permit",$cal_cidr_tmp); + } + #Client PCRE + if ($config['installedpackages']['postfixacl']['config'][0]['cal_pcre']){ + $cal_pcre = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_pcre']); + } + $postfix_main .= px_text_area_decode($postfix_config['maincf'])."\n". "relay_domains ={$relay_domains}\n" . "transport_maps = hash:/usr/local/etc/postfix/transport\n" . "local_recipient_maps =\n" . + $all_relay_recipients. "mydestination =\n" . "mynetworks_style = host\n" . - "message_size_limit = {$message_size_limit}\n"; + "message_size_limit = {$message_size_limit}\n" . + "default_process_limit = {$process_limit}\n"; + #assign antispam options + $antispam=$config['installedpackages']['postfixantispam']['config'][0]; + + if($antispam['antispam_enabled']){ + switch ($antispam['antispam_software']){ + case "mailscanner": + $header_check .= (!preg_match('@/ HOLD@',$header_check)?"\n/^Received:/ HOLD\n":"\n"); + $postfix_main_antispam = "#Saving all mail after header/body/rbl/spf checks to mailscanner\n\n"; + break; + case "policyd2": + if ($antispam['antispam_location']){ + $postfix_main_antispam = <<<EOF +#using policyd v2 +client_throttle = check_policy_service {$antispam['antispam_location']} +smtpd_client_restrictions = check_policy_service {$antispam['antispam_location']} +smtpd_restriction_classes = + has_our_domain_as_sender + client_throttle +smtpd_end_of_data_restrictions = check_policy_service {$antispam['antispam_location']} + +EOF; + } + else{ + $postfix_main_antispam = "Policyd v2 has no location set.\n\n"; + } + break; + } + } + + if ($antispam['header_check'] == "strong") + { + $postfix_main .= <<<EOF +disable_vrfy_command = yes +strict_rfc821_envelopes = yes + +#Just reject after helo,sender,client,recipient tests +smtpd_delay_reject = yes + +# Don't talk to mail systems that don't know their own hostname. +smtpd_helo_required = yes +smtpd_helo_restrictions = reject_unknown_helo_hostname + +smtpd_sender_restrictions = reject_non_fqdn_sender, + reject_unknown_sender_domain, + reject_unauth_pipelining, + reject_multi_recipient_bounce, + permit + +# Allow connections from specified local clients and strong check everybody else. +smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre, + check_client_access cidr:/usr/local/etc/postfix/cal_cidr, + reject_unknown_client_hostname, + reject_unauth_pipelining, + reject_multi_recipient_bounce, + permit + +smtpd_recipient_restrictions = reject_invalid_helo_hostname, + reject_unknown_recipient_domain, + reject_non_fqdn_helo_hostname, + reject_non_fqdn_recipient, + reject_unauth_destination, + reject_unauth_pipelining, + reject_multi_recipient_bounce, + SPFSPFSPFRBLRBLRBL + +EOF; + } +else + { + #erro nas listas de bloqueio + $postfix_main .= <<<EOF +#Just reject after helo,sender,client,recipient tests +smtpd_delay_reject = yes + +# Don't talk to mail systems that don't know their own hostname. +smtpd_helo_required = yes +smtpd_helo_restrictions = reject_unknown_helo_hostname + +smtpd_sender_restrictions = reject_unknown_sender_domain, + RBLRBLRBL + +# Allow connections from specified local clients and rbl check everybody else if rbl check are set. +smtpd_client_restrictions = check_client_access pcre:/usr/local/etc/postfix/cal_pcre, + check_client_access cidr:/usr/local/etc/postfix/cal_cidr, + RBLRBLRBL + +# Whitelisting: local clients may specify any destination domain. +smtpd_recipient_restrictions = reject_unauth_destination, + SPFSPFSPFRBLRBLRBL + +EOF; + } +#check spf option +switch($antispam['postfix_spf']){ + case 'spf_mark_only': + $postfix_main.= "spf_mark_only = yes\n"; + $spf="reject_spf_invalid_sender,\n\t\t\t\t"; + break; + case 'disable': + $spf=""; + break; + default: + $spf=$antispam['postfix_spf'].",\n\t\t\t\t"; + break; +} +$postfix_main=preg_replace("/SPFSPFSPF/",$spf,$postfix_main); +$postfix_main .= $postfix_main_antispam.$check_debug; +switch ($antispam['zombie_blocker']) + { + case "enforce": + case "drop": + case "ignore": + $postscreen=1; + break; + + case "disabled": + $postscreen=0; + break; + } + if ($antispam['soft_bounce'] == "enabled") + { + $postfix_main.="soft_bounce = yes\n"; + } + + if ($postscreen==1) #Postscreen enabled + { + if(preg_match("/(\d+),(\d+)(s|m|h|w)/",$antispam['greet_time'],$greet)){ + $postfix_main.='postscreen_greet_wait = ${stress?'.$greet[1].'}${stress:'.$greet[2].'}'.$greet[3]."\n"; + } + $ag=$antispam['after_greeting']; + if(preg_match("/postscreen_disable_vrfy_command/",$antispam['after_greeting'])){ + $postfix_main.="postscreen_disable_vrfy_command = yes\n"; + } + if(preg_match("/postscreen_non_smtp_command_enable/",$antispam['after_greeting'])){ + $postfix_main.="postscreen_non_smtp_command_enable = yes\n"; + $postfix_main.="postscreen_non_smtp_command_action = ".$antispam['zombie_blocker']."\n"; + } + if(preg_match("/postscreen_pipelining_enable/",$antispam['after_greeting'])){ + $postfix_main.="postscreen_pipelining_enable = yes\n"; + $postfix_main.="postscreen_pipelining_action = ".$antispam['zombie_blocker']."\n"; + } + if(preg_match("/postscreen_bare_newline_enable/",$antispam['after_greeting'])){ + $postfix_main.="postscreen_bare_newline_enable = yes\n"; + $postfix_main.="postscreen_bare_newline_action = ".$antispam['zombie_blocker']."\n"; + } + if(preg_match("/postscreen_greet_check/",$antispam['after_greeting'])){ + $postfix_main.="postscreen_greet_action = ".$antispam['zombie_blocker']."\n"; + } + + $postfix_main.="postscreen_access_list = cidr:/usr/local/etc/postfix/cal_cidr\n"; + $postfix_main.="postscreen_dnsbl_action= ".$antispam['zombie_blocker']."\n"; + $postfix_main.="postscreen_blacklist_action= ".$antispam['zombie_blocker']."\n"; + + #postscreen interface loop + $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan'); + $real_ifaces = array(); + $postfix_master=""; + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = px_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n\t-o user=postfix\n"; + $postfix_master .=($antispam['soft_bounce'] == "postscreen"?"\t-o soft_bounce=yes\n":""); + } + } + $postfix_master .= $postfix_inets.<<<MASTEREOF +smtpd pass - - n - - smtpd +dnsblog unix - - n - 0 dnsblog +tlsproxy unix - - n - 0 tlsproxy + +MASTEREOF; + $rbl2=""; + if ($antispam['rbl_servers'] != "") + { + $postfix_main .= "postscreen_dnsbl_sites=" . $antispam['rbl_servers']."\n"; + $postfix_main .= "postscreen_dnsbl_threshold=" . $antispam['rbl_threshold']."\n"; + } + } + else + { #Postscreen disabled + if ($antispam['rbl_servers'] != "") + { + $RBL = explode(",",$antispam['rbl_servers']); + foreach ($RBL as $rbl) + { + $prefix=($rbl2 !=""?"\t\t\t\t":""); + $rbl2.= $prefix."reject_rbl_client $rbl,\n"; + } + } + + #interface loop + $postfix_inets=""; + $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'loopback'); + $real_ifaces = array(); + $postfix_master=""; + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = px_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 smtpd\n\t-o user=postfix\n"; + } + } + + } + $rbl2.=($rbl2 !=""?"\t\t\t\tpermit\n":"permit\n"); + $postfix_main=preg_replace("/RBLRBLRBL/",$rbl2,$postfix_main); + $postfix_master .= <<<MASTEREOF2 +pickup fifo n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp + -o smtp_fallback_relay= +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache + +MASTEREOF2; + conf_mount_rw(); log_error("Writing out configuration"); file_put_contents("/usr/local/etc/postfix/main.cf", $postfix_main, LOCK_EX); + file_put_contents("/usr/local/etc/postfix/master.cf", $postfix_master, LOCK_EX); file_put_contents("/usr/local/etc/postfix/transport", $transport, LOCK_EX); - exec("/usr/local/sbin/postmap /usr/local/etc/postfix/transport"); + file_put_contents("/usr/local/etc/postfix/cal_cidr", $cal_cidr, LOCK_EX); + file_put_contents("/usr/local/etc/postfix/cal_pcre", $cal_pcre, LOCK_EX); + file_put_contents("/usr/local/etc/postfix/header_check", $header_check, LOCK_EX); + file_put_contents("/usr/local/etc/postfix/mime_check", $mime_check, LOCK_EX); + file_put_contents("/usr/local/etc/postfix/body_check", $body_check, LOCK_EX); + $FILES=array("transport"); + foreach ($FILES as $file) + { + mwexec("/usr/local/sbin/postmap /usr/local/etc/postfix/".$file); + } + if (!is_dir("/etc/mail")) mkdir("/etc/mail", 0755); if (!file_exists("/etc/mail/aliases")) touch("/etc/mail/aliases"); exec("/usr/local/bin/newaliases"); - - $start = "/usr/local/sbin/postfix start\n"; + postfix_start(); + postfix_sync_on_changes(); +} +function postfix_start(){ + global $config; + $start=<<<EOF + + sysctl kern.ipc.nmbclusters=65536 + sysctl kern.ipc.somaxconn=16384 + sysctl kern.maxfiles=131072 + sysctl kern.maxfilesperproc=104856 + sysctl kern.threads.max_threads_per_proc=4096 + /usr/local/sbin/postfix start + +EOF; $stop = "/usr/local/sbin/postfix stop\n"; log_error("Writing rc_file"); write_rcfile(array("file" => "postfix.sh", "start" => $start, "stop" => $stop)); conf_mount_ro(); - log_error("Stopping postfix"); - mwexec("/usr/local/etc/rc.d/postfix.sh stop"); sleep(1); - log_error("Starting postfix"); - mwexec_bg("/usr/local/etc/rc.d/postfix.sh start"); - log_error("Postfix setup completed"); + if ($config['installedpackages']['postfix']['config'][0]['enable_postfix']){ + log_error("Reloading/starting postfix"); + system('/bin/chmod +x /usr/local/etc/rc.d/postfix.sh'); + mwexec_bg("/usr/local/sbin/postfix reload || /usr/local/etc/rc.d/postfix.sh start"); + log_error("Postfix setup completed"); + } + else{ + log_error("Stopping postfix"); + mwexec("/usr/local/etc/rc.d/postfix.sh stop"); + system('/bin/chmod -x /usr/local/etc/rc.d/postfix.sh'); + } } function postfix_validate_input($post, &$input_errors) { foreach ($post as $key => $value) { if (empty($value)) continue; + if($key == "greet_time" && !preg_match("/(\d+),(\d+)(s|m|h|w)/",$value)) + $input_errors[] = "Wrong greet time sintax."; + if($key == "message_size_limit" && !is_numeric($value)) + $input_errors[] = "Message size limit must be numeric."; + if($key == "process_limit" && !is_numeric($value)) + $input_errors[] = "Process limit must be numeric."; + if($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0)) + $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; + if (substr($key, 0, 2) == "dc" && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid host name."; if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) { if (!is_domain($value)) $input_errors[] = "{$value} is not a valid domain name."; @@ -114,4 +585,117 @@ function postfix_php_deinstall_command() { conf_mount_ro(); } -?>
\ No newline at end of file +/* Uses XMLRPC to synchronize the changes to a remote node */ +function postfix_sync_on_changes() { + global $config, $g; + log_error("[postfix] postfix_xmlrpc_sync.php is starting."); + $synconchanges = $config['installedpackages']['postfixsync']['config'][0]['synconchanges']; + if(!$synconchanges) + return; + foreach ($config['installedpackages']['postfixsync']['config'] as $rs ){ + foreach($rs['row'] as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($password && $sync_to_ip) + postfix_do_xmlrpc_sync($sync_to_ip, $password); + } + } + log_error("[postfix] postfix_xmlrpc_sync.php is ending."); +} + +/* Do the actual XMLRPC sync */ +function postfix_do_xmlrpc_sync($sync_to_ip, $password) { + global $config, $g; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['postfix'] = $config['installedpackages']['postfix']; + $xml['postfixacl'] = $config['installedpackages']['postfixacl']; + $xml['postfixrecipients'] = $config['installedpackages']['postfixrecipients']; + $xml['postfixantispam'] = $config['installedpackages']['postfixantispam']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning Postfix XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "Postfix Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Postfix Settings Sync", ""); + } else { + log_error("Postfix XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell postfix to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/postfix.inc');\n"; + $execcmd .= "sync_package_postfix();"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("postfix XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "postfix Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "postfix Settings Sync", ""); + } else { + log_error("postfix XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} + +?> diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 831be1e4..91659e71 100644 --- a/config/postfix/postfix.xml +++ b/config/postfix/postfix.xml @@ -10,8 +10,10 @@ postfix.xml part of the Postfix package for pfSense Copyright (C) 2010 Erik Fonnesbeck + Copyright (C) 2011 Marcello Coutinho + All rights reserved. - */ + */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without @@ -42,8 +44,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>postfix</name> - <version>1.1</version> - <title>Services: Postfix Forwarder</title> + <version>1.2</version> + <title>Services: Postfix relay and antispam</title> <include_file>/usr/local/pkg/postfix.inc</include_file> <menu> <name>Postfix Forwarder</name> @@ -61,20 +63,158 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_acl.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_view_config.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/adexport.pl</item> + <prefix>/usr/local/etc/postfix/</prefix> + <chmod>0755</chmod> + </additional_files_needed> +<tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=postfix.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ACLs / Filter Maps</text> + <url>/pkg_edit.php?xml=postfix_acl.xml&id=0</url> + </tab> + <tab> + <text>Valid recipients</text> + <url>/pkg_edit.php?xml=postfix_recipients.xml&id=0</url> + </tab> + <tab> + <text>Antispam</text> + <url>/pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=postfix_sync.xml&id=0</url> + </tab> + <tab> + <text>View config files</text> + <url>/postfix_view_config.php</url> + </tab> +</tabs> <fields> <field> <name>Postfix General Settings</name> <type>listtopic</type> </field> <field> + <fielddescr>Enable Postfix </fielddescr> + <fieldname>enable_postfix</fieldname> + <type>checkbox</type> + <description></description> + </field> + <field> + <fielddescr>Listen interface(s)</fielddescr> + <fieldname>enabled_interface</fieldname> + <description><![CDATA[Interface(s) that daemon will bind to.<br>Do not listen on WAN without a good "antispam/close relay" configuration.]]></description> + <type>interfaces_selection</type> + <required/> + <default_value>loopback</default_value> + <multiple/> + </field> + <field> <fielddescr>Maximum message size</fielddescr> <fieldname>message_size_limit</fieldname> <type>input</type> + <size>10</size> <description> This setting governs the largest message size that will be accepted by this mail server. Ensure you have enough space to accommodate this size, and ensure this setting matches or is lower than the destination server(s).<br/>Default: 10240000 (10MB). </description> </field> <field> + <fielddescr>Process Limit</fielddescr> + <fieldname>process_limit</fieldname> + <type>input</type> + <size>10</size> + <description> + The default maximal number of Postfix child processes that provide a given service.<br/>Default: 100 + </description> + </field> + <field> + <fielddescr>custom main.cf options</fielddescr> + <fieldname>maincf</fieldname> + <description>Paste your custom code here. This code will be included at main.cf postfix file</description> + <type>textarea</type> + <cols>70</cols> + <rows>03</rows> + <encoding>base64</encoding> + </field> + <field> + <name>Logging</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Destination</fielddescr> + <fieldname>log_to</fieldname> + <description><![CDATA[Choose where you want to save log information about mails on this server.<br> + Using system log you can forward logging to a syslog server.<BR> + Status -> system Logs -> Settings]]></description> + <type>select</type> + <options> + <option><name>System log</name><value>system</value></option> + <option><name>/var/log/maillog</name><value>maillog</value></option> + <option><name>Disable logging</name><value>none</value></option> + </options> + </field> + + <field> + <fielddescr>Debug peer list</fielddescr> + <fieldname>debug_list</fieldname> + <description><![CDATA[The "debug_peer_list" parameter specifies an optional list of domain or network patterns, /file/name patterns or type:name tables.<br> + When an SMTP client or server host name or address matches a pattern, increase the verbose logging level by the amount specified in the "debug_peer_level" parameter.]]></description> + <type>textarea</type> + <cols>70</cols> + <rows>3</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Debug peer level</fielddescr> + <fieldname>debug_level</fieldname> + <description><![CDATA[The "debug_peer_level" parameter specifies the increment in verbose logging level when an SMTP client or server host name or address matches a pattern in the "debug_peer_list" parameter.]]></description> + <type>select</type> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + <option><name>4</name><value>4</value></option> + <option><name>5</name><value>5</value></option> + <option><name>6</name><value>6</value></option> + </options> + </field> + + <field> <name>Domains to Forward</name> <type>listtopic</type> </field> @@ -88,14 +228,14 @@ <fieldname>domain</fieldname> <description>Enter the domain here (ex: example.com)</description> <type>input</type> - <size>20</size> + <size>30</size> </rowhelperfield> <rowhelperfield> <fielddescr>Mail Server IP</fielddescr> <fieldname>mailserverip</fieldname> <description>Enter the mail server IP to forward to here.</description> <type>input</type> - <size>20</size> + <size>40</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml new file mode 100644 index 00000000..f3f944e5 --- /dev/null +++ b/config/postfix/postfix_acl.xml @@ -0,0 +1,208 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + postfix.xml + part of the Postfix package for pfSense + Copyright (C) 2010 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>postfixacl</name> + <version>1.0</version> + <title>Services: Postfix relay and antispam</title> + <include_file>/usr/local/pkg/postfix.inc</include_file> + <menu> + <name>Postfix Antispam and mail Relay</name> + <tooltiptext>Configure Postfix Forwarder</tooltiptext> + <section>Services</section> + <url>pkg_edit.php?xml=postfix.xml&id=0</url> + </menu> + <service> + <name>postfix</name> + <rcfile>postfix.sh</rcfile> + <executable>master</executable> + </service> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_acl.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_view_config.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=postfix.xml&id=0</url> + </tab> + <tab> + <text>ACLs / Filter Maps</text> + <url>/pkg_edit.php?xml=postfix_acl.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Valid recipients</text> + <url>/pkg_edit.php?xml=postfix_recipients.xml&id=0</url> + </tab> + <tab> + <text>Antispam</text> + <url>/pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=postfix_sync.xml&id=0</url> + </tab> + <tab> + <text>View config files</text> + <url>/postfix_view_config.php</url> + </tab> + </tabs> + <fields> + <field> + <name>Filters while receiving mail</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Header</fielddescr> + <fieldname>header_maps</fieldname> + <description><![CDATA[<strong>PCRE filters</strong><a href=http://www.postfix.org/pcre_table.5.html> that are applied to initial message headers(except for the headers that are processed with mime_header_checks</a> Hint:<br> + /^Subject:.*(viagra|cialis|levitra|day price):/ REJECT<br> + /^From:.*spammer@myspam.net/ REJECT<br> + /^From:.*@mytrustdomain OK<br> + See http://www.postfix.org/header_checks.5.html for more help]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>MIME</fielddescr> + <fieldname>mime_maps</fieldname> + <description><![CDATA[<strong>PCRE filters</strong><a href=http://www.postfix.org/pcre_table.5.html> that are applied to MIME related message headers only.</a> Hint:<br> + /^name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.<br> + /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>body</fielddescr> + <fieldname>body_maps</fieldname> + <description><![CDATA[<strong>PCRE filters</strong><a href=http://www.postfix.org/pcre_table.5.html> that are applied to all other content, including multi-part message boundaries.</a> Hint:<br> + # First skip over base 64 encoded text to save CPU cycles.<br> + ~^[[:alnum:]+/]{60,}$~ OK]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + + <field> + <name>Client Access List</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>CIDR</fielddescr> + <fieldname>cal_cidr</fieldname> + <description><![CDATA[Paste your client access list in CIDR format(standard ip/domain and action) one per line.<br> + This list is used by postfix/postscreen to check who has access or not to this relay. Hint:<br> + 192.168.3.2 OK<br>spammer.junkdomain.com REJECT]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>PCRE</fielddescr> + <fieldname>cal_pcre</fieldname> + <description><![CDATA[Paste your client access list in PCRE format one per line.<br> + This list is used by postfix to check who has access or not to this relay.Hint:<br> + /.*\.dsl\..*/ REJECT DSLs not allowed<br> + /.*\.adsl\..*/ REJECT DSLs not allowed]]> + </description> + <type>textarea</type> + <cols>83</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_install_command> + postfix_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + postfix_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_validation_command> + postfix_validate_input($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + sync_package_postfix(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/postfix/postfix_antispam.xml b/config/postfix/postfix_antispam.xml new file mode 100644 index 00000000..fa518efa --- /dev/null +++ b/config/postfix/postfix_antispam.xml @@ -0,0 +1,274 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + postfix.xml + part of the Postfix package for pfSense + Copyright (C) 2011 Marcello Coutinho + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>postfix_antispam</name> + <version>1.0</version> + <title>Services: Postfix relay and antispam</title> + <include_file>/usr/local/pkg/postfix.inc</include_file> + <menu> + <name>Postfix Antispam and mail Relay</name> + <tooltiptext>Configure Postfix Forwarder</tooltiptext> + <section>Services</section> + <url>pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + </menu> + <service> + <name>postfix</name> + <rcfile>postfix.sh</rcfile> + <executable>master</executable> + </service> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_acl.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_view_config.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> +<tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=postfix.xml&id=0</url> + </tab> + <tab> + <text>ACLs / Filter Maps</text> + <url>/pkg_edit.php?xml=postfix_acl.xml&id=0</url> + </tab> + <tab> + <text>Valid recipients</text> + <url>/pkg_edit.php?xml=postfix_recipients.xml&id=0</url> + </tab> + <tab> + <text>Antispam</text> + <url>/pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + <active/> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=postfix_sync.xml&id=0</url> + </tab> + <tab> + <text>View config files</text> + <url>/postfix_view_config.php</url> + </tab> +</tabs> + <fields> + <field> + <name>Postfix Antispam Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Header verification </fielddescr> + <fieldname>header_check</fieldname> + <type>select</type> + <options> + <option><name>Strong</name><value>strong</value></option> + <option><name>Basic</name><value>basic</value></option> + </options> + <description>Enable sender, client, recipients and rfc verification</description> + </field> + <field> + <fielddescr>Zombie blocker</fielddescr> + <fieldname>zombie_blocker</fieldname> + <description> + <![CDATA[<a target=_new href='http://www.postfix.org/POSTSCREEN_README.html'>Use postfix 2.8 Postscreen feature to detect zombie spammers</a>]]> + </description> + <type>select</type> + <options> + <option><name>Enabled with enforce</name><value>enforce</value></option> + <option><name>Enabled with drop</name><value>drop</value></option> + <option><name>Enabled with ignore</name><value>ignore</value></option> + <option><name>Disabled</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>greet wait time</fielddescr> + <fieldname>greet_time</fieldname> + <type>input</type> + <size>10</size> + <description><![CDATA[<strong>syntax: 2,6s </strong>(default: up to 2 seconds under stress, up to 6 seconds otherwise)<br> + The amount of time that postscreen will wait for an SMTP client to send a command before its turn, and for DNS blocklist lookup results to arrive .<br> + Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).<br> + Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).]]> + </description> + </field> + <field> + <fielddescr>After greeting tests</fielddescr> + <fieldname>after_greeting</fieldname> + <description> + <![CDATA[<a target=_new href='http://www.postfix.org/POSTSCREEN_README.html'>Postscreen After greeting tests. All these options are recomended.</a>]]> + </description> + <type>select</type> + <options> + <option><name>postscreen_bare_newline_enable</name><value>postscreen_bare_newline_enable</value></option> + <option><name>postscreen_disable_vrfy_command</name><value>postscreen_disable_vrfy_command</value></option> + <option><name>postscreen_non_smtp_command_enable</name><value>postscreen_non_smtp_command_enable</value></option> + <option><name>postscreen_pipelining_enable</name><value>postscreen_pipelining_enable</value></option> + <option><name>postscreen_greet_check</name><value>postscreen_greet_check</value></option> + </options> + <size>06</size> + <multiple/> + </field> + <field> + <fielddescr>Soft Bounce</fielddescr> + <fieldname>soft_bounce</fieldname> + <type>select</type> + <options> + <option><name>Enabled only in postscreen</name><value>postscreen</value></option> + <option><name>Enabled</name><value>enabled</value></option> + <option><name>Disabled</name><value>disabled</value></option> + </options> + <description><![CDATA[Safety net to keep mail queued that would otherwise be returned to the sender.<br> + This parameter disables locally-generated bounces, and prevents the Postfix SMTP server from rejecting mail permanently, by changing 5xx reply codes into 4xx.<br> + However, soft_bounce is no cure for address rewriting mistakes or mail routing mistakes.]]> + </description> + </field> + <field> + <fielddescr>RBL server List</fielddescr> + <fieldname>rbl_servers</fieldname> + <description><![CDATA[ + ex: dnsbl.sorbs.net, bl.spamcop.net*2, dnslb.local*-5, cbl.abuseat.org, b.barracudacentral.org, dnsbl.invaluement.com<BR> + Check some rbl servers at http://www.anti-abuse.org/multi-rbl-check/<br><br> + You can also create a local rbl dns server to whitelist some hosts/domains<br> + See how it works in http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites]]> + </description> + <type>textarea</type> + <cols>70</cols> + <rows>05</rows> + </field> + <field> + <fielddescr>RBL threshold</fielddescr> + <fieldname>rbl_threshold</fieldname> + <description>How many RBL Lists Postscreen must find clien's ip address to block sender.</description> + <type>select</type> + <options> + <option><name>1</name><value>1</value></option> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + <option><name>4</name><value>4</value></option> + <option><name>5</name><value>5</value></option> + </options> + </field> + <field> + <fielddescr>SPF lookup</fielddescr> + <fieldname>postfix_spf</fieldname> + <type>select</type> + <options> + <option><name>REJECT the mail when the sender credentials FAILS (Recomended)</name><value>reject_spf_invalid_sender</value></option> + <option><name>PERMIT the mail when the sender credentials SUCCEED</name><value>permit_spf_valid_sender</value></option> + <option><name>Just show in header that the mail failed the test</name><value>spf_mark_only</value></option> + <option><name>Do not check SPF records</name><value>disable</value></option> + </options> + <description> + <![CDATA[<a target=_new href='http://www.openspf.org/Introduction'>The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.</a>]]> + </description> + </field> + <field> + <name><![CDATA[Third part Antispam Settings ]]></name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Use Third part antispam</fielddescr> + <fieldname>antispam_enabled</fieldname> + <type>checkbox</type> + <description></description> + </field> + <field> + <fielddescr>Software</fielddescr> + <fieldname>antispam_software</fieldname> + <description>Select Third part solution to use. See postfix forwarder package info page for instaling instructions</description> + <type>select</type> + <options> + <option><name>Mailscanner + Spamassassin + clamav</name><value>mailscanner</value></option> + <option><name>Policyd v2 + amavis</name><value>policyd2</value></option> + </options> + </field> + <field> + <fielddescr>Policydv2 Location</fielddescr> + <fieldname>antispam_location</fieldname> + <description><![CDATA[inet:ipaddress:port of antispam server.<br><strong>NEVER try to install policyd on pfsense base system. It will never boot again.</strong>]]></description> + <type>input</type> + <size>50</size> + </field> + </fields> + <custom_php_install_command> + postfix_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + postfix_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_validation_command> + postfix_validate_input($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + sync_package_postfix(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/postfix/postfix_recipients.php b/config/postfix/postfix_recipients.php new file mode 100644 index 00000000..0deb2f79 --- /dev/null +++ b/config/postfix/postfix_recipients.php @@ -0,0 +1,4 @@ +<?php
+require_once ('/usr/local/pkg/postfix.inc');
+sync_relay_recipients("cron");
+?>
\ No newline at end of file diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml new file mode 100644 index 00000000..450b6df4 --- /dev/null +++ b/config/postfix/postfix_recipients.xml @@ -0,0 +1,208 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + postfix_recipients.xml + part of the Postfix package for pfSense + Copyright (C) 2011 Marcello Coutinho + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>postfixrecipients</name> + <version>1.0</version> + <title>Services: Postfix relay and antispam</title> + <include_file>/usr/local/pkg/postfix.inc</include_file> + <menu> + <name>Postfix Antispam and mail Relay</name> + <tooltiptext>Configure Postfix Forwarder</tooltiptext> + <section>Services</section> + <url>pkg_edit.php?xml=postfix.xml&id=0</url> + </menu> + <service> + <name>postfix</name> + <rcfile>postfix.sh</rcfile> + <executable>master</executable> + </service> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_acl.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_view_config.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> +<tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=postfix.xml&id=0</url> + </tab> + <tab> + <text>ACLs / Filter Maps</text> + <url>/pkg_edit.php?xml=postfix_acl.xml&id=0</url> + </tab> + <tab> + <text>Valid recipients</text> + <url>/pkg_edit.php?xml=postfix_recipients.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Antispam</text> + <url>/pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=postfix_sync.xml&id=0</url> + </tab> + <tab> + <text>View config files</text> + <url>/postfix_view_config.php</url> + </tab> +</tabs> + <fields> + <field> + <name>Get Valid recipients from Active Directory</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP fetch</fielddescr> + <fieldname>enable_ldap</fieldname> + <type>checkbox</type> + <description><![CDATA[Extract valid email addresses from Active Directory.<br> + Before using LDAP fetch you must install p5-perl-ldap package(hint: <strong>/usr/sbin/pkg_add -r p5-perl-ldap</strong>)]]></description> + </field> + <field> + <fielddescr>Frequency</fielddescr> + <fieldname>freq</fieldname> + <description>Wait time between each fetch HINT 30m(30 minutes), 1h(one hour), 1d(one day)</description> + <type>input</type> + <size>15</size> + </field> + <field> + <fielddescr><![CDATA[<strong>HINTS</strong><br>Hostname:<br>dc1.mysite.com<br><br>Domain:<br>dc=mysite,dc=com<br><br>Username:<br>cn=antispam,cn=Users<br>]]></fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Hostname</fielddescr> + <fieldname>dc</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Domain</fielddescr> + <fieldname>cn</fieldname> + <type>input</type> + <size>22</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <type>password</type> + <size>10</size> + </rowhelperfield> + </rowhelper> + </field> + <field> + <name>Get Valid recipients from local file</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Location</fielddescr> + <name>location</name> + <type>input</type> + <size>80</size> + </field> + <field> + <name>Custom Valid recipients</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom list</fielddescr> + <fieldname>custom_recipients</fieldname> + <description><![CDATA[Paste your valid recipients here, one per line. <strong>HINT user@mycompany.com OK</strong>]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>15</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_install_command> + postfix_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + postfix_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_validation_command> + postfix_validate_input($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + sync_package_postfix(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/postfix/postfix_sync.xml b/config/postfix/postfix_sync.xml new file mode 100644 index 00000000..f859e795 --- /dev/null +++ b/config/postfix/postfix_sync.xml @@ -0,0 +1,167 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + postfix_sync.xml + part of the Postfix package for pfSense + Copyright (C) 2010 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>postfix_sync</name> + <version>1.0</version> + <title>Services: Postfix relay and antispam</title> + <include_file>/usr/local/pkg/postfix.inc</include_file> + <menu> + <name>Postfix Antispam and mail Relay</name> + <tooltiptext>Configure Postfix Forwarder</tooltiptext> + <section>Services</section> + <url>pkg_edit.php?xml=postfix.xml&id=0</url> + </menu> + <service> + <name>postfix</name> + <rcfile>postfix.sh</rcfile> + <executable>master</executable> + </service> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_acl.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_view_config.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/postfix/postfix_recipients.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> +<tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=postfix.xml&id=0</url> + </tab> + <tab> + <text>ACLs / Filter Maps</text> + <url>/pkg_edit.php?xml=postfix_acl.xml&id=0</url> + </tab> + <tab> + <text>Valid recipients</text> + <url>/pkg_edit.php?xml=postfix_recipients.xml&id=0</url> + </tab> + <tab> + <text>Antispam</text> + <url>/pkg_edit.php?xml=postfix_antispam.xml&id=0</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=postfix_sync.xml&id=0</url> + <active/> + </tab> + <tab> + <text>View config files</text> + <url>/postfix_view_config.php</url> + </tab> +</tabs> + <fields> + <field> + <name>Postfix XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync Postfix configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>pfSense will automatically sync changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_install_command> + postfix_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + postfix_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_validation_command> + postfix_validate_input($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + sync_package_postfix(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/postfix/postfix_syslog.php b/config/postfix/postfix_syslog.php new file mode 100644 index 00000000..5901c775 --- /dev/null +++ b/config/postfix/postfix_syslog.php @@ -0,0 +1,5 @@ +<?php +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/system.inc"); +system_syslogd_start(); +?> diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php new file mode 100644 index 00000000..c73e9cb4 --- /dev/null +++ b/config/postfix/postfix_view_config.php @@ -0,0 +1,111 @@ +<?php +/* + postfix_view_config.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2010 Marcello Coutinho <marcellocoutinho@gmail.com> + based on varnish_view_config. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Postfix: View Configuration"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></font></p> +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<form action="postfix_view_config.php" method="post"> + +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=postfix.xml&id=0"); + $tab_array[] = array(gettext("ACLs / Filter Maps"), false, "/pkg_edit.php?xml=postfix_acl.xml&id=0"); + $tab_array[] = array(gettext("Valid Recipients"), false, "/pkg_edit.php?xml=postfix_recipients.xml&id=0"); + $tab_array[] = array(gettext("Antispam"), false, "/pkg_edit.php?xml=postfix_antispam.xml&id=0"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=postfix_sync.xml&id=0"); + $tab_array[] = array(gettext("View config files"), true, "/postfix_view_config.php"); + + display_top_tabs($tab_array); +?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabcont" > + <input type="button" onClick="location.href='./postfix_view_config.php?file=0'" value="main.cf"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=1'" value="master.cf"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=2'" value="relay_recipients"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=3'" value="header_check"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=4'" value="mime_check"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=5'" value="body_check"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=6'" value="client CIDR"> + <input type="button" onClick="location.href='./postfix_view_config.php?file=7'" value="client PCRE"> + </td> + </tr> + <tr> + <td class="tabcont" > + <textarea id="varnishlogs" rows="50" cols="100%"> +<?php + $files_array[]="/usr/local/etc/postfix/main.cf"; + $files_array[]="/usr/local/etc/postfix/master.cf"; + $files_array[]="/usr/local/etc/postfix/relay_recipients"; + $files_array[]="/usr/local/etc/postfix/header_check"; + $files_array[]="/usr/local/etc/postfix/mime_check"; + $files_array[]="/usr/local/etc/postfix/body_check"; + $files_array[]="/usr/local/etc/postfix/cal_cidr"; + $files_array[]="/usr/local/etc/postfix/cal_pcre"; + $id=($_REQUEST['file']?$_REQUEST['file']:"0"); + $config_file = file_get_contents("$files_array[$id]"); + echo $files_array[$id]."\n".$config_file; +?> + </textarea> + </td> + </tr> + </table> + </div> + </td> + </tr> + </table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/NOTES.txt b/config/snort/NOTES.txt deleted file mode 100644 index e566d292..00000000 --- a/config/snort/NOTES.txt +++ /dev/null @@ -1,26 +0,0 @@ - - -April 27 2010 -Snort-dev 2.8.5.3 pk v. 23 final - -TODO: - -Auto rule download has to be mirrored to the GUI download code. -Snort block table should survive reboots. Dont know how Im going to do this. -Create Upload GUI. Use Pierre POMES code. -Add log rotation and log dir size display -Redo code for rule downloads so that changes in snort.org rule gzip file does not break the package. -Add code suggested by Andrew Thompson. - -Long Term Goals: - -Use Chroot for snort. -Isolate functions using classes so we dont have double $vars errors. ! Important -The whitelist and supress code can be simplified. -Go through each tab and delete old code. -Snort Inline needs to be worked on. ! Important - - -Any other Devs that read this. -Please add your intials and date to any code blocks you add. It helps me keep track. - diff --git a/config/snort/bin/7.3.x86/barnyard2 b/config/snort/bin/7.3.x86/barnyard2 Binary files differdeleted file mode 100644 index df78449d..00000000 --- a/config/snort/bin/7.3.x86/barnyard2 +++ /dev/null diff --git a/config/snort/bin/8.1x64/barnyard2 b/config/snort/bin/8.1x64/barnyard2 Binary files differdeleted file mode 100644 index 3416c814..00000000 --- a/config/snort/bin/8.1x64/barnyard2 +++ /dev/null diff --git a/config/snort/bin/8.1x86/barnyard2 b/config/snort/bin/8.1x86/barnyard2 Binary files differdeleted file mode 100644 index 07e1069f..00000000 --- a/config/snort/bin/8.1x86/barnyard2 +++ /dev/null diff --git a/config/snort/bin/barnyard2 b/config/snort/bin/barnyard2 Binary files differdeleted file mode 100644 index b942e87f..00000000 --- a/config/snort/bin/barnyard2 +++ /dev/null diff --git a/config/snort/bin/snort2c b/config/snort/bin/snort2c Binary files differdeleted file mode 100644 index fdc91ac8..00000000 --- a/config/snort/bin/snort2c +++ /dev/null diff --git a/config/snort/pfsense_rules/local.rules b/config/snort/pfsense_rules/local.rules deleted file mode 100644 index 83a05f1b..00000000 --- a/config/snort/pfsense_rules/local.rules +++ /dev/null @@ -1,7 +0,0 @@ -# ---------------- -# LOCAL RULES -# ---------------- -# This file intentionally does not come with signatures. Put your local -# additions here. Pfsense first install rule. Rule edit tabe fails with out this file. -# -#
\ No newline at end of file diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 deleted file mode 100644 index d2e6fa4d..00000000 --- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 +++ /dev/null @@ -1 +0,0 @@ -"e8a95fd5f1b40e878fedeffd585134bb"
\ No newline at end of file diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules deleted file mode 100644 index 12f2fdf2..00000000 --- a/config/snort/pfsense_rules/rules/pfsense-voip.rules +++ /dev/null @@ -1,10 +0,0 @@ -alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;) -# Excessive number of SIP 4xx Responses Does not work -#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;) -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;) -# Rule for alerting of INVITE flood attack: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;) -# Rule for alerting of REGISTER flood attack: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;) -# Threshold rule for unauthorized responses: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;) diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 8e3e5f88..f27bb383 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -37,7 +37,7 @@ require_once("functions.inc"); require_once("filter.inc"); /* package version */ -$snort_package_version = 'Snort 2.8.6.1 pkg v. 2.0'; +$snort_package_version = 'Snort 2.9.0.5 pkg v. 2.0'; /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); @@ -59,7 +59,7 @@ else $snort_arch_ck = php_uname("m"); if ($snort_arch_ck == 'i386') $snort_arch = 'x86'; -else if ($snort_arch_ck = "amd64") +else if ($snort_arch_ck == "amd64") $snort_arch = 'x64'; else $snort_arch = "Unknown"; @@ -291,7 +291,7 @@ function Running_Stop($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ - exec('/bin/rm /tmp/snort.sh.pid'); + @unlink('/tmp/snort.sh.pid'); $start_up_s = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); $start_up_r = exec("/bin/ps -U root | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); @@ -490,14 +490,14 @@ function snort_postinstall() } /* cleanup default files */ - @unlink('/usr/local/etc/snort/snort.conf-sample'); - @unlink('/usr/local/etc/snort/threshold.conf-sample'); - @unlink('/usr/local/etc/snort/sid-msg.map-sample'); - @unlink('/usr/local/etc/snort/unicode.map-sample'); - @unlink('/usr/local/etc/snort/classification.config-sample'); - @unlink('/usr/local/etc/snort/generators-sample'); - @unlink('/usr/local/etc/snort/reference.config-sample'); - @unlink('/usr/local/etc/snort/gen-msg.map-sample'); + @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf'); + @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf'); + @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map'); + @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map'); + @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config'); + @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators'); + @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config'); + @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); @unlink('/usr/local/etc/snort/sid'); @unlink('/usr/local/etc/rc.d/snort'); @unlink('/usr/local/etc/rc.d/bardyard2'); @@ -588,19 +588,19 @@ function snort_postinstall() exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); /* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */ - chdir("/usr/local/bin/"); - update_status(gettext("Installing Barnyard2 for $snort_arch...")); update_output_window(gettext("Please wait...")); if ($snort_pfsense_basever == 'yes') - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); - else if ($snort_pfsense_basever == 'no') - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2'); - + exec('/usr/bin/fetch -o /usr/local/bin/barnyard2 http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); + else if ($snort_pfsense_basever == 'no') { + if ($snort_arch == 'x64') + exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2"); + else + exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2"); + exec('/bin/chmod 0755 /usr/local/bin/barnyard2'); + } update_output_window(gettext("Finnished Installing Barnyard2...")); - exec('/bin/chmod 755 /usr/local/bin/barnyard2'); - /* XXX: remove compeletely? */ if ($snort_pfsense_basever == 'yes') { if (!is_dir('/tmp/pkg_s')) @@ -1243,13 +1243,12 @@ function create_snort_sh() ###### For Each Iface # If Snort proc is NOT running -if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" = "" ]; then +if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`" = "" ]; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid # Start snort and barnyard2 /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 @@ -1266,9 +1265,9 @@ EOD; #### Fake start only used on bootup and Pfsense IP changes #### Only try to restart if snort is running on Iface -if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then +if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`" != "" ]; then - snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" + snort_pid=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'` /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" #### Restart Iface @@ -1281,7 +1280,7 @@ EOE; $snort_sh_text4[] = <<<EOF -pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'` +pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print \$2;}'` sleep 3 pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` @@ -1294,7 +1293,6 @@ if [ \${pid_s} ] ; then sleep 3 /bin/kill \${pid_b} - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid fi @@ -1337,7 +1335,7 @@ rc_start() { /bin/rm /tmp/snort.sh.pid #### If on Fake start snort is NOT running DO a real start. - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}" | awk '{print $2;}'`" = "" ]; then rc_start_real @@ -1422,7 +1420,7 @@ function create_rules_iface($id, $if_real, $snort_uuid) /* open barnyard2.conf for writing */ function create_barnyard2_conf($id, $if_real, $snort_uuid) { - global $bconfig, $g; + global $config, $g; if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); @@ -1439,7 +1437,7 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) { $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); - exit; + return; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); @@ -1929,8 +1927,8 @@ function generate_snort_conf($id, $if_real, $snort_uuid) /* generate rule sections to load */ $enabled_rulesets = $snortcfg['rulesets']; + $selected_rules_sections = ""; if (!empty($enabled_rulesets)) { - $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); foreach($enabled_rulesets_array as $enabled_item) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; @@ -2200,9 +2198,13 @@ EOD; else $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ','; + $snort_preprocessor_decoder_rules = ""; + if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; /* build snort configuration file */ - /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD # snort configuration file @@ -2212,31 +2214,6 @@ EOD; # for more information # snort.conf # Snort can be found at http://www.snort.org/ -# -# Copyright (C) 2009-2010 Robert Zelaya -# part of pfSense -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. ######################### # @@ -2316,7 +2293,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] ##################### var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules -# var PREPROC_RULE_PATH ./preproc_rules +var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules ################################ # @@ -2357,9 +2334,9 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules preprocessor frag3_global: max_frags 8192 preprocessor frag3_engine: policy bsd detect_anomalies -preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ -track_udp yes, track_icmp yes -preprocessor stream5_tcp: policy BSD, ports both all,{$def_max_queued_bytes_type}{$def_max_queued_segs_type} use_static_footprint_sizes +preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes + +preprocessor stream5_tcp: policy BSD, ports both all, {$def_max_queued_bytes_type}{$def_max_queued_segs_type} preprocessor stream5_udp: preprocessor stream5_icmp: @@ -2375,16 +2352,6 @@ preprocessor stream5_icmp: {$def_sf_portscan_type} -############################ - # -# OLD # -# preprocessor dcerpc: \ # -# autodetect \ # -# max_frag_size 3000 \ # -# memcap 100000 # - # -############################ - {$def_dce_rpc_2_type} {$def_dns_preprocessor_type} @@ -2420,10 +2387,12 @@ preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspec include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config - $threshold_file_name +{$snort_preprocessor_decoder_rules} + +$threshold_file_name # Snort user pass through configuration - {$snort_config_pass_thru} +{$snort_config_pass_thru} ################### # diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d14c9ec..c80bf672 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.8.6</version> - <title>Services:2.8.6 pkg v. 1.30</title> + <version>2.9.0.5</version> + <title>Services:2.9.0.5 pkg v. 2.0</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 8e81d16a..7bd47934 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -80,34 +80,36 @@ if ($_POST['save']) write_config(); header("Location: /snort/snort_alerts.php"); + exit; } } if ($_POST['delete']) { - conf_mount_rw(); if(file_exists('/var/log/snort/alert')) { + conf_mount_rw(); @file_put_content("/var/log/snort/alert", ""); post_delete_logs(); mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); - sleep(2); mwexec('/usr/bin/killall -HUP snort', true); + conf_mount_ro(); + + header("Location: /snort/snort_alerts.php"); + exit; } - conf_mount_ro(); } if ($_POST['download']) { - ob_start(); //importanr or other post will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); + exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); - if (file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) { + if (file_exists("/tmp/{$file_name}")) { $file = "/tmp/snort_logs_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE @@ -117,10 +119,11 @@ if ($_POST['download']) header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); - exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); - od_end_clean(); //importanr or other post will fail - } else - echo 'Error no saved file.'; + exec("/bin/rm /tmp/{$file_name}"); + } + + header("Location: /snort/snort_alerts.php"); + exit; } diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 2e857f22..c4ac1292 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -44,105 +44,42 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); - -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; if (isset($_GET['dup'])) { $id = $_GET['dup']; $after = $_GET['dup']; } +$pconfig = array(); if (isset($id) && $a_nat[$id]) { /* old options */ - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig = $a_nat[$id]; $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - - if (!$pconfig['interface']) - $pconfig['interface'] = "wan"; -} else - $pconfig['interface'] = "wan"; +} if (isset($_GET['dup'])) unset($id); $if_real = snort_get_real_interface($pconfig['interface']); -if (!empty($config['installedpackages']['snortglobal']['rule'][$id])) - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; +$snort_uuid = $pconfig['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST["Submit"]) { +if ($_POST) { /* XXX: Mising error reporting?! * check for overlaps @@ -160,70 +97,6 @@ if ($_POST["Submit"]) { /* repost the options already in conf */ $natent = $pconfig; - /* post new options */ - if ($_POST['interface'] != "") { $natent['interface'] = $_POST['interface']; } else unset($natent['interface']); - if ($_POST['enable'] != "") { $natent['enable'] = $_POST['enable']; } else unset($natent['enable']); - if ($_POST['uuid'] != "") { $natent['uuid'] = $_POST['uuid']; } else unset($natent['uuid']); - if ($_POST['descr'] != "") { $natent['descr'] = $_POST['descr']; } else unset($natent['descr']); - if ($_POST['performance'] != "") { $natent['performance'] = $_POST['performance']; } else unset($natent['descr']); - if ($_POST['blockoffenders7'] != "") { $natent['blockoffenders7'] = $_POST['blockoffenders7']; } else unset($natent['blockoffenders7']); - if ($_POST['alertsystemlog'] != "") { $natent['alertsystemlog'] = $_POST['alertsystemlog']; } else unset($natent['alertsystemlog']); - if ($_POST['tcpdumplog'] != "") { $natent['tcpdumplog'] = $_POST['tcpdumplog']; } else unset($natent['tcpdumplog']); - if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); - if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; } else unset($natent['def_ssl_ports_ignore']); - if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; } else unset($natent['flow_depth']); - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; } else unset($natent['max_queued_bytes']); - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; } else unset($natent['max_queued_segs']); - if ($_POST['perform_stat'] != "") { $natent['perform_stat'] = $_POST['perform_stat']; } else unset($natent['perform_stat']); - if ($_POST['http_inspect'] != "") { $natent['http_inspect'] = $_POST['http_inspect']; } else unset($natent['http_inspect']); - if ($_POST['other_preprocs'] != "") { $natent['other_preprocs'] = $_POST['other_preprocs']; } else unset($natent['other_preprocs']); - if ($_POST['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor']; } else unset($natent['ftp_preprocessor']); - if ($_POST['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor']; } else unset($natent['smtp_preprocessor']); - if ($_POST['sf_portscan'] != "") { $natent['sf_portscan'] = $_POST['sf_portscan']; } else unset($natent['sf_portscan']); - if ($_POST['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $_POST['dce_rpc_2']; } else unset($natent['dce_rpc_2']); - if ($_POST['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $_POST['dns_preprocessor']; } else unset($natent['dns_preprocessor']); - if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; } else unset($natent['def_dns_servers']); - if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; } else unset($natent['def_dns_ports']); - if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; } else unset($natent['def_smtp_servers']); - if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; } else unset($natent['def_mail_ports']); - if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; } else unset($natent['def_mail_ports']); - if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; } else unset($natent['def_http_servers']); - if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; } else unset($natent['def_www_servers']); - if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; } else unset($natent['def_http_ports']); - if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; } else unset($natent['def_sql_servers']); - if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; } else unset($natent['def_oracle_ports']); - if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; } else unset($natent['def_mssql_ports']); - if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; } else unset($natent['def_telnet_ports']); - if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; } else unset($natent['def_telnet_ports']); - if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; } else unset($natent['def_snmp_servers']); - if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; } else unset($natent['def_snmp_ports']); - if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; } else unset($natent['def_ftp_servers']); - if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; } else unset($natent['def_ftp_ports']); - if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; } else unset($natent['def_ssh_servers']); - if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; } else unset($natent['def_ssh_ports']); - if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; } else unset($natent['def_pop_servers']); - if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; } else unset($natent['def_pop2_ports']); - if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; } else unset($natent['def_pop3_ports']); - if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; } else unset($natent['def_imap_servers']); - if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; } else unset($natent['def_imap_ports']); - if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; } else unset($natent['def_sip_proxy_ip']); - if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; } else unset($natent['def_sip_proxy_ports']); - if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; } else unset($natent['def_auth_ports']); - if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; } else unset($natent['def_finger_ports']); - if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; } else unset($natent['def_irc_ports']); - if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; } else unset($natent['def_nntp_ports']); - if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; } else unset($natent['def_rlogin_ports']); - if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; } else unset($natent['def_rsh_ports']); - if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; } else unset($natent['def_ssl_ports']); - if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); - if ($_POST['configpassthru'] != "") { $natent['configpassthru'] = $_POST['configpassthru']; } else unset($natent['configpassthru']); - if ($_POST['rulesets'] != "") { $natent['rulesets'] = $_POST['rulesets']; } else unset($natent['rulesets']); - if ($_POST['rule_sid_off'] != "") { $natent['rule_sid_off'] = $_POST['rule_sid_off']; } else unset($natent['rule_sid_off']); - if ($_POST['rule_sid_on'] != "") { $natent['rule_sid_on'] = $_POST['rule_sid_on']; } else unset($natent['rule_sid_on']); - if ($_POST['whitelistname'] != "") { $natent['whitelistname'] = $_POST['whitelistname']; } else unset($natent['whitelistname']); - if ($_POST['homelistname'] != "") { $natent['homelistname'] = $_POST['homelistname']; } else unset($natent['homelistname']); - if ($_POST['externallistname'] != "") { $natent['externallistname'] = $_POST['externallistname']; } else unset($natent['externallistname']); - if ($_POST['suppresslistname'] != "") { $natent['suppresslistname'] = $_POST['suppresslistname']; } else unset($natent['suppresslistname']); $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; @@ -231,8 +104,6 @@ if ($_POST["Submit"]) { $natent['snortunifiedlog'] = 'on'; else $natent['snortunifiedlog'] = 'off'; - if (empty($_POST['barnyard_enable'])) - $natent['snortunifiedlog'] = 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -252,7 +123,6 @@ if ($_POST["Submit"]) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: snort_barnyard.php?id=$id"); exit; } @@ -334,73 +204,16 @@ function enable_change(enable_change) { <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - /* display error code if there is no id */ - if($id == "") - { - echo " - <style type=\"text/css\"> - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - </style> - <div class=\"alert\" ALIGN=CENTER><img src=\"/themes/{$g['theme']}/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; - - } - ?> <tr> <td colspan="2" valign="top" class="listtopic">General Barnyard2 Settings</td> </tr> <tr> <td width="22%" valign="top" class="vncellreq2">Enable</td> - <td width="78%" class="vtable"><?php - // <input name="enable" type="checkbox" value="yes" checked onClick="enable_change(false)"> - // care with spaces - if ($pconfig['barnyard_enable'] == "on") - $checked = checked; - if($id != "") - { - $onclick_enable = "onClick=\"enable_change(false)\">"; - } - echo " - <input name=\"barnyard_enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable - <strong>Enable Barnyard2 on this Interface</strong><br> - This will enable barnyard2 for this interface. You will also have to set the database credentials.</td>\n\n"; - ?> - - </tr> - <tr> - <td width="22%" valign="top" class="vncell2">Interface</td> - <td width="78%" class="vtable"><select name="interface" - class="formfld"> - <?php - if (function_exists('get_configured_interface_with_descr')) - $interfaces = get_configured_interface_with_descr(); - else { - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP', 'pppoe' => 'PPPOE'); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { - $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; - } - } - foreach ($interfaces as $iface => $ifacename): - if ($iface != $pconfig['interface']) - continue; - ?> - <option value="<?=$iface;?>" selected><?=htmlspecialchars($ifacename);?></option> - - <?php endforeach; ?> - </select><br> - <span class="vexpl">The interface this rule applies to.</span><br/> - </td> + <td width="78%" class="vtable"> + <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> + <strong>Enable Barnyard2 </strong><br> + This will enable barnyard2 for this interface. You will also have to set the database credentials.</td> </tr> <tr> <td colspan="2" valign="top" class="listtopic">Mysql Settings</td> @@ -431,8 +244,7 @@ function enable_change(enable_change) { <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"> </td> </tr> <tr> <td width="22%" valign="top"> </td> @@ -452,6 +264,6 @@ function enable_change(enable_change) { enable_change(false); //--> </script> - <?php include("fend.inc"); ?> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index cb85e0ef..2292dabd 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - snort_rulesets.php + snort_check_for_rule_updates.php Copyright (C) 2006 Scott Ullrich Copyright (C) 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci @@ -41,8 +40,8 @@ $pkg_interface = "console"; $tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up"; $snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2861.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2861.tar.gz"; +$snort_filename_md5 = "snortrules-snapshot-2905.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2905.tar.gz"; $emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; @@ -150,7 +149,7 @@ if ($emergingthreats == 'on') update_status(gettext("Downloading emergingthreats md5 file...")); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.md5'); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); update_status(gettext("Done downloading emergingthreats md5")); } @@ -286,7 +285,7 @@ if ($emergingthreats == "on") }else{ update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); update_status(gettext('Done downloading Emergingthreats rules file.')); } } @@ -340,11 +339,9 @@ if ($snortdownload == 'on') if (file_exists("{$tmpfname}/{$snort_filename}")) { if ($pfsense_stable == 'yes') - { $freebsd_version_so = 'FreeBSD-7-2'; - }else{ - $freebsd_version_so = 'FreeBSD-8-0'; - } + else + $freebsd_version_so = 'FreeBSD-8-1'; update_status(gettext("Extracting Snort.org rules...")); update_output_window(gettext("May take a while...")); @@ -356,14 +353,17 @@ if ($snortdownload == 'on') sleep(2); exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - /* extract so rules on for x86 for now */ - /* TODO: ask snort.org to build x64 version of so rules for Freebsd 8.1 Sept 05,2010 */ + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); if($snort_arch == 'x86'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/"); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/* /usr/local/lib/snort/dynamicrules/"); - /* extract so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . " so_rules/chat.rules/" . " so_rules/dos.rules/" . " so_rules/exploit.rules/" . @@ -412,7 +412,6 @@ if ($snortdownload == 'on') update_output_window(gettext("Error Line 755")); $snortdownload = 'off'; } - } } /* Untar emergingthreats rules to tmp */ @@ -633,11 +632,6 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* might have to add a sleep for 3sec for flash drives or old drives */ exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - /* TODO: Remove this code when x64 so rules are ready */ - if($snort_arch == 'x64'){ - exec("/bin/rm -r /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.so.rules"); - } - } } } @@ -687,14 +681,6 @@ else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_ else { /* You are Not Up to date, always stop snort when updating rules for low end machines */; update_status(gettext("You are NOT up to date...")); - $chk_if_snort_up = exec("pgrep -x snort"); - if ($chk_if_snort_up != "") { - update_output_window(gettext("Stopping Snort service...")); - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); - } - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 68b5710a..ddb1e378 100644 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -1,7 +1,7 @@ <?php /* $Id$ */ /* - snort_interfaces.php + snort_define_servers.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. @@ -45,38 +45,24 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; } +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; +$pconfig = array(); if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; /* old options */ - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; @@ -110,82 +96,22 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; - $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - if (isset($_GET['dup'])) - unset($id); } /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; +if ($_POST) { -if ($_POST["Submit"]) { - - /* check for overlaps */ + $natent = array(); + $natent = $pconfig; /* if no errors write to conf */ if (!$input_errors) { - $natent = array(); - /* repost the options already in conf */ - if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } - if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } - if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } - if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } - if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } - if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } - if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } - if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } - if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } - if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } - if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } - if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } - if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } - if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } - if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } - if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } - if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } - if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } - if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } - if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } - if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } - if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } - if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } - if ($pconfig['suppresslistname'] != "") { $natent['suppresslistname'] = $pconfig['suppresslistname']; } - - /* post new options */ if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; } @@ -241,9 +167,7 @@ if ($_POST["Submit"]) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - header("Location: snort_define_servers.php?id=$id"); - exit; } } @@ -262,15 +186,6 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} echo "{$snort_general_css}\n"; ?> -<div class="body2"> - -<noscript> -<div class="alert" ALIGN=CENTER><img - src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please -enable JavaScript to view this content -</CENTER></div> -</noscript> - <form action="snort_define_servers.php" method="post" enctype="multipart/form-data" name="iform" id="iform"><?php @@ -284,20 +199,6 @@ enable JavaScript to view this content print_info_box2($savemsg); } - //if (file_exists($d_snortconfdirty_path)) { - if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { - echo '<p>'; - - if($savemsg) { - print_info_box_np2("{$savemsg}"); - }else{ - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.<br> - You must apply the changes in order for them to take effect.<br> - '); - } - } - ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -324,28 +225,6 @@ enable JavaScript to view this content <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - /* display error code if there is no id */ - if($id == "") - { - echo " - <style type=\"text/css\"> - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - </style> - <div class=\"alert\" ALIGN=CENTER><img src=\"/themes/{$g['theme']}/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; - - } - ?> <tr> <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span><br> @@ -624,9 +503,8 @@ enable JavaScript to view this content <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"> + </td> </tr> <tr> <td width="22%" valign="top"> </td> @@ -638,10 +516,6 @@ enable JavaScript to view this content </table> </form> - -</div> - - - <?php include("fend.inc"); ?> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 0e4ce635..36a19e79 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - snort_rulesets.php + snort_download_rules.php Copyright (C) 2006 Scott Ullrich Copyright (C) 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci @@ -40,8 +39,8 @@ require_once("/usr/local/pkg/snort/snort.inc"); $tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up"; $snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2861.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2861.tar.gz"; +$snort_filename_md5 = "snortrules-snapshot-2905.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2905.tar.gz"; $emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; @@ -203,7 +202,7 @@ if ($emergingthreats == 'on') update_status(gettext("Downloading emergingthreats md5 file...")); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.md5'); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); update_status(gettext("Done downloading emergingthreats md5")); } @@ -346,7 +345,7 @@ if ($emergingthreats == "on") }else{ update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); update_status(gettext('Done downloading Emergingthreats rules file.')); } } @@ -404,7 +403,7 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-7-2'; }else{ - $freebsd_version_so = 'FreeBSD-8-0'; + $freebsd_version_so = 'FreeBSD-8-1'; } update_status(gettext("Extracting Snort.org rules...")); @@ -417,14 +416,18 @@ if ($snortdownload == 'on') sleep(2); exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - /* extract so rules on for x86 for now */ - /* TODO: ask snort.org to build x64 version of so rules for Freebsd 8.1 Sept 05,2010 */ - if($snort_arch == 'x86'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/"); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/* /usr/local/lib/snort/dynamicrules/"); - /* extract so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if($snort_arch == 'x86') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . " so_rules/chat.rules/" . " so_rules/dos.rules/" . " so_rules/exploit.rules/" . @@ -473,7 +476,6 @@ if ($snortdownload == 'on') update_output_window(gettext("Error Line 755")); $snortdownload = 'off'; } - } } /* Untar emergingthreats rules to tmp */ @@ -693,12 +695,6 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* might have to add a sleep for 3sec for flash drives or old drives */ exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - - /* TODO: Remove this code when x64 so rules are ready */ - if($snort_arch == 'x64'){ - exec("/bin/rm -r /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.so.rules"); - } - } } } @@ -751,14 +747,6 @@ else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_ else { /* You are Not Up to date, always stop snort when updating rules for low end machines */; update_status(gettext("You are NOT up to date...")); - $chk_if_snort_up = exec("pgrep -x snort"); - if ($chk_if_snort_up != "") { - update_output_window(gettext("Stopping Snort service...")); - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); - } - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 92ff0a06..874edb91 100644 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -45,9 +45,9 @@ $snort_load_jquery_colorbox = 'yes'; /* quick md5s chk */ -if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5')) +if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2905.tar.gz.md5')) { - $snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5'); + $snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2905.tar.gz.md5'); }else{ $snort_org_sig_chk_local = 'N/A'; } diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 1d91eda8..39f8eddc 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -168,6 +168,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); } + sleep(4); // So the GUI reports correctly header("Location: /snort/snort_interfaces.php"); exit; } diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 37d389da..9a47bb24 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -143,7 +143,7 @@ if ($_POST["Reset"]) { $x=0; $is_installed = false; foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { + if (strstr($item['command'], $cronmatch)) { $is_installed = true; break; } diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index df4e9b6a..c5c7a4a8 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -1,7 +1,7 @@ <?php /* $Id$ */ /* - snort_interfaces.php + snort_preprocessors.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. @@ -46,15 +46,17 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; } +$pconfig = array(); if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; @@ -67,138 +69,22 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - - /* old options */ - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; - $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - if (isset($_GET['dup'])) - unset($id); } /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $snort_uuid = $pconfig['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST["Submit"]) { +if ($_POST) { - /* check for overlaps */ + $natent = array(); + $natent = $pconfig; /* if no errors write to conf */ if (!$input_errors) { - $natent = array(); - /* repost the options already in conf */ - if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } - if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } - if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } - if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } - if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } - if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } - if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } - if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } - if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } - if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } - if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } - if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } - if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } - if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } - if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } - if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } - if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } - if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } - if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } - if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } - if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } - if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } - if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } - if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } - if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } - if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } - if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } - if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } - if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } - if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } - if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } - if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } - if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } - if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } - if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } - if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } - if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } - if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } - if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } - if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } - if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } - if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } - if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } - if ($pconfig['suppresslistname'] != "") { $natent['suppresslistname'] = $pconfig['suppresslistname']; } - - /* post new options */ $natent['perform_stat'] = $_POST['perform_stat']; if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } @@ -485,8 +371,7 @@ enable JavaScript to view this content <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"></td> </tr> <tr> <td width="22%" valign="top"> </td> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 3975fd2c..2aa49865 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - edit_snortrule.php + snort_rules.php Copyright (C) 2004, 2005 Scott Ullrich Copyright (C) 2008, 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci @@ -43,6 +42,10 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; @@ -52,7 +55,6 @@ if (isset($id) && $a_nat[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $iface_uuid = $a_nat[$id]['uuid']; /* Check if the rules dir is empy if so warn the user */ @@ -135,58 +137,20 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { - //read snort file with writing enabled - $filehandle = fopen($received_file, "w"); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //implode the array back into a string for writing purposes - $fullfile = implode($delimiter, $content_changed); - - //write data to file - fwrite($filehandle, $fullfile); - - //close file handle - fclose($filehandle); - + @file_put_contents($received_file, implode("\n", $content_changed)); } function load_rule_file($incoming_file) { - - //read snort file - $filehandle = fopen($incoming_file, "r"); - //read file into string, and get filesize - $contents = fread($filehandle, filesize($incoming_file)); - - //close handler - fclose ($filehandle); - - - //string for populating category select - $currentruleset = basename($rulefile); - - //delimiter for each new rule is a new line - $delimiter = "\n"; + $contents = @file_get_contents($incoming_file); //split the contents of the string file into an array using the delimiter - $splitcontents = explode($delimiter, $contents); - - return $splitcontents; - + return explode("\n", $contents); } -/* -if ($_GET['openruleset'] != '' && $_GET['ids'] != '') { - header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); - exit; -} -*/ - -//$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; -$ruledir = "/usr/local/etc/snort/rules/"; +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; +//$ruledir = "/usr/local/etc/snort/rules/"; $dh = opendir($ruledir); while (false !== ($filename = readdir($dh))) { @@ -205,200 +169,50 @@ else //Load the rule file $splitcontents = load_rule_file($rulefile); -if ($_POST) -{ +if ($_GET['act'] == "toggle" && $_GET['ids']) { - conf_mount_rw(); - - if (!$_POST['apply']) { - //retrieve POST data - $post_lineid = $_POST['lineid']; - $post_enabled = $_POST['enabled']; - $post_src = $_POST['src']; - $post_srcport = $_POST['srcport']; - $post_dest = $_POST['dest']; - $post_destport = $_POST['destport']; - - //clean up any white spaces insert by accident - $post_src = str_replace(" ", "", $post_src); - $post_srcport = str_replace(" ", "", $post_srcport); - $post_dest = str_replace(" ", "", $post_dest); - $post_destport = str_replace(" ", "", $post_destport); - - //copy rule contents from array into string - $tempstring = $splitcontents[$post_lineid]; - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //has rule been enabled - if ($post_enabled == "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - $counter2 = 1; - } - else - { - //rule is staying disabled - $counter2 = 2; - } - } - else - { - //has rule been disabled - if ($post_enabled != "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - $counter2 = 2; - } - else - { - //rule is staying enabled - $counter2 = 1; - } - } - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //insert new values - $counter2++; - $rule_content[$counter2] = $post_src;//source location - $counter2++; - $rule_content[$counter2] = $post_srcport;//source port location - $counter2 = $counter2+2; - $rule_content[$counter2] = $post_dest;//destination location - $counter2++; - $rule_content[$counter2] = $post_destport;//destination port location - - //implode the array back into string - $tempstring = implode(' ', $rule_content); - - //copy string into file array for writing - $splitcontents[$post_lineid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $rulefile); - - //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); - - $stopMsg = true; - } - conf_mount_ro(); -} -else if ($_GET['act'] == "toggle") -{ - - conf_mount_rw(); - - $toggleid = $_GET['ids']; + $lineid= $_GET['ids']; //copy rule contents from array into string - $tempstring = $splitcontents[$toggleid]; + $tempstring = $splitcontents[$lineid]; //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); - //search string $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled - if ($disabled !== false) - { + if ($disabled !== false) { //rule has been enabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - - } - else - { - //has rule been disabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - - } + $tempstring = substr($tempstring, 2); + } else + $tempstring = "# ". $tempstring; //copy string into array for writing - $splitcontents[$toggleid] = $tempstring; + $splitcontents[$lineid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $rulefile); - //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); - - $stopMsg = true; - //write disable/enable sid to config.xml - if ($disabled == false) { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_off_cut = $sid_pieces[0]; - // sid being turned off - $sid_off = str_replace("sid:", "", $sid_off_cut); + $sid = get_middle($tempstring, 'sid:', ';', 0); + if (is_numeric($sid)) { // rule_sid_on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; - // if off sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; - // rule sid off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; - // if off sid is the same as off sid remove it - $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; - // add sid off registers to new off sid - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; - } - else - { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_on_cut = $sid_pieces[0]; - // sid being turned off - $sid_on = str_replace("sid:", "", $sid_on_cut); - // rule_sid_off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; - // if off sid is the same as on sid remove it - $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; - // rule sid on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; - // if on sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; - // add sid on registers to new on sid - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($disabled === false) + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + else + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; } - write_config(); - conf_mount_ro(); - -} -if ($_GET['saved'] == 'yes') -{ - $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; + write_config(); - // stop_service("snort"); - // sleep(2); - // start_service("snort"); - // $savemsg = ""; - // $stopMsg = false; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); + exit; } $currentruleset = basename($rulefile); @@ -409,50 +223,25 @@ require_once("guiconfig.inc"); include_once("head.inc"); $pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; - ?> -<body - link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> - +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php +include("fbegin.inc"); +if ($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + echo "{$snort_general_css}\n"; ?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> -<div class="body2"> - -<noscript> -<div class="alert" ALIGN=CENTER><img - src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please -enable JavaScript to view this content -</CENTER></div> -</noscript> - - -<?php -echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; -?> <?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> -</form> -</script> <script language="javascript" type="text/javascript"> -<!-- +<script language="javascript" type="text/javascript"> function go() { - var agt=navigator.userAgent.toLowerCase(); - if (agt.indexOf("msie") != -1) { - box = document.forms.selectbox; - } else { - box = document.forms[1].selectbox; - } + var box = document.iform.selectbox; destination = box.options[box.selectedIndex].value; if (destination) location.href = destination; } -// --> -</script> <script type="text/javascript"> -<!-- function popup(url) { params = 'width='+screen.width; @@ -464,10 +253,9 @@ function popup(url) if (window.focus) {newwin.focus()} return false; } -// --> </script> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<table style="table-layout:fixed;" width="99%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); @@ -488,199 +276,154 @@ function popup(url) display_top_tabs($tab_array); ?> </td></tr> - <tr> - <td> - <div id="mainarea2"> - <table id="maintable" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="ruletable1" class="sortable" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="3%" class="list"> </td> - <td width="5%" class="listhdr">SID</td> - <td width="6%" class="listhdrr">Proto</td> - <td width="15%" class="listhdrr">Source</td> - <td width="10%" class="listhdrr">Port</td> - <td width="15%" class="listhdrr">Destination</td> - <td width="10%" class="listhdrr">Port</td> - <td width="32%" class="listhdrr">Message</td> +<tr> + <td> + <div id="mainarea2"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listt" colspan="8"> + <br>Category: + <select id="selectbox" name="selectbox" class="formfld" onChange="go()"> + <?php + foreach ($files as $value) { + echo "<option value='?id={$id}&openruleset={$ruledir}{$value}' "; + if ($value === $currentruleset) + echo "selected"; + echo ">{$value}</option>\n"; + } + ?> + </select> + </td> + </tr> + <tr id="frheader"> + <td width="3%" class="list"> </td> + <td width="5%" class="listhdr">SID</td> + <td width="6%" class="listhdrr">Proto</td> + <td width="15%" class="listhdrr">Source</td> + <td width="10%" class="listhdrr">Port</td> + <td width="15%" class="listhdrr">Destination</td> + <td width="10%" class="listhdrr">Port</td> + <td width="32%" class="listhdrr">Message</td> + </tr> + <?php + foreach ( $splitcontents as $counter => $value ) + { + $disabled = "False"; + $comments = "False"; + $findme = "# alert"; //find string for disabled alerts + $disabled_pos = strstr($value, $findme); - </tr> - <tr> - <?php - - echo "<br>Category: "; - - //string for populating category select - $currentruleset = basename($rulefile); - - ?> - <form name="forms"><select name="selectbox" class="formfld" - onChange="go()"> - <?php - $i=0; - foreach ($files as $value) - { - $selectedruleset = ""; - if ($files[$i] === $currentruleset) - $selectedruleset = "selected"; - ?> - <option - value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" - <?=$selectedruleset;?>><?=$files[$i];?></option> - <?php - $i++; - - } - ?> - </select></form> - </tr> - <?php - - $counter = 0; - $printcounter = 0; - - foreach ( $splitcontents as $value ) - { - - $counter++; - $disabled = "False"; - $comments = "False"; - - $tempstring = $splitcontents[$counter]; - $findme = "# alert"; //find string for disabled alerts - - //find alert - $disabled_pos = strstr($tempstring, $findme); - - - //do soemthing, this rule is enabled - $counter2 = 1; - - //retrieve sid value - $sid = get_middle($tempstring, 'sid:', ';', 0); - - //check to see if the sid is numberical - $is_sid_num = is_numeric($sid); - - //if SID is numerical, proceed - if ($is_sid_num) - { - - //if find alert is false, then rule is disabled - if ($disabled_pos !== false){ - $counter2 = $counter2+1; - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_block_d.gif"; - } - else - { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - if ($disabled_pos !== false){ - $ischecked = ""; - }else{ - $ischecked = "checked"; - } - - $rule_content = explode(' ', $tempstring); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = $rule_content[$counter2];//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = $rule_content[$counter2];//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - if (strstr($tempstring, 'msg: "')) - $message = get_middle($tempstring, 'msg: "', '";', 0); - if (strstr($tempstring, 'msg:"')) - $message = get_middle($tempstring, 'msg:"', '";', 0); - - echo "<tr> - <td class=\"listt\"> - $textss\n"; - ?> - <a - href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img - src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" - width="10" height="10" border="0" - title="click to toggle enabled/disabled status"></a> - <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> - <!-- TODO: add checkbox and save so that that disabling is nicer --> - <?php - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $sid - $textse - </td> - <td class=\"listlr\"> - $textss - $protocol"; - ?> - <?php - $printcounter++; - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $source - $textse - </td> - <td class=\"listlr\"> - $textss - $source_port - $textse - </td> - <td class=\"listlr\"> - $textss - $destination - $textse - </td> - <td class=\"listlr\"> - $textss - $destination_port - $textse - </td>"; - ?> - <td class="listbg"><font color="white"> <?php - echo "$textss + $counter2 = 1; + $sid = get_middle($value, 'sid:', ';', 0); + //check to see if the sid is numberical + if (!is_numeric($sid)) + continue; + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + + $ischecked = ""; + } else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + + $ischecked = "checked"; + } + + $rule_content = explode(' ', $value); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = substr($rule_content[$counter2], 0, 20) . "...";//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($value, 'msg: "')) + $message = get_middle($value, 'msg: "', '";', 0); + else if (strstr($value, 'msg:"')) + $message = get_middle($value, 'msg:"', '";', 0); + + echo "<tr><td class=\"listt\"> $textss\n"; + ?> + <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img + src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" + width="10" height="10" border="0" + title="click to toggle enabled/disabled status"></a> + <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> + <!-- TODO: add checkbox and save so that that disabling is nicer --> + <?php + echo "$textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $sid + $textse + </td> + <td width='6%' class=\"listlr\"> + $textss + $protocol"; + echo "$textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $source + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $source_port + $textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $destination + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $destination_port + $textse + </td> + <td width='30%' class=\"listbg\"><font color=\"white\"> + $textss $message $textse - </td>"; - ?> - <td valign="middle" nowrap class="list"> + </td>"; + ?> + <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="javascript: void(0)" - onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - title="edit rule" width="17" height="17" border="0"></a></td> + <tr> + <td><a href="javascript: void(0)" + onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + title="edit rule" width="17" height="17" border="0"></a></td> <!-- Codes by Quackit.com --> - </tr> + </tr> </table> - </td> - <?php - } - } - echo " There are $printcounter rules in this category. <br><br>"; - ?> - - </table> </td> - </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" - cellpadding="0"> + <?php + } + ?> + + </table> + </td> + </tr> + <tr> + <td class="listlr"> + <?php echo " <strong><span class='red'>There are {$counter} rules in this category. <br/><br/></span></strong>"; ?> + </td> + </tr> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" @@ -693,36 +436,23 @@ function popup(url) width="11" height="11"></td> <td nowrap>Rule Disabled</td> </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" - cellpadding="0"> - <tr> + <tr> <!-- TODO: add save and cancel for checkbox options --> <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> - </tr> - </table> + </tr> <tr> <td colspan="10"> - <p><!--<strong><span class="red">Warning:<br> - </span></strong>Editing these r</p>--> - + <p><!--<strong><span class="red">Warning:<br/> </span></strong>Editing these r</p>--> </td> </tr> </table> - </table> - - </td> - </tr> - + </td> + </tr> + </table> + </td> +</tr> </table> - -</div> - -<?php - -include("fend.inc"); -echo $snort_custom_rnd_box; -?> - -</div> +</form> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index bac04f68..330630f4 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -1,6 +1,6 @@ <?php /* - system_edit.php + snort_rules_edit.php Copyright (C) 2004, 2005 Scott Ullrich Copyright (C) 2011 Ermal Luci All rights reserved. @@ -44,8 +44,6 @@ require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); } - -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; @@ -64,55 +62,69 @@ if (isset($id) && $a_nat[$id]) { //get rule id $lineid = $_GET['ids']; +if (isset($_POST['ids'])) + $lineid = $_POST['ids']; $file = $_GET['openruleset']; +if (isset($_POST['openruleset'])) + $file = $_POST['openruleset']; + //read file into string, and get filesize also chk for empty files -if (filesize($file) > 0 ) { - $contents2 = file_get_contents($file); -}else{ - $contents2 = ''; -} +$contents = ''; +if (filesize($file) > 0 ) + $contents = file_get_contents($file); //delimiter for each new rule is a new line $delimiter = "\n"; //split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents2); - -if ($_POST) { - if($_POST['highlight'] <> "") { - if($_POST['highlight'] == "yes" or - $_POST['highlight'] == "enabled") { - $highlight = "yes"; - } else { - $highlight = "no"; - } - } else { - $highlight = "no"; +$splitcontents = explode($delimiter, $contents); +$findme = "# alert"; //find string for disabled alerts +$highlight = "yes"; +if (strstr($splitcontents[$lineid], $findme)) + $highlight = "no"; +if ($highlight == "no") + $splitcontents[$lineid] = substr($splitcontents[$lineid], 2); + +if (!function_exists('get_middle')) { + function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; } +} - if($_POST['rows'] <> "") - $rows = $_POST['rows']; - else - $rows = 1; - - if($_POST['cols'] <> "") - $cols = $_POST['cols']; - else - $cols = 66; - +if ($_POST) { if ($_POST['save']) { - /* get the changes */ - $rule_content2 = $_POST['code']; - //copy string into file array for writing - $splitcontents[$lineid] = $rule_content2; + if ($_POST['highlight'] == "yes") + $splitcontents[$lineid] = $_POST['code']; + else + $splitcontents[$lineid] = "# " . $_POST['code']; + + //write disable/enable sid to config.xml + $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($_POST['highlight'] == "yes") + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on']; + else + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off']; + } //write the new .rules file @file_put_contents($file, implode($delimiter, $splitcontents)); - echo "<script> window.close(); </script>"; + write_config(); + + echo "<script> opener.window.location.reload(); window.close(); </script>"; exit; } } @@ -124,18 +136,20 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); <?php include("head.inc");?> <body link="#000000" vlink="#000000" alink="#000000"> +<form action="snort_rules_edit.php" method="post"> + <?php if ($savemsg) print_info_box($savemsg); ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont"> - <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post"> +<tr> + <td class="tabcont"> + - <?php if ($savemsg) print_info_box($savemsg); - if ($file != '/usr/local/etc/snort/snort_update.log'): - ?> <table width="100%" cellpadding="9" cellspacing="9" bgcolor="#eeeeee"> <tr> <td> <input name="save" type="submit" class="formbtn" id="save" value="save" /> + <input type='hidden' name='id' value='<?=$id;?>' /> + <input type='hidden' name='ids' value='<?=$ids;?>' /> + <input type='hidden' name='openruleset' value='<?=$file;?>' /> <input type="button" class="formbtn" value="Cancel" onclick="window.close()"> <hr noshade="noshade" /> Disable original rule :<br/> @@ -146,37 +160,29 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); <label for="highlighting_disabled"> <?=gettext("Disabled");?></label> </td> </tr> - </table> - <table width="100%"> + <tr> + <td valign="top" class="label"> + <textarea wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="3" + cols="66" name="code"><?=$splitcontents[$lineid];?></textarea> + </div> + </td> + </tr> <tr> <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"> - <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?=$language;?>:showcolumns" rows="<?=$rows;?>" cols="<?=$cols;?>" name="code"> - <?=$tempstring;?> </textarea> - </div> + <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea disabled + wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="33" + cols="66" name="code2"><?=$contents;?></textarea> + </div> </td> </tr> </table> - <?php endif; ?> - <table width='100%'> - <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea - <? if ($file != '/usr/local/etc/snort/snort_update.log') { echo 'disabled'; } ?> - wrap="off" style="width: 98%; margin: 7px;" - class="<?php echo $language; ?>:showcolumns" rows="33" - cols="<?=$cols;?>" name="code2"><?=$contents2;?></textarea> - </div> - </td> - </tr> - </table> - <? echo "$file\n"; ?></td> - </tr> + </td> +</tr> </table> - +</form> <?php include("fend.inc");?> - </body> </html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 264603a5..e0bdd882 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -38,8 +38,6 @@ global $g; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); } - -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 7a31f750..8dd2cc8e 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -324,17 +324,6 @@ function squid_validate_general($post, $input_errors) { $input_errors[] = "You can not run squid on the same port as the webgui"; } - if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) { - $input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy."; - } - - if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) { - $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy."; - } - if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off_dest'])) { - $input_errors[] = "You can not bypass traffic to specific IPs without using the transparent proxy."; - } - foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); @@ -690,6 +679,7 @@ function squid_resync_cache() { $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10); $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); + $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32); $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); @@ -712,7 +702,7 @@ function squid_resync_cache() { $conf = <<<EOD cache_mem $memory_cache_size MB -maximum_object_size_in_memory 32 KB +maximum_object_size_in_memory $max_objsize_in_mem KB memory_replacement_policy $memory_policy cache_replacement_policy $cache_policy cache_dir $disk_cache_opts diff --git a/config/squid/squid.xml b/config/squid/squid.xml index 4ce0af0f..6f9ecb18 100644 --- a/config/squid/squid.xml +++ b/config/squid/squid.xml @@ -166,6 +166,7 @@ <fieldname>transparent_proxy</fieldname> <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> <type>checkbox</type> + <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> <required/> </field> <field> @@ -177,14 +178,14 @@ <field> <fielddescr>Bypass proxy for these source IPs</fielddescr> <fieldname>defined_ip_proxy_off</fieldname> - <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;).</description> + <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> <size>80</size> </field> <field> <fielddescr>Bypass proxy for these destination IPs</fielddescr> <fieldname>defined_ip_proxy_off_dest</fieldname> - <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;).</description> + <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> <size>80</size> </field> diff --git a/config/squid/squid_cache.xml b/config/squid/squid_cache.xml index 881f15b3..55a1ca59 100644 --- a/config/squid/squid_cache.xml +++ b/config/squid/squid_cache.xml @@ -136,6 +136,14 @@ <default_value>4</default_value> </field> <field> + <fielddescr>Maximum object size in RAM</fielddescr> + <fieldname>maximum_objsize_in_mem</fieldname> + <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description> + <type>input</type> + <required/> + <default_value>32</default_value> + </field> + <field> <fielddescr>Level 1 subdirectories</fielddescr> <fieldname>level1_subdirs</fieldname> <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> diff --git a/config/squid3-reverse/proxy_monitor.sh b/config/squid3-reverse/proxy_monitor.sh new file mode 100644 index 00000000..fab2ee54 --- /dev/null +++ b/config/squid3-reverse/proxy_monitor.sh @@ -0,0 +1,72 @@ +#!/bin/sh +# $Id$ */ +# +# proxy_monitor.sh +# Copyright (C) 2006 Scott Ullrich +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +set -e + +LOOP_SLEEP=55 + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + +# Sleep 5 seconds on startup not to mangle with existing boot scripts. +sleep 5 + +# Squid monitor 1.2 +while [ /bin/true ]; do + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure_sync + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure_sync + rm /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP +done + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + diff --git a/config/squid3-reverse/squid.inc b/config/squid3-reverse/squid.inc new file mode 100644 index 00000000..c1b5b419 --- /dev/null +++ b/config/squid3-reverse/squid.inc @@ -0,0 +1,1403 @@ +<?php +/* $Id$ */ +/* + squid.inc + Copyright (C) 2006-2009 Scott Ullrich + Copyright (C) 2006 Fernando Lemos + Copyright (C) 2008 Martin Fuchs + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('service-utils.inc'); + +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +define('SQUID_CONFBASE', '/usr/local/etc/squid'); +define('SQUID_BASE', '/var/squid/'); +define('SQUID_ACLDIR', '/var/squid/acl'); +define('SQUID_PASSWD', '/var/etc/squid.passwd'); + +$valid_acls = array(); + +function squid_get_real_interface_address($iface) { + global $config; + + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + + return array($ip, long2ip(hexdec($netmask))); +} + +function squid_chown_recursive($dir, $user, $group) { + chown($dir, $user); + chgrp($dir, $group); + $handle = opendir($dir) ; + while (($item = readdir($handle)) !== false) { + if (($item != ".") && ($item != "..")) { + $path = "$dir/$item"; + if (is_dir($path)) + squid_chown_recursive($path, $user, $group); + elseif (is_file($path)) { + chown($path, $user); + chgrp($path, $group); + } + } + } +} + +/* setup cache */ +function squid_dash_z() { + global $config; + $settings = $config['installedpackages']['squidcache']['config'][0]; + + // If the cache system is null, there is no need to initialize the (irrelevant) cache dir. + if ($settings['harddisk_cache_system'] == "null") + return; + + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + + if(!is_dir($cachedir.'/')) { + log_error("Creating Squid cache dir $cachedir"); + make_dirs($cachedir); + squid_chown_recursive($cachedir, 'proxy', 'proxy'); + } + + if(!is_dir($cachedir.'/00/')) { + log_error("Creating squid cache subdirs in $cachedir"); + mwexec("/usr/local/sbin/squid -k shutdown"); + sleep(5); + mwexec("/usr/local/sbin/squid -k kill"); + mwexec("/usr/local/sbin/squid -z"); + } + + if(file_exists("/var/squid/cache/swap.state")) + exec("chmod a+rw /var/squid/cache/swap.state"); + +} + +function squid_is_valid_acl($acl) { + global $valid_acls; + if(!is_array($valid_acls)) + return; + return in_array($acl, $valid_acls); +} + +function squid_install_command() { + global $config; + global $g; + /* migrate existing csv config fields */ + $settingsauth = $config['installedpackages']['squidauth']['config'][0]; + $settingscache = $config['installedpackages']['squidcache']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + + /* Set storage system */ + if ($g['platform'] == "nanobsd") { + $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; + } + + /* migrate auth settings */ + if (!empty($settingsauth['no_auth_hosts'])) { + if(strstr($settingsauth['no_auth_hosts'], ",")) { + $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); + $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; + } + } + + /* migrate cache settings */ + if (!empty($settingscache['donotcache'])) { + if(strstr($settingscache['donotcache'], ",")) { + $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); + $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; + } + } + + /* migrate nac settings */ + if(! empty($settingsnac['allowed_subnets'])) { + if(strstr($settingsnac['allowed_subnets'], ",")) { + $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); + $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; + } + } + + if(! empty($settingsnac['banned_hosts'])) { + if(strstr($settingsnac['banned_hosts'], ",")) { + $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; + } + } + + if(! empty($settingsnac['banned_macs'])) { + if(strstr($settingsnac['banned_macs'], ",")) { + $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); + $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; + } + } + + if(! empty($settingsnac['unrestricted_hosts'])) { + if(strstr($settingsnac['unrestricted_hosts'], ",")) { + $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; + } + } + + if(! empty($settingsnac['unrestricted_macs'])) { + if(strstr($settingsnac['unrestricted_macs'], ",")) { + $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; + } + } + + if(! empty($settingsnac['whitelist'])) { + if(strstr($settingsnac['whitelist'], ",")) { + $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); + $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; + } + } + + if(! empty($settingsnac['blacklist'])) { + if(strstr($settingsnac['blacklist'], ",")) { + $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); + $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; + } + } + + update_status("Writing configuration... One moment please..."); + + write_config(); + + /* create cache */ + update_status("Creating squid cache pools... One moment please..."); + squid_dash_z(); + /* make sure pinger is executable */ + if(file_exists("/usr/local/libexec/squid/pinger")) + exec("/bin/chmod a+x /usr/local/libexec/squid/pinger"); + if(file_exists("/usr/local/etc/rc.d/squid")) + exec("/bin/rm /usr/local/etc/rc.d/squid"); + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <<<EOD +if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then + /usr/local/sbin/squid -D +fi + +EOD; + $rc['stop'] = <<<EOD +/usr/local/sbin/squid -k shutdown +# Just to be sure... +sleep 5 +killall -9 squid 2>/dev/null +killall pinger 2>/dev/null + +EOD; + $rc['restart'] = <<<EOD +if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then + /usr/local/sbin/squid -D + else + /usr/local/sbin/squid -k reconfigure + fi + +EOD; + update_status("Writing rc.d files... One moment please..."); + conf_mount_rw(); + write_rcfile($rc); + + exec("chmod a+rx /usr/local/libexec/squid/dnsserver"); + + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE ) as $dir) { + make_dirs($dir); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + + /* kill any running proxy alarm scripts */ + update_status("Checking for running processes... One moment please..."); + log_error("Stopping any running proxy monitors"); + mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + sleep(1); + + if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) + copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); + + update_status("Checking cache... One moment please..."); + squid_dash_z(); + + if (!is_service_running('squid')) { + update_status("Starting... One moment please..."); + log_error("Starting Squid"); + mwexec_bg("/usr/local/sbin/squid -D"); + } else { + update_status("Reloading Squid for configuration sync... One moment please..."); + log_error("Reloading Squid for configuration sync"); + mwexec("/usr/local/sbin/squid -k reconfigure"); + } + + /* restart proxy alarm scripts */ + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh"); + + update_status("Reconfiguring filter... One moment please..."); + filter_configure(); +} + +function squid_deinstall_command() { + global $config, $g; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; + squid_install_cron(false); + $settings = &$config['installedpackages']['squidcache']['config'][0]; + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + update_status("Removing swap.state ... One moment please..."); + update_output_window("$plswait_txt"); + mwexec('rm -rf $cachedir/swap.state'); + mwexec('rm -rf $logdir'); + update_status("Finishing package cleanup."); + mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh'); + mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + update_status("Reloading filter..."); + filter_configure_sync(); +} + +function squid_before_form_general($pkg) { + $values = get_dir(SQUID_CONFBASE . '/errors/'); + // Get rid of '..' and '.' + array_shift($values); + array_shift($values); + $name = array(); + foreach ($values as $value) + $names[] = implode(" ", explode("_", $value)); + + $i = 0; + foreach ($pkg['fields']['field'] as $field) { + if ($field['fieldname'] == 'error_language') + break; + $i++; + } + $field = &$pkg['fields']['field'][$i]; + + for ($i = 0; $i < count($values) - 1; $i++) + $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, $input_errors) { + global $config; + $settings = $config['installedpackages']['squid']['config'][0]; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + + if (substr($post['log_dir'], -1, 1) == '/') + $input_errors[] = 'You may not end log location with an / mark'; + + if ($post['log_dir']{0} != '/') + $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) + $input_errors[] = "That is not a valid log location dir"; + + $log_rotate = trim($post['log_rotate']); + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; + + $webgui_port = $config['system']['webgui']['port']; + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + $webgui_port = 80; + } + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + $webgui_port = 443; + } + + if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { + $input_errors[] = "You can not run squid on the same port as the webgui"; + } + + foreach (array('defined_ip_proxy_off') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + foreach (array('defined_ip_proxy_off_dest') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + + if(!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + }} +} + +function squid_validate_upstream($post, $input_errors) { + if ($post['proxy_forwarding'] == 'on') { + $addr = trim($post['proxy_addr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, $input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + } + + if (!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } + + if ($post['donotcache'] != "") { + foreach (split("\n", $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "The host '$host' is not a valid IP or host name"; + } + } + + squid_dash_z(); + +} + +function squid_validate_nac($post, $input_errors) { + $allowed_subnets = explode("\n", $post['allowed_subnets']); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!empty($subnet) && !is_subnet($subnet)) + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { + foreach (explode("\n", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "The host '$host' is not a valid IP address"; + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode("\n", $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "The mac '$mac' is not a valid MAC address"; + } + } + + foreach (explode(",", $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "The time range '$time' is not a valid time range"; + } + + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + }} +} + +function squid_validate_traffic($post, $input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } + + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; + } + +} + +function squid_validate_auth($post, $input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; + } + + $no_auth = explode("\n", $post['no_auth_hosts']); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "The host '$host' is not a valid CIDR range"; + } + } +} + +function squid_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['task_name'], "squid_rotate_logs")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("Squid Log Rotation"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + $settings = $config['installedpackages']['squid']['config'][0]; + $conf = "# This file is automatically generated by pfSense\n"; + $conf = "# Do not edit manually !\n"; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); + $real_ifaces = array(); + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; + } + } + if (($settings['transparent_proxy'] == 'on')) { + $conf .= "http_port 127.0.0.1:80 intercept\n"; + } + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); + $errordir = SQUID_CONFBASE . '/errors/' . $language; + $icondir = SQUID_CONFBASE . '/icons'; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); + + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + + $logdir_cache = $logdir . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); + + $conf .= <<<EOD +icp_port $icp_port + +pid_filename $pidfile +cache_effective_user proxy +cache_effective_group proxy +error_directory $errordir +icon_directory $icondir +visible_hostname $hostname +cache_mgr $email +access_log $logdir_access +cache_log $logdir_cache +cache_store_log none + +EOD; + + if (!empty($settings['log_rotate'])) { + $conf .= "logfile_rotate {$settings['log_rotate']}\n"; + squid_install_cron(true); + } + else { + squid_install_cron(false); + } + + $conf .= <<<EOD +shutdown_lifetime 3 seconds + +EOD; + + if ($settings['allow_interface'] == 'on') { + $src = ''; + foreach ($real_ifaces as $iface) { + list($ip, $mask) = $iface; + $ip = long2ip(ip2long($ip) & ip2long($mask)); + $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); + $src .= " $ip/$mask"; + } + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "acl localnet src $src\n"; + $valid_acls[] = 'localnet'; + } + if ($settings['disable_xforward']) $conf .= "forwarded_for off\n"; + if ($settings['disable_via']) $conf .= "via off\n"; + if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; + if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; + else $conf .= "uri_whitespace strip\n"; //only used for first run + + if(!empty($settings['dns_nameservers'])) { + $altdns = explode(";", ($settings['dns_nameservers'])); + $conf .= "dns_nameservers "; + foreach ($altdns as $dnssrv) { + $conf .= $dnssrv." "; + } +// $conf .= "\n"; //Kill blank line after DNS-Servers + } + + return $conf; +} + + +function squid_resync_cache() { + global $config, $g; + + $settings = $config['installedpackages']['squidcache']['config'][0]; + + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); + $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); + $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); + $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10); + $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); + $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); + $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); + $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); + + if (!isset($settings['harddisk_cache_system'])) { + if ($g['platform'] == "nanobsd") { + $disk_cache_system = 'null'; + } else { + $disk_cache_system = 'ufs'; + } + } else { + $disk_cache_system = $settings['harddisk_cache_system']; + } + + if ($disk_cache_system == "null") { + $disk_cache_opts = "{$disk_cache_system} /tmp"; + } else { + $disk_cache_opts = "{$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + } + + $conf = <<<EOD +cache_mem $memory_cache_size MB +maximum_object_size_in_memory 32 KB +memory_replacement_policy $memory_policy +cache_replacement_policy $cache_policy +cache_dir $disk_cache_opts +minimum_object_size $min_objsize KB +maximum_object_size $max_objsize KB +offline_mode $offline_mode + +EOD; + + if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; + if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + + $donotcache = base64_decode($settings['donotcache']); + if (!empty($donotcache)) { + file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); + $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; + $conf .= 'cache deny donotcache'; + } + elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { + unlink(SQUID_ACLDIR . '/donotcache.acl'); + } + + return $conf; +} + +function squid_resync_upstream() { + global $config; + $settings = $config['installedpackages']['squidupstream']['config'][0]; + + $conf = ''; + if ($settings['proxy_forwarding'] == 'on') { + $conf .= "cache_peer {$settings['proxy_addr']} parent {$settings['proxy_port']} "; + if ($settings['icp_port'] == '7') + $conf .= "{$settings['icp_port']} no-query"; + else + $conf .= "{$settings['icp_port']}"; + + if (!empty($settings['username'])) + $conf .= " login={$settings['username']}"; + if (!empty($settings['password'])) + $conf .= ":{$settings['password']}"; + } + + return $conf; +} + +function squid_resync_redirector() { + global $config; + + $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); + if ($httpav_enabled) { + $conf = "url_rewrite_program /usr/local/bin/squirm\n"; + } else { + $conf = "# No redirector configured\n"; + } + return $conf; +} + +function squid_resync_nac() { + global $config, $valid_acls; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $settings = $config['installedpackages']['squidnac']['config'][0]; + $webgui_port = $config['system']['webgui']['port']; + $addtl_ports = $settings['addtl_ports']; + $addtl_sslports = $settings['addtl_sslports']; + + $conf = <<<EOD + +# Setup some default acls +acl all src all +acl localhost src 127.0.0.1/32 +acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port 1025-65535 $addtl_ports +acl sslports port 443 563 $webgui_port $addtl_sslports +acl manager proto cache_object +acl purge method PURGE +acl connect method CONNECT +acl dynamic urlpath_regex cgi-bin \? + +EOD; + + $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets'])); + $allowed = ""; + foreach ($allowed_subnets as $subnet) { + if(!empty($subnet)) { + $subnet = trim($subnet); + $allowed .= "$subnet "; + } + } + if (!empty($allowed)) { + $conf .= "acl allowed_subnets src $allowed\n"; + $valid_acls[] = 'allowed_subnets'; + } + + $options = array( 'unrestricted_hosts' => 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + ); + foreach ($options as $option => $directive) { + $contents = base64_decode($settings[$option]); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + unlink(SQUID_ACLDIR . "/$option.acl"); + } + } + + $conf .= <<<EOD +cache deny dynamic +http_access allow manager localhost + +EOD; + + if(!empty($settings['ext_cachemanager'])) { + $extmgr = explode(";", ($settings['ext_cachemanager'])); + $count = 1; + $conf .= "\n# Allow external cache managers\n"; +// $conf .= "acl ext_manager src ".$settings['ext_cachemanager']."\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager_".$count." src "; + $conf .= $mgr." "; + $conf .= "\n"; + $conf .= "http_access allow manager ext_manager_".$count."\n"; + $count += 1; + }} + + $conf .= <<<EOD + +http_access deny manager +http_access allow purge localhost +http_access deny purge +http_access deny !safeports +http_access deny CONNECT !sslports + +# Always allow localhost connections +http_access allow localhost + +EOD; + + return $conf; +} + +function squid_resync_traffic() { + global $config, $valid_acls; + if(!is_array($valid_acls)) + return; + $settings = $config['installedpackages']['squidtraffic']['config'][0]; + $conf = ''; + + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; + if (!empty($settings['quick_abort_pct'])) $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + + $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); + $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); + $conf .= "request_body_max_size $up_limit KB\n"; + if ($down_limit != 0) + $conf .= 'reply_body_max_size ' . $down_limit . " KB all \n"; + + // Only apply throttling past 10MB + // XXX: Should this really be hardcoded? + $threshold = 10 * 1024 * 1024; + $overall = $settings['overall_throttling']; + if (!isset($overall) || ($overall == 0)) + $overall = -1; + else + $overall *= 1024; + $perhost = $settings['perhost_throttling']; + if (!isset($perhost) || ($perhost == 0)) + $perhost = -1; + else + $perhost *= 1024; + $conf .= <<<EOD +delay_pools 1 +delay_class 1 2 +delay_parameters 1 $overall/$overall $perhost/$perhost +delay_initial_bucket_level 100 + +EOD; + + if(! empty($settings['unrestricted_hosts'])) { + foreach (array('unrestricted_hosts') as $item) { + if (in_array($item, $valid_acls)) + $conf .= "# Do not throttle unrestricted hosts\n"; + $conf .= "delay_access 1 deny $item\n"; + } + } + + if ($settings['throttle_specific'] == 'on') { + $exts = array(); + $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com'; + $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi'; + $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m'; + foreach (array( 'throttle_binaries' => $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(",", $set)); + } + + foreach (explode(",", $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny all\n"; + } + else + $conf .= "delay_access 1 allow all\n"; + + return $conf; +} + +function squid_resync_auth() { + global $config, $valid_acls; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + $conf = ''; + + // Deny the banned guys before allowing the good guys + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; + } + } + + // Unrestricted hosts take precendence over blacklist + if(! empty($settingsnac['unrestricted_hosts'])) { + if (squid_is_valid_acl('unrestricted_hosts')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_hosts\n"; + } + } + if(! empty($settingsnac['unrestricted_macs'])) { + if (squid_is_valid_acl('unrestricted_macs')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_macs\n"; + } + } + + // Whitelist and blacklist also take precendence over other allow rules + if(! empty($settingsnac['whitelist'])) { + if (squid_is_valid_acl('whitelist')) { + $conf .= "# Always allow access to whitelist domains\n"; + $conf .= "http_access allow whitelist\n"; + } + } + if(! empty($settingsnac['blacklist'])) { + if (squid_is_valid_acl('blacklist')) { + $conf .= "# Block access to blacklist domains\n"; + $conf .= "http_access deny blacklist\n"; + } + } + + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); + $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none') { + $conf .="# Setup allowed acls\n"; + $allowed = array('allowed_subnets'); + if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; + $allowed[] = "localnet"; + } + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + else { + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src $noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + squid_resync_msnt(); + break; + } + $conf .= <<<EOD +auth_param basic children $processes +auth_param basic realm $prompt +auth_param basic credentialsttl $auth_ttl minutes +acl password proxy_auth REQUIRED + +EOD; + + // Onto the ACLs + $password = array('localnet', 'allowed_subnets'); + $passwordless = array('unrestricted_hosts'); + if ($settings['unrestricted_auth'] == 'on') { + // Even the unrestricted hosts should authenticate + $password = array_merge($password, $passwordless); + $passwordless = array(); + } + $passwordless[] = 'noauth'; + $password = array_filter($password, 'squid_is_valid_acl'); + $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); + + // Allow the ACLs that don't need to authenticate + foreach ($passwordless as $acl) + $conf .= "http_access allow $acl\n"; + + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } + + if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { + $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); + $conf .= "# Custom options\n"; + foreach ($custopts as $custopt) { + $conf .= $custopt."\n"; + } + } + + $conf .= "# Default block all to be sure\n"; + $conf .= "http_access deny all\n"; + + return $conf; +} + +function squid_resync_users() { + global $config; + + $users = $config['installedpackages']['squidusers']['config']; + $contents = ''; + if (is_array($users)) { + foreach ($users as $user) + $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; + } + file_put_contents(SQUID_PASSWD, $contents); + chown(SQUID_PASSWD, 'proxy'); + chmod(SQUID_PASSWD, 0600); +} + +function squid_resync_msnt() { + global $config; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $pdcserver = $settings['auth_server']; + $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); + $ntdomain = $settings['auth_ntdomain']; + + file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); + chown(SQUID_CONFBASE."/msntauth.conf", 'proxy'); + chmod(SQUID_CONFBASE."/msntauth.conf", 0600); +} + +function squid_resync() { + global $config; + conf_mount_rw(); + $conf = squid_resync_general() . "\n"; + $conf .= squid_resync_cache() . "\n"; + $conf .= squid_resync_redirector() . "\n"; + $conf .= squid_resync_upstream() . "\n"; + $conf .= squid_resync_nac() . "\n"; + $conf .= squid_resync_traffic() . "\n"; + $conf .= squid_resync_auth(); + squid_resync_users(); + + /* make sure pinger is executable */ + if(file_exists("/usr/local/libexec/squid/pinger")) + exec("chmod a+x /usr/local/libexec/squid/pinger"); + + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE ) as $dir) { + make_dirs($dir); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + + file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); + + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; + + if(!is_dir($log_dir)) { + log_error("Creating squid log dir $log_dir"); + make_dirs($log_dir); + squid_chown_recursive($log_dir, 'proxy', 'proxy'); + } + + squid_dash_z(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec("/usr/local/sbin/squid"); + } else { + log_error("Reloading Squid for configuration sync"); + mwexec("/usr/local/sbin/squid -k reconfigure"); + } + + // Sleep for a couple seconds to give squid a chance to fire up fully. + for ($i=0; $i < 10; $i++) { + if (!is_service_running('squid')) + sleep(1); + } + filter_configure(); + conf_mount_ro(); +} + +function squid_print_javascript_auth() { + global $config; + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + + // No authentication for transparent proxy + if ($transparent_proxy) { + $javascript = <<<EOD +<script language="JavaScript"> +<!-- +function on_auth_method_changed() { + document.iform.auth_method.disabled = 1; + document.iform.auth_server.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 1; + document.iform.auth_ttl.disabled = 1; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; +} +--> +</script> + +EOD; + } + else { + $javascript = <<<EOD +<script language="JavaScript"> +<!-- +function on_auth_method_changed() { + var field = document.iform.auth_method; + var auth_method = field.options[field.selectedIndex].value; + + if (auth_method == 'none') { + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 1; + document.iform.auth_ttl.disabled = 1; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + } + else { + document.iform.auth_prompt.disabled = 0; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 0; + document.iform.no_auth_hosts.disabled = 0; + } + + switch (auth_method) { + case 'local': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + break; + case 'ldap': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 0; + document.iform.ldap_pass.disabled = 0; + document.iform.ldap_version.disabled = 0; + document.iform.ldap_userattribute.disabled = 0; + document.iform.ldap_filter.disabled = 0; + document.iform.ldap_basedomain.disabled = 0; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'radius': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 0; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'msnt': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 0; + break; + } +} +--> +</script> + +EOD; + } + + print($javascript); +} + +function squid_print_javascript_auth2() { + print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n"); +} + +function squid_generate_rules($type) { + global $config; + + $squid_conf = $config['installedpackages']['squid']['config'][0]; + + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + return; + } + + $ifaces = explode(",", $squid_conf['active_interface']); + $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); + $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); + + $fw_aliases = filter_generate_aliases(); + if(strstr($fw_aliases, "pptp =")) + $PPTP_ALIAS = "\$pptp"; + else + $PPTP_ALIAS = "\$PPTP"; + if(strstr($fw_aliases, "PPPoE =")) + $PPPOE_ALIAS = "\$PPPoE"; + else + $PPPOE_ALIAS = "\$pppoe"; + + switch($type) { + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if(!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; + } + } + foreach ($ifaces as $iface) { + $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n"; + } + /* Handle PPPOE case */ + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($ifaces as $iface) { + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +?> diff --git a/config/squid3-reverse/squid.xml b/config/squid3-reverse/squid.xml new file mode 100644 index 00000000..f82cf81a --- /dev/null +++ b/config/squid3-reverse/squid.xml @@ -0,0 +1,342 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>2.6.STABLE18</version> + <title>Proxy server: General settings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <menu> + <name>Proxy server</name> + <tooltiptext>Modify the proxy server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + <executable>squid</executable> + <description>Proxy server Service</description> + </service> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_ng.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_users.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/etc/rc.d/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/proxy_monitor.sh</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/squid_cache.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Proxy interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>The interface(s) the proxy server will bind to.</description> + <type>interfaces_selection</type> + <required/> + <default_value>lan</default_value> + <multiple/> + </field> + <field> + <fielddescr>Allow users on interface</fielddescr> + <fieldname>allow_interface</fieldname> + <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> + <type>checkbox</type> + <required/> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Transparent proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> + <required/> + </field> + <field> + <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr> + <fieldname>private_subnet_proxy_off</fieldname> + <description>Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Bypass proxy for these source IPs</fielddescr> + <fieldname>defined_ip_proxy_off</fieldname> + <description>Do not forward traffic from these <b>source</b> IPs, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> + <type>input</type> + <size>80</size> + </field> + <field> + <fielddescr>Bypass proxy for these destination IPs</fielddescr> + <fieldname>defined_ip_proxy_off_dest</fieldname> + <description>Do not proxy traffic going to these <b>destination</b> IPs, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> + <type>input</type> + <size>80</size> + </field> + <field> + <fielddescr>Enabled logging</fielddescr> + <fieldname>log_enabled</fieldname> + <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> + <type>checkbox</type> + <enablefields>log_query_terms,log_user_agents</enablefields> + </field> + <field> + <fielddescr>Log store directory</fielddescr> + <fieldname>log_dir</fieldname> + <description>The directory where the log will be stored (note: do not end with a / mark)</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/logs</default_value> + </field> + <field> + <fielddescr>Log rotate</fielddescr> + <fieldname>log_rotate</fieldname> + <description>Defines how many days of logfiles will be kept. Rotation is disabled if left empty.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Proxy port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the proxy server will listen on.</description> + <type>input</type> + <size>5</size> + <required/> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Visible hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This is the URL to be displayed in proxy server error messages.</description> + <type>input</type> + <size>60</size> + <default_value>localhost</default_value> + </field> + <field> + <fielddescr>Administrator email</fielddescr> + <fieldname>admin_email</fieldname> + <description>This is the email address displayed in error messages to the users.</description> + <type>input</type> + <size>60</size> + <default_value>admin@localhost</default_value> + </field> + <field> + <fielddescr>Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the proxy server will display error messages to users.</description> + <type>select</type> + <default_value>English</default_value> + </field> + <field> + <fielddescr>Disable X-Forward</fielddescr> + <fieldname>disable_xforward</fieldname> + <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable VIA</fielddescr> + <fieldname>disable_via</fieldname> + <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr> + <fieldname>uri_whitespace</fieldname> + <description><b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. <p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace.</description> + <type>select</type> + <default_value>strip</default_value> + <options> + <option> + <name>strip</name> + <value>strip</value> + </option> + <option> + <name>deny</name> + <value>deny</value> + </option> + <option> + <name>allow</name> + <value>allow</value> + </option> + <option> + <name>encode</name> + <value>encode</value> + </option> + <option> + <name>chop</name> + <value>chop</value> + </option> + </options> + </field> + <field> + <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fieldname>dns_nameservers</fieldname> + <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Suppress Squid Version</fielddescr> + <fieldname>disable_squidversion</fieldname> + <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom_options</fieldname> + <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.</description> + <type>textarea</type> + <cols>65</cols> + <rows>5</rows> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_add_php_command> + squid_resync(); + </custom_add_php_command> + <custom_php_validation_command> + squid_validate_general($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + </custom_php_resync_config_command> + <custom_php_install_command> + update_status("Checking Squid cache... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + squid_install_command(); + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + </custom_php_install_command> + <custom_php_deinstall_command> + squid_deinstall_command(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); + </custom_php_deinstall_command> + <filter_rules_needed>squid_generate_rules</filter_rules_needed> +</packagegui>
\ No newline at end of file diff --git a/config/squid3-reverse/squid_auth.inc b/config/squid3-reverse/squid_auth.inc new file mode 100644 index 00000000..7c99a01b --- /dev/null +++ b/config/squid3-reverse/squid_auth.inc @@ -0,0 +1,446 @@ +<?php +/* $Id$ */ + +/* + squid_auth.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +function global_eval_auth_options() +{ + global $config; + conf_mount_rw(); + config_lock(); + + switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { + case "none": + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + case "local_auth": + dynamic_auth_content("pkg"); + /* create empty passwd file to prevent stat error with squid reload */ + touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); + dynamic_local_auth(); + break; + case "ldap_bind": + dynamic_auth_content("pkg_edit"); + dynamic_ldap_auth(); + break; + case "domain_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_domain_auth(); + break; + case "radius_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_radius_auth(); + break; + default: + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + } + + config_unlock(); + conf_mount_ro(); + +} /* end function global_eval_auth_options */ + +function dynamic_no_auth() { + global $config; + conf_mount_rw(); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextnoauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n"); + fwrite($fout, " <fieldname>no_auth</fieldname>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_local_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextlocalauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.10_4</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <adddeleteeditpagefields>\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Description</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, " </adddeleteeditpagefields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>15</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Password</fielddescr>\n"); + fwrite($fout, " <fieldname>password</fieldname>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " <size>8</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n"); + fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_ldap_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextldapauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.11</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Base DN</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n"); + fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>50</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_server</fieldname>\n"); + fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>20</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_type</fieldname>\n"); + fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n"); + fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n"); + fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n"); + fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_port</fieldname>\n"); + fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>5</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n"); + fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n"); + fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content($pkgvar) { + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + + case "pkg_edit": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + } + +} /* end function dynamic_auth_content */ +?>
\ No newline at end of file diff --git a/config/squid3-reverse/squid_auth.xml b/config/squid3-reverse/squid_auth.xml new file mode 100644 index 00000000..c8e34553 --- /dev/null +++ b/config/squid3-reverse/squid_auth.xml @@ -0,0 +1,240 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidauth</name> + <version>none</version> + <title>Proxy server: Authentication</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Authentication method</fielddescr> + <fieldname>auth_method</fieldname> + <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> + <type>select</type> + <required/> + <default_value>none</default_value> + <options> + <option><name>None</name><value>none</value></option> + <option><name>Local</name><value>local</value></option> + <option><name>LDAP</name><value>ldap</value></option> + <option><name>RADIUS</name><value>radius</value></option> + <option><name>NT domain</name><value>msnt</value></option> + </options> + <onchange>on_auth_method_changed()</onchange> + </field> + <field> + <fielddescr>LDAP version</fielddescr> + <fieldname>ldap_version</fieldname> + <description>Enter LDAP protocol version (2 or 3).</description> + <type>select</type> + <default_value>2</default_value> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + </options> + </field> + <field> + <fielddescr>Authentication server</fielddescr> + <fieldname>auth_server</fieldname> + <description>Enter here the IP or hostname of the server that will perform the authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication server port</fielddescr> + <fieldname>auth_server_port</fieldname> + <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>NT domain</fielddescr> + <fieldname>auth_ntdomain</fieldname> + <description>Enter here the NT domain.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP server user DN</fielddescr> + <fieldname>ldap_user</fieldname> + <description>Enter here the user DN to use to connect to the LDAP server.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP password</fielddescr> + <fieldname>ldap_pass</fieldname> + <description>Enter here the password to use to connect to the LDAP server.</description> + <type>password</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP base domain</fielddescr> + <fieldname>ldap_basedomain</fieldname> + <description>For LDAP authentication, enter here the base domain in the LDAP server.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP username DN attribute</fielddescr> + <fieldname>ldap_userattribute</fieldname> + <description>Enter LDAP username DN attibute.</description> + <type>input</type> + <size>60</size> + <default_value>uid</default_value> + </field> + <field> + <fielddescr>LDAP search filter</fielddescr> + <fieldname>ldap_filter</fieldname> + <description>Enter LDAP search filter.</description> + <type>input</type> + <size>60</size> + <default_value>(&(objectClass=person)(uid=%s))</default_value> + </field> + <field> + <fielddescr>RADIUS secret</fielddescr> + <fieldname>radius_secret</fieldname> + <description>The RADIUS secret for RADIUS authentication.</description> + <type>password</type> + <size>60</size> + </field> + <field> + <fielddescr>Secondary NT servers</fielddescr> + <fieldname>msnt_secondary</fieldname> + <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication prompt</fielddescr> + <fieldname>auth_prompt</fieldname> + <description>This string will be displayed at the top of the authentication request window.</description> + <type>input</type> + <default_value>Please enter your credentials to access the proxy</default_value> + </field> + <field> + <fielddescr>Authentication processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> + <type>input</type> + <size>60</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Authentication TTL</fielddescr> + <fieldname>auth_ttl</fieldname> + <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <type>input</type> + <size>60</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fieldname>unrestricted_auth</fieldname> + <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Subnets that don't need authentication</fielddescr> + <fieldname>no_auth_hosts</fieldname> + <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_validation_command> + squid_validate_auth($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_after_form_command> + squid_print_javascript_auth2(); + </custom_php_after_form_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> + <custom_php_before_form_command> + squid_print_javascript_auth2(); + </custom_php_before_form_command> + <custom_php_after_head_command> + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + if($transparent_proxy) + $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + squid_print_javascript_auth(); + </custom_php_after_head_command> +</packagegui> diff --git a/config/squid3-reverse/squid_cache.xml b/config/squid3-reverse/squid_cache.xml new file mode 100644 index 00000000..881f15b3 --- /dev/null +++ b/config/squid3-reverse/squid_cache.xml @@ -0,0 +1,224 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidcache</name> + <version>none</version> + <title>Proxy server: Cache management</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Hard disk cache size</fielddescr> + <fieldname>harddisk_cache_size</fieldname> + <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> + <type>input</type> + <required/> + <default_value>100</default_value> + </field> + <field> + <fielddescr>Hard disk cache system</fielddescr> + <fieldname>harddisk_cache_system</fieldname> + <description>This specifies the kind of storage system to use. <p> <b> ufs </b> is the old well-known Squid storage format that has always been there. <p> <b> aufs </b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) <p> <b> diskd </b> uses a separate process to avoid blocking the main Squid process on disk-I/O. <p> <b> null </b> Does not use any storage. Ideal for Embedded/NanoBSD.</description> + <type>select</type> + <default_value>ufs</default_value> + <options> + <option><name>ufs</name><value>ufs</value></option> + <option><name>aufs</name><value>aufs</value></option> + <option><name>diskd</name><value>diskd</value></option> + <option><name>null</name><value>null</value></option> + </options> + </field> + <field> + <fielddescr>Hard disk cache location</fielddescr> + <fieldname>harddisk_cache_location</fieldname> + <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/cache</default_value> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memory_cache_size</fieldname> + <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <type>input</type> + <required/> + <default_value>8</default_value> + </field> + <field> + <fielddescr>Minimum object size</fielddescr> + <fieldname>minimum_object_size</fieldname> + <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description> + <type>input</type> + <required /> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum object size</fielddescr> + <fieldname>maximum_object_size</fieldname> + <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> + <type>input</type> + <required/> + <default_value>4</default_value> + </field> + <field> + <fielddescr>Level 1 subdirectories</fielddescr> + <fieldname>level1_subdirs</fieldname> + <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <type>select</type> + <default_value>16</default_value> + <options> + <option><name>4</name><value>4</value></option> + <option><name>8</name><value>8</value></option> + <option><name>16</name><value>16</value></option> + <option><name>32</name><value>32</value></option> + <option><name>64</name><value>64</value></option> + <option><name>128</name><value>128</value></option> + <option><name>256</name><value>256</value></option> + </options> + </field> + <field> + <fielddescr>Memory replacement policy</fielddescr> + <fieldname>memory_replacement_policy</fieldname> + <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> + <type>select</type> + <default_value>heap GDSF</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Cache replacement policy</fielddescr> + <fieldname>cache_replacement_policy</fieldname> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <type>select</type> + <default_value>heap LFUDA</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Low-water-mark in %</fielddescr> + <fieldname>cache_swap_low</fieldname> + <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <type>input</type> + <default_value>90</default_value> + </field> + <field> + <fielddescr>High-water-mark in %</fielddescr> + <fieldname>cache_swap_high</fieldname> + <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <type>input</type> + <default_value>95</default_value> + </field> + <field> + <fielddescr>Do not cache</fielddescr> + <fieldname>donotcache</fieldname> + <description>Enter each domain or IP address on a new line that should never be cached.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Enable offline mode</fielddescr> + <fieldname>enable_offline</fieldname> + <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <type>checkbox</type> + <required/> + </field> + </fields> + <custom_php_command_before_form> + if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + $needs_dash_z = true; + } + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_cache($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + if($needs_dash_z) + squid_dash_z(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3-reverse/squid_extauth.xml b/config/squid3-reverse/squid_extauth.xml new file mode 100644 index 00000000..41d9f633 --- /dev/null +++ b/config/squid3-reverse/squid_extauth.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidextnoauth</name> + <version>none</version> + <title>Services: Proxy Server -> Extended Authentication Settings</title> + <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </tab> + + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + <active/> + </tab> + + </tabs> + <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath> + <fields> + <field> + <fielddescr>No Authentication Defined</fielddescr> + <fieldname>no_auth</fieldname> + <type>text</type> + </field> + </fields> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + +</packagegui> diff --git a/config/squid3-reverse/squid_nac.xml b/config/squid3-reverse/squid_nac.xml new file mode 100644 index 00000000..193a89c6 --- /dev/null +++ b/config/squid3-reverse/squid_nac.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidnac</name> + <version>none</version> + <title>Proxy server: Access control</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Allowed subnets</fielddescr> + <fieldname>allowed_subnets</fieldname> + <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Unrestricted IPs</fielddescr> + <fieldname>unrestricted_hosts</fieldname> + <description>Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Banned host addresses</fielddescr> + <fieldname>banned_hosts</fieldname> + <description>Enter each IP address on a new line that is not to be allowed to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Whitelist</fielddescr> + <fieldname>whitelist</fieldname> + <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Blacklist</fielddescr> + <fieldname>blacklist</fieldname> + <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>External Cache-Managers</fielddescr> + <fieldname>ext_cachemanager</fieldname> + <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_validation_command> + squid_validate_nac($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3-reverse/squid_ng.inc b/config/squid3-reverse/squid_ng.inc new file mode 100644 index 00000000..03f6d48c --- /dev/null +++ b/config/squid3-reverse/squid_ng.inc @@ -0,0 +1,1070 @@ +<?php +/* $Id$ */ + +/* + squid_ng.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +function global_write_squid_config() +{ + global $config; + conf_mount_rw(); + config_lock(); + + /* define squid configuration file in variable for replace function */ + $squidconfig = "/usr/local/etc/squid/squid.conf"; + + /* squid.xml values */ + $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; + $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; + $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; + $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; + $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; + $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; + $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port']; + $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname']; + $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email']; + $error_language = $config['installedpackages']['squid']['config'][0]['error_language']; + $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled']; + + /* squid_upstream.xml values */ + $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; + $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; + $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; + $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; + $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; + $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; + $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; + + /* squid_cache.xml values */ + $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; + $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; + $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; + $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; + $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; + $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; + $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; + $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; + $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; + + /* squid_nac.xml values */ + $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; + $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; + $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; + $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; + $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; + $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts']; + + /* squid_traffic.xml values */ + $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; + $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; + $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; + $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; + $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; + $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; + $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; + + /* squid_auth.xml values */ + $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; + $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes']; + $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl']; + $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr']; + $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl']; + $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth']; + $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt']; + $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth']; + $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length']; + $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended']; + + /* squid_extauth.xml (ldap) values */ + $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn']; + $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server']; + $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type']; + $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port']; + $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username']; + $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password']; + + /* squid_extauth.xml (radius) values */ + $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server']; + $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port']; + $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier']; + $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret']; + + /* static variable assignments for directory mapping */ + $acldir = "/usr/local/etc/squid/advanced/acls"; + $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; + $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; + $radiusdir = "/usr/local/etc/squid/advanced/radius"; + + $fout = fopen($squidconfig, "w"); + + $config_array = array('shutdown_lifetime 5 seconds' . "\n\n"); + + if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) { + mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi"); + mwexec("chmod a+rx /usr/local/www/cachemgr.cgi"); + } else { + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + } + unset($cachemgr_enabled); + + if (!isset($icp_port) or ($icp_port == "")) { + $icp_port = "3130"; + } + $config_array[] = 'icp_port ' . $icp_port . "\n"; + unset($icp_port); + + if(!isset($proxy_port) or ($proxy_port == "")) { + $proxy_port = "3128"; + } + + if (isset($transparent_proxy) && ($transparent_proxy != "on")) { + $int = convert_friendly_interface_to_real_interface_name($active_interface); + $listen_ip = find_interface_ip($int); + + $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n"; + $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n"; + $config_array[] = 'no_cache deny QUERY' . "\n\n"; + } + $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n"; + unset($proxy_port); + + if (isset($domain) && ($domain !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/dst_nocache.acl","w"); + + $domain_array = split("; ",$domain); + foreach ($domain_array as $no_cache_domain) { + fwrite($aclout, $no_cache_domain . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"; + $config_array[] = 'no_cache deny no_cache_domains' . "\n\n"; + } + unset($no_cache_domain); + unset($domain_array); + unset($domain); + + $config_array[] = 'cache_effective_user squid' . "\n"; + $config_array[] = 'cache_effective_group squid' . "\n\n"; + $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n"; + + if (!isset($memory_cache_size) or ($memory_cache_size == "")) { + $memory_cache_size = "8"; + } + $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n"; + unset($memory_cache_size); + + if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) { + $harddisk_cache_size = "500"; + } + + if (!isset($level_subdirs) or ($level_subdirs == "")) { + $level_subdirs = "16"; + } + + $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n"; + unset($harddisk_cache_size); + unset($level_subdirs); + + if (!isset($error_language) or ($error_language == "")) { + $error_language = "English"; + } + $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n"; + unset($error_language); + + if (isset($offline_mode) && ($offline_mode == "on")) { + $config_array[] = 'offline_mode on' . "\n\n"; + } else { + $config_array[] = 'offline_mode off' . "\n\n"; + } + + if (!isset($memory_replacement) or ($memory_replacement == "")) { + $memory_replacement = "heap GDSF"; + } + $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n"; + unset($memory_replacement); + + if (!isset($cache_replacement) or ($cache_replacement == "")) { + $cache_replacement="heap GDSF"; + } + $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n"; + unset($cache_replacement); + + if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) { + $config_array[] = 'cache_access_log none' . "\n"; + } else { + $config_array[] = 'cache_access_log /var/log/access.log' . "\n"; + } + $config_array[] = 'cache_log /var/log/cache.log' . "\n"; + $config_array[] = 'cache_store_log none' . "\n"; + unset($accesslog_disabled); + unset($log_enabled); + + if (isset($log_query_terms) && ($log_query_terms == "on")) { + $config_array[] = 'strip_query_terms off' . "\n"; + } else { + $config_array[] = 'strip_query_terms on' . "\n"; + } + unset($log_query_terms); + + $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n"; + unset($log_user_agents); + + $config_array[] = 'log_mime_hdrs off' . "\n"; + $config_array[] = 'emulate_httpd_log on' . "\n"; + + switch ($user_forwarding) { + case "on": + $config_array[] = 'forwarded_for on' . "\n\n"; + break; + case "off": + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + default: + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + } + unset($user_forwarding); + + switch ($auth_method) { + case "none": + break; + case "local_auth": + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "radius_auth"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "ldap_bind"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth'; + $config_array[] = ' -b "' . $ldap_basedn . '"'; + $config_array[] = ' -D "' . $bind_dn_username . '"'; + $config_array[] = " -w " . $bind_dn_password; + $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"'; + $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n"; + + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "windows_auth"; + break; + } + + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); + fwrite($throttle_out, $binary_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); + } + unset($throttle_binary_files); + unset($throttle_out); + unset($binary_out); + + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); + fwrite($throttle_out, $cd_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_cd.acl")) { + unlink($acldir . "/dst_throttle_cd.acl"); + } + } + unset($throttle_cd_images); + unset($throttle_out); + unset($cd_out); + + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); + fwrite($throttle_out, $multimedia_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_multimedia.acl")) { + unlink($acldir . "/dst_throttle_multimedia.acl"); + } + } + unset($throttle_multimedia); + unset($multimedia_out); + unset($throttle_out); + + $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n"; + + /* obtain interface subnet and address for Squid rules */ + $lactive_interface = strtolower($active_interface); + + $lancfg = $config['interfaces'][$lactive_interface]; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n"; + $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n"; + $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n"; + $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 80 # http' . "\n"; + $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n"; + $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n"; + $config_array[] = 'acl Safe_ports port 210 # wais' . "\n"; + $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n"; + $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n"; + $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n"; + $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n"; + $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n"; + $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n"; + + /* allow access through proxy for custom admin port */ + $custom_port = $config['system']['webgui']['port']; + if (isset($custom_port) && ($custom_port !== "")) { + $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n"; + unset($custom_port); + } else { + $admin_protocol = $config['system']['webgui']['protocol']; + switch ($admin_protocol) { + case "http"; + $config_array[] = 'acl pf_admin_port port 80' ."\n"; + break; + case "https"; + $config_array[] = 'acl pf_admin_port port 443' . "\n"; + break; + default; + $config_array[] = 'acl pf_admin_port port 80' . "\n"; + break; + } + unset($admin_protocol); + } + + /* define override hosts as specified in squid_nac.xml */ + if (isset($override_hosts) && ($override_hosts !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_override_hosts.acl", "w"); + + $override_hosts_array = split("; ", $override_hosts); + foreach ($override_hosts_array as $ind_override_host) { + fwrite($aclout, $ind_override_host . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"; + } + /* clear variables */ + unset($override_hosts_array); + unset($ind_override_host); + unset($override_hosts); + + /* define subnets allowed to utilize proxy service */ + if (isset($allowed_subnets) && ($allowed_subnets !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + mwexec("touch {$acldir}/src_subnets.acl"); + } + + $aclout = fopen($acldir . "/src_subnets.acl","w"); + + $allowed_subnets_array = split("; ",$allowed_subnets); + foreach ($allowed_subnets_array as $ind_allowed_subnets) { + fwrite($aclout, $ind_allowed_subnets . "\n"); + } + + fclose($aclout); + } else { + + $aclout = fopen($acldir . "/src_subnets.acl","w"); + fwrite($aclout, $lansa . "/" . $lansn . "\n"); + fclose($aclout); + } + + $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"; + + unset($allowed_subnets_array); + unset($ind_allowed_subnets); + unset($allowed_subnets); + + /* define ip addresses that have 'unrestricted' access */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); + + $unrestricted_ip_array = split("; ",$unrestricted_ip_addr); + foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { + fwrite($aclout, $ind_unrestricted_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"; + } + unset($unrestricted_ip_array); + unset($unrestricted_ip_addr); + unset($ind_unrestricted_ip); + + /* define mac addresses that have 'unrestricted' access */ + if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); + + $unrestricted_mac_array = split("; ",$unrestricted_mac_addr); + foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { + fwrite($aclout, $ind_unrestricted_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n"; + } + unset($unrestricted_mac_array); + unset($unrestricted_mac_addr); + unset($ind_unrestricted_mac); + + /* define ip addresses that are banned from using the proxy service */ + if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_ip.acl","w"); + + $banned_ip_array = split("; ",$banned_ip_addr); + foreach ($banned_ip_array as $ind_banned_ip) { + fwrite($aclout, $ind_banned_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; + } + unset($banned_ip_addr); + unset($banned_ip_addr); + unset($ind_banned_ip); + + /* define mac addresses that are banned from using the proxy service */ + if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_mac.acl","w"); + + $banned_mac_array = split("; ",$banned_mac_addr); + foreach ($banned_mac_array as $ind_banned_mac) { + fwrite($aclout, $ind_banned_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"; + } + unset($banned_mac_array); + unset($banned_mac_addr); + unset($ind_banned_mac); + + $config_array[] = 'acl pf_ips dst ' . $lanip . "\n"; + $config_array[] = 'acl CONNECT method CONNECT' . "\n\n"; + + if (isset($auth_method) && ($auth_method == "none")) { + $config_array[] = 'http_access allow localnet' . "\n"; + } + $config_array[] = 'http_access allow localhost' . "\n"; + + if (isset($override_hosts) && ($override_hosts !== "")) { + $config_array[] = 'http_access allow override_hosts' . "\n"; + } + $config_array[] = "\n"; + + switch ($config['system']['webgui']['protocol']) { + case "http": + $config_array[] = 'http_access allow pf_ips' . "\n"; + $config_array[] = 'http_access allow pf_admin_port' . "\n"; + $config_array[] = 'http_access deny !pf_networks' . "\n\n"; + break; + case "https": + $config_array[] = 'http_access allow CONNECT pf_ips' . "\n"; + $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n"; + $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n"; + break; + } + + $config_array[] = 'http_access deny !Safe_ports' . "\n"; + $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n"; + + if (isset($auth_method) && ($auth_method != "none")) { + $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n"; + } + + $config_array[] = 'http_access deny all' . "\n\n"; + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_overall == "unlimited") { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n"; + } else { + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; + } + + if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_per_host == "unlimited") { + $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n"; + } else { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n"; + } + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { + /* if no bandwidth restrictions are specified, then these parameters are not necessary */ + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n"; + } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + } + + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; + } + } + + $config_array[] = 'header_access X-Forwarded-For deny all' . "\n"; + $config_array[] = 'header_access Via deny all' . "\n\n"; + + /* TODO: acl customization for snmp support */ + /* fwrite($fout, "\n"); */ + + if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { + $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n"; + $config_array[] = 'redirect_children 5' . "\n\n"; + } + + if (isset($max_upload_size) && ($max_upload_size != "")) { + $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n"; + } + + if (isset($max_download_size) && ($max_download_size != "")) { + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n"; + /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */ + $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n"; + } + + /* set default value for maximum_object_size */ + if (!isset($maximum_object_size) or ($maximum_object_size == "")) { + $maximum_object_size = "4096"; + } + + /* set default value for minimum_object_size */ + if (!isset($minimum_object_size) or ($minimum_object_size == "")) { + $minimum_object_size = "0"; + } + $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n"; + $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n"; + + if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) { + $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n"; + $config_array[] = 'never_direct allow all' . "\n"; + } + unset($proxy_forwarding); + + + /* define default ruleset for transparent proxy operation */ + if (isset($transparent_proxy) && ($transparent_proxy == "on")) { + $config_array[] = 'httpd_accel_host virtual' . "\n"; + $config_array[] = 'httpd_accel_port 80' . "\n"; + $config_array[] = 'httpd_accel_with_proxy on' . "\n"; + $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n"; + } + unset($transparent_proxy); + + + /* define visible hostname */ + if (isset($visible_hostname) && ($visible_hostname !== "")) { + $config_array[] = 'visible_hostname ' . $visible_hostname . "\n"; + } + unset($visible_hostname); + + /* define cache administrators email address within error messages */ + if (isset($cache_admin_email) && ($cache_admin_email !== "")) { + $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n"; + } + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + +function custom_php_install_command() { + /* write initial static config for transparent proxy */ + write_static_squid_config(); + + touch("/tmp/custom_php_install_command"); + + /* make sure this all exists, see: + * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 + */ + update_output_window("Setting up Squid environment..."); + mwexec("mkdir -p /var/squid"); + mwexec("chown squid:squid /var/squid"); + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + mwexec("mkdir -p /usr/local/etc/squid/advanced"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced"); + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); + + + /* set a few extra items noted by regan */ + update_output_window("Creating logs and setting user information..."); + $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); + fwrite($fdsquid, "#/bin/sh\n"); + fwrite($fdsquid, "# \n"); + fwrite($fdsquid, "# This file was created by the pfSense package system\n"); + fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n"); + fwrite($fdsquid, "# \n\n"); + fwrite($fdsquid, "chown squid:wheel /dev/pf\n"); + fwrite($fdsquid, "chmod ug+rw /dev/pf\n"); + fwrite($fdsquid, "touch /var/log/useragent.log\n"); + fwrite($fdsquid, "touch /var/log/access.log\n"); + fwrite($fdsquid, "touch /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n"); + fwrite($fdsquid, "\n"); + fclose($fdsquid); + mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh"); + mwexec("/usr/local/etc/rc.d/aSquid.sh"); + + update_output_window("Creating Proxy Server initialization scripts..."); + $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty"; + $stop = "/usr/local/sbin/squid -k shutdown"; + write_rcfile(array( + "file" => "squid.sh", + "start" => $start, + "stop" => $stop + ) + ); + + mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); + + /* create log directory hierarchies if they don't exist */ + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); + + + if (!file_exists("/var/squid/cache")) { + mwexec("mkdir -p /var/squid/cache"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); + + if (!file_exists("/usr/local/etc/squid/advanced/acls")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); + + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); + + if (!file_exists("/usr/local/etc/squid/advanced/radius")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); + + $devfs_file = fopen("/etc/devfs.conf", "a"); + fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); + fwrite($devfs_file, "own pf root:squid"); + fwrite($devfs_file, "perm pf 0640"); + fclose($devfs_file); + + update_output_window("Initializing Cache... This may take a moment..."); + mwexec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Proxy Server..."); + start_service("squid"); +} + +function custom_php_deinstall_command() { + update_output_window("Stopping proxy service..."); + stop_service("squid"); + sleep(1); + /* brute force any remaining squid processes out */ + mwexec("/usr/bin/killall squid"); + mwexec("/usr/bin/killall pinger"); + update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain..."); + mwexec("rm -rf /var/squid/cache"); + update_output_window("Removing configuration files..."); + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); + unlink_if_exists("/usr/local/libexec/squid"); + unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh"); + mwexec("rm -f /usr/local/etc/rc.d/squid*"); + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + filter_configure(); +} + +function write_static_squid_config() { + touch("/tmp/write_static_squid_config"); + global $config; + $lancfg = $config['interfaces']['lan']; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $fout = fopen("/usr/local/etc/squid/squid.conf","w"); + fwrite($fout, "#\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); + fwrite($fout, "#\n"); + + /* set # of dns children */ + fwrite($fout, "dns_children 15\n"); + + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "icp_port 0\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_mem 24 MB\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); + fwrite($fout, "\n"); + + fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); + fwrite($fout, "\n"); + + fwrite($fout, "memory_replacement_policy heap GDSF\n"); + fwrite($fout, "cache_replacement_policy heap GDSF\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_access_log none\n"); + fwrite($fout, "cache_log none\n"); + fwrite($fout, "cache_store_log none\n"); + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); + fwrite($fout, "forwarded_for off\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "visible_hostname pfSense\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "maximum_object_size 4096 KB\n"); + fwrite($fout, "minimum_object_size 0 KB\n"); + fwrite($fout, "\n"); + + fwrite($fout, "request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); +} + +function mod_htpasswd() { + global $config; + conf_mount_rw(); + config_lock(); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + +?> diff --git a/config/squid3-reverse/squid_ng.xml b/config/squid3-reverse/squid_ng.xml new file mode 100644 index 00000000..cb535cd3 --- /dev/null +++ b/config/squid3-reverse/squid_ng.xml @@ -0,0 +1,267 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>2.5.12_4</version> + <title>Services: Proxy Server</title> + <category>Security</category> + <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/squid_ng.inc</include_file> + <menu> + <name>Squid</name> + <tooltiptext>Modify settings for Proxy Server</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </menu> + <menu> + <name>Squid stats</name> + <tooltiptext>Show Squid statistics</tooltiptext> + <section>Services</section> + <url>/cachemgr.cgi</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + </service> + <tabs> + <tab> + <text>General Settings</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Network Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + </tab> + </tabs> + <configpath>installedpackages->package->squidng->configuration->settings</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_ng.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_auth.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid3/squid_extauth.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Proxy Listening Interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>This defines the active listening interface to which the proxy server will listen for its requests.</description> + <type>interfaces_selection</type> + </field> + <field> + <fielddescr>Transparent Proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>URL Filtering Enabled</fielddescr> + <fieldname>urlfilter_enable</fieldname> + <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable Access Log</fielddescr> + <fieldname>accesslog_disabled</fieldname> + <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log Query Terms</fielddescr> + <fieldname>log_query_terms</fieldname> + <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log User Agents</fielddescr> + <fieldname>log_user_agents</fieldname> + <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Proxy Port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description> + <type>input</type> + <size>4</size> + <combinefieldsend>true</combinefieldsend> + </field> + <field> + <fielddescr>ICP Port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description> + <type>input</type> + <size>4</size> + </field> + <field> + <fielddescr>Visible Hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This URL is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Cache Administrator E-Mail</fielddescr> + <fieldname>cache_admin_email</fieldname> + <description>This E-Mail address is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Error Messages Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the Proxy Server shall display error messages to users.</description> + <type>select</type> + <options> + <option><name>Bulgarian</name><value>Bulgarian</value></option> + <option><name>Catalan</name><value>Catalan</value></option> + <option><name>Czech</name><value>Czech</value></option> + <option><name>Danish</name><value>Danish</value></option> + <option><name>Dutch</name><value>Dutch</value></option> + <option><name>English</name><value>English</value></option> + <option><name>Estonian</name><value>Estonian</value></option> + <option><name>Finnish</name><value>Finnish</value></option> + <option><name>French</name><value>French</value></option> + <option><name>German</name><value>German</value></option> + <option><name>Hebrew</name><value>Hebrew</value></option> + <option><name>Hungarian</name><value>Hungarian</value></option> + <option><name>Italian</name><value>Italian</value></option> + <option><name>Japanese</name><value>Japanese</value></option> + <option><name>Korean</name><value>Korean</value></option> + <option><name>Lithuanian</name><value>Lithuanian</value></option> + <option><name>Polish</name><value>Polish</value></option> + <option><name>Portuguese</name><value>Portuguese</value></option> + <option><name>Romanian</name><value>Romanian</value></option> + <option><name>Russian-1251</name><value>Russian-1251</value></option> + <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option> + <option><name>Serbian</name><value>Serbian</value></option> + <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option> + <option><name>Slovak</name><value>Slovak</value></option> + <option><name>Spanish</name><value>Spanish</value></option> + <option><name>Swedish</name><value>Swedish</value></option> + <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option> + <option><name>Turkish</name><value>Turkish</value></option> + </options> + </field> + <field> + <fielddescr>Enable cachemgr</fielddescr> + <fieldname>cachemgr_enabled</fieldname> + <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description> + <type>checkbox</type> + </field> + + </fields> + <custom_add_php_command_late> + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_add_php_command_late> + <custom_php_install_command> + custom_php_install_command(); + write_static_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_php_install_command> + <custom_php_deinstall_command> + custom_php_deinstall_command(); + stop_service("squid"); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/squid3-reverse/squid_traffic.xml b/config/squid3-reverse/squid_traffic.xml new file mode 100644 index 00000000..d560a7ad --- /dev/null +++ b/config/squid3-reverse/squid_traffic.xml @@ -0,0 +1,177 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidtraffic</name> + <version>none</version> + <title>Proxy server: Traffic management</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Maximum download size</fielddescr> + <fieldname>max_download_size</fieldname> + <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum upload size</fielddescr> + <fieldname>max_upload_size</fieldname> + <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Overall bandwidth throttling</fielddescr> + <fieldname>overall_throttling</fieldname> + <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Per-host throttling</fielddescr> + <fieldname>perhost_throttling</fieldname> + <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Throttle only specific extensions</fielddescr> + <fieldname>throttle_specific</fieldname> + <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> + <type>checkbox</type> + <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Throttle binary files</fielddescr> + <fieldname>throttle_binaries</fieldname> + <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle CD images</fielddescr> + <fieldname>throttle_cdimages</fieldname> + <description>Check this to apply bandwidth throttle to CD image files.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle multimedia files</fielddescr> + <fieldname>throttle_multimedia</fieldname> + <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle other extensions</fielddescr> + <fieldname>throttle_others</fieldname> + <description>Comma-separated list of extensions to apply bandwidth throttle to.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Finish transfer if less than x KB remaining</fielddescr> + <fieldname>quick_abort_min</fieldname> + <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Abort transfer if more than x KB remaining</fielddescr> + <fieldname>quick_abort_max</fieldname> + <description>If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Finish transfer if more than x % finished</fielddescr> + <fieldname>quick_abort_pct</fieldname> + <description>If more than x % of the transfer has completed, it will finish the retrieval.</description> + <type>input</type> + <default_value>0</default_value> + </field> + </fields> + <custom_php_validation_command> + squid_validate_traffic($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3-reverse/squid_upstream.xml b/config/squid3-reverse/squid_upstream.xml new file mode 100644 index 00000000..ad494524 --- /dev/null +++ b/config/squid3-reverse/squid_upstream.xml @@ -0,0 +1,133 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidupstream</name> + <version>none</version> + <title>Proxy server: Upstream proxy settings</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Enable forwarding</fielddescr> + <fieldname>proxy_forwarding</fieldname> + <description>This option enables the proxy server to forward requests to an upstream server.</description> + <type>checkbox</type> + <enablefields>proxy_addr,proxy_port,icp_port,username,password</enablefields> + <required/> + </field> + <field> + <fielddescr>Hostname</fielddescr> + <fieldname>proxy_addr</fieldname> + <description>Enter here the IP address or host name of the upstream proxy.</description> + <type>input</type> + </field> + <field> + <fielddescr>TCP port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>Enter the port to use to connect to the upstream proxy.</description> + <type>input</type> + <size>5</size> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> + <type>input</type> + <size>5</size> + <default_value>7</default_value> + </field> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>If the upstream proxy requires a username, specify it here.</description> + <type>input</type> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>If the upstream proxy requires a password, specify it here.</description> + <type>password</type> + </field> + </fields> + <custom_php_validation_command> + squid_validate_upstream($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3-reverse/squid_users.xml b/config/squid3-reverse/squid_users.xml new file mode 100644 index 00000000..eef6389f --- /dev/null +++ b/config/squid3-reverse/squid_users.xml @@ -0,0 +1,120 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidusers</name> + <version>none</version> + <title>Proxy server: Local users</title> + <include_file>squid.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + <active/> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>Enter the username here.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Enter the password here.</description> + <type>password</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>You may enter a description here for your reference (not parsed).</description> + <type>input</type> + </field> + </fields> + <custom_php_resync_config_command> + squid_resync_users(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid3/squid.inc b/config/squid3/squid.inc index 417eaeae..c1b5b419 100644 --- a/config/squid3/squid.inc +++ b/config/squid3/squid.inc @@ -344,17 +344,6 @@ function squid_validate_general($post, $input_errors) { $input_errors[] = "You can not run squid on the same port as the webgui"; } - if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) { - $input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy."; - } - - if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) { - $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy."; - } - if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off_dest'])) { - $input_errors[] = "You can not bypass traffic to specific IPs without using the transparent proxy."; - } - foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); diff --git a/config/squid3/squid.xml b/config/squid3/squid.xml index 414ac0ff..f82cf81a 100644 --- a/config/squid3/squid.xml +++ b/config/squid3/squid.xml @@ -166,6 +166,7 @@ <fieldname>transparent_proxy</fieldname> <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> <type>checkbox</type> + <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> <required/> </field> <field> @@ -177,14 +178,14 @@ <field> <fielddescr>Bypass proxy for these source IPs</fielddescr> <fieldname>defined_ip_proxy_off</fieldname> - <description>Do not forward traffic from these <b>source</b> IPs, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;).</description> + <description>Do not forward traffic from these <b>source</b> IPs, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> <size>80</size> </field> <field> <fielddescr>Bypass proxy for these destination IPs</fielddescr> <fieldname>defined_ip_proxy_off_dest</fieldname> - <description>Do not proxy traffic going to these <b>destination</b> IPs, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;).</description> + <description>Do not proxy traffic going to these <b>destination</b> IPs, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> <size>80</size> </field> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index f622bd71..89f25b46 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -769,17 +769,19 @@ function unbound_add_host_entries() { $added_item = array(); foreach ($hosts as $host) { $current_host = $host['host']; + if ($host['host'] != "") + $host['host'] = $host['host']."."; if(!$added_item[$current_host]) { - $host_entries .= "local-data-ptr: \"{$host['ip']} {$host['host']}.{$host['domain']}\"\n"; + $host_entries .= "local-data-ptr: \"{$host['ip']} {$host['host']}{$host['domain']}\"\n"; if(function_exists("is_ipaddrv6")) { if (is_ipaddrv6($host['ip'])) - $host_entries .= "local-data: \"{$host['host']}.{$host['domain']} IN AAAA {$host['ip']}\"\n"; + $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN AAAA {$host['ip']}\"\n"; else - $host_entries .= "local-data: \"{$host['host']}.{$host['domain']} IN A {$host['ip']}\"\n"; + $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n"; } else - $host_entries .= "local-data: \"{$host['host']}.{$host['domain']} IN A {$host['ip']}\"\n"; + $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n"; if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on') - $host_entries .= "local-data: '{$host['host']}.{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; + $host_entries .= "local-data: '{$host['host']}{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; // Do not add duplicate entries $added_item[$current_host] = true; diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 04b3f91c..ff73d1ed 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -47,7 +47,7 @@ <name>Unbound DNS</name> <tooltiptext>Setup Unbound specific settings</tooltiptext> <section>Services</section> - <url>pkg_edit.php?xml=unbound.xml&id=0</url> + <url>/pkg_edit.php?xml=unbound.xml&id=0</url> </menu> <service> <name>unbound</name> diff --git a/config/unbound/unbound_acls.xml b/config/unbound/unbound_acls.xml index 992a9c63..7c6840ce 100644 --- a/config/unbound/unbound_acls.xml +++ b/config/unbound/unbound_acls.xml @@ -47,7 +47,7 @@ <name>Unbound DNS</name> <tooltiptext>Setup Unbound specific settings</tooltiptext> <section>Services</section> - <url>pkg_edit.php?xml=unbound.xml&id=0</url> + <url>/pkg_edit.php?xml=unbound.xml&id=0</url> </menu> <tabs> <tab> diff --git a/config/unbound/unbound_advanced.xml b/config/unbound/unbound_advanced.xml index 03ba8157..10449b2d 100644 --- a/config/unbound/unbound_advanced.xml +++ b/config/unbound/unbound_advanced.xml @@ -47,7 +47,7 @@ <name>Unbound DNS</name> <tooltiptext>Setup Unbound specific settings</tooltiptext> <section>Services</section> - <url>pkg_edit.php?xml=unbound.xml&id=0</url> + <url>/pkg_edit.php?xml=unbound.xml&id=0</url> </menu> <service> <name>unbound</name> diff --git a/config/varnish64/varnish.inc b/config/varnish64/varnish.inc index 50d804fb..abf07018 100644 --- a/config/varnish64/varnish.inc +++ b/config/varnish64/varnish.inc @@ -141,7 +141,6 @@ function varnish_get_url_mappings_txt() { else{ if(!$isfirst) $urlmappings .= "\telse "; - #req.http.host == "procesual.trf1.jus.br" $urlmappings .= "if (req.$req $fieldtype ".'"'.$url['directorurl'].$url['directorurl2'].'") {'."\n"; #check failover $urlbackend = "\t\t\tset req.backend = ".$url['directorname'].";"; @@ -283,7 +282,7 @@ function get_backend_config_txt() { else $first_byte_timeout = "300s"; if($backend['probe_url']) - if (preg_match("@^(http)://([a-zA-Z0-9.]*)/(.*)$@",$backend['probe_url'],$matches)){ + if (preg_match("@^(http)://([a-zA-Z0-9.-]*)/(.*)$@",$backend['probe_url'],$matches)){ $probe_url=".request =\n"; $probe_url.="\t\t\t".'"GET /'.$matches[3].' HTTP/1.1"'."\n"; $probe_url.="\t\t\t".'"Accept: text/*"'."\n"; @@ -395,7 +394,7 @@ function sync_package_varnish() { } $vcl_recv_set_basic='#BASIC VCL RULES SETTING'."\n"; $vcl_recv_action_basic='#BASIC VCL RULES ACTIONS'."\n"; - $plataform=posix_uname(); + #$plataform=posix_uname(); foreach($config['installedpackages']['varnishsettings']['config'] as $vcl) { if($vcl['fixgzip']){ $vcl_recv_set_basic.="\t#Fix gzip compression\n"; @@ -405,7 +404,7 @@ function sync_package_varnish() { $vcl_recv_set_basic.="\t".'else if (req.http.Accept-Encoding ~ "deflate") {'."\n\t\tset req.http.Accept-Encoding = ".'"deflate"'.";\n\t\t}\n"; $vcl_recv_set_basic.="\telse\t{\n\t\tunset req.http.Accept-Encoding;\n\t\t}\n\t}\n"; } - if($vcl['clientbalance'] && $plataform['machine'] == 'amd64'){ + #if($vcl['clientbalance'] && $plataform['machine'] == 'amd64'){ $vcl_recv_set_basic.="\t#set client balance identity\n"; switch ($vcl['clientbalance']){ case 'url': @@ -418,7 +417,7 @@ function sync_package_varnish() { $vcl_recv_set_basic.="\t".'set client.identity = req.http.user-agent;'."\n\n"; break; } - } + #} if($vcl['grace'] ){ $vcl_grace_time="set beresp.grace = ".$vcl['grace'].";\n\t\t"; } diff --git a/config/varnish64/varnish_settings.xml b/config/varnish64/varnish_settings.xml index fdbf91e2..0576caad 100644 --- a/config/varnish64/varnish_settings.xml +++ b/config/varnish64/varnish_settings.xml @@ -166,7 +166,7 @@ <field> <fielddescr>Client identity method</fielddescr> <fieldname>clientbalance</fieldname> - <description><![CDATA[Select how varnish will balance clients when using client Load Balance method. (Choose IP address on i386 systems)]]></description> + <description><![CDATA[Select how varnish will balance clients when using client Load Balance method.]]></description> <type>select</type> <options> <option><name>IP address (keep sessions working)</name><value>ip</value></option> diff --git a/config/widget-antivirus/antivirus_status.widget.php b/config/widget-antivirus/antivirus_status.widget.php index a908d7b8..bcd057b3 100644 --- a/config/widget-antivirus/antivirus_status.widget.php +++ b/config/widget-antivirus/antivirus_status.widget.php @@ -71,9 +71,13 @@ function dwg_avbases_info() $db = '<table width="100%" border="0" cellspacing="0" cellpadding="1" ><tbody>'; $db .= '<tr class="vncellt" ><td>Database</td><td>Date</td><td>Ver.</td><td>Builder</td></tr>'; $db .= havp_avdb_info("daily.cld"); + $db .= havp_avdb_info("daily.cvd"); $db .= havp_avdb_info("bytecode.cld"); + $db .= havp_avdb_info("bytecode.cvd"); + $db .= havp_avdb_info("main.cld"); $db .= havp_avdb_info("main.cvd"); $db .= havp_avdb_info("safebrowsing.cld"); + $db .= havp_avdb_info("safebrowsing.cvd"); $db .= '</tbody></table>'; return $db; } |