Diffstat (limited to 'config')
-rw-r--r--config/havp/havp.inc656
-rw-r--r--config/havp/havp.xml250
-rw-r--r--config/squid/squid.xml8
-rw-r--r--config/squid3/squid.xml8
4 files changed, 914 insertions, 8 deletions
diff --git a/config/havp/havp.inc b/config/havp/havp.inc
new file mode 100644
index 00000000..85427eb2
--- /dev/null
+++ b/config/havp/havp.inc
@@ -0,0 +1,656 @@
+<?php
+/*
+ havp.inc
+ Part of pfSense package
+ Copyright (C) 2008 Serg Dvorianceev
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* ! ÍÀVP v.0.88 !*/
+
+require_once('globals.inc');
+require_once('config.inc');
+require_once('util.inc');
+require_once('pfsense-utils.inc');
+require_once('pkg-utils.inc');
+require_once('filter.inc');
+require_once('service-utils.inc');
+
+# defines
+define('HV_USER', 'havp');
+define('HV_AV_USER', 'havp');
+
+define('HV_WORKDIR', '/usr/local/etc/havp');
+define('HV_CONFIGFILE', '/havp.config');
+define('HV_WHITELISTFILE', '/whitelist');
+define('HV_BLACKLISTFILE', '/blacklist');
+
+define('HV_PIDFILE', '/var/run/havp.pid');
+define('HV_LOGDIR', '/var/log/havp');
+define('HV_AVLOGDIR', '/var/log/clamav');
+define('HV_ACCESSLOG', '/access.log');
+define('HV_LOG', '/havp.log');
+define('HV_TEMPDIR', '/var/tmp');
+define('HV_HAVPTEMPDIR', '/var/tmp/havp');
+define('HV_SCANTEMPFILE', '/havp/havp-XXXXXX');
+define('HV_DEFAULTPORT', '3125');
+define('HV_DEFAULTADDR', '127.0.0.1');
+define('HV_TEMPLATEPATH', '/usr/local/share/examples/havp/templates');
+define('HV_CRONNAME_AVUPD','havp_av_update');
+define('HV_CRONCMD_AVUPD', '/usr/local/etc/rc.d/clamav-freshclam start');
+define('HV_CRONKEY_AVUPD', '/clamav-freshclam');
+define('HV_AVUPD_SCRIPT', '/usr/local/etc/rc.d/havp_avupdate.sh');
+define('HV_FRESHCLAM_CONFIGFILE', '/usr/local/etc/freshclam.conf');
+
+# XML fields
+define('XML_HAVPENABLE', 'enable');
+define('XML_HAVPLANG', 'havplang');
+define('XML_PARENTPROXY', 'parentproxy');
+define('XML_WHITELIST', 'whitelist');
+define('XML_BLACKLIST', 'blacklist');
+define('XML_PROXYIFACE', 'proxyiface');
+define('XML_PROXYPORT', 'proxyport');
+define('XML_USEEXTIFACE', 'listenextinterface');
+define('XML_XFORWARDEDFOR', 'xforwardedfor');
+define('XML_FAILSCANERROR', 'failscanerror');
+define('XML_LANGUAGE', 'lang');
+define('XML_SCANIMG', 'scanimg');
+define('XML_SCANARC', 'scanarc');
+define('XML_SCANMAXSIZE', 'scanmaxsize');
+define('XML_MAXDOWNLOADSIZE', 'maxdownloadsize');
+define('XML_SYSLOG', 'syslog');
+define('XML_HAVPUPDATE', 'havpavupdate');
+# define('','');
+
+function havp_install(){
+ havp_check_system();
+}
+
+function havp_deinstall() {
+ havp_setup_cron(HV_CRONNAME_AVUPD,"", "");
+ mwexec("rm -rf " . HV_AVUPD_SCRIPT);
+ mwexec("rm -rf " . HV_PIDFILE);
+}
+
+function havp_resync() {
+ global $config;
+ $pfconf = $config['installedpackages']['havp']['config'][0];
+
+ havp_check_system();
+
+ # whitelist and blacklist
+ # also white-listed:
+ $whitelist = havp_whitelist_def() . "\n" . str_replace(" ", "\n", base64_decode($pfconf[XML_WHITELIST]));
+ $blacklist = str_replace(" ", "\n", base64_decode($pfconf[XML_BLACKLIST]));
+ # stupid havp parser - error on 0x0D:
+ $whitelist = str_replace("\r", "", $whitelist);
+ $blacklist = str_replace("\r", "", $blacklist);
+ file_put_contents(HV_WORKDIR . HV_WHITELISTFILE, $whitelist);
+ file_put_contents(HV_WORKDIR . HV_BLACKLISTFILE, $blacklist);
+
+ # config havp
+ file_put_contents(HV_WORKDIR . HV_CONFIGFILE, havp_config());
+ set_file_access(HV_WORKDIR, HV_USER, '0755');
+
+ # config freshclam
+ file_put_contents(HV_FRESHCLAM_CONFIGFILE, havp_config_freshclam());
+ set_file_access(HV_FRESHCLAM_CONFIGFILE, HV_AV_USER, '0664');
+
+ # cron task
+ $on = false;
+ $opt = array("0", "*", "*", "*", "*", "root", "/usr/bin/nice -n20 " . HV_AVUPD_SCRIPT);
+ switch($pfconf['havpavupdate']) {
+ case 'none': $on = false; break;
+ case 'hv_01h': $on = true; $opt[1]= "*/1"; break;
+ case 'hv_02h': $on = true; $opt[1]= "*/2"; break;
+ case 'hv_03h': $on = true; $opt[1]= "*/3"; break;
+ case 'hv_04h': $on = true; $opt[1]= "*/4"; break;
+ case 'hv_06h': $on = true; $opt[1]= "*/6"; break;
+ case 'hv_08h': $on = true; $opt[1]= "*/8"; break;
+ case 'hv_12h': $on = true; $opt[1]= "*/12"; break;
+ case 'hv_24h': $on = true; $opt[1]= "0"; break;
+ default: break;
+ }
+ havp_setup_cron(HV_CRONNAME_AVUPD, $opt, $on);
+
+ mwexec("killall havp");
+ mwexec("killall havp");
+ mwexec("/usr/local/sbin/havp -c /usr/local/etc/havp" . HV_CONFIGFILE);
+
+mountRAMdisk();
+
+}
+
+function havp_check_system() {
+
+ # workdir permissions
+ set_file_access(HV_WORKDIR, HV_USER, '');
+
+ # tempdir
+ if (!file_exists(HV_HAVPTEMPDIR)) mwexec("mkdir -p " . HV_HAVPTEMPDIR);
+ set_file_access(HV_HAVPTEMPDIR, HV_USER, '');
+
+ # template permissions
+ set_file_access(HV_TEMPLATEPATH, HV_USER, '');
+
+ # log files exists ?
+ if (!file_exists(HV_LOGDIR . HV_ACCESSLOG)) file_put_contents(HV_LOGDIR . HV_ACCESSLOG, '');
+ if (!file_exists(HV_LOGDIR . HV_LOG)) file_put_contents(HV_LOGDIR . HV_LOG, '');
+ # log dir permissions
+ set_file_access(HV_LOGDIR, HV_USER, '0764');
+
+ # pid file
+ if (!file_exists(HV_PIDFILE)) file_put_contents(HV_PIDFILE, '');
+ set_file_access(HV_PIDFILE, HV_USER, '0664');
+
+ # freshclam config permissions
+ if (!file_exists(HV_FRESHCLAM_CONFIGFILE)) file_put_contents(HV_FRESHCLAM_CONFIGFILE, '');
+ set_file_access(HV_FRESHCLAM_CONFIGFILE, HV_AV_USER, '0664');
+
+ # log files exists ?
+ if (!file_exists(HV_AVLOGDIR . '/clamd.log')) file_put_contents(HV_AVLOGDIR . '/clamd.log', '');
+ if (!file_exists(HV_AVLOGDIR . '/freshclam.log')) file_put_contents(HV_AVLOGDIR . '/freshclam.log', '');
+ # log dir permissions
+ set_file_access(HV_AVLOGDIR, HV_USER, '0777');
+
+ # checking dir's and permissions
+ # "DatabaseDirectory /var/db/clamav";
+ # "UpdateLogFile /var/log/clamav/freshclam.log";
+
+ # AV update script
+ file_put_contents(HV_AVUPD_SCRIPT, havp_AVupdate_script());
+ set_file_access(HV_AVUPD_SCRIPT, HV_AV_USER, '0755');
+}
+
+function havp_validate_settings($post, $input_errors) {
+ $submit = isset($_GET['submit']) ? $_GET['submit'] : $_POST['submit'];
+
+ # manual update AV database
+ if ($submit === 'Update_AV')
+ havp_update_AV();
+ else {
+ $prxport = trim($post[XML_PROXYPORT]);
+ if (!empty($prxport) && !is_port($prxport))
+ $input_errors[] = 'You must enter a valid port number in the \'Proxy port\' field';
+
+ # check whitelist
+ $lst = explode("\n", str_replace(" ", "\n", $post[XML_WHITELIST]));
+ foreach ($lst as $dm) {
+ $dm = trim($dm);
+ if ($dm && check_bw_domain($dm) === false)
+ $input_errors[] = "Invalid whitelist element '$dm'.";
+ }
+
+ # check blacklist
+ $lst = explode("\n", str_replace(" ", "\n", $post[XML_BLACKLIST]));
+ foreach ($lst as $dm) {
+ $dm = trim($dm);
+ if ($dm && check_bw_domain($dm) === false)
+ $input_errors[] = "Invalid blacklist element '$dm'.";
+ }
+ }
+
+}
+
+function havp_config() {
+ global $config;
+ $pfconf = $config['installedpackages']['havp']['config'][0];
+ $conf = array();
+
+ $conf[] =
+"# ============================================================
+# HAVP config file
+# This file generated automaticly with HAVP configurator (part of pfSense)
+# (C)2008 Serg Dvoriancev
+# email: dv_serg@mail.ru
+# ============================================================
+";
+
+ $conf[] = "USER " . HV_USER;
+ $conf[] = "GROUP " . HV_USER;
+ $conf[] = "DAEMON true";
+ $conf[] = "PIDFILE " . HV_PIDFILE;
+ $conf[] = "\n# For single user home use, 8 should be minimum.";
+ $conf[] = "# For 500 users corporate use, start at 40.";
+ $conf[] = "SERVERNUMBER 3";
+ $conf[] = "MAXSERVERS 100";
+
+ # log
+ $conf[] = "\n# log ";
+ $conf[] = "ACCESSLOG " . HV_LOGDIR . HV_ACCESSLOG;
+ $conf[] = "ERRORLOG " . HV_LOGDIR . HV_LOG;
+ # syslog
+ $syslog = ($pfconf[XML_SYSLOG] === 'on') ? 'true' : 'false';
+ $conf[] = "\n# syslog";
+ $conf[] = "USESYSLOG $syslog"; # use syslog?
+ $conf[] = "SYSLOGNAME havp";
+ $conf[] = "SYSLOGFACILITY daemon";
+ $conf[] = "SYSLOGLEVEL info";
+ #
+ $conf[] = "\n# Level of HAVP logging\n# 0 = Only serious errors and information\n# 1 = Less interesting information is included";
+ $conf[] = "LOG_OKS true"; # true - for debug, false - for work
+ $conf[] = "LOGLEVEL 1"; # 0 - work level, 1 - debug level
+
+ # temp
+ $conf[] = "\n# temp ";
+ $conf[] = "SCANTEMPFILE " . HV_TEMPDIR . HV_SCANTEMPFILE;
+ $conf[] = "TEMPDIR " . HV_TEMPDIR;
+
+ $conf[] = "\n#";
+ $conf[] = "DBRELOAD 180";
+ $conf[] = "TRANSPARENT false";
+ $conf[] = "FORWARDED_IP false";
+
+ # X-FORWARD
+ $conf[] = "\n# X-FORWARD: proxy can include system's IP address or name in the HTTP requests it forwards";
+ $v = ($pfconf[XML_XFORWARDEDFOR] === 'on') ? "true" : "false";
+ $conf[] = "X_FORWARDED_FOR $v";
+
+ # parent proxy = [proxy:port]
+ if (!empty($pfconf[XML_PARENTPROXY])) {
+ $prxy = str_replace(" ", ":", $pfconf[XML_PARENTPROXY]);
+ $prxy = explode(":", $prxy);
+ $conf[] = "\n# parent proxy ";
+ $conf[] = "PARENTPROXY {$prxy[0]}";
+ $conf[] = "PARENTPORT {$prxy[1]}";
+ }
+
+ # proxy listening on
+ $conf[] = "\n# havp is listening on ";
+ $pxyport = HV_DEFAULTPORT;
+ $pxyaddr = HV_DEFAULTADDR;
+ if (!empty($pfconf[XML_PROXYPORT])) $pxyport = $pfconf[XML_PROXYPORT];
+ if ($pfconf[XML_USEEXTIFACE] === 'on' && !empty($pfconf[XML_PROXYIFACE])) {
+ $pxyaddr = get_real_interface_address($pfconf[XML_PROXYIFACE]);
+ $pxyaddr = $pxyaddr[0];
+ }
+ $conf[] = "PORT $pxyport";
+ $conf[] = "BIND_ADDRESS $pxyaddr";
+
+ # template files language
+ $conf[] = "\n# Path to template files ";
+ if (!empty($pfconf[XML_LANGUAGE]))
+ $conf[] = "TEMPLATEPATH " . HV_TEMPLATEPATH . "/" . trim($pfconf[XML_LANGUAGE]);
+ else $conf[] = "TEMPLATEPATH " . HV_TEMPLATEPATH . "/en";
+
+ $conf[] = "\n# whitelist and blacklist";
+ $conf[] = "WHITELISTFIRST true";
+ $conf[] = "WHITELIST /usr/local/etc/havp" . HV_WHITELISTFILE;
+ $conf[] = "BLACKLIST /usr/local/etc/havp" . HV_BLACKLISTFILE;
+
+ # failscanerror - pass/block files if scanner error
+ $conf[] = "\n# block file if error scanning";
+ $v = ($pfconf[XML_FAILSCANERROR] === 'on') ? "true" : "false";
+ $conf[] = "FAILSCANERROR $v";
+
+ $conf[] = "\n# scanner ";
+ $conf[] = "SCANNERTIMEOUT 10";
+ $conf[] = "RANGE false";
+
+ $conf[] = "\n# stream";
+ $conf[] = "STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS";
+ $conf[] = "STREAMSCANSIZE 20000";
+
+ # scan image
+ $v = ($pfconf[XML_SCANIMG] === 'on') ? "true" : "false";
+ $conf[] = "SCANIMAGES $v";
+
+ $val = (!empty($pfconf[XML_SCANMAXSIZE]) && is_numeric($pfconf[XML_SCANMAXSIZE])) ? $pfconf[XML_SCANMAXSIZE] : 0;
+ $conf[] = "MAXSCANSIZE $v";
+
+ $conf[] = "# KEEPBACKBUFFER 200000";
+ $conf[] = "# KEEPBACKTIME 5";
+
+ $conf[] = "# After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive";
+ $conf[] = "TRICKLING 30";
+
+ $conf[] = "# Downloads larger than MAXDOWNLOADSIZE will be blocked.";
+ $val = (!empty($pfconf[XML_DOWNLOADMAXSIZE]) && is_numeric($pfconf[XML_DOWNLOADMAXSIZE])) ? $pfconf[XML_DOWNLOADMAXSIZE] : 0;
+ $conf[] = "MAXDOWNLOADSIZE $val";
+
+ $conf[] = "\n# ClamAV Library Scanner (libclamav) ";
+ $conf[] = "ENABLECLAMLIB true";
+ $conf[] = "# Should we block encrypted archives?";
+ $conf[] = "# CLAMBLOCKENCRYPTED false";
+ $conf[] = "# Should we block files that go over maximum archive limits?";
+ $conf[] = "# CLAMBLOCKMAX false";
+ $conf[] = "# Scanning limits inside archives (filesize = MB):";
+ $conf[] = "# CLAMMAXFILES 1000";
+ $conf[] = "# CLAMMAXFILESIZE 10";
+ $conf[] = "# CLAMMAXRECURSION 8";
+ $conf[] = "# CLAMMAXRATIO 250";
+
+ $conf[] = "";
+ return implode("\n", $conf);
+}
+
+function havp_config_freshclam()
+{
+ global $config;
+ $pfconf = $config['installedpackages']['havp']['config'][0];
+ $conf = array();
+
+ $conf[] =
+"# ============================================================
+# freshclam(HAVP) config file
+# This file generated automaticly with HAVP configurator (part of pfSense)
+# (C)2008 Serg Dvoriancev
+# email: dv_serg@mail.ru
+# ============================================================
+";
+ $conf[] = "DatabaseDirectory /var/db/clamav";
+# --
+# disable log to file while error not solved:
+# "ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log)."
+# --
+# $conf[] = "UpdateLogFile /var/log/clamav/freshclam.log";
+
+ if ($pfconf[XML_SYSLOG] === 'on') {
+ $conf[] = "\n# syslog";
+ $conf[] = "LogSyslog yes";
+ $conf[] = "LogFacility LOG_LOCAL6"; # LOG_LOCAL6 | LOG_MAIL
+ }
+
+ $conf[] = "\n# pid";
+ $conf[] = "PidFile /var/run/clamav/freshclam.pid";
+
+ $conf[] = "\n# db";
+ $conf[] = "DatabaseOwner clamav";
+ $conf[] = "AllowSupplementaryGroups yes";
+ $conf[] = "DNSDatabaseInfo current.cvd.clamav.net";
+
+ $avsrv = $pfconf['avupdateserver'];
+ $avsrv = explode(" ", trim($avsrv));
+
+ foreach ($avsrv as $asr)
+ if (!empty($asr))
+ $conf[] = "DatabaseMirror $asr";
+
+ # regional mirror
+ if (!empty($pfconf['dbregion'])) {
+ $conf[] = '# regional db';
+ switch($pfconf['dbregion']) {
+ case 'au': $conf[] = "DatabaseMirror clamav.mirror.ayudahosting.com.au"; break; # australia
+ case 'ca': $conf[] = "DatabaseMirror clamav.mirror.rafal.ca"; break; # canada
+ case 'cn': $conf[] = "DatabaseMirror 4most2.clamav.ialfa.net"; break; # china
+ case 'eu': $conf[] = "DatabaseMirror clamav.edpnet.net"; break; # europe
+ case 'id': $conf[] = "DatabaseMirror db.clamav.or.id"; break; # indonesia
+ case 'jp': $conf[] = "DatabaseMirror clamavdb2.ml-club.jp"; break; # japan
+ case 'kr': $conf[] = "DatabaseMirror clamav.hostway.co.kr"; break; # korea
+ case 'ml': $conf[] = "DatabaseMirror clamav.doubleukay.com"; break; # malaysia
+ case 'ru': $conf[] = "DatabaseMirror clamav.citrin.ru"; break; # russia
+ case 'sa': $conf[] = "DatabaseMirror clamav.dial-up.net"; break; # south africa
+ case 'tw': $conf[] = "DatabaseMirror clamav.cs.pu.edu.tw"; break; # taiwan
+ case 'uk': $conf[] = "DatabaseMirror clamav.oucs.ox.ac.uk"; break; # united kingdom
+ case 'us': $conf[] = "DatabaseMirror clamav.catt.com "; break; # united states
+ default: break;
+ }
+ }
+
+# $conf[] = "DatabaseMirror db.ru.clamav.net";
+# $conf[] = "DatabaseMirror db.us.clamav.net";
+
+ $conf[] = "\n# DO NOT TOUCH the following line ";
+ $conf[] = "DatabaseMirror database.clamav.net";
+
+ $conf[] = "\n# Number of database checks per day. Default: 12 (every two hours)";
+ $chks = 0;
+ switch($pfconf['havpavupdate']) {
+ case 'none': $chks = 0; break;
+ case 'hv_01h': $chks = 24; break;
+ case 'hv_02h': $chks = 12; break;
+ case 'hv_03h': $chks = 8; break;
+ case 'hv_04h': $chks = 6; break;
+ case 'hv_06h': $chks = 4; break;
+ case 'hv_08h': $chks = 3; break;
+ case 'hv_12h': $chks = 2; break;
+ case 'hv_24h': $chks = 1; break;
+ }
+ $conf[] = "Checks $chks";
+
+# $conf[] = "# Proxy settings"; # future
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# MAKE GUI Errors display
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Enable debug messages in libclamav.
+# Default: disabled
+#Debug
+
+ $conf[] = "";
+ return implode("\n", $conf);
+}
+
+function havp_whitelist_def() {
+ $whitelist = array();
+
+ $whitelist[] = "*sourceforge.net/*clamav-*";
+ $whitelist[] = "*pfsense.com/*";
+ $whitelist[] = "*.microsoft.com/*";
+ $whitelist[] = "*.windowsupdate.com/*"; # M$ & M$ update
+ # media and image extensions
+ $whitelist[] = "*/*.gif\n*/*.swf\n*/*.png\n*/*.jpg\n*/*.jpeg\n*/*.mov\n*/*.avi\n*/*.flv\n*/*.bmp\n*/*.ico\n*/*.pdf\n*/*.mp3\n*/*.wma\n*/*.wmv\n*/*.ogg";
+
+ return implode("\n", $whitelist);
+}
+
+# RAM disk
+# Mem - RAM
+# 128M - 16M
+# 256M - 32M
+# 512M - 64M
+# 1G - 128M
+#
+function mountRAMdisk()
+{
+# disabled for VMware
+# return;
+
+ # detach and free all resources used by /dev/md10:
+ mwexec("umount /var/tmp/havp");
+ mwexec("mdconfig -d -u 10");
+
+ # create and mount a 8MByte swap backed file system on /var/tmp/havp by /dev/md10:
+ mwexec("mdconfig -a -t swap -s 1M -u 10");
+ mwexec("newfs -U /dev/md10");
+ mwexec("mount /dev/md10 /var/tmp/havp");
+ mwexec("chmod 1777 /var/tmp/havp");
+}
+
+# ------------------------------------------------------------------------------
+function set_file_access($dir, $owner, $mod) {
+ mwexec("chgrp -R -v $owner $dir");
+ mwexec("chown -R -v $owner $dir");
+ if (!empty($mod)) {
+ mwexec( "chmod -R -v $mod $dir");
+ }
+}
+
+# Src from squid.inc
+# Copyright (C) 2006 Scott Ullrich
+# Copyright (C) 2006 Fernando Lemos
+function get_real_interface_address($iface) {
+ global $config;
+
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
+ list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
+
+ return array($ip, long2ip(hexdec($netmask)));
+}
+#-------------------------------------------------------------------------------
+
+function havp_update_AV() {
+ # AV update script
+ if (file_exists(HV_AVUPD_SCRIPT)) {
+ file_put_contents(HV_AVUPD_SCRIPT, havp_AVupdate_script());
+ set_file_access(HV_AVUPD_SCRIPT, HV_AV_USER, '0755');
+ }
+ mwexec(HV_AVUPD_SCRIPT);
+}
+
+# *** check black/white list domain ***
+# Lines can hold URLs with wildcards with following rules:
+# Line must cointain Domain/Path
+# Domains can have a wildcard at begin.
+# Pages can hav a wildcard at begin and end.
+# URLs without wildcards are exact
+# Examples:
+# (1) www.server-side.de (Only this URL is whitelisted)
+# (2) www.server-side.de/* (Domain is completely whitelisted)
+# (3) *server-side.de/index.html
+# (4) */*.gif (All .gif are whitelisted)
+# (5) www.server-side.de/novirus*
+# (6) www.server-side.de/*novirus*
+
+function check_bw_domain($_dm) {
+ $domain = "";
+ $path = "";
+ $pos = strpos($_dm, "/");
+
+ if ($pos === false) {
+ $domain = $_dm;
+ $path = "";
+ }
+ else {
+ $domain = substr($_dm, 0, $pos);
+ $path = substr($_dm, $pos+1);
+ }
+
+ $fmt = "[a-zA-Z0-9_-]";
+
+ # Domains can have a wildcard at begin '*xxx.xxx' - *my.domain.com
+ if (!eregi("^(\*)|((\*){0,1}($fmt\.){0,}$fmt{1,})$", $domain)) return false;
+
+ # Path can have a wildcard at begin and end '*xxx*'
+ if ($path && !eregi("^(\*){0,1}(.[^\*][^=]){0,}(\*){0,1}$", $path)) return false;
+
+
+ return true;
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+function havp_AVupdate_script() {
+
+# *** AV update script ***
+
+$scr = <<<EOD
+#!/bin/sh
+# AV update script
+# This file was automatically generated
+# by the pfSense service handler.
+/usr/local/bin/freshclam
+wait
+/usr/local/bin/sigtool --unpack-current daily.cvd
+/usr/local/bin/sigtool --unpack-current main.cvd
+wait
+EOD;
+
+# --- AV update script ---
+
+ return $scr;
+}
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# === UNDER CONSTRUCTION ===
+
+# $day: 1, 2, .., 31, *, mon, tue, wed, thu, fri, sat, sun ; every day : [$day]
+# $mon: 1, 2, .., 12, * ; every mon: [$mon] [15]-[01]-[2001]
+# $time = 'hh:mm': '12:00' - at 12:00; '*:*' - at any time; '/hh:/mm' - every hh every /mm
+# havp_crontask('my_task', '15', '/1', '15:30', 'root' 'start_cmd', true);
+function havp_crontask($task_name, $day, $mon, $time, $who, $cmd, $enabled)
+{
+
+}
+
+# / === UNDER CONSTRUCTION ===
+
+# $options: [0]='minute', [1]='hour', [2]='mday', [3]='month', [4]='wday', [5]='who', [6]='command'
+#
+function havp_setup_cron($task_name, $options, $on_off) {
+ global $config;
+ $cron_item = array();
+
+ # $on_off = TRUE/FALSE - install/deinstall cron task:
+ # prepare new cron item
+ if (is_array($options)) {
+ $cron_item['task_name'] = $task_name;
+ $cron_item['minute'] = $options[0];
+ $cron_item['hour'] = $options[1];
+ $cron_item['mday'] = $options[2];
+ $cron_item['month'] = $options[3];
+ $cron_item['wday'] = $options[4];
+ $cron_item['who'] = ($options[5]) ? $options[5] : 'nobody';
+ $cron_item['command'] = $options[6];
+ }
+
+ # unset old cron task with $task_name
+ if ($task_name !== "") {
+ $flag_cron_upd = false;
+
+ # delete old cron task if exists
+ foreach($config['cron']['item'] as $key => $val) {
+ if ($config['cron']['item'][$key]['task_name'] === $task_name) {
+ unset($config['cron']['item'][$key]);
+ $flag_cron_upd = true;
+
+ # log ! cron task deleted !
+ break;
+ }
+ }
+
+ # set new cron task
+ if (($on_off === true) and !empty($cron_item)) {
+ $config['cron']['item'][] = $cron_item;
+ $flag_cron_upd = true;
+
+ # log ! cron task installed !
+ }
+
+ # write config and configure cron only if cron task modified
+ if ($flag_cron_upd === true) {
+ write_config("Installed cron task '$task_name' for 'havp' package");
+ configure_cron();
+ # log ! cron stored !
+ }
+ }
+ else {
+ # ! error $name !
+
+ # if error - break function
+ return;
+ }
+}
+?>
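Review bot: Validation results never reach the caller because `havp_validate_settings($post, $input_errors)` takes `$input_errors` by value, so every `$input_errors[] = ...` it appends is discarded and an invalid proxy port or malformed whitelist/blacklist entry is still saved and then written into havp.config by havp_resync(); the call site in havp.xml relies on call-time `&$input_errors`, which is deprecated and rejected by later PHP versions. Declare the parameter by reference instead: `function havp_validate_settings($post, &$input_errors) {`. Two further lines make the size limits ineffective: `$conf[] = "MAXSCANSIZE $v";` emits the SCANIMAGES true/false value rather than `$val`, and the MAXDOWNLOADSIZE line reads `$pfconf[XML_DOWNLOADMAXSIZE]`, a constant this file never defines (the defined one is `XML_MAXDOWNLOADSIZE`), so the download cap is always 0 whatever the GUI holds. Change them to `$conf[] = "MAXSCANSIZE $val";` and `$pfconf[XML_MAXDOWNLOADSIZE]`. The checks in check_bw_domain() also use eregi(), which is deprecated, and the pattern `^(\*)|(...)$` accepts any entry beginning with `*` because the alternation binds before the anchors, so the whitelist validation is weaker than its comment block describes.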
diff --git a/config/havp/havp.xml b/config/havp/havp.xml
new file mode 100644
index 00000000..a70b09bc
--- /dev/null
+++ b/config/havp/havp.xml
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<packagegui>
+ <name>havp</name>
+ <title>Services: Antivirus proxy server (havp + clamav) -> Settings</title>
+ <category>Status</category>
+ <version>1.7.1</version>
+ <include_file>havp.inc</include_file>
+
+ <!-- Installation -->
+ <menu>
+ <name>HTTP Antivirus</name>
+ <tooltiptext>Proxy server antivirus</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=havp.xml&amp;id=0</url>
+ </menu>
+
+ <additional_files_needed>
+ <item>http://www.pfsense.com/packages/config/havp/havp.inc</item>
+ </additional_files_needed>
+
+ <tabs>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=havp.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>Check this for enable proxy.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Use external interface</fielddescr>
+ <fieldname>listenextinterface</fieldname>
+ <description>Select this for use external interface, otherwise the proxy will use the internal interface '127.0.0.1'. Cascade you other proxy to the HAVP as 'parent proxy' via '127.0.0.1' ip.</description>
+ <type>checkbox</type>
+ <enablefields>proxyiface</enablefields>
+ </field>
+ <field>
+ <fielddescr>Proxy interface</fielddescr>
+ <fieldname>proxyiface</fieldname>
+ <description>The interface(s) the proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>lan</default_value>
+ </field>
+ <field>
+ <fielddescr>Proxy port</fielddescr>
+ <fieldname>proxyport</fieldname>
+ <description>This is the port the proxy server will listen on.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>3128</default_value>
+ </field>
+ <field>
+ <fielddescr>Parent proxy</fielddescr>
+ <fieldname>parentproxy</fieldname>
+ <description>
+ Enter the parent proxy as PROXY:PORT format or leave empty.
+ </description>
+ <type>input</type>
+ <size>90</size>
+ </field>
+ <field>
+ <fielddescr>Language</fielddescr>
+ <fieldname>lang</fieldname>
+ <description>Select the language in which the proxy server will display error messages to users.</description>
+ <type>select</type>
+ <value>en</value>
+ <options>
+ <option><value>br</value><name>Brazil</name></option>
+ <option><value>de</value><name>Germany</name></option>
+ <option><value>en</value><name>English</name></option>
+ <option><value>es</value><name>Spain</name></option>
+ <option><value>fr</value><name>French</name></option>
+ <option><value>it</value><name>Italian</name></option>
+ <option><value>nf</value><name>Norfolk Island</name></option>
+ <option><value>pl</value><name>Poland</name></option>
+ <option><value>ru</value><name>Russian</name></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Max download size</fielddescr>
+ <fieldname>maxdownloadsize</fieldname>
+ <description>Enter value or leave empty. Value in bytes. Downloads larger than 'Max download size' will be blocked. Only if not Whitelisted!</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value></default_value>
+ </field>
+ <field>
+ <fielddescr>Disable X-Forward</fielddescr>
+ <fieldname>xforwardedfor</fieldname>
+ <description>If not set, proxy will include your system's IP address or name in the HTTP requests it forwards.</description>
+ <type>checkbox</type>
+ </field>
+
+ <field>
+ <fielddescr>Whitelist</fielddescr>
+ <fieldname>whitelist</fieldname>
+ <description>
+ Enter each destination url on a new line that will be accessable to the users without scanning.
+ Use '*' symbol for mask. Example: *.pfsense.com/*, *sourceforge.net/*clamav-*, */*.xml, */*.inc
+ </description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+
+ <field>
+ <fielddescr>Blacklist</fielddescr>
+ <fieldname>blacklist</fieldname>
+ <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy.</description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+<!-- Scanner -->
+ <field>
+ <fielddescr>Block file if error scanning</fielddescr>
+ <fieldname>failscanerror</fieldname>
+ <description>If set, the proxy will block the files on which an error scanning.</description>
+ <type>checkbox</type>
+ </field>
+
+ <field>
+ <fielddescr>Scan max file size</fielddescr>
+ <fieldname>scanmaxsize</fieldname>
+ <description>
+ Enter here value in bytes (5, 10, 15, 20) or leave empty.
+ Files larger than this limit won't be scanned.
+ Empty or 0 also disables the limit.
+ NOTE: Setting limit is a security risk, because some archives like
+ ZIP need all the data to be scanned properly! Use this only if you
+ can't afford temporary space for big files. Also scanner settings
+ will affect how many files will be scanned inside an archive etc.
+ </description>
+ <type>input</type>
+ <size>10</size>
+ </field>
+
+ <field>
+ <fielddescr>Scan images</fielddescr>
+ <fieldname>scanimg</fieldname>
+ <description>Check this for scan image files.</description>
+ <type>checkbox</type>
+ </field>
+
+ <field>
+ <fielddescr>Scan archives</fielddescr>
+ <fieldname>scanarc</fieldname>
+ <description>Check this for scan within archives and compressed files.</description>
+ <type>checkbox</type>
+ </field>
+
+ <field>
+ <fielddescr>Scan archive max file size</fielddescr>
+ <fieldname>scanarcmaxsize</fieldname>
+ <value>10M</value>
+ <description>
+ Enter here value in megabytes (15M) or leave empty.
+ Files in archives larger than this limit won't be scanned.
+ Value of 0 also disables the limit.
+ </description>
+ <type>input</type>
+ <size>10</size>
+ </field>
+
+ <field>
+ <fielddescr>AV bases update</fielddescr>
+ <fieldname>havpavupdate</fieldname>
+ <description>
+ &lt;input name='submit' type='submit' value='Update_AV'&gt;
+ Press button for update AV database now.
+ </description>
+ <type>select</type>
+ <value>hv_none</value>
+ <options>
+ <option><name>none</name><value>hv_none</value></option>
+ <option><name>every 1 hours</name><value>hv_01h</value></option>
+ <option><name>every 2 hours</name><value>hv_02h</value></option>
+ <option><name>every 3 hours</name><value>hv_03h</value></option>
+ <option><name>every 4 hours</name><value>hv_04h</value></option>
+ <option><name>every 6 hours</name><value>hv_06h</value></option>
+ <option><name>every 8 hours</name><value>hv_08h</value></option>
+ <option><name>every 12 hours</name><value>hv_12h</value></option>
+ <option><name>every 24 hours</name><value>hv_24h</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Regional AV database update mirror</fielddescr>
+ <fieldname>dbregion</fieldname>
+ <description>Select regional database mirror.</description>
+ <type>select</type>
+ <value></value>
+ <options>
+ <option><value></value><name>-----</name></option>
+ <option><value>au</value><name>Australia</name></option>
+ <option><value>eu</value><name>Europe</name></option>
+ <option><value>ca</value><name>Canada</name></option>
+ <option><value>cn</value><name>China</name></option>
+ <option><value>id</value><name>Indonesia</name></option>
+ <option><value>jp</value><name>Japan</name></option>
+ <option><value>kr</value><name>Korea</name></option>
+ <option><value>ml</value><name>Malaysia</name></option>
+ <option><value>ru</value><name>Russian</name></option>
+ <option><value>sa</value><name>South africa</name></option>
+ <option><value>tw</value><name>Taiwan</name></option>
+ <option><value>uk</value><name>United Kingdom</name></option>
+ <option><value>us</value><name>United States</name></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Optional AV database update servers</fielddescr>
+ <fieldname>avupdateserver</fieldname>
+ <description>Enter here space separated AV update servers, or leave empty.</description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>5</rows>
+ </field>
+
+ <field>
+ <fielddescr>Syslog</fielddescr>
+ <fieldname>syslog</fieldname>
+ <description>Check this for enable Syslog.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log</fielddescr>
+ <fieldname>log</fieldname>
+ <description>Check this for enable log.</description>
+ <type>checkbox</type>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ havp_validate_settings($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ havp_resync();
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ </custom_php_deinstall_command>
+</packagegui> \ No newline at end of file
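Review bot: The `<custom_php_install_command>` and `<custom_php_deinstall_command>` elements at the end of the file are empty, so havp_install() and havp_deinstall() defined in havp.inc are never invoked; on package removal the root cron entry that runs the AV update script, the script at HV_AVUPD_SCRIPT and the pid file are left behind. Fill them in: `<custom_php_install_command>havp_install();</custom_php_install_command>` and `<custom_php_deinstall_command>havp_deinstall();</custom_php_deinstall_command>`. The `proxyport` field defaults to 3128 while havp.inc falls back to HV_DEFAULTPORT 3125 when the field is empty, and 3128 is also the squid default on the same firewall, so the two defaults should agree. The `scanarc`, `scanarcmaxsize` and `log` fields are collected but not consumed by havp_config(), so those controls currently have no effect on the generated configuration.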
diff --git a/config/squid/squid.xml b/config/squid/squid.xml
index 4c8bc4ab..a119e647 100644
--- a/config/squid/squid.xml
+++ b/config/squid/squid.xml
@@ -169,15 +169,15 @@
<required/>
</field>
<field>
- <fielddescr>Do NOT proxy Private Address Space (RFC 1918)</fielddescr>
+ <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr>
<fieldname>private_subnet_proxy_off</fieldname>
- <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server.</description>
+ <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server but directly through the firewall.</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fielddescr>Bypass proxy for these source IPs</fielddescr>
<fieldname>defined_ip_proxy_off</fieldname>
- <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server. Separate by semi-colons (;).</description>
+ <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server but directly through the firewall. Separate by semi-colons (;).</description>
<type>input</type>
<size>80</size>
</field>
diff --git a/config/squid3/squid.xml b/config/squid3/squid.xml
index 8529526e..662805da 100644
--- a/config/squid3/squid.xml
+++ b/config/squid3/squid.xml
@@ -169,15 +169,15 @@
<required/>
</field>
<field>
- <fielddescr>Do NOT proxy Private Address Space (RFC 1918)</fielddescr>
+ <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr>
<fieldname>private_subnet_proxy_off</fieldname>
- <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server.</description>
+ <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server but directly through the firewall.</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fielddescr>Bypass proxy for these source IPs</fielddescr>
<fieldname>defined_ip_proxy_off</fieldname>
- <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server. Separate by semi-colons (;).</description>
+ <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server but directly through the firewall. Separate by semi-colons (;).</description>
<type>input</type>
<size>80</size>
</field>