Diffstat (limited to 'config')
45 files changed, 1873 insertions, 307 deletions
diff --git a/config/apcupsd/apcupsd.inc b/config/apcupsd/apcupsd.inc index c123861c..9ebb263b 100644 --- a/config/apcupsd/apcupsd.inc +++ b/config/apcupsd/apcupsd.inc @@ -224,5 +224,45 @@ EOF; } +function check_nis_running_apcupsd(){ + global $config, $g; + + if (is_array($config['installedpackages']['apcupsd'])){ + $apcupsd_config = $config['installedpackages']['apcupsd']['config'][0]; + + if ($apcupsd_config['apcupsdenabled']=="on" && $apcupsd_config['netserver']=="on" ) + return(true); + } + + return(false); +} + + +function check_nis_ip_apcupsd(){ + global $config, $g; + + if (is_array($config['installedpackages']['apcupsd'])){ + $apcupsd_config = $config['installedpackages']['apcupsd']['config'][0]; + + if ($apcupsd_config['apcupsdenabled']=="on" && $apcupsd_config['netserver']=="on" ) + return($apcupsd_config['nisip']); + } + + return(false); +} + +function check_nis_port_apcupsd(){ + global $config, $g; + + if (is_array($config['installedpackages']['apcupsd'])){ + $apcupsd_config = $config['installedpackages']['apcupsd']['config'][0]; + + if ($apcupsd_config['apcupsdenabled']=="on" && $apcupsd_config['netserver']=="on" ) + return($apcupsd_config['nisport']); + } + + return(false); +} + ?> diff --git a/config/apcupsd/apcupsd.xml b/config/apcupsd/apcupsd.xml index 8a42f352..bef6c330 100644 --- a/config/apcupsd/apcupsd.xml +++ b/config/apcupsd/apcupsd.xml @@ -40,7 +40,7 @@ <name>Apcupsd</name> <title>Services: Apcupsd (General)</title> <category>Monitoring</category> - <version>0.3.2</version> + <version>0.3.4</version> <include_file>/usr/local/pkg/apcupsd.inc</include_file> <addedit_string>Apcupsd has been created/modified.</addedit_string> <delete_string>Apcupsd has been deleted.</delete_string> diff --git a/config/apcupsd/apcupsd_mail.php b/config/apcupsd/apcupsd_mail.php index d5b97f92..3b13309c 100755 --- a/config/apcupsd/apcupsd_mail.php +++ b/config/apcupsd/apcupsd_mail.php 
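Review bot: The three new helpers in apcupsd.inc repeat the same `installedpackages` / `apcupsdenabled` / `netserver` gate verbatim, so a future change to the enable condition has to be made in three places. A single private accessor that returns the first config block when both flags are "on" (and false otherwise) lets each `check_nis_*_apcupsd()` become a one-liner while keeping its name and return values unchanged. Note that `check_nis_ip_apcupsd()` returns `nisip` exactly as stored, so callers still need to validate it before passing it to a shell or into HTML.

```php
/* Return the first apcupsd config block when both the daemon and its NIS are enabled, else false. */
function apcupsd_nis_config() {
	global $config;

	if (!is_array($config['installedpackages']['apcupsd'])) {
		return false;
	}
	$apcupsd_config = $config['installedpackages']['apcupsd']['config'][0];
	if ($apcupsd_config['apcupsdenabled'] == "on" && $apcupsd_config['netserver'] == "on") {
		return $apcupsd_config;
	}
	return false;
}

function check_nis_running_apcupsd() {
	return (apcupsd_nis_config() !== false);
}

function check_nis_ip_apcupsd() {
	$c = apcupsd_nis_config();
	return ($c === false) ? false : $c['nisip'];
}

// … unchanged shape: check_nis_port_apcupsd() mirrors check_nis_ip_apcupsd() with 'nisport' …
```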
@@ -29,7 +29,7 @@ require_once("pkg-utils.inc"); require_once("globals.inc"); -require_once("phpmailer/class.phpmailer.php"); +require_once("phpmailer/PHPMailerAutoload.php"); global $config, $g; diff --git a/config/apcupsd/apcupsd_status.php b/config/apcupsd/apcupsd_status.php index 693ec290..a8d3776d 100755 --- a/config/apcupsd/apcupsd_status.php +++ b/config/apcupsd/apcupsd_status.php @@ -28,6 +28,7 @@ */ require("guiconfig.inc"); +require_once("apcupsd.inc"); $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version < 2.0) @@ -38,6 +39,9 @@ include("head.inc"); function puts( $arg ) { echo "$arg\n"; } +if (isset($_GET['strapcaccess'])) + $strapcaccess = trim($_GET['strapcaccess']); + ?> <style> 
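Review bot: `$strapcaccess` is only assigned when the `strapcaccess` query parameter is present, so the later `if($strapcaccess)` test and the `value="…"` echo on the status page read an undefined variable on a plain page load, and when the parameter is present it is accepted after nothing more than `trim()`. Because the same string is later interpolated into a shell command and into HTML, validating its shape at this boundary is cheap insurance: initialise it with `$strapcaccess = '';` before the `isset()` check and discard anything that is not a host, e.g. `if ($strapcaccess != '' && !is_ipaddr($strapcaccess) && !is_hostname($strapcaccess)) $strapcaccess = '';` (splitting off an optional `:port` first if the `host:port` form the page documents is meant to be supported). Whether `is_ipaddr()` / `is_hostname()` are in scope here depends on `guiconfig.inc`, which is included above this hunk.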
@@ -98,14 +102,66 @@ pre { <div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> - <tr><td> + <form name="frm_apcupsd_status" method="GET"> + <tr> + <td width="14%" valign="top" class="vncellreq">Host:</td> + <td width="86%" class="vtable"> + <input name="strapcaccess" type="text" class="formfld unknown" id="strapcaccess" size="22" value="<? echo "{$strapcaccess}"; ?>"> + <br/> + <span class="vexpl"> + Default: <b>localhost</b><br/> + apcaccess uses apcupsd's inbuilt Network Information Server (NIS) to obtain the current status information <br/> + from the UPS on the local or remote computer. It is therefore necessary to have the following configuration directives: <br/> + NETSERVER on<br/> + NISPORT 3551<br/> + <br/> + <?php if ($pf_version < 2.2): ?> + <input type="Submit" value="Execute" class="formbtn" disabled/> + <?php else: ?> + <input type="Submit" value="Execute" class="formbtn"/> + <?php endif; ?> + </span> + </td> + </tr> + </form> + <tr><td colspan="2"> <?php - puts("<pre>"); - putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); - $ph = popen('apcaccess 2>&1', "r" ); - while ($line = fgets($ph)) echo htmlspecialchars($line); - pclose($ph); - puts("</pre>"); + $nis_server = check_nis_running_apcupsd(); + + if ($pf_version >= 2.2){ + if($strapcaccess) { + echo "Running: apcaccess -h {$strapcaccess} <br/>"; + puts("<pre>"); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + $ph = popen("apcaccess -h {$strapcaccess} 2>&1", "r" ); + while ($line = fgets($ph)) echo htmlspecialchars($line); + pclose($ph); + puts("</pre>"); + }elseif($nis_server){ + $nisip=(check_nis_ip_apcupsd() != ''? check_nis_ip_apcupsd() : "0.0.0.0"); + $nisport=(check_nis_port_apcupsd() != ''? 
check_nis_port_apcupsd() : "3551"); + echo "Running: apcaccess -h {$nisip}:{$nisport} <br/>"; + puts("<pre>"); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + $ph = popen("apcaccess -h localhost 2>&1", "r" ); + while ($line = fgets($ph)) echo htmlspecialchars($line); + pclose($ph); + puts("</pre>"); + }else + echo "Network Information Server (NIS) not running, in order to run apcaccess on localhost, you need to enable it on APCupsd General settings. <br/>"; + }else{ + echo "pfSense version prior to 2.2 runs APCupsd 3.14.10 and apcaccess doesn't accept host parameter. <br/>"; + if ($nis_server){ + puts("<pre>"); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + $ph = popen("apcaccess 2>&1", "r" ); + while ($line = fgets($ph)) echo htmlspecialchars($line); + pclose($ph); + puts("</pre>"); + }else + echo "Network Information Server (NIS) not running, in order to run apcaccess on localhost, you need to enable it on APCupsd General settings. <br/>"; + } + ?> </td></tr> </table> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index df231821..00076816 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc 
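Review bot: `popen("apcaccess -h {$strapcaccess} 2>&1", "r")` interpolates the raw `strapcaccess` query parameter into a shell command, so a request such as `?strapcaccess=localhost;id` runs arbitrary commands as the webGUI user (root on a typical pfSense install), and because the form uses GET a crafted link is enough to trigger it. The same value is also written unescaped into the `value="…"` attribute and into the `Running: …` line, which is a reflected XSS. Change those three lines to `value="<?php echo htmlspecialchars($strapcaccess); ?>"`, `echo "Running: apcaccess -h " . htmlspecialchars($strapcaccess) . " <br/>";` and `$ph = popen("apcaccess -h " . escapeshellarg($strapcaccess) . " 2>&1", "r");`. Separately, the NIS branch prints `Running: apcaccess -h {$nisip}:{$nisport}` but then executes `apcaccess -h localhost`, so the message does not describe the command actually run; either run the printed target or print `localhost`.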
@@ -134,7 +134,42 @@ function freeradius_install_command() { $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; - $rcfile['start'] = FREERADIUS_ETC . '/rc.d/radiusd onestart'; + $freeradius_etc_dir = FREERADIUS_ETC; + $rcfile['start'] = <<<EOD +SERVICENAME="radiusd" + LOCKFILE="/tmp/\${SERVICENAME}_start.lock" + PIDFILE="/var/run/\${SERVICENAME}.pid" + + # prevent this part of script from running in parallel + if ( set -o noclobber; echo "\$\$" > "\$LOCKFILE") 2> /dev/null; then + # make sure lock file is removed even if script is terminated + trap 'rm -f "\$LOCKFILE"; exit \$?' INT TERM EXIT + + {$freeradius_etc_dir}/rc.d/radiusd onestart + + # try to wait until the service starts + if [ ! -f "\$PIDFILE" ]; then + echo "\$SERVICENAME.sh: PID file was not found" + + for i in 1 2 3 4 5; do + if [ -f "\$PIDFILE" ]; then + echo "\$SERVICENAME.sh: Service started PID: `cat \$PIDFILE`" + break + else + echo "\$SERVICENAME.sh: Waiting 0.5 seconds" + sleep 0.5 + fi + done + else + echo "\$SERVICENAME.sh: Service running PID: `cat \$PIDFILE`" + fi + + rm -f "\$LOCKFILE" + trap - INT TERM EXIT + else + echo "\$SERVICENAME.sh: Cannot continue at this moment, this script is already trying to start service PID: \$(cat \$LOCKFILE)" + fi +EOD; $rcfile['stop'] = FREERADIUS_ETC . '/rc.d/radiusd onestop'; write_rcfile($rcfile); conf_mount_ro(); diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 78c65372..8982d93e 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml 
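Review bot: The new start wrapper never recovers from a stale lock: if a previous start was killed with SIGKILL, or `/tmp/radiusd_start.lock` survives for any other reason, the `else` branch only prints the PID found in the lock file and gives up, so `radiusd` cannot be started from this script until someone deletes the file by hand. The `trap` covers INT/TERM/EXIT but cannot cover KILL, so the else branch should check whether that PID is still alive and clear the lock if it is not, e.g. `kill -0 "$(cat "$LOCKFILE")" 2>/dev/null || rm -f "$LOCKFILE"` (with each `$` written as `\$` inside the PHP heredoc). Quoting `$LOCKFILE` in the existing `\$(cat \$LOCKFILE)` message would also match the quoting used elsewhere in the script. The enclosing `freeradius_install_command()` starts before this hunk.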
@@ -183,9 +183,9 @@ </options> </field> <field> - <fielddescr>Log Bad Authentication Attempts</fielddescr> + <fielddescr>Log Password on Authentication Failure</fielddescr> <fieldname>varsettingsauthbadpass</fieldname> - <description><![CDATA[If an authentication fails then it will log the username and <b>wrong</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[Log the <b>password</b> of failed authentication attempts to syslog. Not recommended for security reasons. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -204,9 +204,9 @@ <size>80</size> </field> <field> - <fielddescr>Log good authentication attempts?</fielddescr> + <fielddescr>Log Password on Authentication Success</fielddescr> <fieldname>varsettingsauthgoodpass</fieldname> - <description><![CDATA[If an authentication succeeds then it will log the username and <b>correct</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[Log the <b>password</b> of successful authentication attempts to syslog. Not recommended for security reasons. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> diff --git a/config/ftpproxy/ftpproxy.inc b/config/ftpproxy/ftpproxy.inc new file mode 100644 index 00000000..7fc54775 --- /dev/null +++ b/config/ftpproxy/ftpproxy.inc 
@@ -0,0 +1,147 @@ +<?php +function sync_package_ftpproxy() { + conf_mount_rw(); + config_lock(); + global $config; + $cf = $config['installedpackages']['ftpclientproxy']['config'][0]; + + /* Proxy is not enabled, kill the daemon and issue a filter reload. */ + if ($cf["proxy_enable"] != "on") { + mwexec("/usr/bin/killall -9 ftp-proxy"); + filter_configure(); + return; + } + $interface_list = explode(",", $cf['localints']); + /* Bail if there is nothing to do */ + if (empty($interface_list)) { + log_error("FTP Proxy cannot sync: No interfaces selected."); + return; + } + + $start = "/usr/bin/killall -9 ftp-proxy\n"; + $start .= "\t/usr/sbin/ftp-proxy "; + + if ($cf["anononly"] == "on") { + $start .= " -A "; + } + if (is_ipaddr($cf["sourceaddr"])) { + $start .= " -a " . escapeshellarg($cf["sourceaddr"]); + } + if (is_port($cf["bindport"])) { + $start .= " -p " . escapeshellarg($cf["bindport"]); + } + if (is_numeric($cf["maxessions"]) && ($cf["maxessions"] >= 1) && ($cf["maxessions"] <= 500)) { + $start .= " -m " . escapeshellarg($cf["maxessions"]); + } + if (!empty($cf["tsq"])) { + $start .= " -q " . escapeshellarg($cf["tsq"]); + } + if ($cf["src20"] == "on") { + $start .= " -r "; + } + if (is_numeric($cf["idletimeout"]) && ($cf["idletimeout"] > 0) && ($cf["idletimeout"] <= 86400)) { + $start .= " -t " . 
escapeshellarg($cf["idletimeout"]); + } + if ($cf["log"] == "on") { + $start .= " -v "; + } + $start .= "\n"; + + write_rcfile(array( + "file" => "ftp-proxy.sh", + "start" => $start, + "stop" => "/usr/bin/killall -9 ftp-proxy" + ) + ); + restart_service("ftp-proxy"); + conf_mount_ro(); + config_unlock(); + filter_configure(); +} + +function validate_form_ftpproxy($post, &$input_errors) { + if (empty($post["localints"])) { + $input_errors[] = 'One or more Local Interfaces must be selected'; + } + if (!empty($post["sourceaddr"]) && !is_ipaddr($post["sourceaddr"])) { + $input_errors[] = 'You must specify a valid ip address in the \'Source Address\' field'; + } + if (!empty($post["bindport"]) && !is_port($post["bindport"])) { + $input_errors[] = 'You must specify a valid port number in the \'Bind Port\' field'; + } + if (!empty($post["maxessions"]) && (!is_numeric($post["maxessions"]) || ($post["maxessions"] < 1) || ($post["maxessions"] > 500))) { + $input_errors[] = 'You must specify a valid number in the \'Max Sessions\' field (Between 1 and 500)'; + } + if (!empty($post["idletimeout"]) && (is_numeric($post["idletimeout"]) || ($post["idletimeout"] <= 0) || ($post["idletimeout"] > 86400))) { + $input_errors[] = 'You must specify a valid number in the \'Idle Timeout\' field (Between 1 and 86400)'; + } + if (!empty($post["bypasssrc"]) && !(is_alias($post["bypasssrc"]) || is_subnetv4($post["bypasssrc"]) || is_ipaddr($post["bypasssrc"]))) { + $input_errors[] = 'You must specify a valid IP address or alias for Proxy Bypass: Source'; + } + if (!empty($post["bypassdst"]) && !(is_alias($post["bypassdst"]) || is_subnetv4($post["bypassdst"]) || is_ipaddr($post["bypassdst"]))) { + $input_errors[] = 'You must specify a valid IP address or alias for Proxy Bypass: Destination'; + } +} + +function ftpproxy_get_port() { + global $config; + $cf = $config['installedpackages']['ftpclientproxy']['config'][0]; + if (!empty($cf["bindport"]) && is_port($cf["bindport"])) { + return 
$cf["bindport"]; + } else { + return 8021; + } +} + +function ftpproxy_generate_rules($type) { + global $config; + $cf = $config['installedpackages']['ftpclientproxy']['config'][0]; + $interface_list = explode(",", $cf['localints']); + + /* Proxy is not enabled, therefore, no rules/anchors. */ + if ($cf["proxy_enable"] != "on") { + return; + } + + /* Bail if there is nothing to do */ + if (empty($interface_list)) { + log_error("FTP Proxy cannot sync: No interfaces selected."); + return; + } + + $rules = ""; + switch ($type) { + case "nat": + $rules .= "nat-anchor \"ftp-proxy/*\"\n"; + $rules .= "rdr-anchor \"ftp-proxy/*\"\n"; + + foreach ($interface_list as $interface_friendly) { + if (empty($interface_friendly)) { + continue; + } + $interface = get_real_interface($interface_friendly); + if (empty($interface)) { + continue; + } + if (is_subnetv4($cf["bypasssrc"]) || is_ipaddr($cf["bypasssrc"])) { + $rules .= "no rdr on {$interface} inet proto tcp from {$cf['bypasssrc']} to any port 21\n"; + } elseif (is_alias($cf["bypasssrc"])) { + $rules .= "no rdr on {$interface} inet proto tcp from \${$cf['bypasssrc']} to any port 21\n"; + } + if (is_subnetv4($cf["bypassdst"]) || is_ipaddr($cf["bypassdst"])) { + $rules .= "no rdr on {$interface} inet proto tcp from any to {$cf['bypassdst']} port 21\n"; + } elseif (is_alias($cf["bypassdst"])) { + $rules .= "no rdr on {$interface} inet proto tcp from any to \${$cf['bypassdst']} port 21\n"; + } + $rules .= "rdr pass on {$interface} inet proto tcp from any to any port 21 -> 127.0.0.1 port " . ftpproxy_get_port() . "\n"; + } + break; + case "filter": + $rules .= "anchor \"ftp-proxy/*\"\n"; + // $rules = "pass out proto tcp from any to any port 21\n"; + break; + + } + return $rules; +} +?>
\ No newline at end of file diff --git a/config/ftpproxy/ftpproxy.xml b/config/ftpproxy/ftpproxy.xml new file mode 100644 index 00000000..5bd123dc --- /dev/null +++ b/config/ftpproxy/ftpproxy.xml 
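Review bot: The idle-timeout check in `validate_form_ftpproxy()` has its `is_numeric()` test inverted relative to the `maxessions` check just above it, so every non-empty value, numeric or not, is rejected with the "Between 1 and 86400" error; it should read `if (!empty($post["idletimeout"]) && (!is_numeric($post["idletimeout"]) || ($post["idletimeout"] <= 0) || ($post["idletimeout"] > 86400))) {`. In `sync_package_ftpproxy()` the two early `return`s (proxy disabled, no interfaces) skip the `conf_mount_ro()` / `config_unlock()` calls that the normal path makes at the end, leaving the filesystem read-write and the config lock held until something else releases them. The "Do not set this to 21" advice in the field description is not enforced by the `is_port()` check, so it is probably worth rejecting 21 explicitly in validation since the description says it is unsupported.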
@@ -0,0 +1,116 @@ +<packagegui> + <name>FTP Client Proxy</name> + <version>0.2</version> + <title>FTP Client Proxy</title> + <aftersaveredirect>pkg_edit.php?xml=ftpproxy.xml</aftersaveredirect> + <include_file>/usr/local/pkg/ftpproxy.inc</include_file> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>https://packages.pfsense.org/packages/config/ftpproxy/ftpproxy.inc</item> + </additional_files_needed> + <menu> + <name>FTP Client Proxy</name> + <tooltiptext>Modify FTP Client Proxy settings.</tooltiptext> + <section>Services</section> + <configfile>ftpproxy.xml</configfile> + <url>/pkg_edit.php?xml=ftpproxy.xml</url> + </menu> + <service> + <name>ftp-proxy</name> + <rcfile>ftp-proxy.sh</rcfile> + <executable>ftp-proxy</executable> + <description>Client FTP Proxy Daemon</description> + </service> + <fields> + <field> + <name>General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Proxy Enabled</fielddescr> + <fieldname>proxy_enable</fieldname> + <description>Enable the FTP Proxy.</description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Local Interface</fielddescr> + <fieldname>localints</fieldname> + <type>interfaces_selection</type> + <description>Select the local (LAN type) interfaces which contain FTP clients.</description> + <required/> + <multiple/> + </field> + <field> + <fielddescr>Anonymous Only</fielddescr> + <fieldname>anononly</fieldname> + <description>Only permit anonymous FTP connections using the "ftp" or "anonymous" users.</description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Source Address</fielddescr> + <fieldname>sourceaddr</fieldname> + <description>Enter a VIP to be the source of outgoing control traffic. 
Leave blank to use the default WAN IP address.</description> + <type>input</type> + </field> + <field> + <fielddescr>Proxy Bypass: Source</fielddescr> + <fieldname>bypasssrc</fieldname> + <description>Enter an IP address or alias for source client host(s) which should bypass the proxy.</description> + <type>input</type> + </field> + <field> + <fielddescr>Proxy Bypass: Destination</fielddescr> + <fieldname>bypassdst</fieldname> + <description>Enter an IP address or alias for destination server host(s) which should bypass the proxy.</description> + <type>input</type> + </field> + <field> + <fielddescr>Bind Port (Default: 8021)</fielddescr> + <fieldname>bindport</fieldname> + <description>Port where the proxy will listen for redirected connections. Do not set this to 21.</description> + <type>input</type> + </field> + <field> + <fielddescr>Maximum Sessions (Default: 100)</fielddescr> + <fieldname>maxessions</fieldname> + <description>Maximum number of concurrent FTP sessions. When the proxy reaches this limit, new connections are denied. Must be between 1 and 500.</description> + <type>input</type> + </field> + <field> + <fielddescr>Traffic Shaping Queue</fielddescr> + <fieldname>tsq</fieldname> + <description>Create rules with the specified queue appended so that data connections can be queued.</description> + <type>input</type> + </field> + <field> + <fielddescr>Rewrite Source to Port 20</fielddescr> + <fieldname>src20</fieldname> + <description>Rewrite source port to 20 in active mode to suit ancient clients that insist on this behavior.</description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Idle Timeout (Default: 86400)</fielddescr> + <fieldname>idletimeout</fieldname> + <description>(Seconds) Number of seconds that the control connection can be idle, before the proxy will disconnect. The maximum is 86400 seconds. 
Do not set this too low, because the control connection is usually idle when large data transfers are taking place.</description> + <type>input</type> + </field> + <field> + <fielddescr>Log Connections</fielddescr> + <fieldname>log</fieldname> + <description>Set the 'log' flag on pf rules committed by ftp-proxy.</description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + + </fields> + <custom_php_resync_config_command> + sync_package_ftpproxy(); + </custom_php_resync_config_command> + <custom_php_validation_command> + validate_form_ftpproxy($_POST, $input_errors); + </custom_php_validation_command> +</packagegui> diff --git a/config/lightsquid/lightsquid.inc b/config/lightsquid/lightsquid.inc index 399e0572..054713a1 100644 --- a/config/lightsquid/lightsquid.inc +++ b/config/lightsquid/lightsquid.inc @@ -175,6 +175,9 @@ function lightsquid_resync() { if (!file_exists("/usr/bin/perl")) mwexec("ln -s /usr/local/bin/perl /usr/bin/perl"); + // Fixup library path so GD can find its libraries for graphs. + mwexec("/sbin/ldconfig -m " . LIGHTSQUID_BASE . "/lib/"); + // create lightsquid report catalog if (!file_exists(LS_REPORTPATH)) { update_log("lightsquid_install: Create report dir " . LS_REPORTPATH); diff --git a/config/lightsquid/lightsquid.xml b/config/lightsquid/lightsquid.xml index 0f6baf37..63eaabe4 100644 --- a/config/lightsquid/lightsquid.xml +++ b/config/lightsquid/lightsquid.xml @@ -46,7 +46,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>lightsquid</name> - <version>1.8.2 pkg v.2.34</version> + <version>1.8.2 pkg v.2.35</version> <title>Services: Proxy Reports (LightSquid, SQStat) -> Settings</title> <category>Status</category> <include_file>/usr/local/pkg/lightsquid.inc</include_file> diff --git a/config/ntopng/ntopng.xml b/config/ntopng/ntopng.xml index b656e483..9382912a 100644 --- a/config/ntopng/ntopng.xml +++ b/config/ntopng/ntopng.xml 
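Review bot: `<chmod>077</chmod>` on the `additional_files_needed` entry gives `ftpproxy.inc` mode `---rwxrwx` — no access for the owner and read/write/execute for group and everyone else — for a file that is then loaded through `<include_file>` and executed by the webGUI. A file that is world-writable and executed by a privileged process is the wrong way round; `<chmod>0644</chmod>` (or `0755` if it must be executable) is what an include normally needs. This looks copied from other package manifests, so it is worth confirming whether `0755` was the intended value there as well.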
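Review bot: `ldconfig -m` merges `LIGHTSQUID_BASE . "/lib/"` into the system-wide shared-library hints, so from then on every dynamically linked program on the box, not just LightSquid, will resolve libraries from that directory. That is acceptable only if the directory is root-owned and not writable by anything else, which is presumably true for a package install path but is not checked here; a comment next to the call, e.g. `// NOTE: adds this dir to the global ld hints; it must stay root-owned and non-writable`, would make the trade-off visible to the next maintainer. The enclosing `lightsquid_resync()` starts before this hunk.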
@@ -39,7 +39,7 @@ ]]> </copyright> <name>ntopng</name> - <version>1.1 v0.1</version> + <version>1.2 v0.5</version> <title>Diagnostics: ntopng Settings</title> <savetext>Change</savetext> <aftersaveredirect>pkg_edit.php?xml=ntopng.xml</aftersaveredirect> @@ -96,7 +96,12 @@ <field> <fielddescr>DNS Mode</fielddescr> <fieldname>dns_mode</fieldname> - <description>Configures how name resolution is handled</description> + <description> + Configures how name resolution is handled<br/><br/> + Additionally, GeoIP Data can provide location information about IP addresses.<br/> + This product includes GeoLite data created by MaxMind, available from <a href="http://www.maxmind.com">http://www.maxmind.com</a>.<br/> + <input type="submit" name="Submit" value="Update GeoIP Data"> + </description> <type>select</type> <default_value>0</default_value> <options> @@ -121,13 +126,22 @@ <field> <fielddescr>Historical Data Storage</fielddescr> <fieldname>dump_flows</fieldname> - <description>Turn historical data storages on</description> + <description>Enable historical data storage</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable Alerts</fielddescr> + <fieldname>disable_alerts</fieldname> + <description>Disables all alerts generated by ntopng, such as flooding notifications</description> <type>checkbox</type> </field> </fields> <custom_php_global_functions> <![CDATA[ function sync_package_ntopng() { + if ($_POST['Submit'] == "Update GeoIP Data") { + return; + } conf_mount_rw(); config_lock(); global $config; @@ -185,7 +199,12 @@ if ($ntopng_config['dump_flows'] >= on) { $dump_flows = "-F"; } - + + // Disable alerts + if ($ntopng_config['disable_alerts'] >= on) { + $disable_alerts = "-H"; + } + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version >= 2.2) { $redis_path = "/usr/pbi/ntopng-" . php_uname("m") . "/local/bin"; 
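Review bot: `if ($ntopng_config['disable_alerts'] >= on)` compares against the bare word `on`, which PHP treats as an undefined constant: it evaluates to the string "on" with a notice on PHP 5/7 and is a fatal `Error` on PHP 8, and the `>=` string comparison only yields the right answer by accident. The pattern is inherited from the `dump_flows` line above it, but the new line should be `if ($ntopng_config['disable_alerts'] == "on") {`, and `$disable_alerts = "";` should be set beforehand so the later interpolation into the `ntopng` command line does not read an undefined variable when the box is unchecked. The enclosing `sync_package_ntopng()` continues past this hunk.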
@@ -199,7 +218,7 @@ // Add support for --data-dir /somewhere, --httpdocs-dir /somewhereelse, // --dump-timeline (on/off) --http-port, --https-port - $start .= "\t/usr/local/bin/ntopng -d /var/db/ntopng -G /var/run/ntopng.pid -s -e {$dump_flows} {$ifaces} {$dns_mode} {$aggregations} {$local_networks} &"; + $start .= "\t/usr/local/bin/ntopng -d /var/db/ntopng -G /var/run/ntopng.pid -s -e {$disable_alerts} {$dump_flows} {$ifaces} {$dns_mode} {$aggregations} {$local_networks} &"; write_rcfile(array( "file" => "ntopng.sh", "start" => $start, @@ -211,6 +230,7 @@ // Wait for ntopng to shut down cleanly. sleep(20); } + ntopng_fixup_geoip(); start_service("ntopng"); sleep(2); @@ -222,6 +242,30 @@ conf_mount_ro(); config_unlock(); } + function ntopng_update_geoip() { + mwexec("/usr/pbi/ntopng-" . php_uname("m") . "/bin/ntopng-geoipupdate.sh"); + ntopng_fixup_geoip(); + restart_service("ntopng"); + } + function ntopng_fixup_geoip() { + $target_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/local/share/ntopng/httpdocs/geoip"; + $source_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/share/ntopng"; + + foreach(glob("{$source_dir}/Geo*.dat*") as $geofile) { + /* Decompress if needed. */ + if (substr($geofile, -3, 3) == ".gz") { + mwexec("/usr/bin/gzip -d " . escapeshellarg($geofile)); + } + } + + /* Use a separate glob since the filenames could have changed since the last run */ + foreach(glob("{$source_dir}/Geo*.dat*") as $geofile) { + $target_file = $target_dir . '/' . basename($geofile); + if (!file_exists($target_file)) { + symlink($geofile, $target_file); + } + } + } ]]> </custom_php_global_functions> <custom_add_php_command> @@ -232,7 +276,7 @@ </custom_php_resync_config_command> <custom_php_install_command> <![CDATA[ - mwexec_bg("/usr/pbi/ntopng-" . php_uname("m") . "/bin/geoipupdate.sh"); + ntopng_update_geoip(); sync_package_ntopng(); ]]> </custom_php_install_command> 
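Review bot: In `ntopng_fixup_geoip()` the `!file_exists($target_file)` guard treats a dangling symlink as absent, because `file_exists()` returns false when the link target is gone; if a `Geo*.dat` source file is ever removed, the next run attempts `symlink()` onto an existing link and fails with a warning instead of repointing it. Guard with `if (!file_exists($target_file) && !is_link($target_file)) {`, or first drop a stale link with `if (is_link($target_file) && !file_exists($target_file)) unlink($target_file);`. Also note that the install hook now calls `ntopng_update_geoip()` synchronously where it used `mwexec_bg()` before, so package installation blocks on the MaxMind download; presumably intended so the fixup can run afterwards, but worth a comment at the call site.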
@@ -246,6 +290,9 @@ $input_errors[] = "You must provide (and confirm) ntopng's password."; if ($_POST['password'] != $_POST['passwordagain']) $input_errors[] = "The provided passwords did not match."; + if ($_POST['Submit'] == "Update GeoIP Data") { + ntopng_update_geoip(); + } } ]]> </custom_php_validation_command> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index f635bbd0..16ccb6a4 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -40,7 +40,7 @@ require_once("pfsense-utils.inc"); global $current_openvpn_version, $current_openvpn_version_rev; $current_openvpn_version = "2.3.6"; -$current_openvpn_version_rev = "01"; +$current_openvpn_version_rev = "03"; function openvpn_client_export_install() { global $current_openvpn_version; diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index 15986428..42a3c327 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.2.15</version> + <version>1.2.16</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/pfblockerng/geoipupdate.sh b/config/pfblockerng/geoipupdate.sh index 302f81f5..dc6f2af6 100644 --- a/config/pfblockerng/geoipupdate.sh +++ b/config/pfblockerng/geoipupdate.sh @@ -1,7 +1,7 @@ #!/bin/sh # # pfBlockerNG MaxMind GeoLite GeoIP Updater Script - By BBcan177@gmail.com -# Copyright (C) 2014 BBcan177@gmail.com +# Copyright (C) 2015 BBcan177@gmail.com # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as 
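Review bot: `ntopng_update_geoip()` is invoked from the `custom_php_validation_command`, so pressing "Update GeoIP Data" runs a network download and `restart_service("ntopng")` as a side effect of form validation, and it does so even when the password checks just above it have already appended to `$input_errors`. Validation hooks should only validate; at minimum guard the call with `if (empty($input_errors) && $_POST['Submit'] == "Update GeoIP Data") {`, and preferably move the action into the resync command, where the matching early return for this button already lives. The update is also a blocking `mwexec()`, so a slow MaxMind fetch holds the HTTP request for its whole duration.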
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index a1ee6abc..1a1c87a2 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -3,7 +3,7 @@ pfBlockerNG.inc pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. part of the Postfix package for pfSense @@ -78,6 +78,7 @@ function pfb_global() { $pfb['log'] = "{$pfb['logdir']}/pfblockerng.log"; $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt"; $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh'; + $pfb['aliasarchive'] = "/usr/pbi/pfblockerng-" . php_uname("m") . "/etc/aliastables.tar.bz2"; # General Variables $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0]; @@ -225,8 +226,11 @@ function pfb_create_suppression_file() { if ($pfb['found']) { $pfb_suppress = str_replace(" ", "\n", $config['aliases']['alias'][$pfb_id]['address']); - if (!empty($pfb_suppress)) + if (!empty($pfb_suppress)) { @file_put_contents("{$pfb['supptxt']}",$pfb_suppress, LOCK_EX); + } else { + unlink_if_exists("{$pfb['supptxt']}"); + } } else { # Delete Suppression File if Alias is Empty. unlink_if_exists("{$pfb['supptxt']}"); 
@@ -334,6 +338,58 @@ function ip_range_to_subnet_array_temp2($ip1, $ip2) { } +// Archive Aliastables for NanoBSD and RAMDisk Installations +function pfb_aliastables($mode) { + global $g,$config,$pfb; + $earlyshellcmd = "/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables"; + $msg = ""; + + // Only Execute function if Platform is NanoBSD or Ramdisks are used. + if (($g['platform'] != "pfSense") || isset($config['system']['use_mfs_tmpvar'])) { + conf_mount_rw(); + if ($mode == "update") { + // Archive Aliastable Folder + exec ("cd {$pfb['aliasdir']}; ls -A pfB_*.txt && /usr/bin/tar -jcvf {$pfb['aliasarchive']} pfB_*.txt >/dev/null 2>&1"); + $msg = "\n\nArchiving Aliastable Folder\n"; + } + elseif ($mode == "conf") { + // Check conf file for earlyshellcmd + if (is_array($config['system']['earlyshellcmd'])) { + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (!preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { + $a_earlyshellcmd[] = "{$earlyshellcmd}"; + $msg = "\n** Adding earlyshellcmd **\n"; + } + } + else { + $config['system']['earlyshellcmd'] = "{$earlyshellcmd}"; + $msg = "\n** Adding earlyshellcmd **\n"; + } + } + conf_mount_ro(); + } + else { + if (file_exists("{$pfb['aliasarchive']}")) { + // Remove Aliastables archive if found. + conf_mount_rw(); + @unlink_if_exists("{$pfb['aliasarchive']}"); + conf_mount_ro(); + } + // Remove earlyshellcmd if found. + if (is_array($config['system']['earlyshellcmd'])) { + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { + $a_earlyshellcmd = preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd, PREG_GREP_INVERT); + $msg = "\n** Removing earlyshellcmd **\n"; + } + } + } + + if ($msg != "") + pfb_logger("{$msg}","1"); +} + + # Main pfBlockerNG Function function sync_package_pfblockerng($cron = "") { 
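Review bot: In `pfb_aliastables()` the `conf` branch stores `$config['system']['earlyshellcmd'] = "{$earlyshellcmd}"` as a plain string when the key is not yet an array, while every other path in this function and in the deinstall code only inspects the value inside an `is_array()` check with `preg_grep()`; a string stored this way would therefore be neither detected as present nor removed later. Store a one-element array instead: `$config['system']['earlyshellcmd'] = array($earlyshellcmd);`. The function also mutates `$config` without calling `write_config()`, which is presumably left to the caller but deserves a comment, and the `update` branch's `ls -A pfB_*.txt && tar …` leaves a stale `aliastables.tar.bz2` behind when no alias files remain.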
@@ -365,14 +421,8 @@ function sync_package_pfblockerng($cron = "") { } } - # TBC if Required ! (Fetch Timeout in 2.2) - - #apply fetch timeout to pfsense-utils.inc - $pfsense_utils = file_get_contents('/etc/inc/pfsense-utils.inc'); - $new_pfsense_utils = preg_replace("/\/usr\/bin\/fetch -q/","/usr/bin/fetch -T 5 -q",$pfsense_utils); - if ($new_pfsense_utils != $pfsense_utils) { - @file_put_contents('/etc/inc/pfsense-utils.inc',$new_pfsense_utils, LOCK_EX); - } + // Call function for NanoBSD/Ramdisk processes. + pfb_aliastables("conf"); # Collect pfSense Max Table Size Entry $pfb['table_limit'] = ($config['system']['maximumtableentries'] != "" ? $config['system']['maximumtableentries'] : "2000000"); @@ -1173,7 +1223,7 @@ function sync_package_pfblockerng($cron = "") { $pattern8 = '[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; $pattern9 = '[A-Fa-f0-9]{1,4}:([A-Fa-f0-9]{1,4}::)\/[0-9]{2}'; $pattern10 = '[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; - $pfb['ipv6'] = "/^($pattern1)$|^($pattern2)$|^($pattern3)$|^($pattern4)$|^($pattern5)$|^($pattern6)$|^($pattern7)$|^($pattern8)$|^($pattern9)$|^($pattern10)$/"; + $pfb['ipv6'] = "/($pattern1)|($pattern2)|($pattern3)|($pattern4)|($pattern5)|($pattern6)|($pattern7)|($pattern8)|($pattern9)|($pattern10)/"; $pfb['supp_update'] = FALSE; $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); @@ -2191,6 +2241,7 @@ function sync_package_pfblockerng($cron = "") { unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules); } + ################################# # Closing Processes # ################################# @@ -2223,6 +2274,9 @@ function sync_package_pfblockerng($cron = "") { #load filter file which will create the pfctl tables filter_configure(); + + // Call function for NanoBSD/Ramdisk processes. + pfb_aliastables("update"); } else { # Don't Execute on User 'Save' if (!$pfb['save']) { 
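Review bot: The rewritten `$pfb['ipv6']` pattern drops the `^…$` anchors, so it now matches an IPv6 CIDR appearing anywhere in a string rather than requiring the whole string to be one; if the pattern validates list entries, a line like `foo 2001:db8::/32 bar` now passes, and if it extracts addresses the callers must take the match out of the capture group rather than keep the whole line. The patterns visible here (`$pattern8`–`$pattern10`) also end in `\/[0-9]{2}`, which accepts only two-digit prefix lengths and rejects valid `/8`, `/9` and `/128`; `\/[0-9]{1,3}` would cover them. The call sites of `$pfb['ipv6']` are outside this hunk, so which of the two intents applies cannot be confirmed from here.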
@@ -2253,8 +2307,11 @@ function sync_package_pfblockerng($cron = "") { $log = implode($result_pfctl); pfb_logger("{$log}","1"); } + + // Call function for NanoBSD/Ramdisk processes. + pfb_aliastables("update"); } else { - $log = "\n No Changes to Aliases, Skipping pfctl Update \n"; + $log = "\nNo Changes to Aliases, Skipping pfctl Update \n"; pfb_logger("{$log}","1"); } } @@ -2282,7 +2339,7 @@ function sync_package_pfblockerng($cron = "") { ######################################### - # Define/Apply CRON Jobs # + # Define/Apply CRON Jobs # ######################################### # Clear any existing pfBlockerNG Cron Jobs @@ -2291,13 +2348,13 @@ function sync_package_pfblockerng($cron = "") { # Replace Cron job with any User Changes to $pfb_min if ($pfb['enable'] == "on") { # Define pfBlockerNG CRON Job - $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; + $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; # $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) - $pfb_hour = "*"; - $pfb_mday = "*"; - $pfb_month = "*"; - $pfb_wday = "*"; - $pfb_who = "root"; + $pfb_hour = "*"; + $pfb_mday = "*"; + $pfb_month = "*"; + $pfb_wday = "*"; + $pfb_who = "root"; install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); } @@ -2311,12 +2368,12 @@ function sync_package_pfblockerng($cron = "") { # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website - $pfb_gmin = "0"; - $pfb_ghour = rand(0,23); - $pfb_gmday = "1,2,3,4,5,6,7"; - $pfb_gmonth = "*"; - $pfb_gwday = "2"; - $pfb_gwho = "root"; + $pfb_gmin = "0"; + $pfb_ghour = rand(0,23); + $pfb_gmday = "1,2,3,4,5,6,7"; + $pfb_gmonth = "*"; + $pfb_gwday = "2"; + $pfb_gwho = "root"; install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); } 
@@ -2413,6 +2470,15 @@ function pfblockerng_php_deinstall_command() { rmdir_recursive("{$pfb['dbdir']}"); rmdir_recursive("{$pfb['logdir']}"); + // Remove Aliastables archive and earlyshellcmd if found. + @unlink_if_exists("{$pfb['aliasarchive']}"); + if (is_array($config['system']['earlyshellcmd'])) { + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd)) { + $a_earlyshellcmd = preg_grep("/pfblockerng.sh aliastables/", $a_earlyshellcmd, PREG_GREP_INVERT); + } + } + # Remove Settings from Config if (is_array($config['installedpackages']['pfblockerng'])) unset($config['installedpackages']['pfblockerng']); diff --git a/config/pfblockerng/pfblockerng.js b/config/pfblockerng/pfblockerng.js index cef0ce3b..e1c1ca20 100644 --- a/config/pfblockerng/pfblockerng.js +++ b/config/pfblockerng/pfblockerng.js @@ -1,6 +1,6 @@ /* pfBlockerNG update engine */ -// Part of pfBlockerNG by BBCan177@gmail.com (c) 2014 +// Part of pfBlockerNG by BBCan177@gmail.com (c) 2015 // // Javascript and Integration modifications by J. Nieuwenhuizen diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index 0ca3aa7d..8c0c478d 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php @@ -3,7 +3,7 @@ pfBlockerNG.php pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfBlocker by @@ -12,7 +12,7 @@ Hour Schedule Convertor code by Snort Package - Copyright (c) 2014 Bill Meeks + Copyright (c) 2015 Bill Meeks Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -251,7 +251,7 @@ if ($argv[1] == 'gc') { } if ($argv[1] == 'cron') { - $hour = date('H'); + $hour = date('G'); $dow = date('N'); $pfb['update_cron'] = FALSE; 
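Review bot: `preg_grep(..., PREG_GREP_INVERT)` preserves the original keys, so after the pfBlockerNG entry is filtered out `$config['system']['earlyshellcmd']` can become a non-contiguous array, which the config writer may not serialise as a plain list; reindex it and escape the dot: `$a_earlyshellcmd = array_values(preg_grep("/pfblockerng\.sh aliastables/", $a_earlyshellcmd, PREG_GREP_INVERT));`. The outer `if (preg_grep(...))` is redundant since the inverted call leaves the array unchanged when nothing matches. Whether the modified config is persisted with write_config() on this path is outside the hunk, so verify the removal actually reaches config.xml.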
@@ -270,7 +270,7 @@ if ($argv[1] == 'cron') { $sch2 = strval($shour); for ($i=0; $i<11; $i++) { $shour += 2; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch2 .= "," . strval($shour); } @@ -280,7 +280,7 @@ if ($argv[1] == 'cron') { $sch3 = strval($shour); for ($i=0; $i<7; $i++) { $shour += 3; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch3 .= "," . strval($shour); } @@ -290,7 +290,7 @@ if ($argv[1] == 'cron') { $sch4 = strval($shour); for ($i=0; $i<5; $i++) { $shour += 4; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch4 .= "," . strval($shour); } @@ -300,7 +300,7 @@ if ($argv[1] == 'cron') { $sch6 = strval($shour); for ($i=0; $i<3; $i++) { $shour += 6; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch6 .= "," . strval($shour); } @@ -310,7 +310,7 @@ if ($argv[1] == 'cron') { $sch8 = strval($shour); for ($i=0; $i<2; $i++) { $shour += 8; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch8 .= "," . strval($shour); } @@ -319,7 +319,7 @@ if ($argv[1] == 'cron') { $shour = intval(substr($pfb['hour'], 0, 2)); $sch12 = strval($shour) . ","; $shour += 12; - if ($shour > 24) + if ($shour >= 24) $shour -= 24; $sch12 .= strval($shour); @@ -696,7 +696,7 @@ $xml = <<<EOF pfblockerng_{$cont_name}.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense @@ -1001,7 +1001,7 @@ $xmlrep = <<<EOF pfBlockerNG_Reputation.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh index cc11be6b..e010a6e5 100644 --- a/config/pfblockerng/pfblockerng.sh +++ b/config/pfblockerng/pfblockerng.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # pfBlockerNG IP Reputation Script - By BBcan177@gmail.com - 04-12-14 -# Copyright (C) 2014 BBcan177@gmail.com +# Copyright (C) 2015 BBcan177@gmail.com # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as @@ -35,6 +35,7 @@ etblock=$(echo $8 | sed 's/,/, /g') etmatch=$(echo $9 | sed 's/,/, /g') # File Locations +aliasarchive="/usr/pbi/pfblockerng-$mtype/etc/aliastables.tar.bz2" pathgeoipdat=/usr/pbi/pfblockerng-$mtype/share/GeoIP/GeoIP.dat pfbsuppression=/var/db/pfblockerng/pfbsuppression.txt masterfile=/var/db/pfblockerng/masterfile @@ -46,6 +47,7 @@ errorlog=/var/log/pfblockerng/error.log etdir=/var/db/pfblockerng/ET tmpxlsx=/tmp/xlsx/ +pfbdbdir=/var/db/pfblockerng/ pfbdeny=/var/db/pfblockerng/deny/ pfborig=/var/db/pfblockerng/original/ pfbmatch=/var/db/pfblockerng/match/ @@ -65,6 +67,17 @@ syncfile=/tmp/pfbsyncfile matchfile=/tmp/pfbmatchfile tempmatchfile=/tmp/pfbtempmatchfile +PLATFORM=`cat /etc/platform` +USE_MFS_TMPVAR=`/usr/bin/grep -c use_mfs_tmpvar /cf/conf/config.xml` +DISK_NAME=`/bin/df /var/db/rrd | /usr/bin/tail -1 | /usr/bin/awk '{print $1;}'` +DISK_TYPE=`/usr/bin/basename ${DISK_NAME} | /usr/bin/cut -c1-2` + +if [ "${PLATFORM}" != "pfSense" ] || [ ${USE_MFS_TMPVAR} -gt 0 ] || [ "${DISK_TYPE}" = "md" ]; then + /usr/local/bin/php /etc/rc.conf_mount_rw >/dev/null 2>&1 + if [ ! -d $pfbdbdir ]; then mkdir $pfbdbdir; fi + if [ ! -d $pfsense_alias_dir ]; then mkdir $pfsense_alias_dir; fi +fi + if [ ! -f $masterfile ]; then touch $masterfile; fi if [ ! -f $mastercat ]; then touch $mastercat; fi if [ ! -f $tempfile ]; then touch $tempfile; fi 
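Review bot: `USE_MFS_TMPVAR` is empty when `/cf/conf/config.xml` cannot be read (grep prints nothing to stdout), and the unquoted `[ ${USE_MFS_TMPVAR} -gt 0 ]` then aborts the script with a test syntax error before any directory is created; use `[ "${USE_MFS_TMPVAR:-0}" -gt 0 ]` (the same test is copied into exitnow and aliastables later in this diff). `$pfsense_alias_dir` is consumed by `mkdir $pfsense_alias_dir` but is not assigned on any line visible here; if it is not set in the unseen part of the file-locations block, an empty unquoted expansion makes that a bare `mkdir`, which fails. Quote the pipeline variables as well: `DISK_TYPE=$(/usr/bin/basename "${DISK_NAME}" | /usr/bin/cut -c1-2)`.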
@@ -79,6 +92,16 @@ if [ ! -d $pfbmatch ]; then mkdir $pfbmatch; fi if [ ! -d $etdir ]; then mkdir $etdir; fi if [ ! -d $tmpxlsx ]; then mkdir $tmpxlsx; fi + +# Exit Function to set mount RO if required before Exiting +exitnow() { + if [ "${PLATFORM}" != "pfSense" ] || [ ${USE_MFS_TMPVAR} -gt 0 ] || [ "${DISK_TYPE}" = "md" ]; then + /usr/local/bin/php /etc/rc.conf_mount_ro >/dev/null 2>&1 + fi + exit +} + + ########## # Process to condense an IP range if a "Max" amount of IP addresses are found in a /24 range per Alias Group. process24() { @@ -86,7 +109,7 @@ process24() { if [ ! -x $pathgeoip ]; then echo "Process24 - Application [ GeoIP ] Not found. Can't proceed." echo "Process24 - Application [ GeoIP ] Not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi # Download MaxMind GeoIP.dat Binary on first Install. @@ -98,7 +121,7 @@ fi if [ ! -f $pathgeoipdat ]; then echo "Process24 - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed." echo "Process24 - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi count=$(grep -c ^ $pfbdeny$alias".txt") @@ -192,6 +215,7 @@ echo "-------------------------------------------------------" cocount=$(grep -cv "^1\.1\.1\.1" $pfbdeny$alias".txt") echo "Post /24 Count [ $cocount ]"; echo fi +exitnow } @@ -247,6 +271,7 @@ printf "%-10s %-10s %-10s %-30s\n" "Original" "Masterfile" "Outfile" "Sanity Che echo "----------------------------------------------------------" printf "%-10s %-10s %-10s %-30s\n" "$countg" "$countm" "$counto" " [ $sanity ]" echo "----------------------------------------------------------" +exitnow } @@ -257,7 +282,7 @@ suppress() { if [ ! -x $pathgrepcidr ]; then echo "Application [ Grepcidr ] Not found. Can't proceed. [ $now ]" echo "Application [ Grepcidr ] Not found. Can't proceed. [ $now ]" >> errorlog - exit + exitnow fi if [ -e "$pfbsuppression" ] && [ -s "$pfbsuppression" ]; then 
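Review bot: `exitnow` ends with a bare `exit`, so its status is whatever the preceding `if` returned (0 unless the remount failed) and the error sites converted to `exitnow` in this diff — missing GeoIP, grepcidr, gunzip, tar — still report success to the PHP caller exactly as the old `exit` did; since this function now owns script termination it is the place to fix that: `exitnow() { rc=${1:-0}; ...; exit "$rc"; }` with `exitnow 1` at the error paths. The remount condition is the third copy of the platform/MFS test in this file; a single `pfb_is_mfs()` helper would keep them in sync. Quote the expansion: `[ "${USE_MFS_TMPVAR:-0}" -gt 0 ]`.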
@@ -270,7 +295,7 @@ if [ -e "$pfbsuppression" ] && [ -s "$pfbsuppression" ]; then echo; echo "===[ Suppression Stats ]========================================"; echo printf "%-20s %-10s %-10s %-10s %-10s\n" "List" "Pre" "RFC1918" "Suppress" "Masterfile" echo "----------------------------------------------------------------" - exit + exitnow fi for i in $cc; do @@ -342,7 +367,7 @@ else echo "===[ Suppression Stats ]========================================"; echo printf "%-20s %-10s %-10s %-10s %-10s\n" "List" "Pre" "RFC1918" "Suppress" "Masterfile" echo "----------------------------------------------------------------" - exit + exitnow fi for i in $cc; do alias=$(echo "${i%|*}") @@ -372,6 +397,7 @@ else fi done fi +exitnow } @@ -382,7 +408,7 @@ duplicate() { if [ ! -x $pathgrepcidr ]; then echo "Application [ Grepcidr ] Not found. Can't proceed. [ $now ]" echo "Application [ Grepcidr ] Not found. Can't proceed. [ $now ]" >> errorlog - exit + exitnow fi dupcheck=yes @@ -415,6 +441,7 @@ printf "%-10s %-10s %-10s %-30s\n" "Original" "Masterfile" "Outfile" " [ Post Du echo "----------------------------------------------------------" printf "%-10s %-10s %-10s %-30s\n" "$countg" "$countm" "$counto" " [ $sanity ]" echo "----------------------------------------------------------" +exitnow } @@ -425,7 +452,7 @@ deduplication() { if [ ! -x $pathgeoip ]; then echo "d-duplication - Application [ GeoIP ] Not found. Can't proceed." echo "d-duplication - Application [ GeoIP ] Not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi # Download MaxMind GeoIP.dat on first Install. @@ -438,7 +465,7 @@ fi if [ ! -f $pathgeoipdat ]; then echo "d-duplication - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed." echo "d-duplication - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi > $tempfile; > $tempfile2; > $dupfile; > $addfile; > $dedupfile; > $matchfile; > $tempmatchfile; count=0; dcount=0; mcount=0; mmcount=0 
@@ -541,6 +568,7 @@ echo " [ Post d-Deduplication count ] [ $count ]"; echo # Write "1.1.1.1" to empty Final Blocklist Files emptyfiles=$(find $pfbdeny -size 0) for i in $emptyfiles; do echo "1.1.1.1" > $i; done +exitnow } @@ -551,7 +579,7 @@ pdeduplication(){ if [ ! -x $pathgeoip ]; then echo "p-duplication - Application [ GeoIP ] Not found. Can't proceed." echo "p-duplication - Application [ GeoIP ] Not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi # Download MaxMind GeoIP.dat on first Install. @@ -563,7 +591,7 @@ fi if [ ! -f $pathgeoipdat ]; then echo "p-duplication - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed." echo "p-duplication - Database GeoIP [ GeoIP.Dat ] not found. Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi > $tempfile; > $tempfile2; > $dupfile; > $addfile; > $dedupfile; count=0; dcount=0 @@ -616,6 +644,7 @@ echo; echo " [ Post p-Deduplication count ] [ $count ]" # Write "1.1.1.1" to empty Final Blocklist Files emptyfiles=$(find $pfbdeny -size 0) for i in $emptyfiles; do echo "1.1.1.1" > $i; done +exitnow } @@ -626,7 +655,7 @@ processet() { if [ ! -x $pathgunzip ]; then echo "Application [ Gunzip ] Not found, Can't proceed." echo "Application [ Gunzip ] Not found, Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi if [ -s $pfborig$alias".gz" ]; then @@ -714,6 +743,7 @@ if [ -s $pfborig$alias".gz" ]; then else echo; echo "No ET .GZ File Found!" fi +exitnow } # Process to extract IP addresses from XLSX Files @@ -722,7 +752,7 @@ processxlsx() { if [ ! -x $pathtar ]; then echo "Application [ TAR ] Not found, Can't proceed." echo "Application [ TAR ] Not found, Can't proceed. [ $now ]" >> $errorlog - exit + exitnow fi if [ -s $pfborig$alias".zip" ]; then @@ -738,6 +768,7 @@ else echo "XLSX Download File Missing" echo " [ $alias ] XLSX Download File Missing [ $now ]" >> $errorlog fi +exitnow } closingprocess() { 
@@ -856,6 +887,7 @@ echo; echo "pfSense Table Stats"; echo "-------------------" $pathpfctl -s memory | grep "table-entries" pfctlcount=$($pathpfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}') echo "Table Usage Count " $pfctlcount +exitnow } remove() { @@ -883,6 +915,15 @@ emptychk=$(find $masterfile -size 0) if [ ! "$emptychk" == "" ]; then rm -r $masterfile; rm -r $mastercat fi +exitnow +} + +# Process to restore aliasables from archive on reboot ( NanoBSD and Ramdisk Installations only ) +aliastables() { + if [ "${PLATFORM}" != "pfSense" ] || [ ${USE_MFS_TMPVAR} -gt 0 ] || [ "${DISK_TYPE}" = "md" ]; then + [ -f $aliasarchive ] && cd $pfsense_alias_dir && /usr/bin/tar -jxvf $aliasarchive + fi + exitnow } @@ -920,8 +961,11 @@ case $1 in remove) remove ;; + aliastables) + aliastables + ;; *) - exit + exitnow ;; esac -exit
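Review bot: `cd $pfsense_alias_dir && /usr/bin/tar -jxvf $aliasarchive` runs as root from an earlyshellcmd at boot, and because the expansion is unquoted an empty or unset `$pfsense_alias_dir` (it is not assigned on any line visible in this diff) makes that a bare `cd` to `$HOME`, so the archive would be unpacked there instead of the alias directory. Guard and quote both: `[ -n "$pfsense_alias_dir" ] && [ -f "$aliasarchive" ] && cd "$pfsense_alias_dir" && /usr/bin/tar -jxf "$aliasarchive"`. The `-v` flag prints every member to the console on each boot; drop it or redirect to the package log.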
\ No newline at end of file +exitnow
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php index 647017ff..229e084b 100644 --- a/config/pfblockerng/pfblockerng.widget.php +++ b/config/pfblockerng/pfblockerng.widget.php @@ -3,7 +3,7 @@ pfBlockerNG.widget.php pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based Upon pfblocker : diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml index 54c6c061..6f7e34ec 100644 --- a/config/pfblockerng/pfblockerng.xml +++ b/config/pfblockerng/pfblockerng.xml @@ -10,7 +10,7 @@ pfBlockerNG.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense @@ -234,6 +234,7 @@ <fieldname>pfb_keep</fieldname> <type>checkbox</type> <description>Keep Settings and Lists intact when pfBlockerNG is Disabled or After pfBlockerNG Re-Install/De-Install</description> + <default_value>on</default_value> </field> <field> <fielddescr>CRON MIN Start Time</fielddescr> @@ -455,7 +456,7 @@ <fieldname>credits</fieldname> <type>info</type> <description><![CDATA[<strong> - pfBlockerNG</strong> Created in 2014 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a> + pfBlockerNG</strong> Created in 2015 by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=238481'>BBcan177.</a> <br /><br />Based upon pfBlocker by Marcello Coutinho and Tom Schaefer.<br /> Country Database GeoLite distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License by: MaxMind Inc. @ <a target=_new href='http://www.maxmind.com'>MaxMind.com</a>. diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index f03f7040..c67420b9 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php 
@@ -3,14 +3,14 @@ pfBlockerNG_Alerts.php pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for pfSense from the following contributors: Parts based on works from Snort_alerts.php - Copyright (C) 2014 Bill Meeks + Copyright (C) 2015 Bill Meeks All rights reserved. Javascript Hostname Lookup modifications by J. Nieuwenhuizen @@ -41,8 +41,12 @@ // Auto-Resolve Hostnames if (isset($_REQUEST['getpfhostname'])) { - $getpfhostname = htmlspecialchars($_REQUEST['getpfhostname']); - $hostname = htmlspecialchars(gethostbyaddr($getpfhostname), ENT_QUOTES); + $getpfhostname = trim(htmlspecialchars($_REQUEST['getpfhostname'])); + if (strlen($getpfhostname) >= 8) { + $hostname = htmlspecialchars(gethostbyaddr($getpfhostname), ENT_QUOTES); + } else { + $hostname = $getpfhostname; + } if ($hostname == $getpfhostname) { $hostname = 'unknown'; } @@ -52,9 +56,8 @@ if (isset($_REQUEST['getpfhostname'])) { require_once("util.inc"); require_once("guiconfig.inc"); -require_once("filter_log.inc"); require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc"); - +global $rule_list; pfb_global(); // Application Paths @@ -66,6 +69,9 @@ $filter_logfile = "{$g['varlog_path']}/filter.log"; $pathgeoipdat = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIP.dat"; $pathgeoipdat6 = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIPv6.dat"; +// Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package) +$pfb['filterlogentries'] = FALSE; + // Emerging Threats IQRisk Header Name Reference $pfb['et_header'] = TRUE; $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header']; 
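Review bot: The `strlen($getpfhostname) >= 8` guard rejects valid seven-character IPv4 addresses such as `8.8.8.8` or `1.1.1.1` (they take the `else` branch and come back as 'unknown'), while any eight-plus character string still reaches gethostbyaddr(), which warns on a malformed address. Validate the value as an address instead: `$ip = filter_var(trim($_REQUEST['getpfhostname']), FILTER_VALIDATE_IP);` and call `gethostbyaddr($ip)` only when it is not false (is_ipaddr() is not available here because util.inc is required after this block). Running htmlspecialchars() on the input before the lookup is the wrong order — escape the result at output, not the argument to gethostbyaddr().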
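Review bot: `global $rule_list;` at file scope is a no-op — the `global` keyword only has effect inside a function, and a top-level variable is already global — so it does not do whatever was intended. conv_log_filter_lite() later in this diff already declares `global $pfb, $rule_list, $filterfieldsarray;`, which is what actually makes the array visible there; this line can be dropped.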
@@ -88,11 +94,11 @@ $rule_list = array(); $results = array(); $data = exec ("/sbin/pfctl -vv -sr | grep 'pfB_'", $results); -if (empty($config['installedpackages']['pfblockerngglobal']['pfbdenycnt'])) +if (!isset($config['installedpackages']['pfblockerngglobal']['pfbdenycnt'])) $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = '25'; -if (empty($config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'])) +if (!isset($config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = '5'; -if (empty($config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'])) +if (!isset($config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = '5'; if (empty($config['installedpackages']['pfblockerngglobal']['alertrefresh'])) $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = 'off'; 
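Review bot: Switching the three counters from `empty()` to `!isset()` accepts an empty string as a configured value (isset() is true for ''), so if the settings form can save a cleared count field `$pfbdenycnt` becomes `''` and the `$denycnt < $pfbdenycnt` comparisons in conv_log_filter_lite() show no rows instead of falling back to 25/5/5 as before. If the goal is to allow an explicit 0, test numerically: `if (!is_numeric($config['installedpackages']['pfblockerngglobal']['pfbdenycnt']))`.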
@@ -124,6 +130,53 @@ if (is_array($config['installedpackages']['pfblockerngglobal'])) { $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']; } + +function pfb_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + + +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $pfb['filterlogentries'] = TRUE; + + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray[0] = $_POST['filterlogentries_rule'] ? $_POST['filterlogentries_rule'] : null; + $filterfieldsarray[2] = $_POST['filterlogentries_int'] ? $_POST['filterlogentries_int'] : null; + $filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null; + + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[7] = $_POST['filterlogentries_srcip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_srcip']) : null; + $filterfieldsarray[8] = $_POST['filterlogentries_dstip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_dstip']) : null; + + $filterfieldsarray[9] = $_POST['filterlogentries_srcport'] ? $_POST['filterlogentries_srcport'] : null; + $filterfieldsarray[10] = $_POST['filterlogentries_dstport'] ? $_POST['filterlogentries_dstport'] : null; + $filterfieldsarray[99] = $_POST['filterlogentries_date'] ? 
$_POST['filterlogentries_date'] : null; +} + + +if ($_POST['filterlogentries_clear']) { + $pfb['filterlogentries'] = TRUE; + $filterfieldsarray = array(); +} + + // Collect pfBlockerNG Firewall Rules if (!empty($results)) { foreach ($results as $result) { 
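Review bot: pfb_match_filter_field() compiles each user-supplied filter directly into `@preg_match("/{$field_regex}/i", ...)`, so an invalid pattern or one that trips the backtrack limit returns false and is treated as "no match" — the alerts view goes blank with no indication that the filter itself is broken. Validate each field once when the form is submitted (`@preg_match("/{$field_regex}/i", '') === false` → report it and ignore that filter) and surface `preg_last_error()` instead of swallowing it. `$filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null;` uses strtolower() only as a truthiness test, so the stored value is never lowercased; drop the call or assign its result. The page is presumably admin-only, so the regex is trusted input in practice — this is robustness rather than exposure.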
@@ -293,6 +346,112 @@ function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") { } +// Parse Filter log for pfBlockerNG Alerts +function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) { + global $pfb, $rule_list, $filterfieldsarray; + $fields_array = array(); + $logarr = ""; + $denycnt = 0; + $permitcnt = 0; + $matchcnt = 0; + + if (file_exists($logfile)) { + exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . " | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/grep 'filterlog:' | /usr/bin/tail -r -n {$tail}", $logarr); + } + else return; + + if (!empty($logarr) && !empty($rule_list['id'])) { + foreach ($logarr as $logent) { + $pfbalert = array(); + $log_split = ""; + + if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split)) + continue; + + list($all, $pfbalert[99], $host, $rule) = $log_split; + $rule_data = explode(",", $rule); + $pfbalert[0] = $rule_data[0]; // Rulenum + + // Skip Alert if Rule is not a pfBNG Alert + if (!in_array($pfbalert[0], $rule_list['id'])) + continue; + + $pfbalert[1] = $rule_data[4]; // Realint + $pfbalert[3] = $rule_data[6]; // Act + $pfbalert[4] = $rule_data[8]; // Version + + if ($pfbalert[4] == "4") { + $pfbalert[5] = $rule_data[15]; // Protocol ID + $pfbalert[6] = $rule_data[16]; // Protocol + $pfbalert[7] = $rule_data[18]; // SRC IP + $pfbalert[8] = $rule_data[19]; // DST IP + $pfbalert[9] = $rule_data[20]; // SRC Port + $pfbalert[10] = $rule_data[21]; // DST Port + $pfbalert[11] = $rule_data[23]; // TCP Flags + } else { + $pfbalert[5] = $rule_data[13]; // Protocol ID + $pfbalert[6] = $rule_data[12]; // Protocol + $pfbalert[7] = $rule_data[15]; // SRC IP + $pfbalert[8] = $rule_data[16]; // DST IP + $pfbalert[9] = $rule_data[17]; // SRC Port + $pfbalert[10] = $rule_data[18]; // DST Port + $pfbalert[11] = $rule_data[20]; // TCP Flags + } + + if ($pfbalert[5] == "6" || $pfbalert[5] == "17") { + // skip + } else { + $pfbalert[9] = ""; + $pfbalert[10] = ""; + 
$pfbalert[11] = ""; + } + + // Skip Repeated Alerts + if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) + continue; + + $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name + $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags + + // If Alerts Filtering is selected, process Filters as required. + if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) { + continue; + } + + if ($pfbalert[3] == "block") { + if ($denycnt < $pfbdenycnt) { + $fields_array['Deny'][] = $pfbalert; + $denycnt++; + } + } + elseif ($pfbalert[3] == "pass") { + if ($permitcnt < $pfbpermitcnt) { + $fields_array['Permit'][] = $pfbalert; + $permitcnt++; + } + } + elseif ($pfbalert[3] == "unkn(%u)" || $pfbalert[3] == "unkn(11)") { + if ($matchcnt < $pfbmatchcnt) { + $fields_array['Match'][] = $pfbalert; + $matchcnt++; + } + } + + // Exit function if Sufficinet Matches found. + if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) { + unset ($pfbalert, $logarr); + return $fields_array; + } + + // Collect Details for Repeated Alert Comparison + $previous_srcip = $pfbalert[3] . $pfbalert[7] . $pfbalert[9]; + $previous_dstip = $pfbalert[3] . $pfbalert[8] . $pfbalert[10]; + } + unset ($pfbalert, $logarr); + return $fields_array; + } +} + $pgtitle = gettext("pfBlockerNG: Alerts"); include_once("head.inc"); ?> @@ -341,7 +500,7 @@ if ($savemsg) { </tr> <tr> <td><div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="4"> <tr> <td colspan="3" class="vncell" align="left"><?php echo gettext("LINKS :"); ?> <a href='/firewall_aliases.php' target="_blank"><?php echo gettext("Firewall Alias"); ?></a> 
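Review bot: In conv_log_filter_lite() `$tail` is interpolated unescaped into the shell command (`/usr/bin/tail -r -n {$tail}`) while `$logfile` is wrapped in escapeshellarg(); the visible caller passes a computed line count, but since it is a parameter, cast it at the top (`$tail = (int)$tail;`) so no future caller can turn it into a shell argument. `$previous_dstip` and `$previous_srcip` are read on the first iteration before they are ever assigned — initialise both to `''` next to the counters. `str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6])` passes `$pfbalert[6]` as the by-reference `$count` argument, which only works because the assignment overwrites it afterwards; drop the fourth argument.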
@@ -369,6 +528,70 @@ if ($savemsg) { <?php printf(gettext("Currently Suppressing %s$pfbsupp_cnt%s Hosts."), '<strong>', '</strong>');?> </td> </tr> + <tr> + <td colspan="3" class="listtopic"><?php echo gettext("Alert Log View Filter"); ?></td> + </tr> + <tr id="filter_enable_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "table-row;";} else {echo "none;";} ?>"> + <td width="10%" class="vncell"><?php echo gettext('Filter Options'); ?></td> + <td width="90%" class="vtable"> + <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" /> + <?=gettext("Click to display advanced filtering options dialog");?> + </td> + </tr> + <tr id="filter_options_row" style="display:<?php if (!$pfb['filterlogentries']) {echo "none;";} else {echo "table-row;";} ?>"> + <td colspan="2"> + <table width="100%" border="0" cellspacing="0" cellpadding="1" summary="action"> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Date");?></div> + <div align="center"><input id="filterlogentries_date" name="filterlogentries_date" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[99] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Interface");?></div> + <div align="center"><input id="filterlogentries_int" name="filterlogentries_int" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[2] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Rule Number Only");?></div> + <div align="center"><input id="filterlogentries_rule" name="filterlogentries_rule" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[0] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Protocol");?></div> + <div align="center"><input id="filterlogentries_proto" name="filterlogentries_proto" class="formfld search" type="text" size="15" value="<?= $filterfieldsarray[6] ?>" /></div> + 
</td> + </tr> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Source IP Address");?></div> + <div align="center"><input id="filterlogentries_srcip" name="filterlogentries_srcip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[7] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Source Port");?></div> + <div align="center"><input id="filterlogentries_srcport" name="filterlogentries_srcport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination IP Address");?></div> + <div align="center"><input id="filterlogentries_dstip" name="filterlogentries_dstip" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination Port");?></div> + <div align="center"><input id="filterlogentries_dstport" name="filterlogentries_dstport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[10] ?>" /></div> + </td> + </tr> + <td colspan="5" style="vertical-align:bottom"> + <br /><?printf(gettext('Regex Style Matching Only! %1$s Regular Expression Help link%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?> <?=gettext("Precede with exclamation (!) as first character to exclude match.) 
");?> + <br /><?printf(gettext("Example: ( ^80$ - Match Port 80, ^80$|^8080$ - Match both port 80 & 8080 ) "));?><br /> + </tr> + <tr> + <td colspan="1" style="vertical-align:bottom"> + <div align="left"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Apply Filter");?>" title="<?=gettext("Apply filter"); ?>" /> + <input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" /> + <input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div> + </td> + </tr> + </table> + </td> + </tr> + <!--Create Three Output Windows 'Deny', 'Permit' and 'Match'--> <?php foreach (array ("Deny" => $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): switch($type) { 
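Review bot: The filter inputs echo `$filterfieldsarray[...]` back into `value="..."` attributes unescaped (`value="<?= $filterfieldsarray[99] ?>"` and the other eight), and those values come straight from `$_POST` in the handler earlier in this diff, so a submitted value containing `"><script>` is reflected into the page — a POST-based reflected XSS on the alerts page. Escape each one: `value="<?= htmlspecialchars($filterfieldsarray[99], ENT_QUOTES) ?>"`. The help row's `<?printf(gettext(` uses the short open tag, which only works when short_open_tag is enabled; use `<?php printf(` like the rest of the file.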
@@ -394,16 +617,9 @@ if ($savemsg) { <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> <tr> <!--Print Table Info--> - <td colspan="2" class="listtopic"><?php printf(gettext(" {$type} - Last %s Alert Entries."), "{$pfbentries}"); ?> - <?php if ($pfb['pfsenseversion'] >= '2.2'): ?> - <?php if (!is_array($config['syslog']) || !array_key_exists("reverse", $config['syslog'])): ?> - <?php echo gettext("Firewall Logs must be in Reverse Order."); ?> - <?php endif; ?> - <?php else: ?> - <?php echo gettext("Firewall Rule changes can unsync these Alerts."); ?> - <?php if (!is_array($config['syslog']) || !array_key_exists("reverse", $config['syslog'])): ?> - <?php echo gettext("Firewall Logs must be in Reverse Order."); ?> - <?php endif; ?> + <td colspan="2" class="listtopic"><?php printf(gettext(" {$type} - Last %s Alert Entries."),"{$pfbentries}"); ?> + <?php if ($type == "Deny"): ?> + <?php echo gettext("Firewall Rule changes can unsync these Alerts."); ?> <?php endif; ?> </td> </tr> @@ -411,12 +627,12 @@ if ($savemsg) { <td width="100%" colspan="2"> <table id="pfbAlertsTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0"> <colgroup> - <col width="8%" align="center" axis="date"> + <col width="7%" align="center" axis="date"> <col width="6%" align="center" axis="string"> - <col width="16%" align="center" axis="string"> + <col width="15%" align="center" axis="string"> <col width="6%" align="center" axis="string"> - <col width="20%" align="center" axis="string"> - <col width="20%" align="center" axis="string"> + <col width="21%" align="center" axis="string"> + <col width="21%" align="center" axis="string"> <col width="3%" align="center" axis="string"> <col width="13%" align="center" axis="string"> </colgroup> 
@@ -450,9 +666,9 @@ if ($pfb['runonce']) { } else { $pfblines = (exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^") /2 ); } - $fields_array = conv_log_filter($filter_logfile, $pfblines, $pfblines); - $continents = array('pfB_Africa','pfB_Antartica','pfB_Asia','pfB_Europe','pfB_NAmerica','pfB_Oceania','pfB_SAmerica','pfB_Top'); + $fields_array = conv_log_filter_lite($filter_logfile, $pfblines, $pfblines, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt); + $continents = array('pfB_Africa','pfB_Antartica','pfB_Asia','pfB_Europe','pfB_NAmerica','pfB_Oceania','pfB_SAmerica','pfB_Top'); $supp_ip_txt .= "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24"; $supp_ip_txt .= " CIDR.\nThe Host will be added to the pfBlockerNG Suppress Alias Table.\n\nOnly 32 or 24 CIDR IPs can be Suppressed with the '+' Icon."; @@ -473,7 +689,10 @@ if ($pfb['runonce']) { // Collect Virtual IP Aliases for Inbound/Outbound List Matching if (is_array($config['virtualip']['vip'])) { foreach ($config['virtualip']['vip'] as $list) { - $pfb_local[] = $list['subnet']; + if ($list['type'] == "single" && $list['subnet_bits'] == "32") + $pfb_local[] = $list['subnet']; + elseif ($list['type'] == "single" || $list['type'] == "network") + $pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local); } } // Collect NAT IP Addresses for Inbound/Outbound List Matching 
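Review bot: `array_merge(subnet_expand("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local)` materialises every host of a network-type VIP into `$pfb_local`; a /16 adds 65k strings and anything wider will exhaust the PHP memory limit, and the `in_array($fields[8], $pfb_local)` check later in this file then scans that list for every alert row. Keep the subnet as a string and test membership with pfSense's `ip_in_subnet($fields[8], "{$list['subnet']}/{$list['subnet_bits']}")` in the matching loop instead of expanding it. subnet_expand() is a pfSense helper not visible here; if it only handles IPv4, an IPv6 single VIP with `subnet_bits` of 128 also lands in the expand branch, so gate it with `is_ipaddrv4()`.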
@@ -514,30 +733,31 @@ if ($pfb['runonce']) { $counter = 0; // Process Fields_array and generate Output -if (!empty($fields_array)) { - foreach ($fields_array as $fields) { +if (!empty($fields_array[$type]) && !empty($rule_list)) { + $key = 0; + foreach ($fields_array[$type] as $fields) { $rulenum = ""; $alert_ip = ""; $supp_ip = ""; $pfb_query = ""; - $rulenum = $fields['rulenum']; - if ($fields['act'] == $rtype && !empty($rule_list) && in_array($rulenum, $rule_list['id']) && $counter < $pfbentries) { - - // Skip Repeated Events - if (($fields['dstip'] . $fields['dstport']) == $previous_dstip || ($fields['srcip'] . $fields['srcport']) == $previous_srcip) { - continue; - } - - $proto = str_replace("TCP", "TCP-", $fields['proto']) . $fields['tcpflags']; + /* Fields_array Reference [0] = Rulenum [6] = Protocol + [1] = Real Interface [7] = SRC IP + [2] = Friendly Interface Name [8] = DST IP + [3] = Action [9] = SRC Port + [4] = Version [10] = DST Port + [5] = Protocol ID [11] = Flags + [99] = Timestamp */ + $rulenum = $fields[0]; + if ($counter < $pfbentries) { // Cleanup Port Output - if ($fields['proto'] == "ICMP") { - $srcport = $fields['srcport']; - $dstport = $fields['dstport']; + if ($fields[6] == "ICMP" || $fields[6] == "ICMPV6") { + $srcport = ""; + $dstport = ""; } else { - $srcport = " :" . $fields['srcport']; - $dstport = " :" . $fields['dstport']; + $srcport = ":" . $fields[9]; + $dstport = ":" . $fields[10]; } // Don't add Suppress Icon to Country Block Lines 
@@ -546,16 +766,10 @@ if (!empty($fields_array)) { } // Add DNS Resolve and Suppression Icons to External IPs only. GeoIP Code to External IPs only. - if (in_array($fields['dstip'], $pfb_local) || check_lan_dest($lan_ip,$lan_mask,$fields['dstip'],"32")) { + if (in_array($fields[8], $pfb_local) || check_lan_dest($lan_ip,$lan_mask,$fields[8],"32")) { // Destination is Gateway/NAT/VIP $rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")"; - $host = $fields['srcip']; - - if (is_ipaddrv4($host)) { - $country = substr(exec("$pathgeoip -f $pathgeoipdat $host"),23,2); - } else { - $country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2); - } + $host = $fields[7]; $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\" " . gettext("Resolve host via Rev. DNS lookup"); $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" "; 
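Review bot: `$host = $fields[7];` now takes the source address from the positional log fields and two lines later it is interpolated raw into the `href` of the reverse-DNS link; the value originates from the firewall log rather than from config, so emit it as `htmlspecialchars(urlencode($host))` (or skip the row unless `is_ipaddr($host)`) instead of trusting the parser. The country lookup removed from this branch is fine only if the shared lookup added further down runs for both the inbound and outbound cases. The enclosing loop starts and ends outside the hunk.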
@@ -563,30 +777,22 @@ if (!empty($fields_array)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; - $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\""; + $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { - $hostname = getpfbhostname('src', $fields['srcip'], $counter); + $hostname = getpfbhostname('src', $fields[7], $counter); } else { $hostname = ""; } - $src_icons = $alert_ip . " " . $supp_ip . " "; - $dst_icons = ""; - $scc = $country; - $dcc = ""; + $src_icons = $alert_ip . " " . $supp_ip . " "; + $dst_icons = ""; } else { // Outbound $rule = $rule_list[$rulenum]['name'] . "<br />(" . $rulenum .")"; - $host = $fields['dstip']; - - if (is_ipaddrv4($host)) { - $country = substr(exec("$pathgeoip -f $pathgeoipdat $host"),23,2); - } else { - $country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2); - } + $host = $fields[8]; $alert_ip .= "<a href='/pfblockerng/pfblockerng_diag_dns.php?host={$host}' title=\"" . gettext("Resolve host via Rev. DNS lookup"); $alert_ip .= "\"> <img src=\"/themes/{$g['theme']}/images/icons/icon_log.gif\" width=\"11\" height=\"11\" border=\"0\" "; 
@@ -594,20 +800,25 @@ if (!empty($fields_array)) { if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= "<input type='image' name='addsuppress[]' onclick=\"hostruleid('{$host}','{$rule_list[$rulenum]['name']}');\" "; - $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" title=\""; + $supp_ip .= "src=\"../themes/{$g['theme']}/images/icons/icon_pass_add.gif\" title=\""; $supp_ip .= gettext($supp_ip_txt) . "\" border=\"0\" width='11' height='11'/>"; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { - $hostname = getpfbhostname('dst', $fields['dstip'], $counter); + $hostname = getpfbhostname('dst', $fields[8], $counter); } else { $hostname = ""; } - $src_icons = ""; - $dst_icons = $alert_ip . " " . $supp_ip . " "; - $scc = ""; - $dcc = $country; + $src_icons = ""; + $dst_icons = $alert_ip . " " . $supp_ip . " "; + } + + // Determine Country Code of Host + if (is_ipaddrv4($host)) { + $country = substr(exec("$pathgeoip -f $pathgeoipdat $host"),23,2); + } else { + $country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2); } # IP Query Grep Exclusion 
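Review bot: In the new "Determine Country Code" block the `else` branch runs `exec("$pathgeoip6 -f $pathgeoipdat6 $host")` for any `$host` that is not IPv4, without confirming it is an IPv6 address and without `escapeshellarg()`; if the log parser ever yields an unexpected token in field 7/8 it lands directly in a shell command. Use `} elseif (is_ipaddrv6($host)) {`, pass `escapeshellarg($host)` in both branches, and leave `$country` empty otherwise. The enclosing loop starts and ends outside the hunk.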
@@ -615,21 +826,19 @@ if (!empty($fields_array)) { $pfb_ex2 = "grep -v 'pfB\_\|/32\|/24\|\_v6\.txt' | grep -m1 '/'"; // Find List which contains Blocked IP Host - if ($pfb_query == "Country") { - # Skip - } else { + if (is_ipaddrv4($host) && $pfb_query != "Country") { // Search for exact IP Match $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.$4\'', $host); - $pfb_query = exec("grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' | {$pfb_ex1}"); + $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' | {$pfb_ex1}"); // Search for IP in /24 CIDR if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.0/24\'', $host); - $pfb_query = exec("grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); + $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); } // Search for First Two IP Octets in CIDR Matches Only. Skip any pfB (Country Lists) or /32,/24 Addresses. if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.\'', $host); - $pfb_query = exec("grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); + $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Search for First Two IP Octets in CIDR Matches Only (Subtract 1 from second Octet on each loop). // Skip (Country Lists) or /32,/24 Addresses. 
@@ -638,7 +847,7 @@ if (!empty($fields_array)) { $host2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '$2', $host); for ($cnt = 1; $cnt <= 5; $cnt++) { $host3 = $host2 - $cnt . '\''; - $pfb_query = exec("grep -rH {$host1}{$host3} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); + $pfb_query = exec("/usr/bin/grep -rH {$host1}{$host3} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); // Break out of loop if found. if (!empty($pfb_query)) $cnt = 6; 
@@ -647,26 +856,30 @@ if (!empty($fields_array)) { // Search for First Three Octets if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.$3\.\'', $host); - $pfb_query = exec("grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); + $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Search for First Two Octets if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.\'', $host); - $pfb_query = exec("grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); + $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Report Specific ET IQRisk Details if ($pfb['et_header'] && preg_match("/{$et_header}/", $pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.$4\'', $host); - $pfb_query = exec("grep -Hm1 {$host1} {$pfb['etdir']}/* | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' -e 's/ET_/ET IPrep /' "); + $pfb_query = exec("/usr/bin/grep -Hm1 {$host1} {$pfb['etdir']}/* | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' -e 's/ET_/ET IPrep /' "); if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1.$2.$3.0/24\'', $host); - $pfb_query = exec("grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); + $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); } } - // Default to "No Match" if not found. 
- if (empty($pfb_query)) - $pfb_query = "No Match"; } + elseif (is_ipaddrv6($host) && $pfb_query != "Country") { + $pfb_query = exec("/usr/bin/grep -Hm1 {$host} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); + } + + // Default to "No Match" if not found. + if (empty($pfb_query)) + $pfb_query = "No Match"; # Split List Column into Two lines. unset ($pfb_match); @@ -681,9 +894,19 @@ if (!empty($fields_array)) { } } - $pfb_matchtitle = "Country Block Rules cannot be suppressed.\n\nTo allow a particular Country IP, either remove the particular Country or add the Host\nto a Permit Alias in the Firewall Tab.\n\nIf the IP is not listed beside the List, this means that the Block is a /32 entry.\nOnly /32 or /24 CIDR Hosts can be suppressed.\n\nIf (Duplication) Checking is not enabled. You may see /24 and /32 CIDR Blocks for a given blocked Host"; + // Add []'s to IPv6 Addresses and add a zero-width space as soft-break opportunity after each colon if we have an IPv6 address (from Snort) + if ($fields[4] == "6") { + $fields[97] = "[" . str_replace(":", ":​", $fields[7]) . "]"; + $fields[98] = "[" . str_replace(":", ":​", $fields[8]) . "]"; + } + else { + $fields[97] = $fields[7]; + $fields[98] = $fields[8]; + } // Truncate Long List Names + $pfb_matchtitle = "Country Block Rules cannot be suppressed.\n\nTo allow a particular Country IP, either remove the particular Country or add the Host\nto a Permit Alias in the Firewall Tab.\n\nIf the IP is not listed beside the List, this means that the Block is a /32 entry.\nOnly /32 or /24 CIDR Hosts can be suppressed.\n\nIf (Duplication) Checking is not enabled. You may see /24 and /32 CIDR Blocks for a given blocked Host"; + if (strlen($pfb_match[1]) >= 17) { $pfb_matchtitle = $pfb_match[1]; $pfb_match[1] = substr($pfb_match[1], 0, 16) . '...'; 
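Review bot: The new IPv6 branch runs `grep -Hm1 {$host} {$pfbfolder}` without `-r`, unlike every IPv4 search above which uses `grep -rHm1`; if `$pfbfolder` is a directory, as the `-r` elsewhere suggests, this grep fails with "Is a directory" and the lookup silently reports "No Match". `$host` has passed `is_ipaddrv6()` but is still interpolated unquoted; wrap it as `escapeshellarg($host)` to match the quoting the IPv4 patterns get from their `preg_replace`. The unanchored pattern also matches longer addresses that merely contain it (`::1` inside `2001::1`), so consider anchoring with a leading `^`. The enclosing loop starts and ends outside the hunk.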
@@ -691,31 +914,28 @@ if (!empty($fields_array)) { // Print Alternating Line Shading if ($pfb['pfsenseversion'] > '2.0') { - $alertRowEvenClass = "listMReven"; - $alertRowOddClass = "listMRodd"; + $alertRowEvenClass = "listMReven"; + $alertRowOddClass = "listMRodd"; } else { - $alertRowEvenClass = "listr"; - $alertRowOddClass = "listr"; + $alertRowEvenClass = "listr"; + $alertRowOddClass = "listr"; } - // Collect Details for Repeated Alert Comparison - $previous_srcip = $fields['srcip'] . $fields['srcport']; - $previous_dstip = $fields['dstip'] . $fields['dstport']; - $countrycode = trim($scc . $dcc); - $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass; echo "<tr class='{$alertRowClass}'> - <td class='listMRr' align='center'>{$fields['time']}</td> - <td class='listMRr' align='center'>{$fields['interface']}</td> + <td class='listMRr' align='center'>{$fields[99]}</td> + <td class='listMRr' align='center'>{$fields[2]}</td> <td class='listMRr' align='center' title='The pfBlockerNG Rule that Blocked this Host.'>{$rule}</td> - <td class='listMRr' align='center'>{$proto}</td> - <td nowrap='nowrap' class='listMRr' align='center' style='sorttable_customkey:{$fields['srcip']};' sorttable_customkey='{$fields['srcip']}'>{$src_icons}{$fields['srcip']}{$srcport}<br /><small>{$hostname['src']}</small></td> - <td nowrap='nowrap' class='listMRr' align='center' style='sorttable_customkey:{$fields['dstip']};' sorttable_customkey='{$fields['dstip']}'>{$dst_icons}{$fields['dstip']}{$dstport}<br /><small>{$hostname['dst']}</small></td> - <td class='listMRr' align='center'>{$countrycode}</td> + <td class='listMRr' align='center'>{$fields[6]}</td> + <td class='listMRr' align='center' style='sorttable_customkey:{$fields[7]};' sorttable_customkey='{$fields[7]}'>{$src_icons}{$fields[97]}{$srcport}<br /><small>{$hostname['src']}</small></td> + <td class='listMRr' align='center' style='sorttable_customkey:{$fields[8]};' 
sorttable_customkey='{$fields[8]}'>{$dst_icons}{$fields[98]}{$dstport}<br /><small>{$hostname['dst']}</small></td> + <td class='listMRr' align='center'>{$country}</td> <td class='listbg' align='center' title='{$pfb_matchtitle}' style=\"font-size: 10px word-wrap:break-word;\">{$pfb_match[1]}<br />{$pfb_match[2]}</td></tr>"; $counter++; if ($counter > 0 && $rtype == "block") { $mycounter = $counter; + } else { + $mycounter = 0; } } } @@ -725,6 +945,7 @@ if (!empty($fields_array)) { </table> </table> <?php endforeach; ?> <!--End - Create Three Output Windows 'Deny', 'Permit' and 'Match'--> +<?php unset ($fields_array); ?> </td></tr> </table> @@ -762,9 +983,22 @@ function findhostnames(counter) { ) } -var lines = <?php echo $mycounter; ?>; -for (alertcount = 0; alertcount < lines; alertcount++) { - setTimeout(findhostnames(alertcount), 30); +var alertlines = <?php echo $mycounter; ?>; +var autoresolve = "<?php echo $config['installedpackages']['pfblockerngglobal']['hostlookup']; ?>"; +if ( autoresolve == "on" ) { + for (alertcount = 0; alertcount < alertlines; alertcount++) { + setTimeout(findhostnames(alertcount), 30); + } +} + +function enable_showFilter() { + document.getElementById("filter_enable_row").style.display="none"; + document.getElementById("filter_options_row").style.display="table-row"; +} + +function enable_hideFilter() { + document.getElementById("filter_enable_row").style.display="table-row"; + document.getElementById("filter_options_row").style.display="none"; } //]]> diff --git a/config/pfblockerng/pfblockerng_diag_dns.php b/config/pfblockerng/pfblockerng_diag_dns.php index b2f07464..b44bc71c 100644 --- a/config/pfblockerng/pfblockerng_diag_dns.php +++ b/config/pfblockerng/pfblockerng_diag_dns.php @@ -3,7 +3,7 @@ pfBlockerNG_diag_dns.php pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Original Code by: 
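Review bot: The rebuilt `echo` writes `$fields[99]`, `$fields[2]`, `$fields[6]`, `$fields[97]`/`$fields[98]` and `$country` straight into table cells and into the `sorttable_customkey` attributes without `htmlspecialchars()`; these values are parsed from the firewall log and from `exec()` output rather than from trusted config, so escape each interpolated value, e.g. `htmlspecialchars($fields[2])`, before assembling the row. The new `else { $mycounter = 0; }` means the counter handed to the JavaScript reflects only the last output window rendered, which deserves a one-line comment. The enclosing loop starts outside this hunk.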
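Review bot: `var autoresolve = "<?php echo $config['installedpackages']['pfblockerngglobal']['hostlookup']; ?>";` echoes a config value into a JavaScript string literal unescaped, and `var alertlines = <?php echo $mycounter; ?>;` produces `var alertlines = ;`, a syntax error that disables the whole script block, if `$mycounter` is never assigned (it is only set inside the row loop, unless initialised earlier in the file). Emit both through `json_encode()`: `var alertlines = <?php echo json_encode((int)$mycounter); ?>;` and `var autoresolve = <?php echo json_encode($config['installedpackages']['pfblockerngglobal']['hostlookup']); ?>;`.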
@@ -47,11 +47,11 @@ if (is_array($config['aliases']['alias'])) { } $aliasname = str_replace(array(".","-"), "_", $host); $alias_exists = false; -$counter=0; -foreach($a_aliases as $a) { - if($a['name'] == $aliasname) { +$counter = 0; +foreach ($a_aliases as $a) { + if ($a['name'] == $aliasname) { $alias_exists = true; - $id=$counter; + $id = $counter; } $counter++; } @@ -65,36 +65,39 @@ if ($pfs_version > '2.2') { $cmd = '/usr/bin/dig'; } - -if(isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) { - if($_POST['override']) +if (isset($_POST['create_alias']) && (is_hostname($host) || is_ipaddr($host))) { + if ($_POST['override']) { $override = true; + } $resolved = gethostbyname($host); $type = "hostname"; - if($resolved) { + if ($resolved) { $resolved = array(); exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); $isfirst = true; - foreach($resolved as $re) { - if($re <> "") { - if(!$isfirst) + foreach ($resolved as $re) { + if ($re <> "") { + if (!$isfirst) { $addresses .= " "; + } $addresses .= rtrim($re) . "/32"; $isfirst = false; } } $newalias = array(); - if($override) + if ($override) { $alias_exists = false; - if($alias_exists == false) { + } + if ($alias_exists == false) { $newalias['name'] = $aliasname; $newalias['type'] = "network"; $newalias['address'] = $addresses; $newalias['descr'] = "Created from Diagnostics-> DNS Lookup"; - if($override) + if ($override) { $a_aliases[$id] = $newalias; - else + } else { $a_aliases[] = $newalias; + } write_config(); $createdalias = true; } 
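Review bot: In the alias-creation path every non-empty `$re` line of `dig` output is appended as `rtrim($re) . "/32"` without checking that it is an address; a CNAME in the answer section puts a hostname in awk's fifth column, which would then be persisted as `name/32` inside a network alias by `write_config()`. Guard the append with `if ($re <> "" && is_ipaddrv4(trim($re)))` (the query asks for `A` records only). `$host_esc` is built outside this hunk and must be the `escapeshellarg()`'d form of `$host`, since it is interpolated into two shell pipelines here. The enclosing `if (isset($_POST['create_alias']) …)` block ends outside the hunk.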
@@ -118,8 +121,9 @@ if ($_POST) { exec("/usr/bin/grep nameserver /etc/resolv.conf | /usr/bin/cut -f2 -d' '", $dns_servers); foreach ($dns_servers as $dns_server) { $query_time = exec("{$cmd} {$host_esc} " . escapeshellarg("@" . trim($dns_server)) . " | /usr/bin/grep Query | /usr/bin/cut -d':' -f2"); - if($query_time == "") + if ($query_time == "") { $query_time = gettext("No response"); + } $new_qt = array(); $new_qt['dns_server'] = $dns_server; $new_qt['query_time'] = $query_time; @@ -137,18 +141,20 @@ if ($_POST) { $type = "ip"; $resolved = gethostbyaddr($host); $ipaddr = $host; - if ($host != $resolved) + if ($host != $resolved) { $hostname = $resolved; + } } elseif (is_hostname($host)) { $type = "hostname"; $resolved = gethostbyname($host); - if($resolved) { + if ($resolved) { $resolved = array(); exec("{$cmd} {$host_esc} A | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); } $hostname = $host; - if ($host != $resolved) + if ($host != $resolved) { $ipaddr = $resolved[0]; + } } if ($host == $resolved) { @@ -157,6 +163,11 @@ if ($_POST) { } } +if ( ($_POST['host']) && ($_POST['dialog_output']) ) { + display_host_results ($host,$resolved,$dns_speeds); + exit; +} + function display_host_results ($address,$hostname,$dns_speeds) { $map_lengths = function($element) { return strlen($element[0]); }; 
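Review bot: The new early-exit `if (($_POST['host']) && ($_POST['dialog_output']))` calls `display_host_results()` whenever the raw POST fields are present, without consulting `$input_errors`; if the earlier validation (outside this hunk) records a bad host in `$input_errors` rather than clearing `$host`, the dialog path should bail first, e.g. `if ($_POST['host'] && $_POST['dialog_output'] && empty($input_errors))`. `$resolved` is an array for hostname lookups and a string for PTR lookups, so `display_host_results()` must accept both; its body runs past this hunk.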
@@ -179,12 +190,12 @@ function display_host_results ($address,$hostname,$dns_speeds) { include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="pfblockerng diag dns"> <tr> <td> <?php if ($input_errors) print_input_errors($input_errors); ?> <form action="/pfblockerng/pfblockerng_diag_dns.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="tabcont"> <tr> <td colspan="2" valign="top" class="listtopic"> <?=gettext("Resolve DNS hostname or IP");?></td> </tr> 
@@ -192,68 +203,67 @@ include("head.inc"); ?> <td width="22%" valign="top" class="vncellreq"><?=gettext("Hostname or IP");?></td> <td width="78%" class="vtable"> <?=$mandfldhtml;?> - <table> + <table summary="results"> <tr><td valign="top"> - <input name="host" type="text" class="formfld" id="host" size="20" value="<?=htmlspecialchars($host);?>"> + <input name="host" type="text" class="formfld unknown" id="host" size="20" value="<?=htmlspecialchars($host);?>"> </td> - <td> <?php if ($resolved && $type) { ?> - = <font size="+1"> + <td valign="middle"> = </td><td> + <font size="+1"> <?php $found = 0; - if(is_array($resolved)) { - foreach($resolved as $hostitem) { - if($hostitem <> "") { - echo $hostitem . "<br/>"; + if (is_array($resolved)) { + foreach ($resolved as $hostitem) { + if ($hostitem <> "") { + echo $hostitem . "<br />"; $found++; } } } else { - echo $resolved; - } - if($found > 0) { ?> - <br/><font size='-2'> - <?PHP if($alias_exists) { ?> + echo $resolved; + } + if ($found > 0) { ?> + <br /></font><font size='-2'> + <?php if ($alias_exists) { ?> An alias already exists for the hostname <?= htmlspecialchars($host) ?>. <br /> <input type="hidden" name="override" value="true"/> <input type="submit" name="create_alias" value="Overwrite Alias"/> - <?PHP } else { - if(!$createdalias) { ?> + <?php } else { + if (!$createdalias) { ?> <input type="submit" name="create_alias" value="Create Alias from These Entries"/> - <?PHP } else { ?> + <?php } else { ?> Alias created with name <?= htmlspecialchars($newalias['name']) ?> - <?PHP } + <?php } } } ?> - <font size="-1"> - <? 
} ?> - </td></tr></table> - </td> + <?php } ?> + </font></td></tr></table> + </td> </tr> -<?php if($_POST): ?> +<?php if ($_POST): ?> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td> - <td width="78%" class="vtable"> - <table width="170" border="1" cellpadding="2" style="border-width: 1px 1px 1px 1px; border-collapse: collapse;"> + <td width="22%" valign="top" class="vncell"><?=gettext("Resolution time per server");?></td> + <td width="78%" class="vtable"> + <table width="170" border="0" cellpadding="6" cellspacing="0" summary="resolution time"> <tr> - <td> - <b><?=gettext("Server");?></b> + <td class="listhdrr"> + <?=gettext("Server");?> </td> - <td> - <b><?=gettext("Query time");?></b> + <td class="listhdrr"> + <?=gettext("Query time");?> </td> </tr> <?php - if(is_array($dns_speeds)) - foreach($dns_speeds as $qt): + if (is_array($dns_speeds)) + foreach ($dns_speeds as $qt): ?> <tr> - <td> + <td class="listlr"> <?=$qt['dns_server']?> </td> - <td> + <td class="listr"> <?=$qt['query_time']?> </td> </tr> 
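Review bot: `echo $hostitem . "<br />";` and `echo $resolved;` print resolver output straight into the page: `$hostitem` is a column of `dig` output and `$resolved` in the PTR case is whatever `gethostbyaddr()` returns, i.e. a name chosen by whoever controls the reverse zone of the queried address. Escape both, `echo htmlspecialchars($hostitem) . "<br />";` and `echo htmlspecialchars($resolved);`, as the form already does for `$host` and `$newalias['name']`. The enclosing `<form>` runs past this hunk.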
@@ -261,58 +271,59 @@ include("head.inc"); ?> endforeach; ?> </table> - </td> + </td> </tr> <?php endif; ?> <?php if (!$input_errors && $ipaddr) { ?> <tr> - - <td width="22%" valign="top" class="vncell"><?=gettext("More Information:");?></td> + <td width="22%" valign="top" class="vncell"><?=gettext("More Information:");?></td> <td width="78%" class="vtable"> - <a target="_new" href ="/diag_ping.php?host=<?=htmlspecialchars($host)?>&interface=wan&count=3"><?=gettext("Ping");?></a> <br/> + <a target="_new" href ="/diag_ping.php?host=<?=htmlspecialchars($host)?>&interface=wan&count=3"><?=gettext("Ping");?></a> <br /> <a target="_new" href ="/diag_traceroute.php?host=<?=htmlspecialchars($host)?>&ttl=18"><?=gettext("Traceroute");?></a> <p/> - <?=gettext("NOTE: The following links are to external services, so their reliability cannot be guaranteed.");?><br/><br/> + <?=gettext("NOTE: The following links are to external services, so their reliability cannot be guaranteed.");?><br/><br /> <a target="_new" href="http://private.dnsstuff.com/tools/whois.ch?ip=<?php echo $ipaddr; ?>"><?=gettext("IP WHOIS @ DNS Stuff");?></a><br /> <a target="_new" href="http://private.dnsstuff.com/tools/ipall.ch?ip=<?php echo $ipaddr; ?>"><?=gettext("IP Info @ DNS Stuff");?></a> - <?=gettext("NOTE: The following links are to external services, so their reliability cannot be guaranteed.");?><br/><br/> - <a target="_new" href="http://kb.bothunter.net/ipInfo/nowait.php?IP=<?php echo $ipaddr; ?>"><?=gettext("BOTHunter");?></a><br/> - <a target="_new" href="http://www.ipvoid.com/scan/<?php echo $ipaddr; ?>/"><?=gettext("IPVOID");?></a><br/> - <a target="_new" href="http://www.tcpiputils.com/browse/ip-address/<?php echo $ipaddr; ?>/"><?=gettext("TCPUtils");?></a><br/> - <a target="_new" href="https://www.herdprotect.com/ip-address-<?php echo $ipaddr; ?>.aspx"><?=gettext("Herd Protect");?></a><br/> - <a target="_new" href="https://www.senderbase.org/lookup/ip/?search_string=<?php echo $ipaddr; 
?>"><?=gettext("SenderBase");?></a><br/> - <a target="_new" href="http://www.ip-tracker.org/locator/ip-lookup.php?ip=<?php echo $ipaddr; ?>"><?=gettext("IP Tracker");?></a><br/> + <?=gettext("NOTE: The following links are to external services, so their reliability cannot be guaranteed.");?><br /><br /> + <a target="_new" href="http://kb.bothunter.net/ipInfo/nowait.php?IP=<?php echo $ipaddr; ?>"><?=gettext("BOTHunter");?></a><br /> + <a target="_new" href="http://www.ipvoid.com/scan/<?php echo $ipaddr; ?>/"><?=gettext("IPVOID");?></a><br /> + <a target="_new" href="http://www.tcpiputils.com/browse/ip-address/<?php echo $ipaddr; ?>/"><?=gettext("TCPUtils");?></a><br /> + <a target="_new" href="https://www.herdprotect.com/ip-address-<?php echo $ipaddr; ?>.aspx"><?=gettext("Herd Protect");?></a><br /> + <a target="_new" href="https://www.senderbase.org/lookup/ip/?search_string=<?php echo $ipaddr; ?>"><?=gettext("SenderBase");?></a><br /> + <a target="_new" href="http://www.ip-tracker.org/locator/ip-lookup.php?ip=<?php echo $ipaddr; ?>"><?=gettext("IP Tracker");?></a><br /> - <a target="_new" href="https://www.fortiguard.com/ip_rep/index.php?data=/<?php echo $ipaddr; ?>?"><?=gettext("FortiGuard");?></a><br/> - <a target="_new" href="https://www.projecthoneypot.org/ip_<?php echo $ipaddr; ?>"><?=gettext("Project HoneyPot");?></a><br/> - <a target="_new" href="https://www.virustotal.com/en/ip-address/<?php echo $ipaddr; ?>/information"><?=gettext("VirusTotal Info");?></a><br/> - <a target="_new" href="https://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=<?php echo $ipaddr; ?>"><?=gettext("McAfee Threat Center");?></a><br/> - <a target="_new" href="http://sitecheck2.sucuri.net/results/<?php echo $ipaddr; ?>"><?=gettext("Securi SiteCheck");?></a><br/> - <a target="_new" href="https://www.dshield.org/ipinfo.html?IP=<?php echo $ipaddr; ?>"><?=gettext("DShield Threat Lookup");?></a><br/> - <a target="_new" href="https://isc.sans.edu/ipinfo.html?ip=<?php echo $ipaddr; 
?>"><?=gettext("Internet Storm Center");?></a><br/> - <a target="_new" href="https://www.mywot.com/en/scorecard/<?php echo $ipaddr; ?>"><?=gettext("Web of Trust (WOT) Scorecard");?></a><br/> - <a target="_new" href="https://quttera.com/sitescan/<?php echo $ipaddr; ?>"><?=gettext("Quattera");?></a><br/> - <a target="_new" href="https://www.iblocklist.com/search.php?string=<?php echo $ipaddr; ?>"><?=gettext("I-Block List");?></a><br/> + <a target="_new" href="https://www.fortiguard.com/ip_rep/index.php?data=/<?php echo $ipaddr; ?>?"><?=gettext("FortiGuard");?></a><br /> + <a target="_new" href="https://www.projecthoneypot.org/ip_<?php echo $ipaddr; ?>"><?=gettext("Project HoneyPot");?></a><br /> + <a target="_new" href="https://www.virustotal.com/en/ip-address/<?php echo $ipaddr; ?>/information"><?=gettext("VirusTotal Info");?></a><br /> + <a target="_new" href="https://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=<?php echo $ipaddr; ?>"><?=gettext("McAfee Threat Center");?></a><br /> + <a target="_new" href="http://sitecheck2.sucuri.net/results/<?php echo $ipaddr; ?>"><?=gettext("Securi SiteCheck");?></a><br /> + <a target="_new" href="https://www.dshield.org/ipinfo.html?IP=<?php echo $ipaddr; ?>"><?=gettext("DShield Threat Lookup");?></a><br /> + <a target="_new" href="https://isc.sans.edu/ipinfo.html?ip=<?php echo $ipaddr; ?>"><?=gettext("Internet Storm Center");?></a><br /> + <a target="_new" href="https://www.mywot.com/en/scorecard/<?php echo $ipaddr; ?>"><?=gettext("Web of Trust (WOT) Scorecard");?></a><br /> + <a target="_new" href="https://quttera.com/sitescan/<?php echo $ipaddr; ?>"><?=gettext("Quattera");?></a><br /> + <a target="_new" href="https://www.iblocklist.com/search.php?string=<?php echo $ipaddr; ?>"><?=gettext("I-Block List");?></a><br /> <p/> - <?=gettext("NOTE: Mail Server DNSRBL Lookups");?><br/><br/> - <a target="_new" href="https://senderscore.org/lookup.php?lookup=<?php echo $ipaddr; 
?>&ipLookup=Go"><?=gettext("SenderScore");?></a><br/> - <a target="_new" href="http://www.spamhaus.org/query/bl?ip=<?php echo $ipaddr; ?>"><?=gettext("Spamhaus Blocklist");?></a><br/> - <a target="_new" href="http://www.spamcop.net/w3m?action=checkblock&ip=<?php echo $ipaddr; ?>"><?=gettext("SPAMcop Blocklist");?></a><br/> - <a target="_new" href="http://multirbl.valli.org/lookup/<?php echo $ipaddr; ?>.html"><?=gettext("multirbl RBL Lookup");?></a><br/> - <a target="_new" href="http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a<?php echo $ipaddr; ?>&run=toolpage"><?=gettext("MXToolbox");?></a><br/> + <?=gettext("NOTE: Mail Server DNSRBL Lookups");?><br /><br /> + <a target="_new" href="https://senderscore.org/lookup.php?lookup=<?php echo $ipaddr; ?>&ipLookup=Go"><?=gettext("SenderScore");?></a><br /> + <a target="_new" href="http://www.spamhaus.org/query/bl?ip=<?php echo $ipaddr; ?>"><?=gettext("Spamhaus Blocklist");?></a><br /> + <a target="_new" href="http://www.spamcop.net/w3m?action=checkblock&ip=<?php echo $ipaddr; ?>"><?=gettext("SPAMcop Blocklist");?></a><br /> + <a target="_new" href="http://multirbl.valli.org/lookup/<?php echo $ipaddr; ?>.html"><?=gettext("multirbl RBL Lookup");?></a><br /> + <a target="_new" href="http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a<?php echo $ipaddr; ?>&run=toolpage"><?=gettext("MXToolbox");?></a><br /> </td> </tr> <?php } ?> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <br/> - <input name="Submit" type="submit" class="formbtn" value="<?=gettext("DNS Lookup");?>"> + <td width="22%" valign="top"> </td> + <td width="78%"> + <br /> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("DNS Lookup");?>"> </td> </tr> </table> -</td></tr></table> </form> -<?php include("fend.inc"); ?>
\ No newline at end of file +</td></tr></table> +<?php include("fend.inc"); ?> +</body> +</html>
\ No newline at end of file diff --git a/config/pfblockerng/pfblockerng_log.php b/config/pfblockerng/pfblockerng_log.php index 74f513a2..4c25ce29 100644 --- a/config/pfblockerng/pfblockerng_log.php +++ b/config/pfblockerng/pfblockerng_log.php @@ -3,7 +3,7 @@ pfBlockerNG_Log.php pfBlockerNG - Copyright (c) 2014 BBcan177@gmail.com + Copyright (c) 2015 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for the @@ -17,7 +17,7 @@ All rights reserved. Adapted for Suricata by: - Copyright (C) 2014 Bill Meeks + Copyright (C) 2015 Bill Meeks All rights reserved. Javascript and Integration modifications by J. Nieuwenhuizen diff --git a/config/pfblockerng/pfblockerng_sync.xml b/config/pfblockerng/pfblockerng_sync.xml index 00186af8..f6cee305 100644 --- a/config/pfblockerng/pfblockerng_sync.xml +++ b/config/pfblockerng/pfblockerng_sync.xml @@ -10,7 +10,7 @@ pfBlockerNG_sync.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml index ccaf68a0..db898112 100644 --- a/config/pfblockerng/pfblockerng_top20.xml +++ b/config/pfblockerng/pfblockerng_top20.xml @@ -10,7 +10,7 @@ pfBlockerNG_Top20.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense diff --git a/config/pfblockerng/pfblockerng_update.php b/config/pfblockerng/pfblockerng_update.php index 99480900..f3a18231 100644 --- a/config/pfblockerng/pfblockerng_update.php +++ b/config/pfblockerng/pfblockerng_update.php @@ -3,7 +3,7 @@ /* pfBlockerNG_Update.php pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for 
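Review bot: Every external lookup link interpolates `<?php echo $ipaddr; ?>` into an `href` unescaped; `$ipaddr` comes either from the validated `$host` or from `$resolved[0]` of the `dig` output (assigned outside this hunk), so emit it as `<?=htmlspecialchars(urlencode($ipaddr))?>` or gate the block on `is_ipaddr($ipaddr)` in addition to `!$input_errors`. These anchors open third-party sites with `target="_new"`; adding `rel="noopener noreferrer"` keeps the opened page away from `window.opener` and stops the firewall's URL being sent as referrer. The `<form>` and table this hunk closes are opened outside it.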
diff --git a/config/pfblockerng/pfblockerng_v4lists.xml b/config/pfblockerng/pfblockerng_v4lists.xml index 6df839ed..febfd597 100644 --- a/config/pfblockerng/pfblockerng_v4lists.xml +++ b/config/pfblockerng/pfblockerng_v4lists.xml @@ -9,7 +9,7 @@ pfBlockerNG_v4lists.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense diff --git a/config/pfblockerng/pfblockerng_v6lists.xml b/config/pfblockerng/pfblockerng_v6lists.xml index 15d788cf..10a866c0 100644 --- a/config/pfblockerng/pfblockerng_v6lists.xml +++ b/config/pfblockerng/pfblockerng_v6lists.xml @@ -9,7 +9,7 @@ pfBlockerNG_v6lists.xml pfBlockerNG - Copyright (C) 2014 BBcan177@gmail.com + Copyright (C) 2015 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index 17c13246..140bac8a 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -266,8 +266,14 @@ function quagga_ospfd_install_conf() { $carp_ip_status_check = ""; if (is_ipaddr($ospfd_conf['carpstatusip'])) { - $carpcheckinterface = trim(find_carp_interface($ospfd_conf['carpstatusip'])); - $carp_ip_status_check = <<<EOF + + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + switch ($pfs_version) { + case "2.0": + case "2.1": + /* Check for 2.1 and before */ + $carpcheckinterface = trim(find_carp_interface($ospfd_conf['carpstatusip'])); + $carp_ip_status_check = <<<EOF CARP_STATUS=`/sbin/ifconfig {$carpcheckinterface} | /usr/bin/grep carp: | /usr/bin/awk '{print \$2;}'` if [ \${CARP_STATUS} != "MASTER" ]; then 
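Review bot: In the `2.0`/`2.1` case `$carpcheckinterface` is still interpolated into the generated shell snippet after only `trim()`, whereas the `2.2` branch wraps the interface name in `escapeshellarg()`; make the legacy branch match, `$carpcheckinterface = escapeshellarg(trim(find_carp_interface($ospfd_conf['carpstatusip'])));`, so an unexpected return from `find_carp_interface()` cannot alter the command. `substr(…, 0, 3)` would also map a future `2.10` to `2.1` and route it to this legacy branch; `version_compare()` on the full string is more robust. The heredoc and the `switch` continue past this hunk.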
@@ -275,6 +281,27 @@ if [ \${CARP_STATUS} != "MASTER" ]; then fi EOF; + break; + case "2.2": + default: + /* Check for 2.2 and later */ + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $vip) { + if (($vip['mode'] == "carp") && ($vip['subnet'] == $ospfd_conf['carpstatusip'])) { + $carpcheckinterface = escapeshellarg(get_real_interface($vip['interface'])); + $vhid = escapeshellarg($vip['vhid']); + $carp_ip_status_check = <<<EOF + +CARP_STATUS=`/sbin/ifconfig {$carpcheckinterface} | /usr/bin/grep 'carp:' | /usr/bin/grep 'vhid {$vhid}' | /usr/bin/awk '{print \$2;}'` +if [ \${CARP_STATUS} != "MASTER" ]; then + exit; +fi +EOF; + } + } + } + break; + } } 
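Review bot: The new `2.2` status check fails open in two places: `grep 'vhid {$vhid}'` is an unanchored prefix match, so with `vhid 1` it also accepts lines for vhid 10–19 and may read another VIP's state, and `if [ \${CARP_STATUS} != "MASTER" ]` is unquoted, so when grep finds nothing the test degenerates to `[ != MASTER ]`, errors out, and the script proceeds as if it were MASTER. Build the pattern with its trailing space and quote the variable: `$vhid = escapeshellarg("vhid {$vip['vhid']} ");`, `grep {$vhid}`, and `if [ "\${CARP_STATUS}" != "MASTER" ]; then`. `escapeshellarg($vip['vhid'])` nested inside the literal single quotes only works because the shell concatenates the adjacent quoted strings. The loop should also `break` after the first matching VIP so a later duplicate cannot overwrite the snippet.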
@@ -395,4 +422,37 @@ function quagga_get_carp_status_by_ip($ipaddr) {
 return $status;
 }
 
+function quagga_ospfd_plugin_carp($pluginparams) {
+ global $config;
+ require_once("service-utils.inc");
+ // Called when a CARP interface changes state
+ // $pluginparams['event'] either 'rc.carpmaster' or 'rc.carpbackup'
+ // $pluginparams['interface'] contains the affected interface
+
+ /* If there is no OSPF config, then stop */
+ if(is_array($config['installedpackages']['quaggaospfd']['config'])) {
+ $ospfd_conf = &$config['installedpackages']['quaggaospfd']['config'][0];
+ } else {
+ return null;
+ }
+ /* If there is no properly configured CARP status check IP, then stop */
+ if (!is_ipaddr($ospfd_conf['carpstatusip'])) {
+ return null;
+ }
+ list($vhid, $iface) = explode("@", trim($pluginparams['interface']));
+ $friendly = convert_real_interface_to_friendly_interface_name($iface);
+ $carp_iface = "{$friendly}_vip${vhid}";
+
+ /* If this CARP transition is not from the IP address to check, then stop. */
+ if (get_interface_ip($carp_iface) != $ospfd_conf['carpstatusip']) {
+ return null;
+ }
+
+ /* Start or stop the service as needed based on the CARP transition. */
+ if ($pluginparams['event'] == "rc.carpmaster") {
+ start_service("Quagga OSPFd");
+ } elseif ($pluginparams['event'] == "rc.carpbackup") {
+ stop_service("Quagga OSPFd");
+ }
+}
 ?>
diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml
index 8edfcc3f..617b5da0 100644
--- a/config/quagga_ospfd/quagga_ospfd.xml
+++ b/config/quagga_ospfd/quagga_ospfd.xml
@@ -1,6 +1,6 @@
 <packagegui>
 <name>quagga_ospfd</name>
- <version>0.6.1</version>
+ <version>0.6.5</version>
 <title>Services: Quagga OSPFd</title>
 <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file>
 <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect>
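Review bot: `list($vhid, $iface) = explode("@", trim($pluginparams['interface']));` assumes the interface string always contains `@`; when it does not, `$iface` is unset, `$carp_iface` becomes `"_vip<vhid>"`, and `get_interface_ip()` is queried for a bogus name, so return early instead: `if (strpos($pluginparams['interface'], '@') === false) return null;`. `"{$friendly}_vip${vhid}"` mixes two interpolation syntaxes; write `"{$friendly}_vip{$vhid}"` (the `${}` form is deprecated in newer PHP). The `!=` against `carpstatusip` is a loose compare, so use `!==` if `get_interface_ip()` can return `false` for an unknown interface.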
@@ -67,6 +67,11 @@ <executable>zebra</executable> <description>Quagga core/abstraction daemon</description> </service> + <plugins> + <item> + <type>plugin_carp</type> + </item> + </plugins> <fields> <field> <fielddescr>Master Password</fielddescr> diff --git a/config/siproxd/siproxd.inc b/config/siproxd/siproxd.inc index d76f79d3..d9830fb2 100644 --- a/config/siproxd/siproxd.inc +++ b/config/siproxd/siproxd.inc @@ -32,7 +32,8 @@ if(!function_exists("filter_configure")) require_once("service-utils.inc"); // Check to find out on which system the package is running -if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") { +$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); +if ($pfs_version == "2.0") { define('SIPROXD', '/usr/local'); } else { define('SIPROXD', '/usr/pbi/siproxd-' . php_uname("m")); @@ -108,7 +109,7 @@ function siproxd_generate_rules($type) { } function sync_package_siproxd() { - global $config; + global $config, $pfs_version; // put the constant to a variable $varSIPROXD = SIPROXD; @@ -250,9 +251,14 @@ function sync_package_siproxd() { fclose($fout); + if ($pfs_version == '2.2') + $bin_dir='bin'; + else + $bin_dir='sbin'; + write_rcfile(array( "file" => "siproxd.sh", - "start" => "$varSIPROXD/sbin/siproxd -c $varSIPROXD/etc/siproxd.conf &", + "start" => "$varSIPROXD/{$bin_dir}/siproxd -c $varSIPROXD/etc/siproxd.conf &", "stop" => "/usr/bin/killall -9 siproxd" ) ); diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 60573130..1f1a7d24 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>None</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.7.0</version> - <title>Services:2.9.7.0 pkg v3.2.3</title> + <version>2.9.7.2</version> + <title>Services:2.9.7.2 pkg v3.2.4</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> 
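Review bot: `$pfs_version` is assigned at file scope here and later read through `global $pfs_version` inside sync_package_siproxd(), which only works if this include was itself loaded in global scope; the sudo.inc change in this same commit guards against that by declaring `global $pfs_version;` ahead of the assignment, and this file should do the same: `global $pfs_version;` on the line before `$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);`. Without it a caller that includes the file from inside a function will see an empty version and fall through to the `sbin` path.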
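Review bot: `if ($pfs_version == '2.2')` is an exact match on a three-character prefix, so any later release (2.3, 3.x) silently takes the `else` branch and starts `sbin/siproxd`, the very path this hunk says no longer exists on 2.2; if the PBI layout is the new normal rather than a 2.2 quirk, compare with `version_compare($pfs_version, '2.2', '>=')` instead. The rc stop action is still `killall -9 siproxd`, which gives the daemon no chance to close its registration state; `/usr/bin/killall siproxd` (SIGTERM) is the usual first choice, but that line is untouched by this hunk so I leave it as a suggestion.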
diff --git a/config/snort/snort_alerts.widget.php b/config/snort/snort_alerts.widget.php index 552dab61..96c70562 100644 --- a/config/snort/snort_alerts.widget.php +++ b/config/snort/snort_alerts.widget.php @@ -46,7 +46,7 @@ $alertColClass = "listMRr"; /* check if Snort widget alert display lines value is set */ $snort_nentries = $config['widgets']['widget_snort_display_lines']; -if (!isset($snort_nentries) || $snort_nentries < 0) +if (!isset($snort_nentries) || $snort_nentries <= 0) $snort_nentries = 5; /* array sorting of the alerts */ @@ -95,7 +95,11 @@ if (isset($_GET['getNewAlerts'])) { // See if saving new display line count value if(isset($_POST['widget_snort_display_lines'])) { - $config['widgets']['widget_snort_display_lines'] = $_POST['widget_snort_display_lines']; + if($_POST['widget_snort_display_lines'] == "") { + unset($config['widgets']['widget_snort_display_lines']); + } else { + $config['widgets']['widget_snort_display_lines'] = max(intval($_POST['widget_snort_display_lines']), 1); + } write_config("Saved Snort Alerts Widget Displayed Lines Parameter via Dashboard"); header("Location: ../../index.php"); } diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc index 43ecada6..906dd465 100644 --- a/config/snort/snort_defs.inc +++ b/config/snort/snort_defs.inc @@ -50,7 +50,7 @@ if (!defined("SNORT_BIN_VERSION")) { if (!empty($snortver[0])) define("SNORT_BIN_VERSION", $snortver[0]); else - define("SNORT_BIN_VERSION", "2.9.7.0"); + define("SNORT_BIN_VERSION", "2.9.7.2"); } if (!defined("SNORT_SID_MODS_PATH")) define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/"); diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index 1d56fc13..297e833b 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php 
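Review bot: The save branch still falls through after `header("Location: ../../index.php")`, so the remainder of the widget keeps executing and emitting output into a response the browser is about to discard; add `exit;` directly after the header() call, unless the page that includes this widget relies on it returning, which nothing in the hunk indicates. The new `max(intval($_POST['widget_snort_display_lines']), 1)` clamp and the `<= 0` guard in the first hunk are the right fix for the zero/negative case. The comparison `$snort_nentries <= 0` is still done on an uncast config string; `intval()` there too would make the two checks agree.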
@@ -895,7 +895,7 @@ EOD; /* def AppID preprocessor */ $appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024; -$appid_params = "app_detector_dir " . SNORT_APPID_ODP_PATH . ", \\\n\tmemcap {$appid_memcap}"; +$appid_params = "app_detector_dir " . rtrim(SNORT_APPID_ODP_PATH, '/') . ", \\\n\tmemcap {$appid_memcap}"; if ($snortcfg['sf_appid_statslog'] == "on") { $appid_params .= ", \\\n\tapp_stats_filename app-stats.log"; $appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}"; diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index de8ac308..941a8151 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -533,7 +533,7 @@ unset($r); // Log a message if we changed anything if ($updated_cfg) { - $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.3"; + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.4"; log_error("[Snort] Settings successfully migrated to new configuration format..."); } else diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 7ab8b3db..f93f1c87 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -263,8 +263,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE) $config['widgets']['sequence'] .= ",{$snort_widget_container}"; /* Update Snort package version in configuration */ -$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.3"; -write_config("Snort pkg v3.2.3: post-install configuration saved."); +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.4"; +write_config("Snort pkg v3.2.4: post-install configuration saved."); /* Done with post-install, so clear flag */ unset($g['snort_postinstall']); diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index c29b1810..90ce1e7d 100755 --- a/config/snort/snort_rulesets.php 
+++ b/config/snort/snort_rulesets.php @@ -452,7 +452,7 @@ if ($savemsg) { <tr> <td width="5%" class="listr" style="text-align: center;"> <img src="../themes/<?=$g['theme'];?>/images/icons/icon_advanced.gif" width="11" height="11" border="0" title="<?=gettext("Auto-managed by settings on SID Mgmt tab");?>" /></td> - <td colspan="5" class="listr"><a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?=gettext("{$msg_community}");?></a></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?=gettext("{$msg_community}");?></a></td> </tr> <?php else: ?> <tr> @@ -465,7 +465,7 @@ if ($savemsg) { <tr> <td width="5%" class="listr" style="text-align: center;"> <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td> - <td colspan="5" class="listr"><a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td> </tr> <?php else: ?> <tr> @@ -531,7 +531,7 @@ if ($savemsg) { sort($snortrules); $i = count($emergingrules); if ($i < count($snortsorules)) - $i = count(snortsorules); + $i = count($snortsorules); if ($i < count($snortrules)) $i = count($snortrules); diff --git a/config/sudo/sudo.inc b/config/sudo/sudo.inc index a69d9211..a8107029 100644 --- a/config/sudo/sudo.inc +++ b/config/sudo/sudo.inc @@ -28,6 +28,7 @@ */ require_once("config.inc"); +global $pfs_version; $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); switch ($pfs_version) { case "1.2": 
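Review bot: The corrected link still interpolates `$id` and `$community_rules_file` into the href with bare `<?=…?>`, so whatever those variables hold reaches the HTML attribute unencoded; if `$id` originates from the request (the page's `?id=` parameter is outside this hunk) that is a reflected-XSS sink, and even if both are validated upstream the query values should be encoded at the point of use: `snort_rules.php?id=<?=urlencode($id);?>&amp;openruleset=<?=urlencode($community_rules_file);?>`. The identical construction in the second changed link a few lines below needs the same treatment.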
@@ -84,8 +85,11 @@ function sudo_install() { } function sudo_write_config() { - global $config; + global $config, $pfs_version; $sudoers = ""; + if ($pfs_version == "2.2") { + mwexec_bg("/sbin/ldconfig -m /usr/pbi/sudo-" . php_uname("m") . "/local/lib/"); + } conf_mount_rw(); $sudoconf = "Plugin sudoers_policy " . SUDO_LIBEXEC_DIR . "/sudoers.so\n"; diff --git a/config/sudo/sudo.xml b/config/sudo/sudo.xml index 2fccab24..069606ba 100644 --- a/config/sudo/sudo.xml +++ b/config/sudo/sudo.xml @@ -3,7 +3,7 @@ <description>Sudo Command Control</description> <requirements>None</requirements> <name>sudo</name> - <version>0.2.1</version> + <version>0.2.5</version> <title>Sudo - Shell Command Privilege Delegation Utility</title> <include_file>/usr/local/pkg/sudo.inc</include_file> <menu> diff --git a/config/vhosts/vhosts.inc b/config/vhosts/vhosts.inc index d0b14652..1958632e 100644 --- a/config/vhosts/vhosts.inc +++ b/config/vhosts/vhosts.inc @@ -659,7 +659,7 @@ function vhosts_sync_package_php() $tmp .= " \"PHP_FCGI_MAX_REQUESTS\" => \"500\",\n"; $tmp .= " \"PHP_FCGI_CHILDREN\" => \"1\"\n"; $tmp .= " ),\n"; - $tmp .= " \"bin-path\" => \"/usr/local/php5/php-cgi\"\n"; + $tmp .= " \"bin-path\" => \"/usr/local/bin/php\"\n"; $tmp .= " )\n"; $tmp .= " )\n"; $tmp .= ")\n"; 
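Review bot: `mwexec_bg()` runs `ldconfig -m …/local/lib/` in the background, yet the lines that follow write a sudoers config pointing at `sudoers.so` from the same PBI, so the first `sudo` after a save can race the hint-file update and fail to load the plugin; run it synchronously with `mwexec(...)`. Separately, `ldconfig -m` adds that directory to the system-wide shared-library search path for every dynamically linked setuid binary, not just sudo, so the directory must stay root-owned and non-writable — worth a one-line comment such as `// ldconfig -m extends the global search path (affects all setuid binaries); directory must remain root-owned`. The rest of sudo_write_config() continues past the hunk.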
@@ -681,11 +681,11 @@ function vhosts_sync_package_php() ); //add or update a service - $a_service = &$config['installedpackages']['service']; $ent['name'] = "vhosts-ssl-$x"; $ent['rcfile'] = "vhosts-".$ipaddress."-".$port."-ssl.sh"; $ent['executable'] = "vhosts-".$ipaddress."-".$port."-ssl"; $ent['description'] = "vHosts SSL, Host: $host, IP Address: ".$ipaddress.", port: ".$port." desc: ".$description; + $ent['custom_php_service_status_command'] = "\$vhost_output=''; exec('/bin/pgrep -anf '.".escapeshellarg($ent['executable']).", \$vhost_output, \$retval); \$rc=(intval(\$retval) == 0);"; $a_service = $config['installedpackages']['service']; $service_id = get_service_id ($a_service, 'name', "vhosts-ssl-$x"); if (is_int($service_id)) { diff --git a/config/vnstat2/vnstat2.inc b/config/vnstat2/vnstat2.inc index f248083e..c875be52 100644 --- a/config/vnstat2/vnstat2.inc +++ b/config/vnstat2/vnstat2.inc @@ -63,8 +63,8 @@ function change_vnstat_conf(){ $config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] = $_POST['vnstat_phpfrontend']; write_conf_f(); write_config(); - $no_vnstat_phpfrontend = $config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend']; - if ($no_vnstat_phpfrontend == "on"){ + + if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on"){ vnstat_php_frontend(); } else { 
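Review bot: The new `custom_php_service_status_command` applies `escapeshellarg()` now, at template-generation time, but the result is stored as PHP source that is evaluated later, so the single quotes it adds are consumed as PHP string delimiters and `pgrep` is invoked with an unquoted argument; a quote or shell metacharacter in `$ipaddress`/`$port` (both come from config, outside this hunk) would land in both the eval'd PHP and the shell. Quote for PHP now and defer the shell quoting to run time: `$ent['custom_php_service_status_command'] = "\$vhost_output=''; exec('/bin/pgrep -anf '.escapeshellarg(" . var_export($ent['executable'], true) . "), \$vhost_output, \$retval); \$rc=(intval(\$retval) == 0);";`. Note too that `pgrep -f` treats the name as a regex, so the dots in the IP match any character; harmless for a status probe but worth a comment.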
@@ -195,12 +195,10 @@ function vnstat_install_config() { } vnstat_link_config(); // Add MonthRotate value to config.xml and write /usr/local/etc/vnstat.conf - $no_monthrotate = $config['installedpackages']['vnstat2']['config'][0]['monthrotate']; - if ($no_monthrotate == ""){ + if ($config['installedpackages']['vnstat2']['config'][0]['monthrotate'] == ""){ $config['installedpackages']['vnstat2']['config'][0]['monthrotate'] = "1"; } - $no_vnstat_phpfrontend = $config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend']; - if ($no_vnstat_phpfrontend == "on"){ + if ($config['installedpackages']['vnstat2']['config'][0]['vnstat_phpfrontend'] == "on"){ vnstat_php_frontend(); } write_conf_f(); @@ -214,7 +212,7 @@ function vnstat_install_config() { function vnstat_php_frontend(){ global $config; // Copy vnstat_php_frontend to www - exec("cp -a /usr/local/pkg/vnstat2/vnstat_php_frontend/. /usr/local/www/vnstat2/"); + exec("/bin/cp -a /usr/local/pkg/vnstat2/vnstat_php_frontend/. /usr/local/www/vnstat2/"); // Find information to be writing in config.php // $iface_list_array_items exec("ls /conf/vnstat/ | grep -v '\.'", $vnstat_nic_in); diff --git a/config/zabbix-lts/zabbix-agent-lts.xml b/config/zabbix-lts/zabbix-agent-lts.xml new file mode 100644 index 00000000..b098eb62 --- /dev/null +++ b/config/zabbix-lts/zabbix-agent-lts.xml 
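Review bot: The `exec("ls /conf/vnstat/ | grep -v '\.'", $vnstat_nic_in)` two lines below the changed `/bin/cp` still shells out with unqualified `ls` and `grep`, the same PATH dependence this hunk removes for `cp`. It needs no shell at all: `$vnstat_nic_in = array_values(array_filter(scandir('/conf/vnstat/'), function ($f) { return strpos($f, '.') === false; }));` gives the same sorted, dot-free list (and drops `.`/`..` as the grep did). The body of vnstat_php_frontend() continues past the hunk, so check that nothing downstream depends on `exec()`'s trailing-newline handling.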
@@ -0,0 +1,179 @@ +<?xml version="1.0" encoding="utf-8"?> +<packagegui> +<copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + zabbix-agent-lts.xml + part of the Zabbix package for pfSense + Copyright (C) 2013 Danilo G. Baio + Copyright (C) 2013 Marcello Coutinho + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ + ]]> + </copyright> + <name>zabbixagentlts</name> + <title>Services: Zabbix Agent LTS</title> + <category>Monitoring</category> + <version>0.8.3</version> + <include_file>/usr/local/pkg/zabbix-lts.inc</include_file> + <addedit_string>Zabbix Agent LTS has been created/modified.</addedit_string> + <delete_string>Zabbix Agent LTS has been deleted.</delete_string> + <restart_command>/usr/local/etc/rc.d/zabbix_agentd_lts.sh restart</restart_command> + <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-lts.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <menu> + <name>Zabbix Agent LTS</name> + <tooltiptext>Setup Zabbix Agent specific settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=zabbix-agent-lts.xml&id=0</url> + </menu> + <service> + <name>zabbix_agentd_lts</name> + <rcfile>zabbix_agentd_lts.sh</rcfile> + <executable>zabbix_agentd</executable> + <description>Zabbix Agent LTS host monitor daemon</description> + </service> + <tabs> + <tab> + <text>Agent</text> + <url>/pkg_edit.php?xml=zabbix-agent-lts.xml&id=0</url> + <active /> + </tab> + </tabs> + <fields> + <field> + <name>Zabbix Agent LTS Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>agentenabled</fieldname> + <description>Enable Zabbix Agent LTS service</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Server</fielddescr> + <fieldname>server</fieldname> + <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Server Active</fielddescr> + <fieldname>serveractive</fieldname> + <description>List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks</description> + 
<type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Hostname</fielddescr> + <fieldname>hostname</fieldname> + <description>Unique hostname. Required for active checks and must match hostname as configured on the Zabbix server (case sensitive).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Listen IP</fielddescr> + <fieldname>listenip</fieldname> + <default_value>0.0.0.0</default_value> + <type>input</type> + <size>60</size> + <description>Listen IP for connections from the server (default 0.0.0.0 for all interfaces)</description> + </field> + <field> + <fielddescr>Listen Port</fielddescr> + <fieldname>listenport</fieldname> + <default_value>10050</default_value> + <type>input</type> + <size>5</size> + <description>Listen port for connections from the server (default 10050)</description> + </field> + <field> + <fielddescr>Refresh Active Checks</fielddescr> + <fieldname>refreshactchecks</fieldname> + <default_value>120</default_value> + <type>input</type> + <size>5</size> + <description>The agent will refresh list of active checks once per 120 (default) seconds.</description> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>timeout</fieldname> + <default_value>3</default_value> + <type>input</type> + <size>5</size> + <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-30). The agent does not kill timeouted User Parameters processes!</description> + </field> + <field> + <fielddescr>Buffer Send</fielddescr> + <fieldname>buffersend</fieldname> + <default_value>5</default_value> + <type>input</type> + <size>5</size> + <description>Buffer Send (default 5). Do not keep data longer than N seconds in buffer (1-3600).</description> + </field> + <field> + <fielddescr>Buffer Size</fielddescr> + <fieldname>buffersize</fieldname> + <default_value>100</default_value> + <type>input</type> + <size>5</size> + <description>Buffer Size (default 100). 
Maximum number of values in a memory buffer (2-65535). The agent will send all collected data to Zabbix server or proxy if the buffer is full.</description> + </field> + <field> + <fielddescr>Start Agents</fielddescr> + <fieldname>startagents</fieldname> + <default_value>3</default_value> + <type>input</type> + <size>5</size> + <description>Start Agents (default 3). Number of pre-forked instances of zabbix_agentd that process passive checks (0-100).If set to 0, disables passive checks and the agent will not listen on any TCP port.</description> + </field> + <field> + <fielddescr>User Parameters</fielddescr> + <fieldname>userparams</fieldname> + <encoding>base64</encoding> + <type>textarea</type> + <rows>5</rows> + <cols>50</cols> + <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l</description> + </field> + </fields> + <custom_php_install_command>sync_package_zabbix_lts();</custom_php_install_command> + <custom_php_command_before_form></custom_php_command_before_form> + <custom_php_after_head_command></custom_php_after_head_command> + <custom_php_after_form_command></custom_php_after_form_command> + <custom_php_validation_command>validate_input_zabbix_lts($_POST, $input_errors);</custom_php_validation_command> + <custom_add_php_command></custom_add_php_command> + <custom_php_resync_config_command>sync_package_zabbix_lts();</custom_php_resync_config_command> + <custom_php_deinstall_command>php_deinstall_zabbix_agent_lts();</custom_php_deinstall_command> +</packagegui> diff --git a/config/zabbix-lts/zabbix-lts.inc b/config/zabbix-lts/zabbix-lts.inc new file mode 100644 index 00000000..450b78a1 --- /dev/null +++ b/config/zabbix-lts/zabbix-lts.inc 
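Review bot: The `userparams` description does not say that every `UserParameter=` line is a shell command the agent runs on the firewall whenever a listed server asks for its key, and the `server` description does not say that `Server=` is the agent's only allow-list for the passive port opened on `listenip`/`listenport` (the .inc in this commit writes all three straight into zabbix_agentd.conf). Suggest appending to the `userparams` description: `Each UserParameter is executed as a shell command on this firewall when a Zabbix server requests its key; add only commands you are willing to let the listed servers run.` and to the `server` description: `Only connections from these addresses are accepted on the passive listen port.`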
@@ -0,0 +1,360 @@ +<?php +/* $Id$ */ +/* ========================================================================== */ +/* + zabbix-lts.inc + part of the Zabbix package for pfSense + Copyright (C) 2013 Danilo G. Baio + Copyright (C) 2013 Marcello Coutinho + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); + +function php_install_zabbix_lts(){ + sync_package_zabbix_lts(); +} + +function php_deinstall_zabbix_agent_lts(){ + global $config, $g; + + conf_mount_rw(); + + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m")); + + exec("/usr/bin/killall zabbix_agentd"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix_agentd_lts.sh"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf"); + unlink_if_exists("/var/log/zabbix-lts/zabbix_agentd_lts.log"); + unlink_if_exists("/var/run/zabbix-lts/zabbix_agentd_lts.pid"); + + if (!is_array($config['installedpackages']['zabbixproxylts'])){ + if (is_dir("/var/log/zabbix-lts")) + exec("/bin/rm -r /var/log/zabbix-lts/"); + if (is_dir("/var/run/zabbix-lts")) + exec("/bin/rm -r /var/run/zabbix-lts/"); + } + + conf_mount_ro(); +} + +function php_deinstall_zabbix_proxy_lts(){ + global $config, $g; + + conf_mount_rw(); + + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m")); + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix_proxy_lts.sh"); + unlink_if_exists(ZABBIX_PROXY_BASE . 
"/etc/zabbix22/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix-lts/zabbix_proxy_lts.log"); + unlink_if_exists("/var/run/zabbix-lts/zabbix_proxy_lts.pid"); + + if (!is_array($config['installedpackages']['zabbixagentlts'])){ + if (is_dir("/var/log/zabbix-lts")) + exec("/bin/rm -r /var/log/zabbix-lts/"); + if (is_dir("/var/run/zabbix-lts")) + exec("/bin/rm -r /var/run/zabbix-lts/"); + } + + if (is_dir("/var/db/zabbix-lts")) + exec("/bin/rm -r /var/db/zabbix-lts/"); + + conf_mount_ro(); +} + +function validate_input_zabbix_lts($post, &$input_errors){ + + if (isset($post['proxyenabled'])){ + if (!is_numericint($post['serverport'])) { + $input_errors[]='Server Port is not numeric.'.$ServerPort; + } + + if (!is_numericint($post['configfrequency'])) { + $input_errors[]='Config Frequency is not numeric.'; + } + } + if (isset($post['agentenabled'])){ + if (!preg_match("/\w+/", $post['server'])) { + $input_errors[]='Server field is required.'; + } + + if (!preg_match("/\w+/", $post['hostname'])) { + $input_errors[]='Hostname field is required.'; + } + + if ($post['listenip'] != '') { + if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { + $input_errors[]='Listen IP is not a configured IP address.'; + } + } + + if ($post['listenport'] != '') { + if (!preg_match("/^\d+$/", $post['listenport'])) { + $input_errors[]='Listen Port is not numeric.'; + } + } + + if ($post['refreshactchecks'] != '') { + if (!preg_match("/^\d+$/", $post['refreshactchecks'])) { + $input_errors[]='Refresh Active Checks is not numeric.'; + } elseif ( $post['refreshactchecks'] < 60 || $post['refreshactchecks'] > 3600 ) { + $input_errors[]='You must enter a valid value for \'Refresh Active Checks\''; + } + } + + if ($post['timeout'] != '') { + if (!is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } elseif ( $post['timeout'] < 1 || $post['timeout'] > 30 ) { + $input_errors[]='You must enter a valid value for 
\'Timeout\''; + } + } + + if ($post['buffersend'] != '') { + if (!is_numericint($post['buffersend'])) { + $input_errors[]='Buffer Send is not numeric.'; + } elseif ( $post['buffersend'] < 1 || $post['buffersend'] > 3600 ) { + $input_errors[]='You must enter a valid value for \'Buffer Send\''; + } + } + + if ($post['buffersize'] != '') { + if (!is_numericint($post['buffersize'])) { + $input_errors[]='Bufer Size is not numeric.'; + } elseif ( $post['buffersize'] < 2 || $post['buffersize'] > 65535 ) { + $input_errors[]='You must enter a valid value for \'Buffer Size\''; + } + } + + if ($post['startagents'] != '') { + if (!is_numericint($post['startagents'])) { + $input_errors[]='Start Agents is not numeric.'; + } elseif ( $post['startagents'] < 0 || $post['startagents'] > 100 ) { + $input_errors[]='You must enter a valid value for \'Start Agents\''; + } + } + } +} + +function sync_package_zabbix_lts(){ + global $config, $g; + + conf_mount_rw(); + + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m")); + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . 
php_uname("m")); + + #check zabbix proxy config + if (is_array($config['installedpackages']['zabbixproxylts'])){ + $zbproxy_config = $config['installedpackages']['zabbixproxylts']['config'][0]; + if ($zbproxy_config['proxyenabled']=="on"){ + $Mode=(is_numericint($zbproxy_config['proxymode'])?$zbproxy_config['proxymode'] : 0); + $AdvancedParams=base64_decode($zbproxy_config['advancedparams']); + + $zbproxy_conf_file = <<< EOF +Server={$zbproxy_config['server']} +ServerPort={$zbproxy_config['serverport']} +Hostname={$zbproxy_config['hostname']} +PidFile=/var/run/zabbix-lts/zabbix_proxy_lts.pid +DBName=/var/db/zabbix-lts/proxy.db +LogFile=/var/log/zabbix-lts/zabbix_proxy_lts.log +ConfigFrequency={$zbproxy_config['configfrequency']} +FpingLocation=/usr/local/sbin/fping +#there's currently no fping6 (IPv6) dependency in the package, but if there was, the binary would likely also be in /usr/local/sbin +Fping6Location=/usr/local/sbin/fping6 +ProxyMode={$Mode} +{$AdvancedParams} + +EOF; + file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); + } + } + /* check zabbix agent settings*/ + if (is_array($config['installedpackages']['zabbixagentlts'])){ + $zbagent_config = $config['installedpackages']['zabbixagentlts']['config'][0]; + if ($zbagent_config['agentenabled']=="on"){ + $RefreshActChecks=(preg_match("/(\d+)/",$zbagent_config['refreshactchecks'],$matches)? $matches[1] : "120"); + $BufferSend=(preg_match("/(\d+)/",$zbagent_config['buffersend'],$matches)? $matches[1] : "5" ); + $BufferSize=(preg_match("/(\d+)/",$zbagent_config['buffersize'],$matches)? $matches[1] : "100"); + $StartAgents=(preg_match("/(\d+)/",$zbagent_config['startagents'],$matches)? $matches[1] :"3" ); + $UserParams=base64_decode($zbagent_config['userparams']); + $ListenIp=($zbagent_config['listenip'] != ''? $zbagent_config['listenip'] : "0.0.0.0"); + $ListenPort=($zbagent_config['listenport'] != ''? 
$zbagent_config['listenport'] : "10050"); + $TimeOut=($zbagent_config['timeout'] != ''? $zbagent_config['timeout'] : "3"); + + $zbagent_conf_file = <<< EOF +Server={$zbagent_config['server']} +ServerActive={$zbagent_config['serveractive']} +Hostname={$zbagent_config['hostname']} +ListenIP={$ListenIp} +ListenPort={$ListenPort} +RefreshActiveChecks={$RefreshActChecks} +DebugLevel=3 +PidFile=/var/run/zabbix-lts/zabbix_agentd_lts.pid +LogFile=/var/log/zabbix-lts/zabbix_agentd_lts.log +LogFileSize=1 +Timeout={$TimeOut} +BufferSend={$BufferSend} +BufferSize={$BufferSize} +StartAgents={$StartAgents} +{$UserParams} + +EOF; + file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => ""))); + } + } + $want_sysctls = array( + 'kern.ipc.shmall' => '2097152', + 'kern.ipc.shmmax' => '2147483648', + 'kern.ipc.semmsl' => '250' + ); + $sysctls = array(); + #check sysctl file values + $sc_file=""; + if (file_exists("/etc/sysctl.conf")) { + $sc = file("/etc/sysctl.conf"); + foreach ($sc as $line) { + list($sysk, $sysv) = explode("=", $line, 2); + if (preg_match("/\w/",$line) && !array_key_exists($sysk, $want_sysctls)) + $sc_file.=$line; + } + } + foreach ($want_sysctls as $ws=> $wv) { + $sc_file .= "{$ws}={$wv}\n"; + exec("/sbin/sysctl {$ws}={$wv}"); + } + file_put_contents("/etc/sysctl.conf", $sc_file); + + #check bootloader values + $lt_file=""; + $want_tunables = array( + 'kern.ipc.semopm' => '100', + 'kern.ipc.semmni' => '128', + 'kern.ipc.semmns' => '32000', + 'kern.ipc.shmmni' => '4096' + ); + $tunables = array(); + if (file_exists("/boot/loader.conf")) { + $lt = file("/boot/loader.conf"); + foreach ($lt as $line) { + list($tunable, $val) = explode("=", $line, 2); + if (preg_match("/\w/",$line) && !array_key_exists($tunable, $want_tunables)) + $lt_file.=$line; + } + } + foreach ($want_tunables as $wt => $wv) { + $lt_file.= "{$wt}={$wv}\n"; + } + file_put_contents("/boot/loader.conf", $lt_file); + + /*check startup script 
files*/ + /* create a few directories and ensure the sample files are in place */ + if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22")) + exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22"); + + $dir_checks = <<< EOF +if [ ! -d /var/log/zabbix-lts ] + then + /bin/mkdir -p /var/log/zabbix-lts + /usr/sbin/chmod 755 /var/log/zabbix-lts + fi +/usr/sbin/chown -R zabbix:zabbix /var/log/zabbix-lts + +if [ ! -d /var/run/zabbix-lts ] + then + /bin/mkdir -p /var/run/zabbix-lts + /usr/sbin/chmod 755 /var/run/zabbix-lts + fi +/usr/sbin/chown -R zabbix:zabbix /var/run/zabbix-lts + +if [ ! -d /var/db/zabbix-lts ] + then + /bin/mkdir -p /var/db/zabbix-lts + /usr/sbin/chmod 755 /var/db/zabbix-lts + fi +/usr/sbin/chown -R zabbix:zabbix /var/db/zabbix-lts + +EOF; + + $zproxy_rcfile="/usr/local/etc/rc.d/zabbix_proxy_lts.sh"; + if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled']=="on"){ + $zproxy_start= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy LTS\"...\n"; + /* start zabbix proxy */ + $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n"; + + $zproxy_stop = "echo \"Stopping Zabbix Proxy LTS\"\n"; + $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n"; + $zproxy_stop .= "/bin/sleep 5\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "zabbix_proxy_lts.sh", + "start" => $zproxy_start, + "stop" => $zproxy_stop + ) + ); + mwexec("{$zproxy_rcfile} restart"); + }else{ + if (file_exists($zproxy_rcfile)){ + mwexec("{$zproxy_rcfile} stop"); + unlink($zproxy_rcfile); + } + } + + $zagent_rcfile="/usr/local/etc/rc.d/zabbix_agentd_lts.sh"; + if (is_array($zbagent_config) && $zbagent_config['agentenabled']=="on"){ + $zagent_start .= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent LTS...\"\n"; + $zagent_start .= ZABBIX_AGENT_BASE . 
"/sbin/zabbix_agentd\n"; + + $zagent_stop = "echo \"Stopping Zabbix Agent LTS...\"\n"; + $zagent_stop .= "/usr/bin/killall zabbix_agentd\n"; + $zagent_stop .= "/bin/sleep 5\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "zabbix_agentd_lts.sh", + "start" => "$zagent_start", + "stop" => "$zagent_stop" + ) + ); + mwexec("{$zagent_rcfile} restart"); + }else{ + if (file_exists($zagent_rcfile)){ + mwexec("{$zagent_rcfile} stop"); + unlink($zagent_rcfile); + } + } + + conf_mount_ro(); +} + +?> diff --git a/config/zabbix-lts/zabbix-proxy-lts.xml b/config/zabbix-lts/zabbix-proxy-lts.xml new file mode 100644 index 00000000..de9f1e1c --- /dev/null +++ b/config/zabbix-lts/zabbix-proxy-lts.xml 
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+<copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ zabbix-proxy-lts.xml
+ part of the Zabbix package for pfSense
+ Copyright (C) 2013 Danilo G. Baio
+ Copyright (C) 2013 Marcello Coutinho
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE. 
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <name>zabbixproxylts</name>
+ <title>Services: Zabbix Proxy LTS</title>
+ <category>Monitoring</category>
+ <version>0.8.3</version>
+ <include_file>/usr/local/pkg/zabbix-lts.inc</include_file>
+ <addedit_string>Zabbix Proxy has been created/modified.</addedit_string>
+ <delete_string>Zabbix Proxy has been deleted.</delete_string>
+ <restart_command>/usr/local/etc/rc.d/zabbix_proxy_lts.sh restart</restart_command>
+ <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/zabbix-lts/zabbix-lts.inc</item>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <menu>
+ <name>Zabbix Proxy LTS</name>
+ <tooltiptext>Setup Zabbix Proxy LTS specific settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=zabbix-proxy-lts.xml&id=0</url>
+ </menu>
+ <service>
+ <name>zabbix_proxy_lts</name>
+ <rcfile>zabbix_proxy_lts.sh</rcfile>
+ <executable>zabbix_proxy</executable>
+ <description>Zabbix Proxy LTS collection daemon</description>
+ </service>
+ <tabs>
+ <tab>
+ <text>Proxy</text>
+ <url>/pkg_edit.php?xml=zabbix-proxy-lts.xml&id=0</url>
+ <active />
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Zabbix Proxy LTS Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>proxyenabled</fieldname>
+ <description>Enable Zabbix Proxy LTS service</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Server</fielddescr>
+ <fieldname>server</fieldname>
+ <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description>
+ <default_value>127.0.0.1</default_value>
+ <type>input</type>
+ <size>60</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Server Port</fielddescr>
+ <fieldname>serverport</fieldname>
+ <description>Port of Zabbix trapper on Zabbix server. 
default value 10051</description>
+ <default_value>10051</default_value>
+ <type>input</type>
+ <size>6</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Hostname</fielddescr>
+ <fieldname>hostname</fieldname>
+ <description>Unique, case-sensitive proxy name. Make sure the proxy name is known to the server</description>
+ <default_value>localhost</default_value>
+ <type>input</type>
+ <size>50</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Proxy Mode</fielddescr>
+ <fieldname>proxymode</fieldname>
+ <description>Select Zabbix proxy mode (Active is default)</description>
+ <type>select</type>
+ <default_value>0</default_value>
+ <options>
+ <option><name>Active</name><value>0</value></option>
+ <option><name>Passive</name><value>1</value></option>
+ </options>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Config Frequency</fielddescr>
+ <fieldname>configfrequency</fieldname>
+ <description>How often the proxy retrieves configuration data from the Zabbix server in seconds. Ignored if the proxy runs in passive mode.</description>
+ <default_value>3600</default_value>
+ <type>input</type>
+ <size>10</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Advanced Parameters</fielddescr>
+ <fieldname>advancedparams</fieldname>
+ <encoding>base64</encoding>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ <description>Advanced parameters. There are some rarely used parameters that sometimes need to be defined. 
Value has form, example: StartDiscoverers=10</description>
+ </field>
+ </fields>
+ <custom_php_install_command>sync_package_zabbix_lts();</custom_php_install_command>
+ <custom_php_command_before_form></custom_php_command_before_form>
+ <custom_php_after_head_command></custom_php_after_head_command>
+ <custom_php_after_form_command></custom_php_after_form_command>
+ <custom_php_validation_command>validate_input_zabbix_lts($_POST, $input_errors);</custom_php_validation_command>
+ <custom_add_php_command></custom_add_php_command>
+ <custom_php_resync_config_command>sync_package_zabbix_lts();</custom_php_resync_config_command>
+ <custom_php_deinstall_command>php_deinstall_zabbix_proxy_lts();</custom_php_deinstall_command>
+</packagegui> |
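Review bot: The `<url>` elements in the `<menu>` and `<tabs>` blocks carry a bare `&` in `/pkg_edit.php?xml=zabbix-proxy-lts.xml&id=0`, which is not well-formed XML; write it as `<url>/pkg_edit.php?xml=zabbix-proxy-lts.xml&amp;id=0</url>` in both places so a strict parser does not reject the file. The validation hook `validate_input_zabbix_lts($_POST, $input_errors)` is defined outside this hunk, and `server`, `serverport` and `hostname` are free-text inputs that presumably end up in the daemon's configuration file, so confirm that function rejects a non-numeric `serverport` and embedded newlines in the other two rather than relying on `<required>` alone. The `proxymode` select only defines values 0 and 1, so the same check should also constrain the submitted value to those two.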