diff options
Diffstat (limited to 'config')
108 files changed, 5100 insertions, 1152 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template index 69ffb9c7..ab981a9e 100644 --- a/config/apache_mod_security-dev/apache.template +++ b/config/apache_mod_security-dev/apache.template @@ -4,69 +4,8 @@ if(file_exists( APACHEDIR ."/libexec/apache22/mod_memcache.so")) $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n"; } - -/* -<IfModule mod_security2.c> - - - # Turn the filtering engine On or Off - SecFilterEngine On - - # XXX Add knobs for these - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess On - - SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} - SecRequestBodyLimit {$secrequestbodylimit} - - {$mod_security_custom} - - SecResponseBodyMimeTypesClear - SecResponseBodyMimeType (null) text/plain text/html text/css text/xml - - # XXX Add knobs for these - SecUploadDir /var/spool/apache/private - SecUploadKeepFiles Off - - # The audit engine works independently and - # can be turned On of Off on the per-server or - # on the per-directory basis - SecAuditEngine {$secauditengine} - - # XXX Add knobs for these - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # XXX Add knobs for these - # Unicode encoding check - SecFilterCheckUnicodeEncoding On - - # XXX Add knobs for these - # Only allow bytes from this range - SecFilterForceByteRange 1 255 - - # Help prevent the effects of a Slowloris-type of attack - # $secreadstatelimit - - # Cookie format checks. - SecFilterCheckCookieFormat On - - # The name of the audit log file - SecAuditLog logs/audit_log - - #http-guardian Anti-dos protection - {$SecGuardianLog} - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # Include rules from rules/ directory - {$mod_security_rules} - -</IfModule> - -*/ + if($mods_settings['enablemodsecurity']=="on") + $mod_security_module= "LoadModule security2_module libexec/apache22/mod_security2.so\n"; $apache_dir=APACHEDIR; $apache_config = <<<EOF @@ -176,7 +115,7 @@ LoadModule status_module libexec/apache22/mod_status.so LoadModule autoindex_module libexec/apache22/mod_autoindex.so LoadModule asis_module libexec/apache22/mod_asis.so LoadModule info_module libexec/apache22/mod_info.so -LoadModule cgi_module libexec/apache22/mod_cgi.so +#LoadModule cgi_module libexec/apache22/mod_cgi.so LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so LoadModule negotiation_module libexec/apache22/mod_negotiation.so LoadModule dir_module libexec/apache22/mod_dir.so @@ -188,6 +127,7 @@ LoadModule alias_module libexec/apache22/mod_alias.so LoadModule rewrite_module libexec/apache22/mod_rewrite.so LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so {$mod_mem_cache} +{$mod_security_module} <IfModule !mpm_netware_module> <IfModule !mpm_winnt_module> @@ -564,9 +504,13 @@ AcceptFilter https none # Proxysettings {$mod_proxy} +# Mod status +{$mod_status} + + # Include anything else Include etc/apache22/Includes/*.conf EOF; -?>
\ No newline at end of file +?> diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml index b3acba57..5e02f9d4 100755 --- a/config/apache_mod_security-dev/apache_balancer.xml +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -75,7 +75,12 @@ <active/> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -103,23 +108,24 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> - <name>apache Reverse Peer Mappings</name> + <name>Apache Reverse Peer Mappings</name> <type>listtopic</type> </field> <field> <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> - <description>If this field is checked, then this server poll will be available for virtual hosts config.</description> + <description>If this field is checked, then this server pool will be available for Virtual Hosts configuration.</description> <type>checkbox</type> </field> <field> <fielddescr>Balancer name</fielddescr> <fieldname>name</fieldname> - <description><![CDATA[Name to identify this peer on apache conf<br> - example: www_site1]]></description> + <description><![CDATA[Name to identify this peer in Apache configuration<br> + Example: www_site1]]></description> <type>input</type> <size>20</size> </field> @@ -133,61 +139,66 @@ <field> <fielddescr>Protocol</fielddescr> <fieldname>proto</fieldname> - <description><![CDATA[Protocol listening on this internal server(s) port.]]></description> + <description><![CDATA[Protocol used on the internal server(s).]]></description> <type>select</type> - <options> - <option> <name>HTTP</name> <value>http</value> </option> - <option> <name>HTTPS</name> <value>https</value> </option> - </options> + <options> + <option> <name>HTTP</name> <value>http</value> </option> + <option> <name>HTTPS</name> <value>https</value> </option> + </options> </field> -<field> - <fielddescr> - <![CDATA[Internal Servers]]> - </fielddescr> + <field> + <name><![CDATA[Internal Server(s)]]></name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Internal Servers]]></fielddescr> <fieldname>additionalparameters</fieldname> - <type>rowhelper</type> - <rowhelper> + <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> + <rowhelper> <rowhelperfield> - <fielddescr>fqdn or ip</fielddescr> - <fieldname>host</fieldname> - <description>Internal site IP or Hostnamesite</description> - <type>input</type> - <size>20</size> + <fielddescr>FQDN or IP Address</fielddescr> + <fieldname>host</fieldname> + <description>Internal site IP or site hostname</description> + <type>input</type> + <size>27</size> </rowhelperfield> <rowhelperfield> - <fielddescr>port</fielddescr> - <fieldname>port</fieldname> - <description>Internal site port</description> - <type>input</type> - <size>4</size> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Internal site port</description> + <type>input</type> + <size>5</size> </rowhelperfield> <rowhelperfield> - <fielddescr>routeid</fielddescr> - <fieldname>routeid</fieldname> - <description>id to define stick connections</description> - <type>input</type> - <size>4</size> + <fielddescr>Route ID</fielddescr> + <fieldname>routeid</fieldname> + <description>ID to define sticky connections</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>weight</fielddescr> - <fieldname>loadfactor</fieldname> - <description>Server weight</description> - <type>input</type> - <size>4</size> + <fielddescr>Weight</fielddescr> + <fieldname>loadfactor</fieldname> + <description>Server weight</description> + <type>input</type> + <size>4</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ping</fielddescr> - <fieldname>ping</fieldname> - <description>Server ping test interval</description> - <type>input</type> - <size>4</size> + <fielddescr>Ping</fielddescr> + <fieldname>ping</fieldname> + <description>Server ping test interval</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ttl</fielddescr> - <fieldname>ttl</fieldname> - <description>Server pint ttl</description> - <type>input</type> - <size>4</size> + <fielddescr>TTL</fielddescr> + <fieldname>ttl</fieldname> + <description>Server ping TTL</description> + <type>input</type> + <size>6</size> </rowhelperfield> </rowhelper> </field> @@ -196,4 +207,4 @@ <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_location.xml b/config/apache_mod_security-dev/apache_location.xml new file mode 100644 index 00000000..ea957f43 --- /dev/null +++ b/config/apache_mod_security-dev/apache_location.xml @@ -0,0 +1,237 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_location.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> + </copyright> + <name>apachelocation</name> + <version>1.0</version> + <title>Apache reverse proxy: Locations</title> + + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <active/> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <adddeleteeditpagefields> + <movable>on</movable> + <columnitem> + <fielddescr>Identifier</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Compress</fielddescr> + <fieldname>compress</fieldname> + </columnitem> + <columnitem> + <fielddescr>Site Path</fielddescr> + <fieldname>sitepath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Balancer</fielddescr> + <fieldname>balancer</fieldname> + </columnitem> + <columnitem> + <fielddescr>LB Method</fielddescr> + <fieldname>lbmethod</fieldname> + </columnitem> + <columnitem> + <fielddescr>Backendpath</fielddescr> + <fieldname>backendpath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Modsecurity</fielddescr> + <fieldname>modsecgroup</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Rule Manipulation</fielddescr> + <fieldname>modsecmanipulation</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Location Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Identifier]]></fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Location name/identifier.]]></description> + <type>input</type> + <required/> + <size>20</size> + </field> + <field> + <fielddescr><![CDATA[gzip?]]></fielddescr> + <fieldname>compress</fieldname> + <description>Compress data to save bandwidth?</description> + <type>select</type> + <options> + <option><name>yes</name><value>yes</value></option> + <option><name>no</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr><![CDATA[Site Path]]></fielddescr> + <fieldname>sitepath</fieldname> + <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[Balancer]]></fielddescr> + <fieldname>balancer</fieldname> + <description>Server balancer / pool</description> + <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + <type>select_source</type> + <size>5</size> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LB Method</a>]]></fielddescr> + <fieldname>lbmethod</fieldname> + <description>Server balance method</description> + <type>select</type> + <options> + <option><name>byrequests</name><value>byrequests</value></option> + <option><name>bytraffic</name><value>bytraffic</value></option> + <option><name>bybusyness</name><value>bybusyness</value></option> + </options> + </field> + <field> + <fielddescr>Backend Path</fielddescr> + <fieldname>backendpath</fieldname> + <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[ModSecurity]]></fielddescr> + <fieldname>modsecgroup</fieldname> + <description>Choose ModSecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[Manipulations]]></fielddescr> + <fieldname>modsecmanipulation</fieldname> + <description>Choose Modsecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> + <fieldname>options</fieldname> + <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <name>Custom Location Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom</fieldname> + <description><![CDATA[Pass extra Apache config for this Location. This is useful for SSLRequire rules for example.]]></description> + <type>textarea</type> + <cols>90</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <service> + <name>apache_mod_security</name> + <rcfile>apache_mod_security.sh</rcfile> + <executable>httpd</executable> + </service> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui> diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php index 256ff144..fdcc04b0 100644 --- a/config/apache_mod_security-dev/apache_logs_data.php +++ b/config/apache_mod_security-dev/apache_logs_data.php @@ -92,7 +92,7 @@ if ($_GET) { // Apply filter and color if ($filter != "") $line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line); - $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n"; + $agent_info="onmouseover=\"jQuery('#browserinfo').empty().html('{$line[13]}');\"\n"; echo "<tr valign=\"top\" $agent_info>\n"; echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[5]}({$line[6]})</td>\n"; echo "<td class=\"listr\" align=\"center\">{$line[1]}</td>\n"; diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index fb83f9a6..31be95cf 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -3,7 +3,8 @@ apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho + Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "apache"; // Check to find out on which system the package is running $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) @@ -35,9 +37,9 @@ if ($pf_version > 2.0) else define('APACHEDIR', '/usr/local'); // End of system check -define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +define ('MODSECURITY_DIR','crs'); // Rules directory location -define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR); function apache_textarea_decode($base64){ return preg_replace("/\r\n/","\n",base64_decode($base64)); } @@ -57,10 +59,6 @@ function apache_get_real_interface_address($iface) { // Ensure NanoBSD can write. pkg_mgr will remount RO conf_mount_rw(); -// Needed mod_security directories -if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) - safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); - // Startup function function apache_mod_security_start() { exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); @@ -127,24 +125,179 @@ function apache_mod_security_resync() { global $config, $g; apache_mod_security_install(); $dirs=array("base", "experimental","optional", "slr"); - if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) - exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + log_error("apache_mod_security_package: configuration resync is starting."); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")){ + exec ("/usr/local/bin/git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".APACHEDIR."/".MODSECURITY_DIR); + //chdir (APACHEDIR."/".MODSECURITY_DIR); + //exec ("/usr/local/bin/git checkout -q 2.2.8"); + } $write_config=0; foreach ($dirs as $dir){ if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { - $write_config++; - $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); - while (false !== ($entry = readdir($handle))) { - if (preg_match("/(\S+).conf/",$entry,$matches)) - $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); - } - closedir($handle); + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf$/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); } } if ($write_config > 0) write_config(); apache_mod_security_checkconfig(); apache_mod_security_restart(); + log_error("apache_mod_security_package: configuration resync is ending."); + + if (is_array($config['installedpackages']['apachesync']['config'])){ + $apache_sync = $config['installedpackages']['apachesync']['config'][0]; + $synconchanges = $apache_sync['synconchanges']; + $synctimeout = $apache_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($apache_sync[row])){ + $rs = $apache_sync[row]; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no hosts to push on apache config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x + $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else if (is_array($config['hasync'])) { // pfSense 2.1 + $system_carp = $config['hasync']; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no system backup hosts to push apache config."); + return; + } + break; + default: + return; + break; + } + } + if (is_array($rs)){ + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if ($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if ($password && $sync_to_ip) + apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + } + } +} + +// Do the actual XMLRPC Sync +function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['apachesettings'] = $config['installedpackages']['apachesettings']; + $xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity']; + $xml['apachemodsecuritysettings'] = $config['installedpackages']['apachemodsecuritysettings']; + $xml['apachebalancer'] = $config['installedpackages']['apachebalancer']; + $xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost']; + $xml['apachelisten'] = $config['installedpackages']['apachelisten']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell apache_mod_security to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/apache_mod_security.inc');\n"; + $execcmd .= "apache_mod_security_resync();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + } function apache_mod_security_checkconfig() { @@ -198,7 +351,9 @@ function generate_apache_configuration() { file_notice("apache_mod_security", $error, "apache_mod_security", ""); } // Set global listening directive and ensure nothing is listening on this port already - $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $iface_address = apache_get_real_interface_address($settings['globalbindtoipaddr']); + $ip=$iface_address[0]; + $globalbind_ip = ($ip ? $ip : "*"); $globalbind_port = $settings['globalbindtoport']; if ($globalbind_port == ""){ $globalbind_port ="80"; @@ -230,7 +385,8 @@ function generate_apache_configuration() { //performance settings //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html - $performance_settings="KeepAlive {$settings['keepalive']}\n"; + $keepalive=($settings['keepalive']?$settings['keepalive']:"on"); + $performance_settings="KeepAlive {$keepalive}\n"; if ($settings['maxkeepalivereq']) $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; if ($settings['keepalivetimeout']) @@ -296,7 +452,7 @@ function generate_apache_configuration() { $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); - if (isset($server['ping'])){ + if (isset($server['ping']) && $server['ping']!=""){ $options.= " ping={$server['ping']}"; $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); } @@ -311,8 +467,50 @@ function generate_apache_configuration() { //write balancer conf file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); } - + + // configure modsecurity group options + //chroot apache http://forums.freebsd.org/showthread.php?t=6858 + if (is_array($config['installedpackages']['apachemodsecuritygroups'])){ + unset($mods_group); + foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){ + //RULES_DIRECTORY + foreach (split(",",$mods_groups['baserules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['optionalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['slrrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['experimentalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n"; + } + } + } + //print "<PRE>"; + //var_dump($mods_group); + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + + if ($mods_settings['crs10']=="" && file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){ + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')); + write_config("modsecurity - Load crs 10 default setup file."); + } + + $cr10_setup="Include ".RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf\n"; + file_put_contents(RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][0]['crs10']),LOCK_EX); + } + // create location(s) array + if (is_array($config['installedpackages']['apachelocation'])){ + foreach ($config['installedpackages']['apachelocation']['config'] as $location) + $apache_location[$location['name']]=$location; + } //configure virtual hosts + $namevirtualhosts=array(); + $namevirtualhosts[0]=$global_listen; if (is_array($config['installedpackages']['apachevirtualhost'])){ $vh_config= <<<EOF ################################################################################## @@ -332,6 +530,9 @@ EOF; $iface_address = apache_get_real_interface_address($virtualhost['interface']); $ip=$iface_address[0]; $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + if (!in_array("{$ip}:{$port}",$namevirtualhosts)) + $namevirtualhosts[]="{$ip}:{$port}"; + $vh_config.="# {$virtualhost['description']}\n"; $vh_config.="<VirtualHost {$ip}:{$port}>\n"; $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; @@ -378,23 +579,31 @@ EOF; $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; #Check virtualhost locations - foreach ($virtualhost['row'] as $backend){ - $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; - $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - if ($backend['compress']== "no") - $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; - if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ - foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ - if ($backend['modsecmanipulation'] == $manipulation['name']){ - if (is_array($manipulation['row'])) - foreach ($manipulation['row'] as $secrule) - $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + foreach ($virtualhost['row'] as $be){ + if ($be['location'] != "none"){ + $backend=$apache_location[$be['location']]; + $vh_config.="# {$backend['name']}\n"; + $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){ + $vh_config.=$mods_group[$backend['modsecgroup']]; + } + if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } } } - } - $vh_config.=" </Location>\n\n"; + $vh_config.= apache_textarea_decode($backend['custom'])."\n\n"; + $vh_config.=" </Location>\n\n"; } + } $vh_config.="</VirtualHost>\n"; } } @@ -404,7 +613,7 @@ EOF; // check/fix perl version on mod_security util files $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); foreach ($perl_files as $perl_file){ - $file_path=rules_directory."/util/"; + $file_path=RULES_DIRECTORY."/util/"; if (file_exists($file_path.$perl_file)){ $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); file_put_contents($file_path.$perl_file,$script,LOCK_EX); @@ -421,12 +630,8 @@ EOF; } } - //mod_security settings - if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ - $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; - if ($mods_settings!="") - $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; - } + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\""; //fix http-guardian.pl block bins //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; @@ -480,51 +685,44 @@ EOF; // Read already configured addresses if (is_array($settings['row'])){ foreach($settings['row'] as $row) { - if ($row['ipaddress'] && $row['ipport']) + if ($row['interface'] && $row['ipport']) $configuredaliases[] = $row; } } // clear list of bound addresses before updating $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); - // Process proxy sites // Configure NameVirtualHost directives $aliases = ""; - $processed = array(); - if(is_array($config['installedpackages']['apachemodsecurity'])) { - foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { - if($ams['ipaddress'] && $ams['port']) - $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else - $local_ip_port = $global_listen; - // Do not add entries twice. - if(!in_array($local_ip_port, $processed)) { - // explicit bind if not global ip:port - if ($local_ip_port != $global_listen) { - $aliases .= "Listen $local_ip_port\n"; - // Automatically add this to configuration - $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); - } - $mod_proxy .= "NameVirtualHost $local_ip_port\n"; - $processed[] = $local_ip_port; - } + //add NameVirtualHost and listening entries to configured virtualhosts + foreach ($namevirtualhosts as $namevirtualhost){ + // explicit bind if not global ip:port + if ($namevirtualhost != $global_listen) { + $mod_proxy .= "NameVirtualHost {$namevirtualhost}\n"; + $aliases .= "Listen $namevirtualhost\n"; + // Automatically add this to configuration + $aplisten=split(":",$namevirtualhost); + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $aplisten[0], 'ipport' => $aplisten[1]); } } + // Process Status Page + $mod_status = ""; + if ($settings['statuspage'] == "on") { + if($settings['extendedstatuspage']== "on"){ + $extendedstatus="ExtendedStatus On"; + } + $mod_status .= <<<EOF +{$extendedstatus} +<Location /server-status> + SetHandler server-status + Order Deny,Allow + Deny from all -//** Uncomment to allow adding ip/ports not used by any site proxies -//** Otherwise unused addresses/ports will be automatically deleted from the configuration -// foreach ($configuredaliases as $ams) { -// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; -// if(!in_array($local_ip_port, $processed)) { -// // explicit bind if not global ip:port -// if ($local_ip_port != $global_listen) { -// $aliases .= "Listen $local_ip_port\n"; -// // Automatically add this to configuration -// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); -// } -// } -// } +EOF; + $mod_status .= "Allow from ".($settings['netaccessstatus'] ? $settings['netaccessstatus'] : "All")."\n"; + $mod_status .= "</Location>\n"; + } // update configuration with actual ip bindings write_config($pkg['addedit_string']); @@ -632,19 +830,20 @@ EOF; $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; // Process and include rules - if(is_dir(rules_directory)) { + if(is_dir(RULES_DIRECTORY)) { $mod_security_rules = ""; - $files = return_dir_as_array(rules_directory); + $files = return_dir_as_array(RULES_DIRECTORY); foreach($files as $file) { - if(file_exists(rules_directory . "/" . $file)) { + if(file_exists(RULES_DIRECTORY . "/" . $file)) { // XXX: TODO integrate snorts rule on / off thingie - $file_txt = file_get_contents(rules_directory . "/" . $file); + $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file); $mod_security_rules .= $file_txt . "\n"; } } } #include file templates + include ("/usr/local/pkg/apache_mod_security.template"); include ("/usr/local/pkg/apache.template"); file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template index e5a2c864..d004a9ae 100644 --- a/config/apache_mod_security-dev/apache_mod_security.template +++ b/config/apache_mod_security-dev/apache_mod_security.template @@ -1,8 +1,8 @@ <?php - // Mod_security enabled? - if($modsec_settings['enablemodsecurity']) { - $enable_mod_security = true; - $mod_security = <<< EOF +// Mod_security enabled? +if($mods_settings['enablemodsecurity']=="on") { + $enable_mod_security = true; + $mod_security = <<< EOF # -- Rule engine initialization ---------------------------------------------- # Enable ModSecurity, attaching it to every transaction. Use detection @@ -208,3 +208,5 @@ SecArgumentSeparator & # SecCookieFormat 0 +EOF; +} diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml index 92b41243..4775fb3c 100644 --- a/config/apache_mod_security-dev/apache_mod_security_groups.xml +++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml @@ -73,15 +73,21 @@ <tab_level>2</tab_level> </tab> </tabs> - <adddeleteeditpagefields> + <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Name</fielddescr> <fieldname>name</fieldname> </columnitem> <columnitem> + <fielddescr>Logging</fielddescr> + <fieldname>secauditengine</fieldname> + </columnitem> + <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + </adddeleteeditpagefields> <fields> <field> @@ -94,6 +100,7 @@ <description>Enter group name</description> <type>input</type> <size>25</size> + <required/> </field> <field> <fielddescr>Description</fielddescr> @@ -102,6 +109,7 @@ <type>input</type> <size>45</size> </field> + <field> <fielddescr>Base Rules</fielddescr> <fieldname>baserules</fieldname> @@ -182,30 +190,24 @@ <option><name>log everything, including very detailed debugging information</name><value>9</value></option> </options> </field> - <field> - <name>Custom options</name> + <name>Custom mod_security rules</name> <type>listtopic</type> </field> <field> - <fielddescr>Custom mod_security ErrorDocument</fielddescr> - <fieldname>errordocument</fieldname> - <description></description> - <type>textarea</type> - <rows>10</rows> - <cols>75</cols> - </field> - <field> <fielddescr>Custom mod_security rules</fielddescr> <fieldname>modsecuritycustom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste any custom mod_security rules that you would like to use</description> <type>textarea</type> - <rows>10</rows> - <cols>75</cols> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml index 54738d83..7477e540 100644 --- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -82,6 +82,7 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -141,4 +142,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml index 985f6bcc..bbc7da4a 100644 --- a/config/apache_mod_security-dev/apache_mod_security_settings.xml +++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml @@ -101,7 +101,6 @@ <fielddescr>Max request per IP</fielddescr> <fieldname>SecReadStateLimit</fieldname> <description> - //274 <![CDATA[This option limits number of POSTS accepted from same IP address and help prevent the effects of a Slowloris-type of attack.<br> More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris ]]> @@ -124,6 +123,36 @@ <size>10</size> </field> <field> + <name>mod_security crs 10 setup</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>mod_security crs 10 setup</fielddescr> + <fieldname>crs10</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>15</rows> + <cols>90</cols> + </field> + <field> + <name>Custom mod_security ErrorDocument</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom mod_security ErrorDocument</fielddescr> + <fieldname>errordocument</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description>Custom mod_security ErrorDocument.</description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> + </field> + <field> <name>Modsecurity addons</name> <type>listtopic</type> </field> @@ -164,4 +193,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml index 0d8d8c8f..7ecfb68e 100755 --- a/config/apache_mod_security-dev/apache_mod_security_sync.xml +++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml @@ -68,8 +68,30 @@ <field> <fielddescr>Automatically sync apache configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync apache changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for Apache + ModSecurity.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>250 seconds</name><value>250</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php index 1956a217..669c71f4 100755 --- a/config/apache_mod_security-dev/apache_mod_security_view_logs.php +++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php @@ -68,7 +68,7 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), false, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); $tab_array[] = array(gettext("Backends"), false, "/pkg.php?xml=apache_mod_security_backends.xml",2); $tab_array[] = array(gettext("VirtualHosts"), false, "/pkg.php?xml=apache_mod_security.xml",2); diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml index 20ba59c2..1dd4bc78 100644 --- a/config/apache_mod_security-dev/apache_settings.xml +++ b/config/apache_mod_security-dev/apache_settings.xml @@ -10,7 +10,7 @@ apache_mod_security_settings.xml part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2008, 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -68,7 +68,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -88,36 +93,35 @@ <fieldname>globalsiteadminemail</fieldname> <description>Enter the site administrators e-mail address</description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Server hostname</fielddescr> <fieldname>hostname</fieldname> <description> - <![CDATA[Enter the servers hostname<br/ + <![CDATA[Enter the servers hostname<br> NOTE: Leave blank to use this devices hostname.]]> </description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Default Bind to IP Address</fielddescr> <fieldname>globalbindtoipaddr</fieldname> <description> - <![CDATA[ - This is the IP address the Proxy Server will listen on. - <br/> - NOTE: Leave blank to bind to * - ]]> + <![CDATA[This is the IP address the Proxy Server will listen on.]]> </description> - <type>input</type> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <showips/> </field> <field> <fielddescr>Default Bind to port</fielddescr> <fieldname>globalbindtoport</fieldname> <description> - <![CDATA[ - This is the port the Proxy Server will listen on.<br> - NOTE: Leave blank to bind to 80 - ]]> + <![CDATA[This is the port the Proxy Server will listen on.<br> + NOTE: Leave blank to bind to 80]]> </description> <type>input</type> <size>5</size> @@ -278,9 +282,42 @@ <type>input</type> <size>10</size> </field> + <field> + <name>Status Page</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Status Page</fielddescr> + <fieldname>statuspage</fieldname> + <description> + <![CDATA[Enable a status page for Apache and Mod_proxy. Access http://DefaultBindIP:DefaultBindPort/status-server]]> + </description> + <type>select</type> + <options> + <option><name>Disabled (Default)</name><value>off</value></option> + <option><name>Enabled</name><value>on</value></option> + </options> + </field> + <field> + <fielddescr>Extended Status</fielddescr> + <fieldname>extendedstatuspage</fieldname> + <description> + <![CDATA[Keep track of extended status information for each request]]> + </description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Status Page ACL</fielddescr> + <fieldname>netaccessstatus</fieldname> + <description> + <![CDATA[Networks that can access apache status page. Ex: 172.16.1.0/24<br> + NOTE: Leave blank to allow access from any ip.(Not recommended for security reasons)]]> + </description> + <type>input</type> + </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php index da82baaa..10bb1db6 100644 --- a/config/apache_mod_security-dev/apache_view_logs.php +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -42,7 +42,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "Status: Apache Vhosts Logs"; +$pgtitle = "Status: Apache VirtualHost Logs"; include("head.inc"); ?> @@ -96,7 +96,7 @@ function showLog(content,url,logtype) <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); display_top_tabs($tab_array); ?> @@ -106,6 +106,7 @@ function showLog(content,url,logtype) unset ($tab_array); $tab_array[] = array(gettext("Daemon Options"), false, "pkg_edit.php?xml=apache_settings.xml"); $tab_array[] = array(gettext("Backends / Balancers"), false, "/pkg.php?xml=apache_balancer.xml"); + $tab_array[] = array(gettext("Location(s)"), false, "/pkg.php?xml=apache_location.xml"); $tab_array[] = array(gettext("Virtual Hosts"), false, "/pkg.php?xml=apache_virtualhost.xml"); $tab_array[] = array(gettext("Logs"), true, "/apache_view_logs.php"); display_top_tabs($tab_array); @@ -171,8 +172,8 @@ function showLog(content,url,logtype) </tbody> </table> </form> - <div id="bowserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> - <span><span> + <div id="browserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> + <span></span> </div> <!-- Squid Table --> <table width="100%" border="0" cellpadding="0" cellspacing="0"> diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml index 2e29a9af..747ef975 100644 --- a/config/apache_mod_security-dev/apache_virtualhost.xml +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -4,40 +4,41 @@ <packagegui> <copyright> <![CDATA[ - /* $Id$ */ - /* ========================================================================== */ - /* - apache_virtualhost.xml - part of apache_mod_security package (http://www.pfSense.com) - Copyright (C)2009, 2010 Scott Ullrich - Copyright (C)2012 Marcello Coutinho - All rights reserved. - */ - /* ========================================================================== */ - /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: +/* $Id$ */ +/* ========================================================================== */ +/* + apache_virtualhost.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2009, 2010 Scott Ullrich + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - /* ========================================================================== */ - ]]> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> </copyright> <name>apachevirtualhost</name> <version>1.0</version> @@ -113,6 +114,16 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/pkg_apache.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/apache_location.xml</item> + </additional_files_needed> <tabs> <tab> <text>Apache</text> @@ -138,7 +149,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> <active/> @@ -150,9 +166,12 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Status</fielddescr> <fieldname>enable</fieldname> + <listmodeon>Enabled</listmodeon> + <listmodeoff>Disabled</listmodeoff> </columnitem> <columnitem> <fielddescr>Iface</fielddescr> @@ -193,17 +212,14 @@ <description>Select protocols that this virtual host will accept connections</description> <type>select</type> <options> - <option><name>HTTP</name><value>http</value></option> - <option><name>HTTPS</name><value>https</value></option> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> </options> </field> <field> <fielddescr>Server Name(s)</fielddescr> <fieldname>primarysitehostname</fieldname> - <description> - <![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/> - Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]> - </description> + <description><![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/>Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]></description> <cols>40</cols> <rows>2</rows> <type>textarea</type> @@ -230,34 +246,28 @@ <fielddescr>Site Webmaster E-Mail address</fielddescr> <fieldname>siteemail</fieldname> <size>50</size> - <description> - <![CDATA[ - Enter the Webmaster E-Mail address for this site. - ]]> - </description> + <description><![CDATA[Enter the Webmaster E-Mail address for this site.]]></description> <type>input</type> </field> <field> <fielddescr>Site description</fielddescr> <fieldname>description</fieldname> <size>50</size> - <description> - <![CDATA[Enter a site description]]> - </description> + <description><![CDATA[Enter a site description]]></description> <type>input</type> </field> <field> <fielddescr>HTTPS SSL certificate</fielddescr> <fieldname>ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> + <type>select_source</type> <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> <show_disable_value>none</show_disable_value> </field> <field> - <fielddescr>intermediate CA certificate(optional)</fielddescr> + <fielddescr>Intermediate CA certificate (optional)</fielddescr> <fieldname>reverse_int_ca</fieldname> <description>Select intermediate CA assigned to certificate. Not all certificates require this.</description> <type>select_source</type> @@ -271,82 +281,19 @@ <![CDATA[Location(s)]]> </fielddescr> <fieldname>locations</fieldname> - <type>rowhelper</type> - <rowhelper> - <rowhelperfield> - <fielddescr><![CDATA[gzip?]]></fielddescr> - <fieldname>compress</fieldname> - <description>Compress data to save bandwidth?</description> - <type>select</type> - <options> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[site path]]></fielddescr> - <fieldname>sitepath</fieldname> - <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> + <type>rowhelper</type> + <rowhelper> <rowhelperfield> - <fielddescr><![CDATA[Balancer]]></fielddescr> - <fieldname>balancer</fieldname> - <description>Server balancer / pool</description> - <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <fielddescr><![CDATA[Location]]></fielddescr> + <fieldname>location</fieldname> + <description>Server Location</description> + <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source> <source_name>name</source_name> <source_value>name</source_value> <show_disable_value>none</show_disable_value> <type>select_source</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LbMethod</a>]]></fielddescr> - <fieldname>lbmethod</fieldname> - <description>Server balance method</description> - <type>select</type> - <options> - <option><name>byrequests</name><value>byrequests</value></option> - <option><name>bytraffic</name><value>bytraffic</value></option> - <option><name>bybusyness</name><value>bybusyness</value></option> - </options> </rowhelperfield> - <rowhelperfield> - <fielddescr>Backend path</fielddescr> - <fieldname>backendpath</fieldname> - <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[ModSecurity]]></fielddescr> - <fieldname>modsecgroup</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[Manipulations]]></fielddescr> - <fieldname>modsecmanipulation</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> - <fieldname>options</fieldname> - <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - </rowhelper> + </rowhelper> </field> <field> <name>Logging</name> @@ -355,25 +302,19 @@ <field> <fielddescr>Preserve Proxy hostname</fielddescr> <fieldname>preserveproxyhostname</fieldname> - <description> - <![CDATA[ - When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. - ]]> - </description> + <description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Log file</fielddescr> <fieldname>logfile</fieldname> - <description> - <![CDATA[Enable access and error log for this virtual host.]]> - </description> + <description><![CDATA[Enable access and error log for this virtual host.]]></description> <type>select</type> - <options> - <option><name>Log to default apache log file</name><value>default</value></option> - <option><name>Create a log file for this site</name><value>create</value></option> - <option><name>Do not not this website</name><value>disabled</value></option> - </options> + <options> + <option><name>Log to default apache log file</name><value>default</value></option> + <option><name>Create a log file for this site</name><value>create</value></option> + <option><name>Do not log this website</name><value>disabled</value></option> + </options> </field> <field> <name>Custom Options</name> @@ -382,21 +323,22 @@ <field> <fielddescr>Custom Options</fielddescr> <fieldname>custom</fieldname> - <description>Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example.</description> + <description>Pass extra Apache config for this VirtualHost. This is useful for Rewrite rules for example.</description> <type>textarea</type> - <cols>65</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> </field> - </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> </service> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/pkg_apache.inc b/config/apache_mod_security-dev/pkg_apache.inc new file mode 100755 index 00000000..97fb2417 --- /dev/null +++ b/config/apache_mod_security-dev/pkg_apache.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['apache'] = array(); +$shortcuts['apache']['main'] = "pkg_edit.php?xml=apache_virtualhost.xml"; +$shortcuts['apache']['log'] = "diag_logs.php"; +$shortcuts['apache']['status'] = "status_services.php"; +$shortcuts['apache']['service'] = "apache_mod_security"; + +?> diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml index b2162803..c42ebddf 100644 --- a/config/apache_mod_security/apache_mod_security.xml +++ b/config/apache_mod_security/apache_mod_security.xml @@ -219,7 +219,7 @@ </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> <description>HTTP Daemon with mod_security</description> </service> diff --git a/config/arpwatch.xml b/config/arpwatch.xml index c9434075..bf163ad6 100644 --- a/config/arpwatch.xml +++ b/config/arpwatch.xml @@ -2,65 +2,64 @@ <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ + <copyright> + <![CDATA[ +/* ========================================================================== /* - arpwatch.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. + arpwatch.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>ARP Monitoring Daemon</description> + <requirements>None</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>arpwatch</name> - <version>2.1.a13</version> + <version>2.1.a14 pkg v1.1.1</version> <title>arpwatch: Settings</title> <aftersaveredirect>pkg_edit.php?xml=arpwatch.xml&id=0</aftersaveredirect> <menu> - <name>arpwatch</name> - <tooltiptext>Modify arpwatch settings.</tooltiptext> - <section>Services</section> - <configfile>arpwatch.xml</configfile> - <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> - </menu> + <name>arpwatch</name> + <tooltiptext>Modify arpwatch settings.</tooltiptext> + <section>Services</section> + <configfile>arpwatch.xml</configfile> + <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> + </menu> <service> - <name>arpwatch</name> - <rcfile>arpwatch.sh</rcfile> - <executable>arpwatch</executable> - </service> + <name>arpwatch</name> + <rcfile>arpwatch.sh</rcfile> + <executable>arpwatch</executable> + </service> <tabs> <tab> <text>Settings</text> @@ -74,10 +73,15 @@ </tabs> <configpath>installedpackages->package->$packagename->configuration->settings</configpath> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>a+rx</chmod> - <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> - </additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/sbin/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/sm.php</item> + </additional_files_needed> <fields> <field> <fielddescr>Listening Interface</fielddescr> @@ -85,21 +89,37 @@ <description>Choose the desired listening interface here.</description> <type>interfaces_selection</type> </field> + <field> + <fielddescr>Enable E-mail Notifications</fielddescr> + <fieldname>enable_email</fieldname> + <type>checkbox</type> + <description>Sends an E-mail notification for each new station and ARP change as they are seen <strong>instead of</strong> local reports.<br/>NOTE: Only works on pfSense 2.1 or later. <br/>NOTE 2: Disables local reports which rely on arpwatch debug mode, which does not work with e-mail notifications.<br/>Configure SMTP and address settings in System > Advanced on the Notifications tab</description> + </field> </fields> <custom_php_global_functions> + <![CDATA[ function sync_package_arpwatch() { global $config; + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); conf_mount_rw(); config_lock(); $log_file = "/var/log/arp.dat"; if($_POST['interface'] != "") { - $int = $_POST['interface']; + $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; } + $mail = ""; + $debug = ""; + if(($pf_version > 2.0) && (isset($_POST['enable_email']) || ($config['installedpackages']['arpwatch']['config'][0]['enable_email'] == "on"))) { + if (!empty($config['notifications']['smtp']['notifyemailaddress'])) + $mail = " -m {$config['notifications']['smtp']['notifyemailaddress']}"; + } else { + $debug = "-d"; + } $int = convert_friendly_interface_to_real_interface_name($int); $start = "touch {$log_file}\n"; - $start .= "/usr/local/sbin/arpwatch -d -f {$log_file} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; + $start .= "/usr/local/sbin/arpwatch {$debug} -f {$log_file} {$mail} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; $stop = "/usr/bin/killall arpwatch"; write_rcfile(array( "file" => "arpwatch.sh", @@ -111,11 +131,17 @@ conf_mount_ro(); config_unlock(); } + ]]> </custom_php_global_functions> <custom_add_php_command> + <![CDATA[ sync_package_arpwatch(); + ]]> </custom_add_php_command> <custom_php_install_command> + <![CDATA[ unlink_if_exists("/usr/local/etc/rc.d/arpwatch.sh"); - </custom_php_install_command> -</packagegui>
\ No newline at end of file + @link("/usr/sbin/sm.php", "/usr/sbin/sendmail"); + ]]> + </custom_php_install_command> +</packagegui> diff --git a/config/asterisk/asterisk.inc b/config/asterisk/asterisk.inc index 642a73c2..07d3d923 100644 --- a/config/asterisk/asterisk.inc +++ b/config/asterisk/asterisk.inc @@ -58,26 +58,25 @@ function sync_package_asterisk() { #mount filesystem writeable conf_mount_rw(); - //for NanoBSD compatibility, move the /etc/asterisk configuration directory to /conf, and symlink it back - if (!file_exists("/conf/asterisk/") && file_exists(ASTERISK_LOCALBASE."/etc/asterisk/")){ - rename(ASTERISK_LOCALBASE. "/etc/asterisk", ASTERISK_CONF_DIR); - symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); - } - - //check or move -dist files on dist dir $dist_dir=ASTERISK_CONF_DIR ."/dist"; if (!is_dir($dist_dir)) mkdir($dist_dir,0755,TRUE); - $dist_files= scandir(ASTERISK_CONF_DIR); - foreach ($dist_files as $dist){ - if (preg_match("/-dist/",$dist)) - rename (ASTERISK_CONF_DIR."/$dist", ASTERISK_CONF_DIR."/dist/$dist"); - } + if(file_exists (ASTERISK_LOCALBASE."/etc/asterisk") && !is_link(ASTERISK_LOCALBASE."/etc/asterisk")){ + $dist_files= scandir(ASTERISK_LOCALBASE."/etc/asterisk"); + foreach ($dist_files as $dist){ + if (preg_match("/-dist/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", "$dist_dir/$dist"); + elseif (preg_match("/\w+/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", ASTERISK_CONF_DIR."/$dist"); + } + rmdir(ASTERISK_LOCALBASE. "/etc/asterisk"); + symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); + } //fix asterisk options for nanobsd: logging, db and calls log in /tmp -// if ($g['platform'] == "nanobsd"){ + // if ($g['platform'] == "nanobsd"){ $script='/conf/asterisk/logger.conf'; if (file_exists($script)){ $script_file=file_get_contents($script); @@ -91,17 +90,17 @@ function sync_package_asterisk() { if (file_exists($script)){ //point to the /var subdirs in the writable area in RAM $script_file=file_get_contents($script); - $pattern[0]='@[directories](!)@'; - $replace[0]='[directories]'; - $pattern[1]='@astetcdir => \S+@'; + $pattern[0]='/(\Wdirectories\W)\S+/'; + $replace[0]='$1'; + $pattern[1]='/astetcdir => \S+/'; $replace[1]='astetcdir => /conf/asterisk'; - $pattern[2]='@astdbdir => \S+@'; + $pattern[2]='/astdbdir => \S+/'; $replace[2]='astdbdir => /var/db/asterisk'; - $pattern[3]='@astspooldir => \S+@'; + $pattern[3]='/astspooldir => \S+/'; $replace[3]='astspooldir => /var/spool/asterisk'; - $pattern[4]='@astrundir => \S+@'; + $pattern[4]='/astrundir => \S+/'; $replace[4]='astrundir => /var/run/asterisk'; - $pattern[5]='@astlogdir => \S+@'; + $pattern[5]='/astlogdir => \S+/'; $replace[5]='astlogdir => /var/log/asterisk'; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); @@ -339,14 +338,14 @@ EOF; $script_file=file_get_contents($script); //strenghten a couple of security settings, and predefine codecs in the default SIP configuration if (strpos($script_file,'pfSense') === false) { //first check if already added... - $pattern[0]=';allowguest'; + $pattern[0]='/;allowguest\S+/'; $replace[0]='allowguest=no ;by pfSense ;'; - $pattern[1]=';alwaysauthreject'; + $pattern[1]='/;alwaysauthreject/'; $replace[1]='alwaysauthreject=yes ;by pfSense ;'; - $pattern[2]='; jbenable'; + $pattern[2]='/; jbenable/'; $replace[2]='jbenable=yes ;by pfSense ;'; - $pattern[3]='[general]'; - $replace[3]='[general]\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=ulaw\nallow=alaw\n\n'; + $pattern[3]='/(First disallow all codecs)/'; + $replace[3]="$1\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=gsm\nallow=ulaw\nallow=alaw\n\n"; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); } diff --git a/config/bind/bind.inc b/config/bind/bind.inc new file mode 100644 index 00000000..146632c9 --- /dev/null +++ b/config/bind/bind.inc @@ -0,0 +1,883 @@ +<?PHP +/* $Id$ */ +/* + bind.inc + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ +$shortcut_section = "bind"; +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('service-utils.inc'); +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('BIND_LOCALBASE', '/usr/pbi/bind-' . php_uname("m")); +else + define('BIND_LOCALBASE','/usr/local'); + +define('CHROOT_LOCALBASE','/cf/named'); + +function bind_zone_validate($post, $input_errors){ + if (key_exists("mail",$_POST)) + $_POST['mail']=preg_replace("/@/",".",$post['mail']); + + switch ($_POST['type']){ + case 'slave': + if( $_POST['slaveip'] == "") + $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.'; + break; + case 'forward': + if( $_POST['forwarders'] == "") + $input_errors[] = 'The field \'Forwarders\' is required for forward zones.'; + break; + case 'redirect': + $_POST['tll']=300; + $_POST['refresh']=0; + $_POST['serial']=0; + $_POST['retry']=0; + $_POST['expire']=0; + $_POST['minimum']=0; + if($_POST['mail']=='') + $input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones."; + + default: + if($_POST['nameserver']=='') + $input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones."; + for ($i=0;$i < count($_POST);$i++){ + if (key_exists("hostname$i",$_POST)){ + if ($_POST['reverso']=="on"){ + $_POST["hostvalue$i"]=""; + if (!preg_match("/(PTR|NS)/",$_POST["hosttype$i"])) + $input_errors[] = 'On reverse zones, valid record types are NS or PTR'; + } + if (preg_match("/(MX|NS)/",$_POST["hosttype$i"])) + $_POST["hostname$i"]=""; + if (!preg_match("/(MX|NS)/",$_POST["hosttype$i"]) && $_POST["hostname$i"]=="") + $input_errors[] = 'Record cannot be empty for '.$_POST["hosttype$i"].' type '; + if ($_POST["hosttype$i"]=="MX" && $_POST["hostvalue$i"]=="") + $_POST["hostvalue$i"]="10"; + if ($_POST["hosttype$i"]!="MX" && $_POST["hostvalue$i"]!="") + $_POST["hostvalue$i"]=""; + if ($_POST["hostdst$i"]=="") + $input_errors[] = 'Alias or IP address cannot be empty.'; + } + } + } +} + + function bind_sync(){ + + global $config; + conf_mount_rw(); + //create rndc + $rndc_confgen="/usr/local/sbin/rndc-confgen"; + if (!file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense") && file_exists($rndc_confgen)){ + exec("$rndc_confgen ",$rndc_conf); + foreach($rndc_conf as $line) + $confgen_file.="$line\n"; + file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsese",$confgen_file); + } + if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese")){ + $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsese"); + $confgen="rndc.conf"; + $rndc_bindconf=""; + foreach ($rndc_conf as $line){ + if ($confgen =="rndc.conf"){ + if (!preg_match ("/^#/",$line)) + $rndc_file.=$line; + } + else{ + if (!preg_match ("/named.conf/",$line)) + $rndc_bindconf.=preg_replace('/#/',"",$line); + } + if (preg_match("/named.conf/",$line)){ + $confgen="named.conf"; + file_put_contents(BIND_LOCALBASE."/etc/rndc.conf",$rndc_file); + } + } + } + + $bind = $config["installedpackages"]["bind"]["config"][0]; + $bind_enable = $bind['enable_bind']; + $bind_forwarder = $bind['bind_forwarder']; + $forwarder_ips = $bind['bind_forwarder_ips']; + $ram_limit = ($bind['bind_ram_limit']?$bind['bind_ram_limit']:"256M"); + $hide_version = $bind['bind_hide_version']; + $bind_notify = $bind['bind_notify']; + $custom_options = base64_decode($bind['bind_custom_options']); + $bind_logging = $bind['bind_logging']; + $bind_conf ="#Bind pfsense configuration\n"; + $bind_conf .="#Do not edit this file!!!\n\n"; + $bind_conf .= "$rndc_bindconf\n"; + $bind_conf .= <<<EOD + +options { + directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + statistics-file "/var/log/named.stats"; + max-cache-size {$ram_limit}; + +EOD; + // check response rate limit option + //https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html + //http://ss.vix.su/~vjs/rl-arm.html + if ($bind['rate_enabled']=="on"){ + $rate_limit=($bind['rate_limit']?$bind['rate_limit']:"15"); + $log_only=($bind['log_only']=="no"?"no":"yes"); + $bind_conf .= <<<EOD + rate-limit { + responses-per-second {$rate_limit}; + log-only {$log_only}; + }; + +EOD; + } + //check ips to listen on + if (preg_match("/All/",$bind['listenon'])){ + $bind_listenonv6="Any;"; + $bind_listenon="Any;"; + } + else{ + $bind_listenonv6=""; + $bind_listenon =""; + foreach (explode(',',$bind['listenon']) as $listenon){ + if (is_ipaddrv6($listenon)) + $bind_listenonv6 .= $listenon."; "; + elseif (is_ipaddr($listenon)) + $bind_listenon .= $listenon."; "; + else{ + $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon))); + if (is_ipaddr($listenon['ipaddr'])) + $bind_listenon .= $listenon['ipaddr']."; "; + if(is_ipaddrv6($listenon['ipaddr6'])) + $bind_listenonv6 .= $listenon['ipaddr6']."; "; + } + } + } + $bind_listenonv6=($bind_listenonv6==""?"none;":$bind_listenonv6); + $bind_listenon=($bind_listenon==""?"none;":$bind_listenon); + //print "<PRE>$bind_listenonv6 $bind_listenon"; + if (key_exists("ipv6allow",$config['system'])){ + $bind_conf .="\t\tlisten-on-v6 { $bind_listenonv6 };\n"; + } + $bind_conf .="\t\tlisten-on { $bind_listenon };\n"; + + #forwarder config + if ($bind_forwarder == on) + $bind_conf .="\t\tforwarders { $forwarder_ips };\n"; + if ($bind_notify == on) + $bind_conf .="\t\tnotify yes;\n"; + if ($hide_version == on) + $bind_conf .="\t\tversion \"N/A\";\n"; + + $bind_conf .="\t\t$custom_options\n"; + $bind_conf .= "\t};\n\n"; + + if ($bind_logging == on){ + //check if bind is included on syslog + $syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf"); + $restart_syslog=0; + foreach ($syslog_files as $syslog_file){ + $syslog_file_data=file_get_contents($syslog_file); + if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){ + $syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data); + file_put_contents($syslog_file,$syslog_file_data); + $restart_syslog++; + } + } + if ($restart_syslog > 0){ + system("/usr/bin/killall -HUP syslogd"); + } + $log_categories=explode(",",$bind['log_options']); + $log_severity=($bind['log_severity']?$bind['log_severity']:'default'); + if (sizeof($log_categories) > 0 && $log_categories[0]!=""){ + $bind_conf .= <<<EOD + + logging { + channel custom { + syslog daemon; + print-time no; + print-severity yes; + print-category yes; + severity {$log_severity}; + }; + +EOD; + foreach ($log_categories as $category) + $bind_conf .="\t\t\tcategory $category\t{custom;};\n"; + $bind_conf .="\t\t};\n\n"; + } + } + else { + $bind_conf .="\t\tlogging { category default { null; }; };\n\n"; + } + + #Config Zone domain + if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){ + $config["installedpackages"]["bindacls"]["config"][] =array("name"=>"any","description"=>"Default Access list","row" => array("value"=> "","description"=>"")); + write_config("Create Default bind acl 'Any'"); + } + $bindacls = $config["installedpackages"]["bindacls"]["config"]; + for ($i=0; $i<sizeof($bindacls); $i++) + { + $aclname = $bindacls[$i]['name']; + $aclhost = $bindacls[$i]['row']; + if($aclname != "any"){ + $bind_conf .= "acl \"$aclname\" {\n"; + for ($u=0; $u<sizeof($aclhost); $u++) + { + $aclhostvalue = $aclhost[$u]['value']; + $bind_conf .= "\t$aclhostvalue;\n"; + } + $bind_conf .= "};\n\n"; + } + } + + if(is_array($config["installedpackages"]["bindviews"])) + $bindview = $config["installedpackages"]["bindviews"]["config"]; + else + $bindview =array(); + + for ($i=0; $i<sizeof($bindview); $i++) + { + $views = $config["installedpackages"]["bindviews"]["config"][$i]; + $viewname = $views['name']; + $viewrecursion = $views['recursion']; + if($views['match-clients'] == '') + $viewmatchclients = "none"; + else + $viewmatchclients = str_replace(',','; ',$views['match-clients']); + if($views['allow-recursion'] == '') + $viewallowrecursion = "none"; + else + $viewallowrecursion = str_replace(',','; ',$views['allow-recursion']); + $viewcustomoptions = base64_decode($views['bind_custom_options']); + + $bind_conf .= "view \"$viewname\" { \n\n"; + $bind_conf .= "\trecursion $viewrecursion;\n"; + $bind_conf .= "\tmatch-clients { $viewmatchclients;};\n"; + $bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n"; + $bind_conf .= "\t$viewcustomoptions\n\n"; + + if(is_array($config["installedpackages"]["bindzone"])) + $bindzone = $config["installedpackages"]["bindzone"]["config"]; + else + $bindzone =array(); + + $write_config=0; + for ($x=0; $x<sizeof($bindzone); $x++) + { + $zone = $bindzone[$x]; + if ($zone['disabled']=="on"){ + continue; + } + $zonename = $zone['name']; + if ($zonename=="."){ + $custom_root_zone[$i]=true; + } + $zonetype = $zone['type']; + $zoneview = $zone['view']; + $zonecustom = base64_decode($zone['custom']); + $zoneipslave = $zone['slaveip']; + $zoneforwarders=$zone['forwarders']; + $zonereverso = $zone['reverso']; + + if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) + mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview",0755,true); + + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + + if ($zoneview == $viewname){ + if($zonereverso == "on") + $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n"; + else + $bind_conf .= "\tzone \"$zonename\" {\n"; + + $bind_conf .= "\t\ttype $zonetype;\n"; + if ($zonetype != "forward") + $bind_conf .= "\t\tfile \"/etc/namedb/$zonetype/$zoneview/$zonename.DB\";\n"; + switch ($zonetype){ + case "slave": + $bind_conf .= "\t\tmasters { $zoneipslave; };\n"; + $bind_conf .= "\t\tallow-transfer {none;};\n"; + $bind_conf .= "\t\tnotify no;\n"; + break; + case "forward": + $bind_conf .= "\t\tforward only;\n"; + $bind_conf .= "\t\tforwarders { $zoneforwarders; };\n"; + break; + case "redirect": + $bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n"; + $bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n"; + $bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n"; + break; + default: + $bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n"; + $bind_conf .= "\t\tallow-query { $zoneallowquery;};\n"; + $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n"; + if ($zone['dnssec']=="on"){ + //https://kb.isc.org/article/AA-00626/ + $bind_conf .="\n\t\t# look for dnssec keys here:\n"; + $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n"; + $bind_conf .="\t\t# publish and activate dnssec keys:\n"; + $bind_conf .="\t\tauto-dnssec maintain;\n\n"; + $bind_conf .="\t\t# use inline signing:\n"; + $bind_conf .="\t\tinline-signing yes;\n\n"; + } + } + if ($zonecustom != '') + $bind_conf .= "\t\t$zonecustom\n"; + + $bind_conf .= "\t};\n\n"; + + switch($zonetype){ + case "redirect": + case "master": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + $zonetll = ($zone['tll']?$zone['tll']:"43200"); + $zonemail = ($zone['mail']?$zone['mail']:"zonemaster.{$zonename}"); + $zonemail = preg_replace("/@/",".",$zonemail); + $zoneserial = $zone['serial']; + $zonerefresh = ($zone['refresh']?$zone['refresh']:"3600"); + $zoneretry = ($zone['retry']?$zone['retry']:"600"); + $zoneexpire = ($zone['expire']?$zone['expire']:"86400"); + $zoneminimum = ($zone['minimum']?$zone['minimum']:"3600"); + $zonenameserver = $zone['nameserver']; + $zoneipns = $zone['ipns']; + $zonereverso = $zone['reverso']; + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + $zone_conf = "\$TTL {$zonetll}\n;\n"; + if($zonereverso == "on") + $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n"; + else + $zone_conf .= "\$ORIGIN {$zonename}.\n\n"; + $zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n"; + $zone_conf .= ";\tDo not edit this file!!!\n"; + $zone_conf .= ";\tZone version {$zoneserial}\n;\n"; + if($zonereverso == "on" || $zonetype =="redirect") + $zone_conf .= "@\t IN SOA $zonenameserver. \t $zonemail. (\n"; + else + $zone_conf .= "$zonename.\t IN SOA $zonenameserver. \t $zonemail. (\n"; + + $zone_conf .= "\t\t$zoneserial ; serial\n"; + $zone_conf .= "\t\t$zonerefresh ; refresh\n"; + $zone_conf .= "\t\t$zoneretry ; retry\n"; + $zone_conf .= "\t\t$zoneexpire ; expire\n"; + $zone_conf .= "\t\t$zoneminimum ; default_ttl\n\t\t)\n\n"; + $zone_conf .= ";\n; Zone Records\n;\n"; + + if($zonereverso == "on") + $zone_conf .= "\t IN NS \t$zonenameserver.\n"; + else{ + $zone_conf .= "@ \t IN NS \t$zonenameserver.\n"; + if ($zoneipns !="") + $zone_conf .= "@ \t IN A \t$zoneipns\n"; + } + for ($y=0; $y<sizeof($zone['row']); $y++) + { + $hostname = (preg_match("/(MX|NS)/",$zone['row'][$y]['hosttype'])?"@":$zone['row'][$y]['hostname']); + $hosttype = $zone['row'][$y]['hosttype']; + $hostdst = $zone['row'][$y]['hostdst']; + if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF)/",$hosttype)) + $hostdst .= "."; + $hostvalue = $zone['row'][$y]['hostvalue']; + + $zone_conf .= "$hostname \t IN $hosttype $hostvalue \t$hostdst\n"; + } + if (($zone[regdhcpstatic] == 'on') && is_array($config['dhcpd'])) { + foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) + if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) + foreach ($dhcpifconf['staticmap'] as $host) + if ($host['ipaddr'] && $host['hostname']) { + $zone_conf .= "{$host['hostname']}\tIN A\t{$host['ipaddr']}\n"; + } + } + if ($zone['customzonerecords']!=""){ + $zone_conf .= "\n\n;\n;custom zone records\n;\n".base64_decode($zone['customzonerecords'])."\n"; + } + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB", $zone_conf); + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($zone_conf); + $write_config++; + //check dnssec keys creation for master zones + if($zone['dnssec']=="on"){ + $zone_found=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename){ + $zone_found++; + } + if ($zone_found==0){ + $key_restored=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer) + if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){ + file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX); + chmod($filer['fullfile'],0700); + chown($filer['fullfile'],"bind"); + $key_restored++; + } + } + if ($key_restored > 0){ + log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone."); + } + $dnssec_bin="/usr/local/sbin/dnssec-keygen"; + if (file_exists($dnssec_bin) && $key_restored==0){ + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout); + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout); + foreach($kout as $filename){ + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind"); + } + log_error("[bind] DNSSEC keys for {$zonename} created."); + } + } + //get ds keys + $dsfromkey="/usr/local/sbin/dnssec-dsfromkey"; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename) { + $zone_key=file_get_contents($filename); + if (preg_match("/IN DNSKEY 257 /",$zone_key) && file_exists($dsfromkey)){ + exec("$dsfromkey $filename",$dsset); + $config["installedpackages"]["bindzone"]["config"][$x]['dsset']=base64_encode(array_pop($dsset)."\n".array_pop($dsset)); + $write_config++; + } + } + //save dnssec keys to xml + + if($zone['backupkeys']=="on"){ + $dnssec_keys=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){ + $file_found=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){ + if ($filer['fullfile']==$filename) + $file_found++; + } + } + if ($file_found==0){ + $config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename, + 'description'=> "bind {$zonename} DNSSEC backup file", + 'filedata'=> base64_encode(file_get_contents($filename))); + $write_config++; + $dnssec_keys++; + } + } + if($dnssec_keys>0){ + log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config."); + } + } + } + break; + case "slave": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + //check if exists slave zone file + $rsconfig=""; + if ($zone['dnssec']=="on"){ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed")) + exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file); + } + else{ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")) + $slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"); + } + if (is_array($slave_file)){ + foreach ($slave_file as $zfile) + $rsconfig.= $zfile; + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig); + $write_config++; + } + break; + } + } + } + if (!$custom_root_zone[$i]){ + $bind_conf .="\tzone \".\" {\n"; + $bind_conf .="\t\ttype hint;\n"; + $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n"; + $bind_conf .= "\t};\n\n"; + } + if($write_config > 0){ + write_config("save result config file for zone on xml"); + } + $bind_conf .= "};\n"; + } + $dirs=array("/etc/namedb/keys","/var/run/named","/var/dump","/var/log","/var/stats","/dev"); + foreach ($dirs as $dir){ + if (!is_dir(CHROOT_LOCALBASE .$dir)) + mkdir(CHROOT_LOCALBASE .$dir,0755,true); + } + //dev dirs for chroot + $bind_dev_dir=CHROOT_LOCALBASE."/dev"; + if (!file_exists("$bind_dev_dir/random")){ + $dev_dirs=array("null","zero","random","urandom"); + exec("/sbin/mount -t devfs devfs {$bind_dev_dir}",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} ruleset 1",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule add hide",$dout); + foreach ($dev_dirs as $dev_dir) + exec("/sbin/devfs -m {$bind_dev_dir} rule add path $dev_dir unhide",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule applyset",$dout); + } + //http://www.unixwiz.net/techtips/bind9-chroot.html + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/named.conf', $bind_conf); + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/rndc.conf', $rndc_file); + + if (!file_exists(CHROOT_LOCALBASE."/etc/namedb/named.root")){ + //dig +tcp @a.root-servers.net > CHROOT_LOCALBASE."/etc/namedb/named.root" + $named_root=file_get_contents("http://www.internic.net/domain/named.root"); + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/named.root",$named_root,LOCK_EX); + } + if (!file_exists(CHROOT_LOCALBASE."/etc/localtime")){ + copy("/etc/localtime", CHROOT_LOCALBASE."/etc/localtime"); + } + + bind_write_rcfile(); + chown(CHROOT_LOCALBASE."/etc/namedb/keys","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb","bind"); + chown(CHROOT_LOCALBASE."/var/log","bind"); + chown(CHROOT_LOCALBASE."/var/run/named","bind"); + chgrp(CHROOT_LOCALBASE."/var/log","bind"); + $bind_sh="/usr/local/etc/rc.d/named.sh"; + if($bind_enable == "on"){ + chmod ($bind_sh,0755); + mwexec("{$bind_sh} restart"); + } + elseif (is_service_running('named')){ + mwexec("{$bind_sh} stop"); + chmod ($bind_sh,0644); + } + //sync to backup servers + bind_sync_on_changes(); + conf_mount_ro(); +} + +function bind_print_javascript_type_zone(){ +?> + <script language="JavaScript"> + <!-- + function on_type_zone_changed() { + + var field = document.iform.type; + var tipo = field.options[field.selectedIndex].value; + switch (tipo){ + case 'master': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 0; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 0; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + case 'slave': + document.iform.slaveip.disabled = 0; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'forward': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 0; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'redirect': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + } + } + --> + </script> +<?php +} + +function bind_print_javascript_type_zone2(){ + print("<script language=\"JavaScript\">on_type_zone_changed();document.iform.resultconfig.disabled = 1;document.iform.dsset.disabled = 1;</script>\n"); +} + +function bind_write_rcfile() { + $rc = array(); + $BIND_LOCALBASE = "/usr/local"; + $rc['file'] = 'named.sh'; + $rc['start'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ +fi + +EOD; + $rc['stop'] = <<<EOD +killall -9 named 2>/dev/null +sleep 2 +EOD; + $rc['restart'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + else + killall -9 named 2>/dev/null + sleep 3 + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + fi + +EOD; + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function bind_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['bindsync']['config'])){ + $bind_sync=$config['installedpackages']['bindsync']['config'][0]; + $synconchanges = $bind_sync['synconchanges']; + $synctimeout = $bind_sync['synctimeout']; + $master_zone_ip=$bind_sync['masterip']; + switch ($synconchanges){ + case "manual": + if (is_array($bind_sync[row])){ + $rs=$bind_sync[row]; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no hosts to push on bind config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no system backup hosts to push bind config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[bind] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + bind_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout,$master_zone_ip); + } + log_error("[bind] xmlrpc sync is ending."); + } + } +} +/* Do the actual XMLRPC sync */ +function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$master_zone_ip) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['bind'] = $config['installedpackages']['bind']; + $xml['bindacls'] = $config['installedpackages']['bindacls']; + $xml['bindviews'] = $config['installedpackages']['bindviews']; + $xml['bindzone'] = $config['installedpackages']['bindzone']; + if (is_array($config['installedpackages']['dnsseckeys'])) + $xml['dnsseckeys']=$config['installedpackages']['dnsseckeys']; + //change master zone to slave on backup servers + if(is_array($xml['bindzone']["config"])) + for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){ + if ($xml['bindzone']["config"][$x]['type']=="master"){ + $xml['bindzone']["config"][$x]['type']="slave"; + $xml['bindzone']["config"][$x]['slaveip']=$master_zone_ip; + } + + } + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("[bind] Beginning bind XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("[bind] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell bind to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/bind.inc');\n"; + $execcmd .= "bind_sync('yes');"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[bind] XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "Bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "[Bind] An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("Bind XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} +?> diff --git a/config/bind/bind.widget.php b/config/bind/bind.widget.php new file mode 100644 index 00000000..490ded9b --- /dev/null +++ b/config/bind/bind.widget.php @@ -0,0 +1,86 @@ +<?php +/* + Copyright 2013 Marcello Coutinho + Part of bind package for pfSense(www.pfsense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +@require_once("guiconfig.inc"); +@require_once("pfsense-utils.inc"); +@require_once("functions.inc"); + +$uname=posix_uname(); +if ($uname['machine']=='amd64') + ini_set('memory_limit', '250M'); + +function open_table(){ + echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">"; + echo" <tr>"; +} +function close_table(){ + echo" </tr>"; + echo"</table>"; + +} + +$pfb_table=array(); +$img['Sick']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif'>"; +$img['Healthy']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif'>"; + + +#var_dump($pfb_table); +#exit; +?><div id='bind'><?php +global $config; +$rndc_bin="/usr/local/sbin/rndc"; + +if (file_exists($rndc_bin)) + exec("$rndc_bin status",$status); + +open_table(); +foreach($status as $line){ + $fields=explode(":",$line); + print "<tr><td class=\"vncellt\"width=50%><strong>".ucfirst($fields[0])."</strong></td>\n"; + print "<td class=\"listlr\">{$fields[1]}</td>\n</tr>"; + } +close_table(); +echo"</div>"; + +?> +<script type="text/javascript"> + function getstatus_bind() { + var url = "/widgets/widgets/bind.widget.php"; + var pars = 'getupdatestatus=yes'; + var myAjax = new Ajax.Request( + url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback_bind + }); + } + function activitycallback_bind(transport) { + $('bind').innerHTML = transport.responseText; + setTimeout('getstatus_postfix()', 5000); + } + getstatus_bind(); +</script> diff --git a/config/bind/bind.xml b/config/bind/bind.xml new file mode 100644 index 00000000..76fdf523 --- /dev/null +++ b/config/bind/bind.xml @@ -0,0 +1,316 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bind</name> + <version>1.0</version> + <title>Bind: Domain Named Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext>Modify Bind settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=bind.xml</url> + </menu> + <service> + <name>named</name> + <rcfile>named.sh</rcfile> + <executable>named</executable> + <description>Domain Name Service</description> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + <active/> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_views.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_zones.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_acls.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/pkg_bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/widgets/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.widget.php</item> + </additional_files_needed> + <fields> + <field> + <type>listtopic</type> + <name>Daemon Settings</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable Bind</fielddescr> + <fieldname>enable_bind</fieldname> + <description><![CDATA[Enable DNS Bind on Server<br> + Disable Dns forwarder service on selected interfaces before enabling bind.]]></description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>Listen-on</fielddescr> + <fieldname>listenon</fieldname> + <description><![CDATA[Enable Named to listen on.]]></description> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <multiple/> + </field> + <field> + <fielddescr>Enable Notify</fielddescr> + <fieldname>bind_notify</fieldname> + <description>Notify slave server after any update on master.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Hide Version</fielddescr> + <fieldname>bind_hide_version</fieldname> + <description>Hide the version of BIND, this prevents discover the version of our servers, use any exploit that exploits a vulnerability in Bind.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Limit Memory use</fielddescr> + <fieldname>bind_ram_limit</fieldname> + <description>Limits RAM use for DNS server, recommend 256M</description> + <type>input</type> + <size>10</size> + <default_value>256M</default_value> + </field> + <field> + <type>listtopic</type> + <name>Logging options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable logging</fielddescr> + <fieldname>bind_logging</fieldname> + <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Loggin serverity</fielddescr> + <fieldname>log_severity</fieldname> + <description><![CDATA[Select logging levels for selected categories.<BR> + use CTRL+click to select/unselect.<br> + The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description> + <type>select</type> + <options> + <option><name>Critital</name><value>critical</value></option> + <option><name>Error</name><value>error</value></option> + <option><name>Warning</name><value>warning</value></option> + <option><name>Notice</name><value>Notice</value></option> + <option><name>info</name><value>info</value></option> + <option><name>Debug level 1</name><value>debug 1</value></option> + <option><name>Debug level 3</name><value>debug 3</value></option> + <option><name>Debug level 5</name><value>debug 5</value></option> + <option><name>Dynamic</name><value>dynamic</value></option> + </options> + </field> + <field> + <fielddescr>Loggin options</fielddescr> + <fieldname>log_options</fieldname> + <description><![CDATA[Select categories to log.<BR> + use CTRL+click to select/unselect.]]></description> + <type>select</type> + <options> + <option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option> + <option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option> + <option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace</name><value>database</value></option> + <option><name>Security-Approval and denial of requests</name><value>security</value></option> + <option><name>Config-Configuration file parsing and processing</name><value>config</value></option> + <option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option> + <option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option> + <option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option> + <option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option> + <option><name>Client-Processing of client requests</name><value>client</value></option> + <option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option> + <option><name>Queries-Logs all query transactions</name><value>queries</value></option> + <option><name>Network-Logs all network operations</name><value>network</value></option> + <option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option> + <option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option> + <option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option> + <option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option> + </options> + <multiple/> + <size>18</size> + </field> + <field> + <type>listtopic</type> + <name>Response Rate Limit</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Rate limit</fielddescr> + <fieldname>rate_enabled</fieldname> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html?utm_source=isc&utm_medium=website&utm_term=rrl-kb&utm_content=kbarticle&utm_campaign=bind994_release_091913'> + Limit/rate response queries</a> to prevent DOS attack.]]></description> + <type>checkbox</type> + <enablefields>rate_limit,log_only</enablefields> + </field> + <field> + <fielddescr>Limit Action</fielddescr> + <fieldname>log_only</fieldname> + <description>Select what to do when a query reaches a limit.</description> + <type>select</type> + <options> + <option><name>Deny query</name><value>no</value></option> + <option><name>Log only</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>limit</fielddescr> + <fieldname>rate_limit</fieldname> + <description>Set rate limit. Default to 15.</description> + <type>input</type> + <size>10</size> + </field> + + <field> + <type>listtopic</type> + <name>Forwarder Config</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Forwarder</fielddescr> + <fieldname>bind_forwarder</fieldname> + <description>Forwardes enable DNS Bind on Server.</description> + <type>checkbox</type> + <enablefields>bind_forwarder_ips</enablefields> + </field> + <field> + <fielddescr>Forwarder IPs</fielddescr> + <fieldname>bind_forwarder_ips</fieldname> + <description>Enter IPs to forward. Separate by semi-colons (;). [Applies only to Forwarder mode]</description> + <type>input</type> + <size>80</size> + </field> + <field> + <type>listtopic</type> + <name>custom Options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description><![CDATA[You can put your own custom options here, one per line.<br> + They'll be added to the configuration. They need to be named.conf native options.]]> + </description> + <type>textarea</type> + <cols>65</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_after_head_command> + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> + <custom_php_install_command> + bind_write_rcfile(); + </custom_php_install_command> + <custom_php_deinstall_command> + </custom_php_deinstall_command> + <filter_rules_needed></filter_rules_needed> +</packagegui> diff --git a/config/bind/bind_acls.xml b/config/bind/bind_acls.xml new file mode 100644 index 00000000..b8d10158 --- /dev/null +++ b/config/bind/bind_acls.xml @@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_acls.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindacls</name> + <version>0.1.0</version> + <title>Bind: ACLs Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + <active/> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindacls']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>ACL</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <!-- fields gets invoked when the user adds or edits a item. the following items + will be parsed and rendered for the user as a gui with input, and selectboxes. --> + <fields> + <field> + <fielddescr>ACL Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter name ACL.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this ACL.</description> + <type>input</type> + </field> + <field> + <fielddescr>Enter IP or range bloc network.</fielddescr> + <description>Leave blank to allow All</description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Value</fielddescr> + <fieldname>value</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_sync.xml b/config/bind/bind_sync.xml new file mode 100644 index 00000000..d2f9c95b --- /dev/null +++ b/config/bind/bind_sync.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_sync.xml + part of the Bind package for pfSense + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindsync</name> + <version>1.0</version> + <title>Bind: XMLRPC Sync</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync bind configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> + </field> + <field> + <fielddescr>Zone Master IP</fielddescr> + <fieldname>masterip</fieldname> + <description><![CDATA[Set master zone ip you want to use to sync backup server zones with master.<br> + <b>All master zones will be configured as backup on slave servers.<b>]]></description> + <type>input</type> + <size>20</size> + <required/> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <description><![CDATA[<b>Do not forget to:</b><br> + Create firewall rules to allow zone transfer between master and slave servers.<br> + Create a acls with these slave servers.<br> + Include created acl on allow-transfer option on zone config.]]></description> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_views.xml b/config/bind/bind_views.xml new file mode 100644 index 00000000..a6c42552 --- /dev/null +++ b/config/bind/bind_views.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindviews</name> + <version>0.1.0</version> + <title>Bind: Views Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + <active/> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindviews']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>View</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>View Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter the name of the View.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter a description of the View.</description> + <type>input</type> + </field> + <field> + <fielddescr>Recursion</fielddescr> + <fieldname>recursion</fieldname> + <description>A recursive query occurs when your DNS server is queried for a domain that it currently knows nothing about, in which case it will try to resolve the given host by performing further queries (eg by starting at the root servers and working out, or by simply passing the request to yet another DNS server).</description> + <type>select</type> + <options> + <option><name>No</name><value>no</value></option> + <option><name>Yes</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>Match-clients</fielddescr> + <fieldname>match-clients</fieldname> + <description>If either or both of match-clients are missing they default to any (all hosts match). The match-clients statement defines the address_match_list for the source IP address of the incoming messages.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-recursion</fielddescr> + <fieldname>allow-recursion</fieldname> + <description>For example, if you have one DNS server serving your local network, you may want all of your local computers to use your DNS server.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Custom Views </name> + <fieldname>temp</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description>You can put your own custom options here, separated by semi-colons (;).</description> + <type>textarea</type> + <cols>65</cols> + <rows>8</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml new file mode 100644 index 00000000..be4da9cf --- /dev/null +++ b/config/bind/bind_zones.xml @@ -0,0 +1,445 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindzone</name> + <version>none</version> + <title>Bind: Zones Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindzone']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>status</fielddescr> + <fieldname>disabled</fieldname> + <listmodeon>Disabled</listmodeon> + <listmodeoff>Enabled</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + </columnitem> + <columnitem> + <fielddescr>View Name</fielddescr> + <fieldname>view</fieldname> + </columnitem> + <columnitem> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <type>listtopic</type> + <name>Domain Zone Configuration</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Disable this zone</fielddescr> + <fieldname>disabled</fieldname> + <description><![CDATA[Do not Include this zone on bind config files.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Enter the name for zone (ex:mydomain.com)<br> + For reverse zones, include zone ip in reverse order or following your provider instructions.(Ex: 1.168.192)<br> + IN-ADDR.ARPA will be automaticaly included on conf files when reveser zone option is checked.]]></description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this zone.</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + <description><![CDATA[Select zone type.]]></description> + <type>select</type> + <options> + <option><name>Master</name><value>master</value><enablefields>description</enablefields></option> + <option><name>Slave</name><value>slave</value><enablefields>ttl</enablefields></option> + <option><name>Forward</name><value>forward</value><enablefields>forward</enablefields></option> + <option><name>Redirect</name><value>redirect</value><enablefields>redirect</enablefields></option> + </options> + <onchange>on_type_zone_changed()</onchange> + <required/> + </field> + <field> + <fielddescr>View</fielddescr> + <fieldname>view</fieldname> + <description><![CDATA[Select the View that this area will belong.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindviews']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + </field> + <field> + <fielddescr>Reverse Zone</fielddescr> + <fieldname>reverso</fieldname> + <description>Enable if this is a reverse zone.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>custom Option</fielddescr> + <fieldname>custom</fieldname> + <description>You can put your own custom options here.</description> + <type>textarea</type> + <cols>75</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>DNSSEC</name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Inline Signing</fielddescr> + <fieldname>dnssec</fieldname> + <enablefields>backupkeys</enablefields> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>backup keys</fielddescr> + <fieldname>backupkeys</fieldname> + <description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>DS set</fielddescr> + <fieldname>dsset</fieldname> + <description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br> + Upload this ds set to your domain root server.]]></description> + <type>textarea</type> + <cols>75</cols> + <rows>3</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>Slave Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Master Zone IP</fielddescr> + <fieldname>slaveip</fieldname> + <description>If zone is slave, enter the IP address of the master DNS zone.</description> + <type>input</type> + </field> + <field> + <type>listtopic</type> + <name>Forward Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Forwarders</fielddescr> + <fieldname>forwarders</fieldname> + <description>Enter forwarders IPs for this domain. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + + <field> + <type>listtopic</type> + <name>Master Zone Configuration </name> + <fieldname>temp03</fieldname> + </field> + <field> + <fielddescr>TLL</fielddescr> + <fieldname>tll</fieldname> + <description>Default expiration time of all resource records without their own TTL value</description> + <type>input</type> + </field> + <field> + <fielddescr>Name Server</fielddescr> + <fieldname>nameserver</fieldname> + <description>Enter nameserver for this zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Base Domain ip</fielddescr> + <fieldname>ipns</fieldname> + <description>Enter ip address for base domain lookup. Ex: nslookup mydomain.com</description> + <type>input</type> + </field> + <field> + <fielddescr>Mail Admin Zone</fielddescr> + <fieldname>mail</fieldname> + <description>Enter mail admin zone.</description> + <type>input</type> + </field> + <field> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + <description>Parsed value for the slave to update the DNS Zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Refresh</fielddescr> + <fieldname>refresh</fieldname> + <description>Slave refresh (1 day)</description> + <type>input</type> + <default_value>1d</default_value> + </field> + <field> + <fielddescr>Retry</fielddescr> + <fieldname>retry</fieldname> + <description>Slave retry time in case of a problem (2 hours)</description> + <type>input</type> + <default_value>2h</default_value> + </field> + <field> + <fielddescr>Expire</fielddescr> + <fieldname>expire</fieldname> + <description>Slave expiration time (4 weeks)</description> + <type>input</type> + <default_value>4w</default_value> + </field> + <field> + <fielddescr>Minimum</fielddescr> + <fieldname>minimum</fieldname> + <description>Maximum caching time in case of failed lookups (1 hour)</description> + <type>input</type> + <default_value>1h</default_value> + </field> + <field> + <fielddescr>Allow-update</fielddescr> + <fieldname>allowupdate</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to send updates to this zone.<br> + Allow-update defines a match list eg IP address(es) that are allowed to submit dynamic updates for 'master' zones ie it enables Dynamic DNS (DDNS).]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-query</fielddescr> + <fieldname>allowquery</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to query this zone.<br> + Allow-query defines an match list of IP address(es) which are allowed to issue queries to the server.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-transfer</fielddescr> + <fieldname>allowtransfer</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to copy this zone.<br> + Allow-transfer defines a match list eg IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why its there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about possible DoS attack initiated by XFER requests, then use the following policy.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr>Enter Domain records.</fielddescr> + <description><![CDATA[<b>"Record"</b> is the name or last octec of ip. Sample: www or pop<br> + <b>"Type"</b> is the type of the record Sample: A CNAME MX NS<br> + <b>"Priority"</b> in used only in mx records to define its priority<br> + <b>"Alias or IP address"</b> is the destination host or ip address.<br><br> + You can order elements on this list with drag and drop between columns.]]></description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Record</fielddescr> + <fieldname>hostname</fieldname> + <description>Enter the Host Name (ex: www)</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Type</fielddescr> + <fieldname>hosttype</fieldname> + <description>Select Type Host</description> + <type>select</type> + <options> + <option><name>A</name><value>A</value></option> + <option><name>AAAA</name><value>AAAA</value></option> + <option><name>DNAME</name><value>DNAME</value></option> + <option><name>MX</name><value>MX</value></option> + <option><name>CNAME</name><value>CNAME</value></option> + <option><name>NS</name><value>NS</value></option> + <option><name>LOC</name><value>LOC</value></option> + <option><name>SRV</name><value>SRV</value></option> + <option><name>PTR</name><value>PTR</value></option> + <option><name>TXT</name><value>TXT</value></option> + <option><name>SPF</name><value>SPF</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Priority</fielddescr> + <fieldname>hostvalue</fieldname> + <description>MX 10 or 20</description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Alias or IP address</fielddescr> + <fieldname>hostdst</fieldname> + <description>Enter the IP address or CNAME destination for Domain (ex: 10.31.11.1 or mail.example.com)</description> + <type>input</type> + <size>35</size> + </rowhelperfield> + <movable>on</movable> + </rowhelper> + </field> + <field> + <fieldname>regdhcpstatic</fieldname> + <fielddescr>Register DHCP static mappings</fielddescr> + <description>If this option is set, then DHCP static mappings will be registered in DNS, so that their name can be resolved.</description> + <type>checkbox</type> + </field> + <field> + <type>listtopic</type> + <name>Custom Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>customzonerecords</fieldname> + <description><![CDATA[Paste any custom zone records to include on this zone.<br> + This can be used for a fast migration setup.]]></description> + <type>textarea</type> + <cols>84</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + <field> + <type>listtopic</type> + <name>Resulting Zone config file</name> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>resultconfig</fieldname> + <description>Resulting bind config file for this zone.</description> + <type>textarea</type> + <cols>84</cols> + <rows>15</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <custom_php_after_form_command> + bind_print_javascript_type_zone2(); + </custom_php_after_form_command> + <custom_php_after_head_command> + bind_print_javascript_type_zone(); + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + if ($_POST['type']=="master") + $_POST['serial']=(date("U")+ 1000000000); + bind_zone_validate($_POST, &$input_errors); + </custom_php_validation_command> + <custom_delete_php_command> + bind_sync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc new file mode 100644 index 00000000..3ed3351d --- /dev/null +++ b/config/bind/pkg_bind.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['bind'] = array(); +$shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml"; +$shortcuts['bind']['log'] = "diag_logs_resolver.php"; +$shortcuts['bind']['status'] = "status_services.php"; +$shortcuts['bind']['service'] = "named"; + +?> diff --git a/config/cron/cron.inc b/config/cron/cron.inc index 88388b3c..2fe9cf57 100644 --- a/config/cron/cron.inc +++ b/config/cron/cron.inc @@ -81,8 +81,8 @@ function cron_install_command() write_rcfile(array( "file" => "cron.sh", - "start" => "/usr/sbin/cron -s &", - "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid;" + "start" => "[ `/bin/pgrep -f 'cron -s' | wc -l` -eq 0 ] && /usr/sbin/cron -s &", + "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid; /bin/pkill -f 'cron -s'" ) ); diff --git a/config/dansguardian/dansguardian.conf.template b/config/dansguardian/dansguardian.conf.template index ed514eca..a6bcee1c 100755 --- a/config/dansguardian/dansguardian.conf.template +++ b/config/dansguardian/dansguardian.conf.template @@ -90,7 +90,7 @@ anonymizelogs = {$anonymizelogs} # # Use syslog for access logging instead of logging to the file # at the defined or built-in "loglocation" -#logsyslog = off +logsyslog = {$logsyslog} # Log file location # diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index 12c2af93..ad6e6482 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -185,6 +185,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) { $icapscan=(preg_match('/icapscan/',$dansguardian_config['content_scanners'])?"on":"off"); $contentscannertimeout=($dansguardian_config['contentscannertimeout']?$dansguardian_config['contentscannertimeout']:"60"); $contentscanexceptions=($dansguardian_config['contentscanexceptions']?"on":"off"); + $icapurl=($dansguardian_config['icapurl']?$dansguardian_config['icapurl']:"icap://icapserver:1344/avscan"); $recheckreplacedurls=(preg_match('/recheckreplacedurls/',$dansguardian_config['misc_options'])?"on":"off"); $forwardedfor=(preg_match('/forwardedfor/',$dansguardian_config['misc_options'])?"on":"off"); $recheckreplacedurls=(preg_match('/icapscan/',$dansguardian_config['misc_options'])?"on":"off"); @@ -231,6 +232,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) { $nologger=(preg_match('/nologger/',$dansguardian_log['logging_options'])?"on":"off"); $logadblocks=(preg_match('/logadblocks/',$dansguardian_log['logging_options'])?"on":"off"); $anonymizelogs=(preg_match('/anonymizelogs/',$dansguardian_log['logging_options'])?"on":"off"); + $logsyslog=(preg_match('/logsyslog/',$dansguardian_log['logging_options'])?"on":"off"); $loglevel=($dansguardian_log['loglevel']?$dansguardian_log['loglevel']:"2"); $logexceptionhits=($dansguardian_log['logexceptionhits']?$dansguardian_log['logexceptionhits']:"2"); @@ -974,6 +976,7 @@ EOF; $filterip=($filterip==""?"filterip = ":$filterip); $filterports=($filterports==""?"filterports = $filterport":$filterports); include("/usr/local/pkg/dansguardian.conf.template"); + include("/usr/local/pkg/icapscan.conf.template"); #check cron_tab $new_cron=array(); @@ -1111,6 +1114,7 @@ EOF; #create config files file_put_contents($dansguardian_dir."/dansguardian.conf", $dg, LOCK_EX); + file_put_contents($dansguardian_dir."/contentscanners/icapscan.conf", $icapconf, LOCK_EX); #check virus_scanner options $libexec_dir= DANSGUARDIAN_DIR."/libexec/dansguardian/"; diff --git a/config/dansguardian/dansguardian.xml b/config/dansguardian/dansguardian.xml index 34d4156c..e0cb58fd 100644 --- a/config/dansguardian/dansguardian.xml +++ b/config/dansguardian/dansguardian.xml @@ -184,6 +184,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>http://www.pfsense.org/packages/config/dansguardian/icapscan.conf.template</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_rc.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> diff --git a/config/dansguardian/dansguardian_config.xml b/config/dansguardian/dansguardian_config.xml index 35b0bf5b..342b52d7 100644 --- a/config/dansguardian/dansguardian_config.xml +++ b/config/dansguardian/dansguardian_config.xml @@ -274,7 +274,7 @@ </field> <field> <fielddescr>ICAP URL</fielddescr> - <fieldname>contentscannertimeout</fieldname> + <fieldname>icapurl</fieldname> <type>input</type> <size>40</size> <description><![CDATA[Enter ICAP URL in <strong>icap://icapserver:1344/avscan</strong> format<br> diff --git a/config/dansguardian/dansguardian_ips_header.template b/config/dansguardian/dansguardian_ips_header.template index 48eb3e68..be4f28de 100644 --- a/config/dansguardian/dansguardian_ips_header.template +++ b/config/dansguardian/dansguardian_ips_header.template @@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -111,4 +111,4 @@ <rows>12</rows> <encoding>base64</encoding> </field> -
\ No newline at end of file + diff --git a/config/dansguardian/dansguardian_log.xml b/config/dansguardian/dansguardian_log.xml index 88281dff..97cd5b0b 100644 --- a/config/dansguardian/dansguardian_log.xml +++ b/config/dansguardian/dansguardian_log.xml @@ -197,6 +197,7 @@ <option><name>nologger (off)</name><value>nologger</value></option> <option><name>logadblocks (off)</name><value>logadblocks</value></option> <option><name>Anonymize logs (off)</name><value>anonymizelogs</value></option> + <option><name>Log to syslog (off)</name><value>logsyslog</value></option> </options> <multiple/> <size>6</size> diff --git a/config/dansguardian/icapscan.conf.template b/config/dansguardian/icapscan.conf.template new file mode 100755 index 00000000..b4289dc1 --- /dev/null +++ b/config/dansguardian/icapscan.conf.template @@ -0,0 +1,16 @@ +<?php + $icapconf=<<<EOF +plugname = 'icapscan' + +# ICAP URL +# Use hostname rather than IP address +# Always specify the port +# +icapurl = '{$icapurl}' + +exceptionvirusmimetypelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist' +exceptionvirusextensionlist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist' +exceptionvirussitelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirussitelist' +exceptionvirusurllist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusurllist' +EOF; +?> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 0f7010d6..a18872fc 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -2971,6 +2971,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap1 $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport']?$arrmodulesldap['varmodulesldapserverport']:'389'); $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); @@ -2983,6 +2984,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap2 $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain'); + $varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport']?$arrmodulesldap['varmodulesldap2serverport']:'389'); $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA'); $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass'); $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA'); @@ -3237,6 +3239,7 @@ ldap { # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldapserver" + port = "$varmodulesldapserverport" identity = "$varmodulesldapidentity" password = $varmodulesldappassword basedn = "$varmodulesldapbasedn" @@ -3396,6 +3399,7 @@ ldap ldap2{ # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldap2server" + port = "$varmodulesldap2serverport" identity = "$varmodulesldap2identity" password = $varmodulesldap2password basedn = "$varmodulesldap2basedn" diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index aec71697..5abe85cb 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -127,6 +127,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldapserverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldapidentity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> @@ -438,6 +446,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldap2serverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldap2identity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> diff --git a/config/lightsquid/lightsquid.xml b/config/lightsquid/lightsquid.xml index b8ce2bc8..53d074c5 100644 --- a/config/lightsquid/lightsquid.xml +++ b/config/lightsquid/lightsquid.xml @@ -186,7 +186,7 @@ <input type="submit" name="Submit" value="Refresh full"> <br> Press button for start background refresh (this take some time). <br> <span style="color: rgb(153, 51, 0);"> Note after installation: - <br> On the first - enable log in squid package with "/var/squid/log" path. + <br> On the first - enable log in squid package with "/var/squid/logs" path. <br> On the second - press Refresh button for create lightsquid reports, else you will have error diagnostic page.</span> </description> <type>select</type> diff --git a/config/lightsquid/sqstat.class.php b/config/lightsquid/sqstat.class.php index 228aecfe..03695a47 100644 --- a/config/lightsquid/sqstat.class.php +++ b/config/lightsquid/sqstat.class.php @@ -179,7 +179,8 @@ class squidstat{ } fclose($this->fp); - if ($raw[0]!="HTTP/1.0 200 OK") { $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); + if (!preg_match("/^HTTP.* 200 OK$/", $raw[0])) { + $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); return false; } diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc index 85b67ddf..cf8c837c 100644 --- a/config/mailreport/mail_reports.inc +++ b/config/mailreport/mail_reports.inc @@ -229,8 +229,6 @@ function mail_report_send($headertext, $cmdtext, $logtext, $attachments) { if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; - } else { - echo "<strong>Message sent to {$address}!</strong>\n"; } } diff --git a/config/mailreport/mail_reports_generate.php b/config/mailreport/mail_reports_generate.php index a784c596..c31909c9 100644 --- a/config/mailreport/mail_reports_generate.php +++ b/config/mailreport/mail_reports_generate.php @@ -53,9 +53,21 @@ if (!$config['mailreports']['schedule'][$id]) exit; $thisreport = $config['mailreports']['schedule'][$id]; -$cmds = $thisreport['cmd']['row']; -$logs = $thisreport['log']['row']; -$graphs = $thisreport['row']; + +if (is_array($thisreport['cmd']) && is_array($thisreport['cmd']['row'])) + $cmds = $thisreport['cmd']['row']; +else + $cmds = array(); + +if (is_array($thisreport['log']) && is_array($thisreport['log']['row'])) + $logs = $thisreport['log']['row']; +else + $logs = array(); + +if (is_array($thisreport['row'])) + $graphs = $thisreport['row']; +else + $graphs = array(); // If there is nothing to do, bail! if ((!is_array($cmds) || !(count($cmds) > 0)) diff --git a/config/mailreport/mailreport.xml b/config/mailreport/mailreport.xml index d27d3a28..5a759984 100644 --- a/config/mailreport/mailreport.xml +++ b/config/mailreport/mailreport.xml @@ -37,7 +37,7 @@ ]]> </copyright> <name>mailreport</name> - <version>2.0.4</version> + <version>2.0.6</version> <title>Status: Mail Reports</title> <additional_files_needed> <prefix>/usr/local/bin/</prefix> diff --git a/config/mailscanner/mailscanner.conf.template b/config/mailscanner/mailscanner.conf.template index 06090be3..c801c5d6 100644 --- a/config/mailscanner/mailscanner.conf.template +++ b/config/mailscanner/mailscanner.conf.template @@ -3,17 +3,17 @@ $mc=<<<EOF {$info} # Configuration directory containing this file -%etc-dir% = /usr/local/etc/MailScanner +%etc-dir% = {$mlb}/etc/MailScanner # Set the directory containing all the reports in the required language -%report-dir% = /usr/local/share/MailScanner/reports/{$report_language} +%report-dir% = {$mlb}/share/MailScanner/reports/{$report_language} # Rulesets directory containing your ".rules" files -%rules-dir% = /usr/local/etc/MailScanner/rules +%rules-dir% = {$mlb}/etc/MailScanner/rules # Configuration directory containing files related to MCP # (Message Content Protection) -%mcp-dir% = /usr/local/etc/MailScanner/mcp +%mcp-dir% = {$mlb}/etc/MailScanner/mcp # # System settings @@ -417,7 +417,7 @@ Log SpamAssassin Rule Actions = {$log_sa_rule_action} SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = SpamAssassin Install Prefix = -SpamAssassin Site Rules Dir = /usr/local/etc/mail/spamassassin +SpamAssassin Site Rules Dir = {$mlb}/etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = @@ -469,7 +469,7 @@ Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = {$default_rule_multiple} Read IP Address From Received Header = {$read_ipaddress} Spam Score Number Format = {$spam_score_format} -MailScanner Version Number = 4.83.5 +MailScanner Version Number = {$mailscanner_version} SpamAssassin Cache Timings = {$cache_timings} Debug = {$debug} Debug SpamAssassin = {$debug_spam} @@ -480,12 +480,12 @@ Deliver In Background = {$deliver_background} Delivery Method = {$mailscanner['deliver_method']} Split Exim Spool = {$split_exim_spool} Lockfile Dir = /var/spool/MailScanner/incoming/Locks -Custom Functions Dir = /usr/local/lib/MailScanner/MailScanner/CustomFunctions +Custom Functions Dir = {$mlb}/lib/MailScanner/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = {$syntax_check} Minimum Code Status = {$mailscanner['minimum_code']} -include /usr/local/etc/MailScanner/conf.d/* +include {$mlb}/etc/MailScanner/conf.d/* diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc index 1ba0a4ca..0b638166 100644 --- a/config/mailscanner/mailscanner.inc +++ b/config/mailscanner/mailscanner.inc @@ -27,7 +27,7 @@ POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "mailscanner"; require_once("util.inc"); require("globals.inc"); #require("guiconfig.inc"); @@ -101,6 +101,7 @@ function sync_package_mailscanner($via_rpc=false) { $config['installedpackages']['mscontent']['config'][0]=array('checks'=>'DangerousContentScanning,UseStricterPhishingNet,HighlightPhishingFraud', 'iframe_tags'=>'disarm', 'form_tags'=>'disarm', + 'script_tags'=>'disarm', 'web_bugs'=>'disarm', 'codebase_tags'=>'disarm'); $load_samples++; @@ -116,7 +117,7 @@ function sync_package_mailscanner($via_rpc=false) { $report=$config['installedpackages']['msreport']['config'][0]; if (!is_array($config['installedpackages']['msantispam'])){ $config['installedpackages']['msantispam']['config'][0]=array( 'rblfeatures'=>'spam_checks', - 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_pyzor,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', + 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', 'sa_score'=>'6', 'spam_actions'=>'deliver', 'hi_score'=>'20', @@ -259,6 +260,7 @@ function sync_package_mailscanner($via_rpc=false) { /* Language Strings = %report-dir%/languages.conf */ + #check files $mailscanner_dir=MAILSCANNER_LOCALBASE ."/etc/MailScanner"; @@ -309,7 +311,8 @@ Language Strings = %report-dir%/languages.conf $load_samples++; } - $report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + //$report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + $report_dir="/usr/local/share/MailScanner/reports/".strtolower($report['language']); #CHECK REPORT FILES $report_files= array('deletedbadcontent' => 'deleted.content.message.txt', 'deletedbadfilename' => 'deleted.filename.message.txt', @@ -377,8 +380,18 @@ Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf */ - + #get mailscanner version + $msc_bin=MAILSCANNER_LOCALBASE. "/sbin/mailscanner"; + if (file_exists($msc_bin)){ + $msc_bin_file=file_get_contents($msc_bin); + if (preg_match("/MailScannerVersion = '(\S+)'/",$msc_bin_file,$msv_matches)) + $mailscanner_version=$msv_matches[1]; + else + $mailscanner_version='4.83.5'; + } #create MailScanner.conf + $mlb=MAILSCANNER_LOCALBASE; + include("mailscanner.conf.template"); #write files conf_mount_rw(); @@ -404,76 +417,77 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #update spam.assassin.prefs.conf $sa_temp=ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['sa_pref_file']); - $pattern[0]='/#ifplugin/'; - $pattern[1]='/#pyzor_path/'; - $pattern[2]='/usr.bin.pyzor/'; - $pattern[3]='/#dcc_path/'; - $pattern[4]='/#endif/'; - $replacement[0]="ifplugin"; - $replacement[1]="pyzor_path"; - $replacement[2]="usr/local/bin/pyzor"; - $replacement[3]="dcc_path"; - $replacement[4]="endif"; + $pattern[]='/#ifplugin/'; + $pattern[]='/#dcc_path/'; + $pattern[]='/#endif/'; + + $replacement[]="ifplugin"; + $replacement[]="dcc_path"; + $replacement[]="endif"; if (preg_match('/use_razor/',$antispam['safeatures'])){ - $pattern[5]='/\nuse_razor2\s+0/'; - $replacement[5]="\n".'# use_razor2 0'; + $pattern[]='/\nuse_razor2\s+0/'; + $replacement[]="\n".'# use_razor2 0'; } else{ - $pattern[5]='/\n#\s+use_razor2\s+0/'; - $replacement[5]="\n".'use_razor2 0'; + $pattern[]='/\n#\s+use_razor2\s+0/'; + $replacement[]="\n".'use_razor2 0'; } if (preg_match('/use_dcc/',$antispam['safeatures'])){ - $pattern[6]='/\nuse_dcc\s+0/'; - $replacement[6]="\n".'# use_dcc 0'; + $pattern[]='/\nuse_dcc\s+0/'; + $replacement[]="\n".'# use_dcc 0'; } else{ - $pattern[6]='/\n#\s+use_dcc\s+0/'; - $replacement[6]="\n".'use_dcc 0'; + $pattern[]='/\n#\s+use_dcc\s+0/'; + $replacement[]="\n".'use_dcc 0'; } if (preg_match('/use_pyzor/',$antispam['safeatures'])){ - $pattern[7]='/\nuse_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/#pyzor_path/'; + $pattern[]='/usr.bin.pyzor/'; + $pattern[]='/\nuse_pyzor\s+0/'; + $replacement[]="pyzor_path"; + $replacement[]="usr/local/bin/pyzor"; + $replacement[]="\n".'# use_pyzor 0'; } else{ - $pattern[7]='/\n#\s+use_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/\n#\s+use_pyzor\s+0/'; + $replacement[]="\n".'# use_pyzor 0'; } if (preg_match('/use_auto_learn_bayes/',$antispam['safeatures'])){ - $pattern[8]='/\nbayes_auto_learn\s+0/'; - $replacement[8]="\n".'# bayes_auto_learn 0'; + $pattern[]='/\nbayes_auto_learn\s+0/'; + $replacement[]="\n".'# bayes_auto_learn 0'; } else{ - $pattern[8]='/\n#\s+bayes_auto_learn\s+0/'; - $replacement[8]="\n".'bayes_auto_learn 0'; + $pattern[]='/\n#\s+bayes_auto_learn\s+0/'; + $replacement[]="\n".'bayes_auto_learn 0'; } if (preg_match('/use_bayes/',$antispam['safeatures'])){ - $pattern[9]='/\nuse_bayes\s+0/'; - $replacement[9]="\n".'# use_bayes 0'; + $pattern[]='/\nuse_bayes\s+0/'; + $replacement[]="\n".'# use_bayes 0'; } else{ - $pattern[9]='/\n#\s+use_bayes\s+0/'; - $replacement[9]="\n".'use_bayes 0'; + $pattern[]='/\n#\s+use_bayes\s+0/'; + $replacement[]="\n".'use_bayes 0'; } if (preg_match('/sa_auto_whitelist/',$antispam['safeatures'])){ - $pattern[10]='/\nuse_auto_whitelist\s+0/'; - $replacement[10]="\n".'# use_auto_whitelist 0'; + $pattern[]='/\nuse_auto_whitelist\s+0/'; + $replacement[]="\n".'# use_auto_whitelist 0'; } else{ - $pattern[10]='/\n#\s*use_auto_whitelist 0/'; - $replacement[10]="\n".'use_auto_whitelist 0'; + $pattern[]='/\n#\s*use_auto_whitelist 0/'; + $replacement[]="\n".'use_auto_whitelist 0'; } if ($antispam['rblchecks']){ - $pattern[11]='/\nskip_rbl_checks\s+1/'; - $replacement[11]="\n".'# skip_rbl_checks 1'; + $pattern[]='/\nskip_rbl_checks\s+1/'; + $replacement[]="\n".'# skip_rbl_checks 1'; } else{ - $pattern[11]='/\n#\s+skip_rbl_checks\s+\d/'; - $replacement[11]="\n".'skip_rbl_checks 1'; + $pattern[]='/\n#\s+skip_rbl_checks\s+\d/'; + $replacement[]="\n".'skip_rbl_checks 1'; } - $pattern[12]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; - $replacement[12]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner"; - $pattern[13]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; - $replacement[13]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner-From"; + $pattern[]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; + $replacement[]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner"; + $pattern[]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; + $replacement[]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner-From"; $sa_temp=preg_replace($pattern,$replacement,$sa_temp); @@ -525,34 +539,24 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf unlink_if_exists($libexec_dir.'clamav-wrapper'); } else{ - if (file_exists('/var/run/clamav/')) - chown('/var/run/clamav/', 'postfix'); - if (file_exists('/var/log/clamav/')) - chown('/var/log/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/')) - chown('/var/db/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/bytecode.cld')) - chown('/var/db/clamav/bytecode.cld', 'postfix'); - if (file_exists('/var/db/clamav/daily.cld')) - chown('/var/db/clamav/daily.cld', 'postfix'); - if (file_exists('/var/db/clamav/main.cvd')) - chown('/var/db/clamav/main.cvd', 'postfix'); - if (file_exists('/var/db/clamav/mirrors.dat')) - chown('/var/db/clamav/mirrors.dat', 'postfix'); - if (file_exists('/var/log/clamav/clamd.log')) - chown('/var/log/clamav/clamd.log', 'postfix'); - if (file_exists('/var/log/clamav/freshclam.log')) - chown('/var/log/clamav/freshclam.log', 'postfix'); - + $av_dirs=array('run','log','db'); + foreach ($av_dirs as $av_dir){ + if (!is_dir("/var/$av_dir/clamav")) + mkdir("/var/$av_dir/clamav",0774,true); + chown("/var/$av_dir/clamav", 'postfix'); + chgrp("/var/$av_dir/clamav", 'wheel'); + } + $av_files=array('/var/db/clamav/daily.cld','/var/db/clamav/main.cvd','/var/db/clamav/mirrors.dat', + '/var/log/clamav/clamd.log','/var/log/clamav/freshclam.log','/var/db/clamav/bytecode.cld'); + foreach ($av_files as $av_file){ + if (file_exists($av_file)) + chown($av_file, 'postfix'); + } copy($libexec_dir.'clamav-autoupdate.sample',$libexec_dir.'clamav-autoupdate'); chmod ($libexec_dir.'clamav-autoupdate',0755); copy($libexec_dir.'clamav-wrapper.sample',$libexec_dir.'clamav-wrapper'); chmod ($libexec_dir.'clamav-autoupdate',0755); - if (!file_exists('/var/db/clamav/main.cvd')){ - log_error('No clamav database found, running freshclam in background.'); - mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam'); - } - + #clamav-wrapper file $cconf=$libexec_dir."clamav-wrapper"; if (file_exists($cconf)){ @@ -565,7 +569,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #freshclam conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/freshclam.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/DatabaseOwner clamav/',$cconf_file)){ $cconf_file=preg_replace("/DatabaseOwner clamav/","DatabaseOwner postfix",$cconf_file); @@ -575,7 +579,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #clamd conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/clamd.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/User clamav/',$cconf_file)){ $cconf_file=preg_replace("/User clamav/","User postfix",$cconf_file); @@ -616,6 +620,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } + + #check clamav database + if (!file_exists('/var/db/clamav/main.cvd')){ + log_error('No clamav database found, running freshclam in background.'); + mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam --config-file='.MAILSCANNER_LOCALBASE.'/etc/freshclam.conf --user=root'); + } + } } else{ @@ -660,7 +671,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } - + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/mailscanner'; #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner @@ -670,20 +681,35 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf exec('find '.MAILSCANNER_LOCALBASE. '/lib/perl5/site_perl -name Df.pm',$find_out); $perl_bin="perl"; foreach($find_out as $perl_dir){ - if (preg_match ('@usr/local/lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) + if (preg_match ('@/usr\S+lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) $perl_bin.=$perl_match[1]; } $cconf_file=file_get_contents($cconf); - $pattern2[0]='@#!/usr.*bin/perl.*I@'; + $pattern2[0]='@#!/usr\S+bin/perl.*I@'; $pattern2[1]='/\smy .current = config MIME::ToolUtils/'; $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I"; $replacement2[1]=' #my $current = config MIME::ToolUtils'; - if (preg_match('@#!/usr.*bin/perl.*I@',$cconf_file)){ + if (preg_match('@#!/usr\S+bin/perl.*I@',$cconf_file)){ $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); file_put_contents($cconf, $cconf_file, LOCK_EX); } } + + #check spam assassin rules + $saupdate="/usr/local/bin/sa-update"; + if (file_exists($saupdate)){ + $rules_found=0; + if (file_exists("/var/db/spamassassin")){ + foreach (glob("/var/db/spamassassin/*",GLOB_ONLYDIR) as $dirname) + $rules_found++; + } + if ($rules_found==0){ + log_error("Mailscanner- No spamassassin rules found, forcing sa-update."); + mwexec($saupdate); + } + } + if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ diff --git a/config/mailscanner/mailscanner.xml b/config/mailscanner/mailscanner.xml index 0e644196..05798a1e 100644 --- a/config/mailscanner/mailscanner.xml +++ b/config/mailscanner/mailscanner.xml @@ -9,7 +9,7 @@ /* mailscanner.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -54,7 +54,7 @@ <service> <name>mailscanner</name> <rcfile>mailscanner</rcfile> - <executable>perl5.12.4</executable> + <executable>perl5.14.2</executable> <description>MailScanner</description> </service> <additional_files_needed> @@ -112,6 +112,11 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/mailscanner/pkg_mailscanner.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> @@ -228,7 +233,7 @@ <fielddescr>Logging</fielddescr> <fieldname>syslog</fieldname> <description> - <![CDATA[Select virus scanner tests to enable. Mailscanner default options are in ( ).]]> + <![CDATA[Select logging options to enable. Mailscanner default options are in ( ).]]> </description> <type>select</type> <options> diff --git a/config/mailscanner/mailscanner_antispam.xml b/config/mailscanner/mailscanner_antispam.xml index 652935f5..7f989765 100644 --- a/config/mailscanner/mailscanner_antispam.xml +++ b/config/mailscanner/mailscanner_antispam.xml @@ -9,7 +9,7 @@ /* mailscanner_antispam.xml part of the mailscanner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -346,62 +346,93 @@ <size>5</size> </field> <field> - <name>Antispam Files</name> + <name>spam.assassin.prefs.conf</name> <type>listtopic</type> </field> <field> <fielddescr>spam.assassin.prefs.conf</fielddescr> <fieldname>sa_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.lists.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.lists.conf</fielddescr> <fieldname>rbl_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.lists.conf. Leave Blank to load sample file.<br> <strong>Use this list only when not using postscreen RBL checks(postfix-forwareder package).</strong>]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>bounce.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>bounce.rules</fielddescr> <fieldname>bounce</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>max.message.size.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>max.message.size.rules</fielddescr> <fieldname>max_message_size</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.whitelist.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.whitelist.rules</fielddescr> <fieldname>spam_whitelist</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>mcp.spam.assassin.prefs.conf</name> + <type>listtopic</type> + </field> <field> <fielddescr>mcp.spam.assassin.prefs.conf</fielddescr> <fieldname>mcp_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit mcp.spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_antivirus.xml b/config/mailscanner/mailscanner_antivirus.xml index 4a3bfe6c..590a61f6 100644 --- a/config/mailscanner/mailscanner_antivirus.xml +++ b/config/mailscanner/mailscanner_antivirus.xml @@ -9,7 +9,7 @@ /* mailscanner_antivirus.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -159,11 +159,17 @@ <size>30</size> </field> <field> + <name>Custom antivirus options</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Custom antivirus options</fielddescr> <fieldname>custom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Paste your custom mailscanner antivirus settings here.]]></description> <type>textarea</type> - <cols>60</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_attachments.xml b/config/mailscanner/mailscanner_attachments.xml index 1b031466..e89fbd46 100644 --- a/config/mailscanner/mailscanner_attachments.xml +++ b/config/mailscanner/mailscanner_attachments.xml @@ -9,7 +9,7 @@ /* mailscanner_attachments.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -174,24 +174,32 @@ <size>5</size> </field> <field> - <name>Fileset rules</name> + <name>filename.rules.conf</name> <type>listtopic</type> </field> <field> <fielddescr>filename.rules.conf</fielddescr> <fieldname>filename_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filename.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>filetypes.rules.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>filetypes.rules.conf</fielddescr> <fieldname>filetype_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filetype.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_content.xml b/config/mailscanner/mailscanner_content.xml index ca79b07f..07342dce 100644 --- a/config/mailscanner/mailscanner_content.xml +++ b/config/mailscanner/mailscanner_content.xml @@ -9,7 +9,7 @@ /* mailscanner_contents.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -114,13 +114,13 @@ <multiple/> </field> <field> - <fielddescr>Allow IFrame Tags</fielddescr> + <fielddescr>IFrame Tags</fielddescr> <fieldname>iframe_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'IFrame' tags in email messages?<br> This is not a good idea as it allows various Microsoft Outlook security vulnerabilities to remain unprotected, but if you have a load of mailing lists sending them, @@ -128,39 +128,39 @@ </description> </field> <field> - <fielddescr>Allow Form Tags</fielddescr> + <fielddescr>Form Tags</fielddescr> <fieldname>form_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Form' tags in email messages?<br> This is a bad idea as these are used as scams to pursuade people to part with credit card information and other personal data.]]> </description> </field> <field> - <fielddescr>Allow Script Tags</fielddescr> + <fielddescr>Script Tags</fielddescr> <fieldname>script_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Script' tags in email messages?<br> This is a bad idea as these are used to exploit vulnerabilities in email applications and web browsers.]]> </description> </field> <field> - <fielddescr>Allow web bugs</fielddescr> + <fielddescr>Web bugs</fielddescr> <fieldname>web_bugs</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Img' tags with very small images in email messages?<br> This is a bad idea as these are used as 'web bugs' to find out if a message has been read.<br> @@ -168,13 +168,13 @@ </description> </field> <field> - <fielddescr>Allow Object Codebase Tags</fielddescr> + <fielddescr>Object Codebase Tags</fielddescr> <fieldname>codebase_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>allow</name><value>yes</value></option> + <option><name>deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow <strong>'Object Codebase=...' or 'Object Data=...'</strong> tags in email messages?<br> This is a bad idea as it leaves you unprotected against various Microsoft-specific security vulnerabilities.<br> @@ -182,33 +182,47 @@ </description> </field> <field> - <name>Phishing files</name> + <name>phishing.safe.sites.conf</name> <type>listtopic</type> </field> <field> <fielddescr>phishing.safe.sites.conf</fielddescr> <fieldname>phishing_safe</fieldname> - <description><![CDATA[edit phishing.safe.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.safe.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>phishing.bad.sites.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>phishing.bad.sites.conf</fielddescr> <fieldname>phishing_bad</fieldname> - <description><![CDATA[edit phishing.bad.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.bad.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>country.domains.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>country.domains.conf</fielddescr> <fieldname>country_domains</fieldname> - <description><![CDATA[edit country.domains.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[country.domains.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_report.xml b/config/mailscanner/mailscanner_report.xml index 60e7385c..e12ed341 100644 --- a/config/mailscanner/mailscanner_report.xml +++ b/config/mailscanner/mailscanner_report.xml @@ -9,7 +9,7 @@ /* mailscanner_report.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -90,6 +90,31 @@ <type>listtopic</type> </field> <field> + <fielddescr>Language</fielddescr> + <fieldname>language</fieldname> + <description> + <![CDATA[Select report language.]]> + </description> + <type>select</type> + <options> + <option><name>EN (Default)</name><value>en</value></option> + <option><name>CA</name><value>ca</value></option> + <option><name>CY+EN</name><value>cy+en</value></option> + <option><name>CZ</name><value>cz</value></option> + <option><name>DE</name><value>de</value></option> + <option><name>DK</name><value>dk</value></option> + <option><name>ES</name><value>es</value></option> + <option><name>FR</name><value>fr</value></option> + <option><name>HU</name><value>hu</value></option> + <option><name>IT</name><value>it</value></option> + <option><name>NL</name><value>nl</value></option> + <option><name>PT_BR</name><value>pt_br</value></option> + <option><name>RO</name><value>ro</value></option> + <option><name>SE</name><value>se</value></option> + <option><name>SK</name><value>sk</value></option> + </options> + </field> + <field> <fielddescr>Reports</fielddescr> <fieldname>features</fieldname> <description> @@ -177,46 +202,29 @@ <size>20</size> </field> <field> - <name>Message Reports</name> + <name>Deleted Bad Content</name> <type>listtopic</type> </field> <field> - <fielddescr>Language</fielddescr> - <fieldname>language</fieldname> - <description> - <![CDATA[Select report language.]]> - </description> - <type>select</type> - <options> - <option><name>EN (Default)</name><value>en</value></option> - <option><name>CA</name><value>ca</value></option> - <option><name>CY+EN</name><value>cy+en</value></option> - <option><name>CZ</name><value>cz</value></option> - <option><name>DE</name><value>de</value></option> - <option><name>DK</name><value>dk</value></option> - <option><name>ES</name><value>es</value></option> - <option><name>FR</name><value>fr</value></option> - <option><name>HU</name><value>hu</value></option> - <option><name>IT</name><value>it</value></option> - <option><name>NL</name><value>nl</value></option> - <option><name>PT_BR</name><value>pt_br</value></option> - <option><name>RO</name><value>ro</value></option> - <option><name>SE</name><value>se</value></option> - <option><name>SK</name><value>sk</value></option> - </options> - </field> - <field> <fielddescr>Deleted Bad Content</fielddescr> <fieldname>deletedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Deleted Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Bad Filename</fielddescr> <fieldname>deletedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -224,8 +232,14 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Virus</fielddescr> <fieldname>deletedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -233,35 +247,59 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Size</fielddescr> <fieldname>deletedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Content</fielddescr> <fieldname>storedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Filename</fielddescr> <fieldname>storedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Virus</fielddescr> <fieldname>storedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -269,8 +307,14 @@ <encoding>base64</encoding> </field> <field> + <name>Disinfected Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Disinfected Report</fielddescr> <fieldname>disinfected</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -278,8 +322,14 @@ <encoding>base64</encoding> </field> <field> + <name>Stored Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Size</fielddescr> <fieldname>storedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit disinfected.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -287,8 +337,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender content</fielddescr> <fieldname>sendercontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -296,8 +352,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Error</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Error</fielddescr> <fieldname>sendererror</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.error.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -305,8 +367,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Bad Filename</fielddescr> <fieldname>senderbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.filename.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -314,8 +382,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Virus Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Virus Report</fielddescr> <fieldname>sendervirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.virus.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -323,8 +397,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Size Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Size Report</fielddescr> <fieldname>sendersize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.size.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -332,8 +412,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam report</fielddescr> <fieldname>senderspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -341,8 +427,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender SPam RBL report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender SPam RBL report</fielddescr> <fieldname>senderrbl</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.rbl.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -350,8 +442,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam SA report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam SA report</fielddescr> <fieldname>sendersa</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.sa.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -359,18 +457,29 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam MCP report</fielddescr> <fieldname>sendermcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>Recipients Spam report</name> + <type>listtopic</type> + </field> <field> <fielddescr>Recipients Spam report</fielddescr> <fieldname>recipientspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -378,8 +487,14 @@ <encoding>base64</encoding> </field> <field> + <name>Recipients MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Recipients MCP report</fielddescr> <fieldname>recipientmcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -387,16 +502,20 @@ <encoding>base64</encoding> </field> <field> + <name>Rejection Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Rejection Report</fielddescr> <fieldname>rejection</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit rejection.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - - </fields> <custom_php_install_command> mailscanner_php_install_command(); diff --git a/config/mailscanner/pkg_mailscanner.inc b/config/mailscanner/pkg_mailscanner.inc new file mode 100755 index 00000000..cbd83cf5 --- /dev/null +++ b/config/mailscanner/pkg_mailscanner.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['mailscanner'] = array(); +$shortcuts['mailscanner']['main'] = "pkg_edit.php?xml=mailscanner.xml"; +$shortcuts['mailscanner']['log'] = "diag_logs.php"; +$shortcuts['mailscanner']['status'] = "status_services.php"; +$shortcuts['mailscanner']['service'] = "mailscanner"; + +?> diff --git a/config/nut/nut.inc b/config/nut/nut.inc index 0c1235dd..46c5741e 100644 --- a/config/nut/nut.inc +++ b/config/nut/nut.inc @@ -272,7 +272,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; @@ -356,7 +356,6 @@ EOD; $snmpcommunity = nut_config('snmpcommunity'); $snmpfreq = nut_config('snmpfreq'); $snmpdisabletransfer = (nut_config('snmpdisabletransfer') == 'on'); - $allowaddr = nut_config('allowaddr'); $allowuser = nut_config('allowuser'); $allowpass = nut_config('allowpass'); @@ -389,7 +388,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; diff --git a/config/nut/nut.xml b/config/nut/nut.xml index 4a9c3d46..fcfbdfe6 100644 --- a/config/nut/nut.xml +++ b/config/nut/nut.xml @@ -299,6 +299,10 @@ <value>upscode204</value> </option> <option> + <name>Generic USB UPS (Blazer)</name> + <value>blazer_usb01</value> + </option> + <option> <name>Inform GUARD Line Interactive</name> <value>powercom00</value> </option> @@ -653,4 +657,4 @@ <custom_php_deinstall_command> deinstall_package_nut(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 1d1609ed..e6351686 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -33,6 +33,10 @@ require_once("globals.inc"); require_once("openvpn.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); +require_once("util.inc"); +require_once("pfsense-utils.inc"); function openvpn_client_export_install() { conf_mount_rw(); @@ -166,8 +170,9 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); $nl = ($doslines) ? "\r\n" : "\n"; $conf = ""; @@ -180,27 +185,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // determine basic variables - if ($useaddr == "serveraddr") { - $interface = $settings['interface']; - if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { - $server_host = $settings['ipaddr']; - } else { - if (!$interface || ($interface == "any")) - $interface = "wan"; - $server_host = get_interface_ip($interface); - } - } else if ($useaddr == "serverhostname" || empty($useaddr)) { - $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; - $server_host .= "{$config['system']['domain']}"; - } else - $server_host = $useaddr; - + $remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl); $server_port = $settings['local_port']; - $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); - if (($expformat == "inlineios") && ($proto == "tcp-client")) - $proto = "tcp"; - $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode']; @@ -215,14 +203,29 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese // if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp")) // $conf .= "proto tcp-client{$nl}"; $conf .= "cipher {$cipher}{$nl}"; + $conf .= "auth {$digest}{$nl}"; $conf .= "tls-client{$nl}"; $conf .= "client{$nl}"; if (($expformat != "inlinedroid") && ($expformat != "inlineios")) $conf .= "resolv-retry infinite{$nl}"; - $conf .= "remote {$server_host} {$server_port} {$proto}{$nl}"; - if (!empty($servercn) && ($expformat != "inlineios")) { - $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "tls-remote {$qw}{$servercn}{$qw}{$nl}"; + $conf .= "$remotes{$nl}"; + /* This line can cause problems with auth-only setups and also with Yealink/Snom phones + since they are stuck on an older OpenVPN version that does not support this feature. */ + if (!empty($servercn) && !$nokeys) { + switch ($verifyservercn) { + case "none": + break; + case "tls-remote": + $conf .= "tls-remote {$servercn}{$nl}"; + break; + case "tls-remote-quote": + $conf .= "tls-remote \"{$servercn}\"{$nl}"; + break; + default: + if ((substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) { + $conf .= "verify-x509-name \"{$servercn}\" name{$nl}"; + } + } } if (!empty($proxy)) { @@ -309,8 +312,13 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // add optional settings - if ($settings['compression']) - $conf .= "comp-lzo{$nl}"; + if (!empty($settings['compression'])) { + if ($pfs_version > 2.1) + $conf .= "comp-lzo {$settings['compression']}{$nl}"; + else + $conf .= "comp-lzo{$nl}"; + } + if ($settings['passtos']) $conf .= "passtos{$nl}"; @@ -463,7 +471,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } } -function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { +function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { global $config, $g, $input_errors; $uname_p = trim(exec("uname -p")); @@ -475,7 +483,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $client_install_exe = "openvpn-install-2.3-x86_64.exe"; break; default: - $client_install_exe = "openvpn-install-2.2.exe"; + $client_install_exe = "openvpn-install-2.3-i686.exe"; } $ovpndir = "/usr/local/share/openvpn"; @@ -503,6 +511,8 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot exec("cp -r {$workdir}/template/* {$tempdir}"); // and put the required installer exe in place exec("/bin/cp {$tempdir}/{$client_install_exe} {$tempdir}/openvpn-install.exe"); + if (stristr($openvpn_version, "x64")) + rename("{$tempdir}/openvpn-postinstall64.exe", "{$tempdir}/openvpn-postinstall.exe"); // write configuration file $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); @@ -513,7 +523,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $pwdfle .= "{$proxy['password']}\r\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); if (!$conf) { $input_errors[] = "Could not create a config to export."; return false; @@ -548,8 +558,6 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot if ($openvpnmanager) $files .= "openvpnmanager "; - unlink("openvpn-postinstall.exe"); - rename("openvpnmanager/openvpn-postinstall.exe","openvpn-postinstall.exe"); $files .= "openvpn-install.exe "; $files .= "openvpn-postinstall.exe "; if ($usetoken) @@ -580,7 +588,7 @@ RunProgram="openvpn-postinstall.exe" return $outfile; } -function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { +function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { global $config, $g; $uname_p = trim(exec("uname -p")); @@ -615,14 +623,14 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead file_put_contents("{$tempdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); if (!$conf) return false; // We need to nuke the ca line from the above config if it exists. $conf = explode("\n", $conf); for ($i=0; $i < count($conf); $i++) { - if (substr($conf[$i], 0, 3) == "ca ") + if ((substr($conf[$i], 0, 3) == "ca ") || (substr($conf[$i], 0, 7) == "pkcs12 ")) unset($conf[$i]); } $conf = implode("\n", $conf); @@ -731,6 +739,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client"); $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $conf = "dev tun\n"; @@ -741,6 +750,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; + $conf .= "auth {$digest}\n"; $conf .= "pull\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; @@ -811,4 +821,111 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco return $conf; } +function openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl) { + global $config; + $remotes = array(); + if (($useaddr == "serveraddr") || ($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $interface = $settings['interface']; + if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { + $server_host = $settings['ipaddr']; + } else { + if (!$interface || ($interface == "any")) + $interface = "wan"; + $server_host = get_interface_ip($interface); + } + } else if ($useaddr == "serverhostname" || empty($useaddr)) { + $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; + $server_host .= "{$config['system']['domain']}"; + } else + $server_host = $useaddr; + + $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); + if (($expformat == "inlineios") && ($proto == "tcp-client")) + $proto = "tcp"; + + if (($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $destinations = openvpn_client_export_find_port_forwards($server_host, $settings['local_port'], $proto, true, ($useaddr == "servermagichost")); + foreach ($destinations as $dest) { + $remotes[] = "remote {$dest['host']} {$dest['port']} {$dest['proto']}"; + } + } else { + $remotes[] = "remote {$server_host} {$settings['local_port']} {$proto}"; + } + + return implode($nl, $remotes); +} + +function openvpn_client_export_find_port_forwards($targetip, $targetport, $targetproto, $skipprivate, $findhostname=false) { + global $config, $FilterIflist; + if (empty($FilterIflist)) + filter_generate_optcfg_array(); + $destinations = array(); + + foreach ($config['nat']['rule'] as $natent) { + $dest = array(); + if (!isset($natent['disabled']) + && ($natent['target'] == $targetip) + && ($natent['local-port'] == $targetport) + && ($natent['protocol'] == $targetproto)) { + $dest['proto'] = $natent['protocol']; + + // Could be multiple ports... But we can only use one. + $dports = is_port($natent['destination']['port']) ? array($natent['destination']['port']) : filter_expand_alias_array($natent['destination']['port']); + $dest['port'] = $dports[0]; + + // Could be network or address ... + $natif = (!$natent['interface']) ? "wan" : $natent['interface']; + + if (!isset($FilterIflist[$natif])) + continue; // Skip if there is no interface + + $dstaddr = trim(filter_generate_address($natent, 'destination', true)); + if(!$dstaddr) + $dstaddr = $FilterIflist[$natif]['ip']; + + $dstaddr_port = explode(" ", $dstaddr); + + if(empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port") + continue; // Skip port forward if no destination address found + + + if (!is_ipaddr($dstaddr_port[0])) + continue; // We can only work with single IPs, not subnets! + + + if ($skipprivate && is_private_ip($dstaddr_port[0])) + continue; // Skipping a private IP destination! + + $dest['host'] = $dstaddr_port[0]; + + if ($findhostname) { + $hostname = openvpn_client_export_find_hostname($natif); + if (!empty($hostname)) + $dest['host'] = $hostname; + } + + $destinations[] = $dest; + } + } + + return $destinations; +} + +function openvpn_client_export_find_hostname($interface) { + global $config; + $hostname = ""; + if (is_array($config['dyndnses']['dyndns'])) { + foreach ($config['dyndnses']['dyndns'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + if (is_array($config['dnsupdates']['dnsupdate'])) { + foreach ($config['dnsupdates']['dnsupdate'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + +} ?> diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index f90ac2cf..4c0518b2 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.0.11</version> + <version>1.2.2</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/source/openvpn-postinstall64.nsi b/config/openvpn-client-export/source/openvpn-postinstall64.nsi new file mode 100644 index 00000000..b962ddff --- /dev/null +++ b/config/openvpn-client-export/source/openvpn-postinstall64.nsi @@ -0,0 +1,215 @@ +;-------------------------------- +; OpenVPN NSIS Post-Installer +;-------------------------------- + +;-------------------------------- +;Include Modern UI + +Var /GLOBAL mui.FinishPage.Run +!define MUI_FINISHPAGE_RUN_VARIABLES + + !include "MUI2.nsh" + !include "FileFunc.nsh" + !include "LogicLib.nsh" + +;-------------------------------- +; General +;-------------------------------- + + Name "OpenVPN Configuration" + OutFile "openvpn-postinstall64.exe" + SetCompressor /SOLID lzma + + ShowInstDetails show + + !include "dotnet2.nsh" + !include "x64.nsh" +;-------------------------------- +;Include Settings +;-------------------------------- + + !define MUI_ICON "openvpn-postinstall.ico" + !define MUI_ABORTWARNING + +;-------------------------------- +;Pages +;-------------------------------- + +!define WELCOME_TITLE 'Welcome to OpenVPN installer.' + +!define WELCOME_TEXT "This wizard will guide you through the installation of the OpenVPN client and configuration.$\r$\n$\r$\n\ +This wil automaticaly install the configuration files needed for your connection. \ +And if needed install the required DotNet2 framework." + !define MUI_WELCOMEPAGE_TITLE '${WELCOME_TITLE}' + ;!define MUI_WELCOMEPAGE_TITLE_3LINES + !define MUI_WELCOMEPAGE_TEXT '${WELCOME_TEXT}' + !insertmacro MUI_PAGE_WELCOME + + !insertmacro MUI_PAGE_INSTFILES + + + !define MUI_FINISHPAGE_RUN "C:\User\test.lnk" + !define MUI_FINISHPAGE_RUN_TEXT "Start OpenVPNManager." + !define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink" + !define MUI_PAGE_CUSTOMFUNCTION_SHOW finish_show + !insertmacro MUI_PAGE_FINISH + + !insertmacro Locate + !insertmacro GetParameters + !insertmacro GetOptions + +;-------------------------------- +;Languages +;-------------------------------- + + !insertmacro MUI_LANGUAGE "English" + +;-------------------------------- +;Functions +;-------------------------------- + +Function .onInit + Var /GLOBAL BINPATH + Var /GLOBAL CONFPATH + Var /GLOBAL OpenVPNManager + + ; If we are running on a 64-bit OS with a 64-bit payload then we must operate in the 64-bit registry + ; This should not be done if the payload is a 32-bit OpenVPN even on a 64-bit OS. + ${If} ${RunningX64} + SetRegView 64 + ${EndIf} + IfFileExists ".\OpenVPNManager" InstallOpenVPNManager1 DontInstallOpenVPNManager1 + InstallOpenVPNManager1: + strcpy $OpenVPNManager true + !insertmacro CheckForDotNET2 + Goto OpenVPNManagerDone1 + DontInstallOpenVPNManager1: + strcpy $OpenVPNManager false + OpenVPNManagerDone1: +FunctionEnd + +Function CopyConfFile + CopyFiles $R9 $CONFPATH\$R7 + Push $0 +FunctionEnd + +Function ImportConfFile + ExecWait "rundll32.exe cryptext.dll,CryptExtAddPFX $R9" + Push $0 +FunctionEnd + +Function CopyOpenVPNManager + DetailPrint "Installing OpenVPNManager..." + DetailPrint "Installing in: $BINPATH\OpenVPNManager\" + CreateDirectory "$BINPATH\OpenVPNManager" + CreateDirectory "$BINPATH\OpenVPNManager\config" + CopyFiles ".\OpenVPNManager\*.*" "$BINPATH\OpenVPNManager" + CreateShortcut "$desktop\OpenVPNManager.lnk" "$BINPATH\OpenVPNManager\OpenVPNManager.exe" + Push $0 +FunctionEnd + +Function finish_show + ${If} $OpenVPNManager != "true" + ;If OpenVPNManager is not installed then dont give the option to run it. (hide and uncheck the checkbox) + ShowWindow $mui.FinishPage.Run 0 + ${NSD_Uncheck} $mui.FinishPage.Run + ${EndIf} +FunctionEnd + +Function LaunchLink + ExecShell "" "$desktop\OpenVPNManager.lnk" +FunctionEnd +;-------------------------------- +;Installer Sections +;-------------------------------- + +Section "Import Configuration" SectionImport + ${If} $OpenVPNManager == "true" + ; OpenVPNManager needs dotnet2 + !insertmacro InstallDotNet2 + ${Endif} + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNInstall OpenVPNAlreadyInstalled + OpenVPNInstall: + DetailPrint "Pausing installation while OpenVPN installer runs." + ExecWait '".\openvpn-install.exe"' $1 + ${if} $OpenVPNManager == "true" + SetShellVarContext all + Delete "$desktop\OpenVPN GUI.lnk" + SetShellVarContext current + ${Endif} + Pop $0 + OpenVPNAlreadyInstalled: + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNnotFound OpenVPNok + OpenVPNnotFound: + Abort "OpenVPN installation not found, installation aborted." + OpenVPNok: + DetailPrint "Completed OpenVPN installation." + + ${If} $OpenVPNManager == "true" + strcpy $OpenVPNManager true + StrCpy $CONFPATH "$BINPATH\OpenVPNManager\config" + call "CopyOpenVPNManager" + ${Else} + strcpy $OpenVPNManager false + ClearErrors + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "config_dir" + IfErrors configNotFound configFound + configNotFound: + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "" + StrCpy $CONFPATH "$CONFPATH\config" + configFound: + + ${Endif} + + DetailPrint "Installing configuration files ..." + ${Locate} ".\config" "/L=F /M=*.ovpn" "CopyConfFile" + + DetailPrint "Installing certificate and key files ..." + ${Locate} ".\config" "/L=F /M=*.crt" "CopyConfFile" + ${Locate} ".\config" "/L=F /M=*.key" "CopyConfFile" + + ${If} $OpenVPNManager == "true" + DetailPrint "Registering OpenVPNManager service..." + ExecWait '"$BINPATH\OpenVPNManager\OpenVPNManager.exe" /install' + DetailPrint "Starting OpenVPNManager service..." + SimpleSC::StartService "OpenVPNManager" "" 30 + Pop $0 + ${Else} + ;DetailPrint "Starting OpenVPN Service..." + ;SimpleSC::StartService "OpenVPNService" "" 30 + ;Pop $0 + ${Endif} + + ${GetParameters} $R0 + ${GetOptions} $R0 "/Import" $R1 + IfErrors p12_copy p12_import + p12_copy: + ${Locate} ".\config" "/L=F /M=*.p12" "CopyConfFile" + Goto p12_done + p12_import: + ${Locate} ".\config" "/L=F /M=*.p12" "ImportConfFile" + Goto p12_done + p12_done: + +SectionEnd +;-------------------------------- +;Descriptions +;-------------------------------- + + ;Language strings + LangString DESC_SectionImport ${LANG_ENGLISH} "Import OpenVPN Configurations and Key Files." + + ;Assign language strings to sections + !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN + !insertmacro MUI_DESCRIPTION_TEXT ${SectionImport} $(DESC_SectionImport) + !insertmacro MUI_FUNCTION_DESCRIPTION_END + +;-------------------------------- +; END +;-------------------------------- diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index c2a54432..44744832 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -138,7 +138,7 @@ if (!empty($act)) { $advancedoptions = $_GET['advancedoptions']; $openvpnmanager = $_GET['openvpnmanager']; - $quoteservercn = $_GET['quoteservercn']; + $verifyservercn = $_GET['verifyservercn']; $usetoken = $_GET['usetoken']; if ($usetoken && (substr($act, 0, 10) == "confinline")) $input_errors[] = "You cannot use Microsoft Certificate Storage with an Inline configuration."; @@ -213,17 +213,17 @@ if (!empty($act)) { $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "baseconf"; } - $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); + $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); } if($act == "visc") { $exp_name = urlencode($exp_name."-Viscosity.visc.zip"); - $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); + $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); } if(substr($act, 0, 4) == "inst") { $exp_name = urlencode($exp_name."-install.exe"); - $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); + $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); } if (!$exp_path) { @@ -304,9 +304,9 @@ function download_begin(act, i, j) { advancedoptions = document.getElementById("advancedoptions").value; - var quoteservercn = 0; - if (document.getElementById("quoteservercn").checked) - quoteservercn = 1; + var verifyservercn; + verifyservercn = document.getElementById("verifyservercn").value; + var usetoken = 0; if (document.getElementById("usetoken").checked) usetoken = 1; @@ -380,7 +380,7 @@ function download_begin(act, i, j) { dlurl += "&crtid=" + escape(certs[j][0]); } dlurl += "&useaddr=" + escape(useaddr); - dlurl += ""eservercn=" + escape(quoteservercn); + dlurl += "&verifyservercn=" + escape(verifyservercn); dlurl += "&openvpnmanager=" + escape(openvpnmanager); dlurl += "&usetoken=" + escape(usetoken); if (usepass) @@ -434,11 +434,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ", -1)'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ", -1)'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle<\/a>"; @@ -471,11 +469,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\", -1," + j + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\", -1," + j + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle<\/a>"; @@ -515,11 +511,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle<\/a>"; @@ -597,6 +591,8 @@ function useproxy_changed(obj) { <td> <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> + <option value="servermagic" >Automagic Multi-WAN IPs (port forward targets)</option> + <option value="servermagichost" >Automagic Multi-WAN DDNS Hostnames (port forward targets)</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> <?php foreach ($config['dyndnses']['dyndns'] as $ddns): ?> @@ -623,16 +619,22 @@ function useproxy_changed(obj) { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Quote Server CN</td> + <td width="22%" valign="top" class="vncell">Verify Server CN</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0" summary="quote server cn"> + <table border="0" cellpadding="2" cellspacing="0" summary="verify server cn"> <tr> <td> - <input name="quoteservercn" id="quoteservercn" type="checkbox" value="yes" /> - </td> - <td> + <select name="verifyservercn" id="verifyservercn" class="formselect"> + <option value="auto">Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible</option> + <option value="tls-remote">Use tls-remote (Deprecated, use only on old clients <= OpenVPN 2.2.x)</option> + <option value="tls-remote-quote">Use tls-remote and quote the server CN</option> + <option value="none">Do not verify the server CN</option> + </select> + <br/> <span class="vexpl"> - Enclose the server CN in quotes. Can help if your server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. + Optionally verify the server certificate Common Name (CN) when the client connects. Current clients, including the most recent versions of Windows, Viscosity, Tunnelblick, OpenVPN on iOS and Android and so on should all work at the default automatic setting. + <br/><br/>Only use tls-remote if you must use an older client that you cannot control. The option has been deprecated by OpenVPN and will be removed in the next major version. + <br/><br/>With tls-remote the server CN may optionally be enclosed in quotes. This can help if the server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. </span> </td> </tr> @@ -804,6 +806,7 @@ function useproxy_changed(obj) { This will change the generated .ovpn configuration to allow for usage of the management interface. And include the OpenVPNManager program in the "Windows Installers". With this OpenVPN can be used also by non-administrator users. This is also useful for Windows Vista/7/8 systems where elevated permissions are needed to add routes to the system. + <br/><br/>NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system. </span> </td> </tr> diff --git a/config/postfix/pkg_postfix.inc b/config/postfix/pkg_postfix.inc new file mode 100755 index 00000000..18da1c11 --- /dev/null +++ b/config/postfix/pkg_postfix.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['postfix'] = array(); +$shortcuts['postfix']['main'] = "pkg_edit.php?xml=postfix.xml"; +$shortcuts['postfix']['log'] = "diag_logs_resolver.php"; +$shortcuts['postfix']['status'] = "status_services.php"; +$shortcuts['postfix']['service'] = "postfix"; + +?> diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc index 193ec6c7..cf7cd786 100755 --- a/config/postfix/postfix.inc +++ b/config/postfix/postfix.inc @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "postfix"; require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 25f7a81d..c3b3664f 100644 --- a/config/postfix/postfix.xml +++ b/config/postfix/postfix.xml @@ -145,6 +145,11 @@ <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/postfix/pkg_postfix.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml index 4eeda7a4..d704c189 100644 --- a/config/postfix/postfix_acl.xml +++ b/config/postfix/postfix_acl.xml @@ -110,7 +110,7 @@ See http://www.postfix.org/header_checks.5.html for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -124,7 +124,7 @@ See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -142,7 +142,7 @@ <strong>Note: a result of "OK" in this field is not allowed/wanted for safety reasons(it may accept forged senders as it will not do other spam checks). Instead, use DUNNO in order to exclude specific hosts from blacklists.</strong>]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -154,7 +154,7 @@ /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -166,7 +166,7 @@ ~^[[:alnum:]+/]{60,}$~ OK]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml index 97e39fb2..2b07bae8 100644 --- a/config/postfix/postfix_recipients.xml +++ b/config/postfix/postfix_recipients.xml @@ -9,7 +9,7 @@ /* postfix_recipients.xml part of the Postfix package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -119,33 +119,38 @@ Before using LDAP fetch you must install p5-perl-ldap package(hint: <strong>/usr/sbin/pkg_add -r p5-perl-ldap</strong>)]]></description> </field> <field> - <fielddescr><![CDATA[<strong>HINTS</strong><br>Hostname:<br>dc1.mysite.com<br><br>Domain:<br>dc=mysite,dc=com<br><br>Username:<br>cn=antispam,cn=Users<br>]]></fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> <rowhelper> <rowhelperfield> <fielddescr>Hostname</fielddescr> + <description><![CDATA[<strong>Hostname Hint:</strong><br>dc1.mysite.com]]></description> <fieldname>dc</fieldname> <type>input</type> - <size>20</size> + <size>23</size> </rowhelperfield> <rowhelperfield> <fielddescr>Domain</fielddescr> + <description><![CDATA[<strong>Domain Hint:</strong><br>dc=mysite,dc=com]]></description> <fieldname>cn</fieldname> <type>input</type> - <size>22</size> + <size>25</size> </rowhelperfield> <rowhelperfield> <fielddescr>Username</fielddescr> + <description><![CDATA[<strong>Username Hint:</strong><br>Username:cn=antispam,cn=Users]]></description> <fieldname>username</fieldname> <type>input</type> - <size>20</size> + <size>24</size> </rowhelperfield> <rowhelperfield> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <type>password</type> - <size>10</size> + <size>12</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index aabd27a8..782baf0f 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() { // Since we need to embed this in a string, copy to a var. Can't embed constnats. $quagga_config_base = PKG_QUAGGA_CONFIG_BASE; + $noaccept = ""; + if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) { // if there is a raw config specifyed in tthe config.xml use that instead of the assisted config $conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']); @@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() { if ($interface_subnet == 32) $interface_subnet = 30; $subnet = gen_subnet($interface_ip, $interface_subnet); + if (!empty($conf['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n"; + } if (!empty($conf['interfacearea'])) { $interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']); } @@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() { foreach ($ospfd_conf['row'] as $redistr) { if (empty($redistr['routevalue'])) continue; + if (isset($redistr['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n"; + } if (isset($redistr['redistribute'])) { $noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n"; } else { @@ -239,6 +247,13 @@ function quagga_ospfd_install_conf() { $zebraconffile .= "password {$ospfd_conf['password']}\n"; if ($ospfd_conf['logging']) $zebraconffile .= "log syslog\n"; + if (!empty($noaccept)) { + $zebraconffile .= $noaccept; + $zebraconffile .= "ip prefix-list ACCEPTFILTER permit any\n"; + $zebraconffile .= "route-map ACCEPTFILTER permit 10\n"; + $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n"; + $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n"; + } $fd = fopen("{$quagga_config_base}/zebra.conf", "w"); fwrite($fd, $zebraconffile); fclose($fd); diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index 61bf3e94..c975961b 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ <packagegui> <name>quagga_ospfd</name> - <version>0.5.4</version> + <version>0.6.1</version> <title>Services: Quagga OSPFd</title> <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect> @@ -165,6 +165,13 @@ <size>20</size> </rowhelperfield> <rowhelperfield> + <fielddescr>Disable <br/>Acceptance</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Accept Filter</description> + <type>checkbox</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> <fielddescr>Subnet to Route</fielddescr> <fieldname>routevalue</fieldname> <type>input</type> diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml index 21bc877f..beb6f2b0 100644 --- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml +++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml @@ -87,6 +87,12 @@ <type>checkbox</type> </field> <field> + <fielddescr>Accept Filter</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments).</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Enable MD5 password for this Quagga OSPFd interface (default no)</fielddescr> <fieldname>md5password</fieldname> <description>Enables the use of an MD5 password to on this instance</description> diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 97abc138..1a4db315 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc @@ -33,8 +33,20 @@ /* ========================================================================== */ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0){ + + // Function to get squidGuard directory + // each squidGuard version has a different directory + function getsqGuardDir() { + foreach (glob("/usr/pbi/*",GLOB_ONLYDIR) as $dirname) { + if (preg_match("/squidguard-/i", $dirname)) { + return trim($dirname); + break; + } + } + } + define('SARG_DIR', '/usr/pbi/sarg-' . php_uname("m")); - define('SQGARD_DIR','/usr/pbi/squidguard-' . php_uname("m")); + define('SQGARD_DIR', getsqGuardDir()); define('SQUID_DIR', '/usr/pbi/squid-' . php_uname("m")); define('DANSG_DIR', '/usr/pbi/dansguardian-' . php_uname("m")); } @@ -142,7 +154,7 @@ EOF; } #create a new file to speedup find search file_put_contents("/root/sarg_run_{$id}.sh",$gzip_script,LOCK_EX); - mwexec($cmd. " ".$args); + mwexec("export LC_ALL=C && " .$cmd. " ".$args); #check if there is a script to run after file save if (is_array($config['installedpackages']['sarg'])) switch ($config['installedpackages']['sarg']['config'][0]['proxy_server']){ @@ -248,7 +260,7 @@ function sync_package_sarg() { $anonymous_output_files=(preg_match('/anonymous_output_files/',$sarg['report_options'])?"yes":"no"); $resolve_ip=(preg_match('/resolve_ip/',$sarg['report_options'])?"yes":"no"); $user_ip=(preg_match('/user_ip/',$sarg['report_options'])?"yes":"no"); - $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"REVERSE":"NORMAL"); + $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"reverse":"normal"); $remove_temp_files=(preg_match('/remove_temp_files/',$sarg['report_options'])?"yes":"no"); $main_index=(preg_match('/main_index/',$sarg['report_options'])?"yes":"no"); $index_tree=(preg_match('/index_tree/',$sarg['report_options'])?"file":"date"); @@ -260,6 +272,8 @@ function sync_package_sarg() { $bytes_in_sites_users_report=(preg_match('/bytes_in_sites_users_report/',$sarg['report_options'])?"yes":"no"); $date_time_by=(preg_match('/date_time_by_bytes/',$sarg['report_options'])?"bytes":""); $date_time_by.=(preg_match('/date_time_by_elap/',$sarg['report_options'])?" elap":""); + if(empty($date_time_by)) + $date_time_by="bytes"; $date_format=(preg_match("/\w/",$sarg['report_date_format'])?$sarg['report_date_format']:"u"); $report_type=preg_replace('/,/',' ',$sarg['report_type']); $report_charset=(empty($sarg['report_charset'])?"UTF-8":$sarg['report_charset']); diff --git a/config/sarg/sarg_frame.php b/config/sarg/sarg_frame.php index 4d3421ab..21638247 100755 --- a/config/sarg/sarg_frame.php +++ b/config/sarg/sarg_frame.php @@ -68,9 +68,11 @@ if ($report != "" ) #look for graph files inside reports. if (preg_match_all('/img src="([a-zA-Z0-9._-]+).png/',$report,$images)){ + conf_mount_rw(); for ($x=0;$x<count($images[1]);$x++){ copy("{$dir}/{$prefix}/{$images[1][$x]}.png","/usr/local/www/sarg-images/temp/{$images[1][$x]}.{$rand}.png"); } + conf_mount_ro(); } print preg_replace($pattern,$replace,$report); } diff --git a/config/sarg/sarg_reports.php b/config/sarg/sarg_reports.php index b1792312..b156a4d7 100755 --- a/config/sarg/sarg_reports.php +++ b/config/sarg/sarg_reports.php @@ -61,7 +61,9 @@ require("guiconfig.inc"); $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=sarg_sync.xml&id=0"); $tab_array[] = array(gettext("Help"), false, "/pkg_edit.php?xml=sarg_about.php"); display_top_tabs($tab_array); + conf_mount_rw(); exec('rm -f /usr/local/www/sarg-images/temp/*'); + conf_mount_ro(); ?> </td></tr> <tr> diff --git a/config/sarg/sarg_schedule.xml b/config/sarg/sarg_schedule.xml index 0c452335..9e1ad709 100644 --- a/config/sarg/sarg_schedule.xml +++ b/config/sarg/sarg_schedule.xml @@ -141,8 +141,11 @@ <fielddescr>Sarg args</fielddescr> <fieldname>args</fieldname> <description><![CDATA[Enter sarg extra args to run on this schedule.<br> - To force sarg to create a report only from current day, use:<br> - <strong>-d `date +%d/%m/%Y`-`date +%d/%m/%Y`</strong>]]></description> + To force sarg to create a report only for specific days, use:<br> + <b>TODAY:</b> -d `date +%d/%m/%Y`<br> + <b>YESTERDAY:</b> -d `date -v-1d +%d/%m/%Y`<br> + <b>WEEKAGO:</b> -d `date -v-1w +%d/%m/%Y`- `date -v-1d +%d/%m/%Y`<br> + <b>MONTHAGO:</b> -d `date -v-1m +01/%m/%Y`-`date -v-1m +31/%m/%Y`]]></description> <type>input</type> <size>50</size> </field> diff --git a/config/sm.php b/config/sm.php new file mode 100644 index 00000000..2e1cc4a0 --- /dev/null +++ b/config/sm.php @@ -0,0 +1,42 @@ +#!/usr/local/bin/php -q +<?php +require_once("config.inc"); +require_once("globals.inc"); +require_once("notices.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if (($pf_version < 2.1)) { + $error = "Sending e-mail on this version of pfSense is not supported. Please use pfSense 2.1 or later"; + log_error($error); + echo "{$error}\n"; + return; +} + +$options = getopt("s::"); + +$message = ""; + +if($options['s'] <> "") { + $subject = $options['s']; +} + + +$in = file("php://stdin"); +foreach($in as $line){ + $line = trim($line); + if ( (substr($line, 0, 6) == "From: ") + || (substr($line, 0, 6) == "Date: ") + || (substr($line, 0, 4) == "To: ")) + continue; + if (empty($subject) && (substr($line, 0, 9) == "Subject: ")) { + $subject = substr($line, 9); + continue; + } + $message .= "$line\n"; +} + +if (!empty($subject)) + send_smtp_message($message, $subject); +else + send_smtp_message($message); +?>
\ No newline at end of file diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d69f6237..98b80d66 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -47,7 +47,7 @@ global $rebuild_rules; /* package version */ $snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.6.0"; +$pfSense_snort_version = "2.6.1"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -67,12 +67,9 @@ else { /* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); -define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); -define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -define("ET_VERSION", "2.9.0"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); -define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); @@ -83,81 +80,6 @@ $rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); -function snort_get_alias_value($alias) { - /***************************************************/ - /* This function returns the value of the passed */ - /* Alias, or an empty string if the value cannot */ - /* be determined. */ - /* */ - /* On Entry: $alias ==> Alias to be evaluated */ - /* Returns: Alias value as a string or an empty */ - /* string */ - /***************************************************/ - - global $config; - - $entries = array(); - $tmp = ""; - - // If no Aliases are defined in the configuration, - // return an empty string. - if (empty($config['aliases'])) - return $tmp; - - // See if we were passed a valid Alias and return - // an empty string if not. - if (!is_alias($alias)) - return $tmp; - - // We have a valid Alias, so find its value or - // values and return as a string. - return snort_unpack_alias($alias); -} - -function snort_unpack_alias($alias) { - - /**************************************************/ - /* This function unpacks an Alias to determine */ - /* the actual values it represents. Any nested */ - /* Aliases encountered are also unpacked via */ - /* recursive calls to this function. */ - /* */ - /* Fully-qualified-domain-name (FQDN) aliases */ - /* are detected and resolved via a pfctl() call. */ - /**************************************************/ - - global $config; - $value = ""; - - // Find the matching Alias entry in config - foreach ($config['aliases']['alias'] as $aliased) { - if($aliased['name'] == $alias) { - $addr = array(); - $addr = explode(" ", trim($aliased['address'])); - foreach ($addr as $a) { - if (!is_alias($a) && !empty($a)) { - if (is_ipaddr($a) || is_subnet($a) || is_port($a)) - // If address, subnet or port, we found the final value - $value .= $a . " "; - elseif (is_hostname($a)) { - // Found a FQDN value for this Alias, so resolve it - $entries = array(); - exec("/sbin/pfctl -t " . escapeshellarg($alias) . " -T show", $entries); - $value .= trim(implode(" ", $entries)); - } - else - continue; - } - elseif (is_alias($a)) - // Found a nested Alias, so recursively resolve it - $value .= snort_unpack_alias($a) . " "; - } - return trim($value); - } - } - return $value; -} - function snort_is_single_addr_alias($alias) { /***************************************************/ /* This function evaluates the passed Alias to */ @@ -172,12 +94,50 @@ function snort_is_single_addr_alias($alias) { /***************************************************/ /* If spaces in expanded Alias, it's not a single entity */ - if (strpos(snort_get_alias_value($alias), " ") !== false) + if (strpos(trim(filter_expand_alias($alias)), " ") !== false) return false; else return true; } +function snort_expand_port_range($ports) { + /**************************************************/ + /* This function examines the passed ports string */ + /* and expands any embedded port ranges into the */ + /* individual ports separated by commas. A port */ + /* range is indicated by a colon in the string. */ + /* */ + /* On Entry: $ports ==> string to be evaluated */ + /* with commas separating */ + /* the port values. */ + /* Returns: string with any encountered port */ + /* ranges expanded. */ + /**************************************************/ + + $value = ""; + + // Split the incoming string on the commas + $tmp = explode(",", $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . ","; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . ","; + $val .= $end; + } + } + $value .= $val . ","; + } + + // Remove any trailing comma in return value + return trim($value, ","); +} + function snort_get_blocked_ips() { $blocked_ips = ""; exec('/sbin/pfctl -t snort2c -T show', $blocked_ips); @@ -359,7 +319,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $vips = $list['vips']; $vpns = $list['vpnips']; if (!empty($list['address']) && is_alias($list['address'])) { - $home_net = explode(" ", trim(snort_get_alias_value($list['address']))); + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } } @@ -2701,7 +2661,7 @@ function snort_generate_conf($snortcfg) { $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = snort_get_alias_value($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } @@ -2749,7 +2709,7 @@ EOD; $http_inspect_server_opts .= " \\\n\tlog_hostname"; } - $http_ports = str_replace(",", " ", $snort_ports['http_ports']); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); /* def http_inspect */ $http_inspect = <<<EOD @@ -2766,8 +2726,8 @@ preprocessor http_inspect_server: server default profile {$http_server_profile} EOD; /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", $snort_ports['telnet_ports']); - $ftp_ports = str_replace(",", " ", $snort_ports['ftp_ports']); + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); $ftp_preprocessor = <<<EOD # ftp_telnet preprocessor # preprocessor ftp_telnet: global \ @@ -2818,7 +2778,7 @@ preprocessor ftp_telnet_protocol: ftp client default \ EOD; - $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); $pop_preproc = <<<EOD # POP preprocessor # preprocessor pop: \ @@ -2830,7 +2790,7 @@ preprocessor pop: \ EOD; - $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); $imap_preproc = <<<EOD # IMAP preprocessor # preprocessor imap: \ @@ -2842,7 +2802,7 @@ preprocessor imap: \ EOD; - $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD # SMTP preprocessor # @@ -2894,7 +2854,7 @@ EOD; $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; $sf_pscan_ignore_scanners = "\$HOME_NET"; if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = snort_get_alias_value($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); } @@ -2909,7 +2869,7 @@ preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ EOD; /* def ssh_preproc */ - $ssh_ports = str_replace(",", " ", $snort_ports['ssh_ports']); + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); $ssh_preproc = <<<EOD # SSH preprocessor # preprocessor ssh: server_ports { {$ssh_ports} } \ @@ -2923,7 +2883,7 @@ preprocessor ssh: server_ports { {$ssh_ports} } \ EOD; /* def other_preprocs */ - $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']); + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); $other_preprocs = <<<EOD # Other preprocs # preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete @@ -2944,7 +2904,7 @@ preprocessor dcerpc2_server: default, policy WinXP, \ EOD; - $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); $sip_preproc = <<<EOD # SIP preprocessor # preprocessor sip: max_sessions 40000, \ @@ -2982,7 +2942,7 @@ preprocessor sip: max_sessions 40000, \ EOD; - $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD # DNS preprocessor # @@ -2993,7 +2953,7 @@ preprocessor dns: \ EOD; /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']); + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); $dnp3_preproc = <<<EOD # DNP3 preprocessor # preprocessor dnp3: \ @@ -3004,7 +2964,7 @@ preprocessor dnp3: \ EOD; /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']); + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); $modbus_preproc = <<<EOD # Modbus preprocessor # preprocessor modbus: \ @@ -3013,7 +2973,7 @@ preprocessor modbus: \ EOD; /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); $gtp_preproc = <<<EOD # GTP preprocessor # preprocessor gtp: ports { {$gtp_ports} } @@ -3021,7 +2981,7 @@ preprocessor gtp: ports { {$gtp_ports} } EOD; /* def ssl_preprocessor */ - $ssl_ports = str_replace(",", " ", $snort_ports['ssl_ports']); + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); $ssl_preproc = <<<EOD # SSL preprocessor # preprocessor ssl: \ @@ -3058,8 +3018,8 @@ EOD; $vardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = snort_get_alias_value($snortcfg["def_{$alias}"]); - $avalue = str_replace(" ", ",", trim($avalue)); + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); } $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; } diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 3d4c8016..49bec61c 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.9.4.6</version> - <title>Services:2.9.4.6 pkg v. 2.6.0</title> + <title>Services:2.9.4.6 pkg v. 2.6.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 0295ed2f..728de751 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -171,7 +171,7 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; + $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); } } @@ -183,7 +183,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -208,7 +208,7 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); else /* We did not find the defined list, so notify the user with an error */ $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); @@ -221,8 +221,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($fd) fclose($fd); conf_mount_ro(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed if snort is run as snort user */ mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); @@ -233,22 +232,28 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); if (file_exists("/tmp/{$file_name}")) { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp file @unlink("/tmp/{$file_name}"); } - header("Location: /snort/snort_alerts.php?instance={$instanceid}"); - exit; + else + $savemsg = gettext("An error occurred while creating archive"); } /* Load up an array with the current Suppression List GID,SID values */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index a81b03d7..983e8905 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -67,7 +67,6 @@ if ($_POST['download']) exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); /* build the list */ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { - ob_start(); //important or other posts will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_blocked_{$save_date}.tar.gz"; exec('/bin/mkdir -p /tmp/snort_blocked'); @@ -79,24 +78,32 @@ if ($_POST['download']) file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); } - exec("/usr/bin/tar cf /tmp/{$file_name} /tmp/snort_blocked"); + // Create a tar gzip archive of blocked host IP addresses + exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/snort_blocked snort_block.pf"); + // If we successfully created the archive, send it to the browser. if(file_exists("/tmp/{$file_name}")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail readfile("/tmp/{$file_name}"); - ob_end_clean(); //importanr or other post will fail + + // Clean up the temp files and directory @unlink("/tmp/{$file_name}"); exec("/bin/rm -fr /tmp/snort_blocked"); } else - $savemsg = "An error occurred while creating archive"; + $savemsg = gettext("An error occurred while creating archive"); } else - $savemsg = "No content on snort block list"; + $savemsg = gettext("No content on snort block list"); } if ($_POST['save']) diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 30da4b74..e7263330 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -35,29 +35,25 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; - -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); +if (!defined("ETPRO_BASE_DNLD_URL")) + define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("ETPRO_DNLD_FILENAME")) + define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); -if (!defined("FLOWBITS_FILENAME")) - define("FLOWBITS_FILENAME", "flowbit-required.rules"); -if (!defined("ENFORCING_RULES_FILENAME")) - define("ENFORCING_RULES_FILENAME", "snort.rules"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); - $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; @@ -72,8 +68,10 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$etproid = $config['installedpackages']['snortglobal']['etpro_code']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; @@ -81,19 +79,39 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; /* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; -$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +/* Grab the Snort binary version programmatically and use it to construct */ +/* the proper Snort VRT rules tarball and md5 filenames. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +// Save the version with decimal delimiters for use in extracting the rules +$snort_version = $snortver[0]; +// Create a collapsed version string for use in the tarball filename +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +$snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules filenames and URL */ -$emergingthreats_filename = ET_DNLD_FILENAME; -$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; -$emerging_threats_version = ET_VERSION; -$emergingthreats_url = ET_BASE_DNLD_URL; -// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules -$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; -$emergingthreats_url .= "snort-" . ET_VERSION . "/"; +/* Set up Emerging Threats rules filenames and URL */ +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ETPRO_BASE_DNLD_URL; + $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; + $emergingthreats = "on"; + $et_name = "Emerging Threats Pro"; + $et_md5_remove = ET_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ET_BASE_DNLD_URL; + // If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules + $emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; + $emergingthreats_url .= "snort-" . ET_VERSION . "/"; + $et_name = "Emerging Threats Open"; + $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} /* Snort GPLv2 Community Rules filenames and URL */ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -112,7 +130,13 @@ function snort_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + + // Initialize required variables for pfSense "read_body()" function + $file_size = 1; + $downloaded = 1; + $first_progress_update = TRUE; + /* Array of message strings for HTTP Response Codes */ $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", @@ -418,34 +442,34 @@ if ($snortcommunityrules == 'on') { /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading EmergingThreats md5 file...")); - error_log(gettext("\tDownloading EmergingThreats md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); + update_status(gettext("Downloading {$et_name} md5 file...")); + error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); + error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + update_status(gettext("{$et_name} rules are up to date...")); + log_error(gettext("[Snort] {$et_name} rules are up to date...")); + error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } } else { if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tEmergingThreats md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); + log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -453,9 +477,9 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of EmergingThreats rules posted.\n"), 3, $snort_rules_upd_log); + update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); + log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); @@ -463,29 +487,29 @@ if ($emergingthreats == "on") { if ($rc === true) { if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); + log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } else { if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + update_status(gettext('Done downloading {$et_name} rules file.')); + log_error("[Snort] {$et_name} rules file update downloaded successfully"); + error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); } } else { if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); - update_output_window(gettext("EmergingThreats rules file download failed...")); + update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); + update_output_window(gettext("{$et_name} rules file download failed...")); } - log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; @@ -497,22 +521,34 @@ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { - update_status(gettext("Extracting EmergingThreats.org rules...")); - update_output_window(gettext("Installing EmergingThreats rules...")); + update_status(gettext("Extracting {$et_name} rules...")); + update_output_window(gettext("Installing {$et_name} rules...")); } - error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + /* Remove the old Emerging Threats rules files */ + array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -527,10 +563,10 @@ if ($emergingthreats == 'on') { @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") { - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); - update_output_window(gettext("Installation of EmergingThreats rules completed...")); + update_status(gettext("Extraction of {$et_name} rules completed...")); + update_output_window(gettext("Installation of {$et_name} rules completed...")); } - error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } } @@ -544,6 +580,9 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; + /* Remove the old Snort rules files */ + array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); update_output_window(gettext("Installing Sourcefire VRT rules...")); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 2a6d47ff..ca549820 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -203,15 +203,18 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> <input name="def_<?=$key;?>" size="40" type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/><?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -226,14 +229,17 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -262,6 +268,9 @@ if ($savemsg) if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 1f87fbbc..09ab646a 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -40,8 +40,14 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; -$snort_rules_file = VRT_DNLD_FILENAME; -$emergingthreats_filename = ET_DNLD_FILENAME; + +/* Grab the Snort binary version programmatically and */ +/* use it to construct the proper Snort VRT rules */ +/* tarball filename. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ @@ -49,8 +55,18 @@ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $et_name = "EMERGING THREATS PRO RULES"; +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $et_name = "EMERGING THREATS RULES"; +} + /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) @@ -138,9 +154,9 @@ h += 96; <p style="text-align: left; margin-left: 225px;"> <font color="#777777" size="2.5px"> <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> - <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> + <font color="#FF850A" size="1px"><b>SNORT VRT RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> + <font color="#FF850A" size="1px"><b><?=$et_name;?> --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br/> <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> @@ -160,7 +176,7 @@ h += 96; <?php - if ($snortdownload != 'on' && $emergingthreats != 'on') { + if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on') { echo ' <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index d28ec2b4..089255b6 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -44,7 +44,9 @@ $snortdir = SNORTDIR; /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; @@ -63,14 +65,22 @@ if ($_POST['rule_update_starttime']) { $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } +if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) + $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) + $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; + /* if no errors move foward */ if (!$input_errors) { if ($_POST["Submit"]) { - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { @@ -160,19 +170,14 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" - <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> - <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> - </tr> - <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();" <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> - <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> + <td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td> <tr> <td> </td> - <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br> <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> - <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> + <?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td> </tr> <tr> <td colspan="2"> </td> @@ -180,17 +185,17 @@ if ($input_errors) </table> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> - <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?></strong></span></td> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> </tr> - </table> + </table> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . @@ -198,7 +203,7 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> @@ -212,11 +217,41 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> - <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . - "moving and diverse Snort Rules."); ?></span></td> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " . + "is more limited than ETPro."); ?></span></td> + </tr> + <tr> + <td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td> </tr> + <tr> + <td> </td> + <td><a href="http://www.emergingthreats.net/solutions/etpro-ruleset/" target="_blank"><?php echo gettext("Sign Up for an ETPro Account"); ?> </a></td> + </tr> + <tr> + <td> </td> + <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> + </tr> + <tr> + <td colspan="2"> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> + <td><input name="etpro_code" type="text" + class="formfld" id="etpro_code" size="52" + value="<?=htmlspecialchars($pconfig['etpro_code']);?>" + <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td> + </tr> </table> </td> </tr> @@ -330,13 +365,28 @@ if ($input_errors) <script language="JavaScript"> <!-- -function enable_snort_vrt(btn) { - if (btn == 'off') { - document.iform.oinkmastercode.disabled = "true"; +function enable_snort_vrt() { + var endis = !(document.iform.snortdownload.checked); + document.iform.oinkmastercode.disabled = endis; + document.iform.etpro_code.disabled = endis; +} + +function enable_et_rules() { + var endis = document.iform.emergingthreats.checked; + if (endis) { + document.iform.emergingthreats_pro.checked = !(endis); + document.iform.etpro_code.disabled = "true"; } - if (btn == 'on') { - document.iform.oinkmastercode.disabled = ""; - } +} + +function enable_etpro_rules() { + var endis = document.iform.emergingthreats_pro.checked; + if (endis) { + document.iform.emergingthreats.checked = !(endis); + document.iform.etpro_code.disabled = ""; + } + else + document.iform.etpro_code.disabled = "true"; } function enable_change_rules_upd() { diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index fc157375..671fa4e5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -261,7 +261,7 @@ if ($savemsg) <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> - <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> + <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/> </td> </tr> <tr> @@ -287,6 +287,9 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; + // Skip any Alias that resolves to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 6c839846..95d5a10e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -1161,8 +1161,8 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> - <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> </td> @@ -1315,6 +1315,8 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c9d90597..c9852597 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file, $rebuild_rules; +global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -106,6 +106,7 @@ function add_title_attribute($tag, $title) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $categories = explode("||", $pconfig['rulesets']); @@ -117,7 +118,7 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules")) { +if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { if (!empty($a_rule[$id]['ips_policy'])) $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); else @@ -133,6 +134,9 @@ $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. + // If it is the auto-flowbits file, set the full path. + if ($currentruleset == "Auto-Flowbit Rules") + $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; // Test for the special case of an IPS Policy file. if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); @@ -193,8 +197,6 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { write_config(); $_GET['openruleset'] = $currentruleset; -// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); -// exit; $anchor = "rule_{$sid}"; } @@ -334,7 +336,7 @@ if ($_POST['customrules']) { $rebuild_rules = false; $output = ""; $retcode = ""; - exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); + exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); if (intval($retcode) != 0) { $error = ""; $start = count($output); @@ -436,6 +438,8 @@ if ($savemsg) { $files = explode("||", $pconfig['rulesets']); if ($a_rule[$id]['ips_policy_enable'] == 'on') $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + if ($a_rule[$id]['autoflowbitrules'] == 'on') + $files[] = "Auto-Flowbit Rules"; natcasesort($files); foreach ($files as $value) { if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") @@ -517,6 +521,17 @@ if ($savemsg) { title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?> <?php echo gettext("Enable all rules in the current Category"); ?></td> </tr> + <?php if ($currentruleset == 'Auto-Flowbit Rules'): ?> + <tr> + <td colspan="3"> </td> + </tr> + <tr> + <td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" . + gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . + "<a href='snort_rules_flowbits.php?id={$id}' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . + gettext("clicking here") . ".</a>";?></td> + </tr> + <?php endif;?> </table> </td> </tr> @@ -564,27 +579,32 @@ if ($savemsg) { foreach ($rulem as $k2 => $v) { $sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); } // Pick off the first section of the rule (prior to the start of the MSG field), @@ -611,7 +631,7 @@ if ($savemsg) { <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" - title='" . gettext("Click to toggle enabled/disabled state") . "'></a> + title='{$title}'></a> $textse </td> <td class=\"listlr\" align=\"center\"> @@ -638,8 +658,8 @@ if ($savemsg) { ?> <td align="right" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> </td> </tr> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index a1f45c07..c0087464 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -37,7 +37,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $flowbit_rules_file; +$flowbit_rules_file = FLOWBITS_FILENAME; $snortdir = SNORTDIR; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { @@ -60,10 +60,17 @@ if (isset($id) && $a_rule[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $file = $_GET['openruleset']; $contents = ''; $wrap_flag = "off"; +// Correct displayed file title if necessary +if ($file == "Auto-Flowbit Rules") + $displayfile = FLOWBITS_FILENAME; +else + $displayfile = $file; + // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, // a standard rules file, or a complete file name. @@ -87,13 +94,18 @@ if (substr($file, 0, 10) == "IPS Policy") { } // Is it a SID to load the rule text from? elseif (isset($_GET['ids'])) { - $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); + // If flowbit rule, point to interface-specific file + if ($file == "Auto-Flowbit Rules") + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + else + $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } + // Is it our special flowbit rules file? -elseif ($file == $flowbit_rules_file) - $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); +elseif ($file == "Auto-Flowbit Rules") + $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); @@ -101,10 +113,8 @@ elseif (file_exists("{$snortdir}/rules/{$file}")) elseif (file_exists($file)) $contents = file_get_contents($file); // It is not something we can display, so exit. -else { - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}"); - exit; -} +else + $input_errors[] = gettext("Unable to open file: {$displayfile}"); $pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> @@ -128,7 +138,7 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); <input type="button" class="formbtn" value="Return" onclick="window.close()"> </td> <td align="right"> - <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> + <b><?php echo gettext("Rules File: ") . '</b> ' . $displayfile; ?> </td> </tr> <tr> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 7a653af8..92330ebf 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -50,6 +50,21 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; +// Set who called us so we can return to the correct page with +// the RETURN button. We will just trust this User-Agent supplied +// string for now. +session_start(); +if(!isset($_SESSION['org_referer'])) + $_SESSION['org_referer'] = $_SERVER['HTTP_REFERER']; +$referrer = $_SESSION['org_referer']; + +if ($_POST['cancel']) { + unset($_SESSION['org_referer']); + session_write_close(); + header("Location: {$referrer}"); + exit; +} + $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -88,14 +103,15 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { $s_list = array(); - $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['name'] = $a_nat[$id]['interface'] . "suppress" . "_" . $s_list['uuid']; + $s_list['descr'] = "Auto-generated list for Alert suppression"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_nat[$id]['suppresslistname'] = $s_list['name']; $found_list = true; } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_nat[$id]['suppresslistname']) { $found_list = true; @@ -105,6 +121,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } } } } @@ -112,7 +132,8 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ write_config(); $rebuild_rules = false; sync_snort_package_config(); - $savemsg = gettext("Wrote suppress rule for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' to the '{$a_nat[$id]['suppresslistname']}' Suppression List."); + snort_reload_config($a_nat[$id]); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -179,8 +200,9 @@ if ($savemsg) <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> - <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php - echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + <td rowspan="3" align="right"><input id="cancel" name="cancel" type="submit" class="formbtn" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /></td> </tr> <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> @@ -272,7 +294,7 @@ if ($savemsg) <?php if ($count > 20): ?> <tr> <td align="center" valign="middle"> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> <input name="id" type="hidden" value="<?=$id;?>" /> </td> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 7ec0edbd..3c613f84 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -63,6 +63,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; $no_emerging_files = false; @@ -70,10 +71,13 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') + $test = glob("{$snortdir}/rules/emerging-*.rules"); +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) + $test = glob("{$snortdir}/rules/etpro-*.rules"); if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort_*.rules"); +$test = glob("{$snortdir}/rules/snort*.rules"); if (empty($test)) $no_snort_files = true; if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) @@ -184,10 +188,16 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging*.rules"); + $files = glob("{$snortdir}/rules/emerging-*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } + elseif ($etpro == 'on') { + $files = glob("{$snortdir}/rules/etpro-*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + if ($snortcommunitydownload == 'on') { $files = glob("{$snortdir}/rules/*_community.rules"); foreach ($files as $file) @@ -421,7 +431,10 @@ if ($savemsg) { <tr id="frheader"> <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Open Rules');?></td> + <?php elseif ($etpro == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> <?php endif; ?> @@ -446,7 +459,9 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging") && $emergingdownload == 'on') + if (strstr($filename, "emerging-") && $emergingdownload == 'on') + $emergingrules[] = $filename; + else if (strstr($filename, "etpro-") && $etpro == 'on') $emergingrules[] = $filename; else if (strstr($filename, "snort") && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) diff --git a/config/softflowd/softflowd.xml b/config/softflowd/softflowd.xml new file mode 100644 index 00000000..149631b8 --- /dev/null +++ b/config/softflowd/softflowd.xml @@ -0,0 +1,137 @@ +<packagegui> + <name>softflowd</name> + <version>0.9.8</version> + <title>softflowd: Settings</title> + <aftersaveredirect>pkg_edit.php?xml=softflowd.xml&id=0</aftersaveredirect> + <menu> + <name>softflowd</name> + <tooltiptext>Modify softflowd settings.</tooltiptext> + <section>Services</section> + <configfile>softflowd.xml</configfile> + <url>/pkg_edit.php?xml=softflowd.xml&id=0</url> + </menu> + <service> + <name>softflowd</name> + <rcfile>softflowd.sh</rcfile> + <executable>softflowd</executable> + <description>Netflow export daemon</description> + </service> + <configpath>installedpackages->package->$packagename->configuration->settings</configpath> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>interface</fieldname> + <type>interfaces_selection</type> + <description>Pick an interface from which to collect netflow data. A separate instance of softflowd will be launched for each interface.</description> + <multiple/> + </field> + <field> + <fielddescr>Host</fielddescr> + <fieldname>host</fieldname> + <description>Specify the host to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Enter the port to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Max Flows</fielddescr> + <fieldname>maxflows</fieldname> + <description>Specify the maximum number of flows to concurrently track before older flows are expired. Default: 8192.</description> + <type>input</type> + </field> + <field> + <fielddescr>Netflow version</fielddescr> + <fieldname>version</fieldname> + <description>Select the desired version of the NetFlow protocol.</description> + <type>select</type> + <options> + <option> + <name>9</name> + <value>9</value> + </option> + <option> + <name>5</name> + <value>5</value> + </option> + <option> + <name>1</name> + <value>1</value> + </option> + </options> + </field> + </fields> + <custom_php_global_functions> + <![CDATA[ + function sync_package_softflowd() { + conf_mount_rw(); + config_lock(); + global $config; + $cf = $config['installedpackages']['softflowd']['config'][0]; + $interface_list = explode(",", $cf['interface']); + if (!empty($cf['host']) && !empty($interface_list)) { + $cf['host'] = is_ipaddrv6($cf['host']) ? "[{$cf['host']}]" : $cf['host']; + $start = "/usr/bin/killall -9 softflowd"; + foreach ($interface_list as $interface_friendly) { + if (empty($interface_friendly)) + continue; + $interface = get_real_interface($interface_friendly); + if (empty($interface)) + continue; + $start .= "\n\t/usr/local/sbin/softflowd "; + $start .= " -i {$interface}"; + $start .= " -n {$cf['host']}:{$cf['port']}"; + if (is_numeric($cf['maxflows'])) + $start .= " -m {$cf['maxflows']}"; + if ($cf['version'] != "") + $start .= " -v {$cf['version']}"; + $start .= " -p /var/run/softflowd.{$interface}.pid"; + $start .= " -c /var/run/softflowd.{$interface}.ctl"; + } + write_rcfile(array( + "file" => "softflowd.sh", + "start" => $start, + "stop" => "/usr/bin/killall -9 softflowd" + ) + ); + restart_service("softflowd"); + } + conf_mount_ro(); + config_unlock(); + } + + function validate_form_softflowd($post, $input_errors) { + if (($post['host'] == "") || !is_ipaddr($post['host'])) + $input_errors[] = 'You must specify a valid ip address in the \'Host\' field'; + if (($post['port'] == "") || !is_port($post['port'])) + $input_errors[] = 'You must specify a valid port number in the \'Port\' field'; + } + + function cleanup_config_softflowd() { + global $a_pkg; + $pffconf = array(); + if (is_array($a_pkg)) { + foreach($a_pkg as $cf) { + if ($cf['host'] != "") { + $pffconf = $cf; + } + } + } + $a_pkg = array(); + $a_pkg[0] = $pffconf; + } + ]]> + </custom_php_global_functions> + <custom_php_resync_config_command> + sync_package_softflowd(); + </custom_php_resync_config_command> + <custom_php_validation_command> + validate_form_softflowd($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + cleanup_config_softflowd(); + </custom_php_command_before_form> +</packagegui> diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 34186407..e136d9f8 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -447,12 +447,13 @@ function squid_validate_nac($post, $input_errors) { $input_errors[] = "The time range '$time' is not a valid time range"; } - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!empty($mgr) && !is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + } + } } function squid_validate_traffic($post, $input_errors) { diff --git a/config/squid3/31/squid_reverse.xml b/config/squid3/31/squid_reverse.xml index ce09f8e7..7c25c371 100644 --- a/config/squid3/31/squid_reverse.xml +++ b/config/squid3/31/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid3/33/pkg_squid.inc b/config/squid3/33/pkg_squid.inc new file mode 100644 index 00000000..47b64e2d --- /dev/null +++ b/config/squid3/33/pkg_squid.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['squid'] = array(); +$shortcuts['squid']['main'] = "pkg_edit.php?xml=squid.xml"; +$shortcuts['squid']['log'] = "squid_monitor.php"; +$shortcuts['squid']['status'] = "status_services.php"; +$shortcuts['squid']['service'] = "squid"; + +?>
\ No newline at end of file diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 1da86847..c55160bc 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -40,7 +40,8 @@ require_once('service-utils.inc'); if(!function_exists("filter_configure")) require_once("filter.inc"); - + +$shortcut_section = "squid"; $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); @@ -155,7 +156,9 @@ function squid_install_command() { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; if (is_array($config['installedpackages']['squid']['config'])) $settingsgen = $config['installedpackages']['squid']['config'][0]; - + + if (file_exists("/usr/local/pkg/check_ip.php")) + rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php"); /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -659,7 +662,7 @@ function squid_validate_auth($post, $input_errors) { } $auth_method = $post['auth_method']; - if (($auth_method != 'none') && ($auth_method != 'local')) { + if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; @@ -1633,13 +1636,22 @@ function squid_resync_auth() { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + if ($transparent_proxy){ + if (preg_match ("/(none|cp)/",$settings['auth_method'])) + $auth_method=$settings['auth_method']; + else + $auth_method="none"; + } + else{ + $auth_method=$settings['auth_method']; + } // Allow the remaining ACLs if no authentication is set - if ($auth_method == 'none') { + if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .="http_access deny sglog\n"; - + } + if ($auth_method == 'none' ) { $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1658,7 +1670,7 @@ function squid_resync_auth() { } // Set up the external authentication programs - $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5); $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { @@ -1674,11 +1686,17 @@ function squid_resync_auth() { $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; + case 'cp': + $conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "acl dgfilter external check_filter\n"; + $conf .= "http_access allow dgfilter\n"; + break; case 'msnt': $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } + if ($auth_method != 'cp'){ $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1686,7 +1704,7 @@ auth_param basic credentialsttl $auth_ttl minutes acl password proxy_auth REQUIRED EOD; - + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); @@ -1703,13 +1721,15 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($auth_method != 'cp'){ + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; @@ -1844,7 +1864,7 @@ function squid_print_javascript_auth() { $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); // No authentication for transparent proxy - if ($transparent_proxy) { + if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -1959,6 +1979,24 @@ function on_auth_method_changed() { document.iform.radius_secret.disabled = 1; document.iform.msnt_secondary.disabled = 0; break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> @@ -1975,43 +2013,51 @@ function squid_print_javascript_auth2() { } function squid_generate_rules($type) { - global $config; + global $config,$pf_version; $squid_conf = $config['installedpackages']['squid']['config'][0]; - //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/} set 1 skipto 65314/',$line)){ - $found_rule++; - $new_line =""; + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line){ + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)){ + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0){ + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + } + } + else{ + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; + } + } + $new_cp_inc .= $new_line; } - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); } - $new_cp_inc .= $new_line; - } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); - } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); - } - //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index d64aabb9..a8bc0530 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -238,7 +238,16 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid3/33/squid_log_parser.php</item> </additional_files_needed> - + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/pkg_squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/check_ip.php</item> + </additional_files_needed> <fields> <field> <name>Squid General Settings</name> diff --git a/config/squid3/33/squid_auth.xml b/config/squid3/33/squid_auth.xml index 111085a8..e71a7e8d 100755 --- a/config/squid3/33/squid_auth.xml +++ b/config/squid3/33/squid_auth.xml @@ -110,6 +110,7 @@ <option><name>Local</name><value>local</value></option> <option><name>LDAP</name><value>ldap</value></option> <option><name>RADIUS</name><value>radius</value></option> + <option><name>Captive Portal</name><value>cp</value></option> <option><name>NT domain</name><value>msnt</value></option> </options> <onchange>on_auth_method_changed()</onchange> @@ -140,16 +141,16 @@ <fieldname>auth_processes</fieldname> <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> - <size>60</size> + <size>5</size> <default_value>5</default_value> </field> <field> <fielddescr>Authentication TTL</fielddescr> <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description> <type>input</type> - <size>60</size> - <default_value>60</default_value> + <size>5</size> + <default_value>5</default_value> </field> <field> <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> @@ -193,7 +194,7 @@ <fieldname>ldap_pass</fieldname> <description>Enter here the password to use to connect to the LDAP server.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> <field> <fielddescr>LDAP base domain</fielddescr> @@ -207,7 +208,7 @@ <fieldname>ldap_userattribute</fieldname> <description>Enter LDAP username DN attibute.</description> <type>input</type> - <size>60</size> + <size>20</size> <default_value>uid</default_value> </field> <field> @@ -215,7 +216,7 @@ <fieldname>ldap_filter</fieldname> <description>Enter LDAP search filter.</description> <type>input</type> - <size>60</size> + <size>40</size> <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> @@ -245,7 +246,7 @@ <fieldname>radius_secret</fieldname> <description>The RADIUS secret for RADIUS authentication.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> </fields> <custom_php_validation_command> @@ -262,7 +263,7 @@ </custom_php_before_form_command> <custom_php_after_head_command> $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - if($transparent_proxy) + if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; squid_print_javascript_auth(); </custom_php_after_head_command> diff --git a/config/squid3/33/squid_monitor.php b/config/squid3/33/squid_monitor.php index 3a7b1d01..272cc9c4 100755 --- a/config/squid3/33/squid_monitor.php +++ b/config/squid3/33/squid_monitor.php @@ -43,6 +43,7 @@ if(strstr($pfSversion, "1.2")) $one_two = true; $pgtitle = "Status: Proxy Monitor"; +$shortcut_section = "squid"; include("head.inc"); ?> diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml index ce09f8e7..7c25c371 100755 --- a/config/squid3/33/squid_reverse.xml +++ b/config/squid3/33/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc index ab44ae8d..5dbfcc43 100644 --- a/config/squidGuard/squidguard_configurator.inc +++ b/config/squidGuard/squidguard_configurator.inc @@ -205,6 +205,7 @@ define('SQUIDGUARD_GUILOG_LEVEL', SQUIDGUARD_INFO); # log level define('SQUIDGUARD_GUILOG_MAXCOUNT', 500); # log max lines define('SQUIDGUARD_GUILOG_ENABLE', true); # on/off gui log - option override GUI settings define('SQUIDGUARD_LOG_ENABLE', true); # on/off SG log - option override GUI settings +define('SQUIDGUARD_LOGROTATE_MAXCOUNT', 1000); # logrotate max lines # define('FLT_DEFAULT_ALL', 'all'); @@ -1920,7 +1921,8 @@ function acl_remove_blacklist_items($items) # ----------------------------------------------------------------------------- function sg_script_logrotate() { - + $lines = SQUIDGUARD_LOGROTATE_MAXCOUNT; + global $squidguard_config; $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE; diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc index 75d5bb4d..e1b4d35e 100644 --- a/config/syslog-ng/syslog-ng.inc +++ b/config/syslog-ng/syslog-ng.inc @@ -235,7 +235,7 @@ function syslogng_get_log_files($objects) { foreach($objects as $object) { if($object['objecttype'] == 'destination') { - preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); + preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); if($match) { $log_file = $match[1]; array_push($log_files, $log_file); @@ -433,4 +433,4 @@ EOD; conf_mount_rw(); write_rcfile($rc); } -?>
\ No newline at end of file +?> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index d013608c..6e55d577 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -118,7 +118,6 @@ function unbound_keys_setup() { function unbound_rc_setup() { global $config; - // Startup process and idea taken from TinyDNS package (author sullrich@gmail.com) $filename = "unbound.sh"; $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP @@ -198,7 +197,7 @@ function unbound_control($action) { case "start": //Start unbound - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { if(!is_service_running("unbound")) unbound_ctl_exec("start"); /* Link dnsmasq.pid to prevent dhcpleases logging error */ @@ -213,7 +212,7 @@ function unbound_control($action) { case "stop": //Stop unbound and unmount the file system - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); unbound_ctl_exec("stop"); } @@ -240,7 +239,9 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor + conf_mount_rw(); mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); + conf_mount_ro(); break; default: break; @@ -461,15 +462,14 @@ function unbound_resync_config() { private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 -private-address: 192.254.0.0/16 +private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 # Set private domains in case authorative name server returns a RFC1918 IP address EOF; - // Add private-domain options - $private_domains = unbound_add_domain_overrides(true); - + // Add private-domain options + $private_domains = unbound_add_domain_overrides(true); } //Setup optimization @@ -547,6 +547,7 @@ harden-dnssec-stripped: {$harden_dnssec_stripped} {$optimization['rrset_cache_size']} outgoing-range: 8192 {$optimization['so_rcvbuf']} +{$optimization['so_sndbuf']} # Interface IP(s) to bind to {$unbound_bind_interfaces} @@ -649,18 +650,21 @@ function unbound_optimization() { // Check that it is set to 4MB (by default the OS has it configured to 4MB) foreach ($config['sysctl']['item'] as $tunable) { if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') { - $so = floor(($tunable['value']/1024/1024)-1); + if ($tunable['value'] == 'default') + $maxsockbuf = '4262144'; + else + $maxsockbuf = $tunable['value']; + $so = floor(($maxsockbuf/1024/1024)-1); // Check to ensure that the number is not a negative - if ($so > 0) + if ($so > 0) { $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m"; - else - unset($optimization['so_rcvbuf']); - + $optimization['so_sndbuf'] = "so-sndbuf: {$so}m"; + } else { + $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; + $optimization['so_sndbuf'] = "#so-sndbuf: 4m"; + } } } - // Safety check in case kern.ipc.maxsockbuf is deleted. - if(!isset($optimization['so_rcvbuf'])) - $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; return $optimization; } @@ -694,7 +698,7 @@ function fetch_root_hints() { function unbound_validate($post, $type=null) { global $config, $input_errors; - if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) + if($post['enable'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; /* Validate the access lists */ @@ -741,7 +745,7 @@ function unbound_reconfigure() { $unbound_config = $config['installedpackages']['unbound']['config'][0]; - if ($unbound_config['unbound_status'] != "on") { + if ($unbound_config['enable'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); } else { @@ -820,30 +824,49 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } + $added_item_v4 = array(); + $added_item_v6 = array(); if ($config['interfaces']['lan']) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6("lan"); + if (is_ipaddrv6($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } } else { $sysiflist = get_configured_interface_list(); foreach ($sysiflist as $sysif) { if (!interface_has_gateway($sysif)) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; - break; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6($sysif); + if (is_ipaddr($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } + if (is_ipaddr($cfgip) || is_ipaddr($cfgip6)) + break; } } } - $added_item_v4 = array(); - $added_item_v6 = array(); // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; @@ -852,7 +875,7 @@ function unbound_add_host_entries() { foreach ($hosts as $host) { $current_host = ($host['host'] != "") ? $host['host'].".".$host['domain'] : $host['domain']; if (function_exists("is_ipaddrv6") && is_ipaddrv6($host['ip'])) { - if (!$added_item_v6[$curent_host]) { + if (!$added_item_v6[$current_host]) { $host_entries .= "local-data-ptr: \"{$host['ip']} {$current_host}\"\n"; $host_entries .= "local-data: \"{$current_host} IN AAAA {$host['ip']}\"\n"; $added_item_v6[$current_host] = true; diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 10de1f97..20f3d250 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -80,6 +80,9 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> + <system_services> + <dns/> + </system_services> <tabs> <tab> <text>Unbound DNS Settings</text> @@ -106,7 +109,7 @@ <type>listtopic</type> </field> <field> - <fieldname>unbound_status</fieldname> + <fieldname>enable</fieldname> <fielddescr>Enable Unbound</fielddescr> <description>Enable the use of Unbound as your DNS forwarder.</description> <type>checkbox</type> diff --git a/config/varnish3/pkg_varnish.inc b/config/varnish3/pkg_varnish.inc new file mode 100755 index 00000000..509f24e5 --- /dev/null +++ b/config/varnish3/pkg_varnish.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['varnish'] = array(); +$shortcuts['varnish']['main'] = "pkg.php?xml=varnish_backends.xml"; +$shortcuts['varnish']['log'] = "diag_logs.php"; +$shortcuts['varnish']['status'] = "status_services.php"; +$shortcuts['varnish']['service'] = "varnish"; + +?>
\ No newline at end of file diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc index 4adf0575..983804c9 100644 --- a/config/varnish3/varnish.inc +++ b/config/varnish3/varnish.inc @@ -4,7 +4,7 @@ varnish.inc part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho Copyright (C) 2012 Marcio Carlos Antao All rights reserved. */ @@ -32,6 +32,14 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ +$shortcut_section = "varnish"; + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('VARNISH_LOCALBASE', '/usr/pbi/varnish-' . php_uname("m")); +else + define('VARNISH_LOCALBASE','/usr/local'); + function varnish_settings_post_validate($post, $input_errors) { if( !is_numeric($post['storagesize'])) @@ -244,7 +252,6 @@ mkdir -p /var/varnish rm /var/varnish/storage.bin 2>/dev/null killall varnishd 2>/dev/null sleep 1 -sysctl kern.ipc.nmbclusters=65536 sysctl kern.ipc.somaxconn=16384 sysctl kern.maxfiles=131072 sysctl kern.maxfilesperproc=104856 @@ -641,7 +648,15 @@ sub vcl_fini { } EOF; - + file_put_contents("/var/etc/default.vcl",$varnish_config_file,LOCK_EX); + $cc_file="/usr/local/bin/cc"; + foreach (glob(VARNISH_LOCALBASE."/bin/gcc*") as $bin_file) { + $gcc_file=$bin_file; + } + if (!file_exists($cc_file) && file_exists($gcc_file)){ + symlink($gcc_file,$cc_file); + } + $fd = fopen("/var/etc/default.vcl", "w"); fwrite($fd, $varnish_config_file); fclose($fd); @@ -652,29 +667,67 @@ EOF; /* Uses XMLRPC to synchronize the changes to a remote node */ function varnish_sync_on_changes() { global $config, $g; - log_error("[varnish] varnish_xmlrpc_sync.php is starting."); - $synconchanges = $config['installedpackages']['varnishsync']['config'][0]['synconchanges']; - if(!$synconchanges) - return; - foreach ($config['installedpackages']['varnishsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if($password && $sync_to_ip) - varnish_do_xmlrpc_sync($sync_to_ip, $password); + if (is_array($config['installedpackages']['varnishsync']['config'])){ + $varnish_sync=$config['installedpackages']['varnishsync']['config'][0]; + $synconchanges = $varnish_sync['synconchanges']; + $synctimeout = $varnish_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($varnish_sync[row])){ + $rs=$varnish_sync[row]; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no hosts to push on varnish config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no system backup hosts to push varnish config."); + return; + } + break; + default: + return; + break; } - } - log_error("[varnish] varnish_xmlrpc_sync.php is ending."); + if (is_array($rs)){ + log_error("[varnish] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[varnish] xmlrpc sync is ending."); + } + } } /* Do the actual XMLRPC sync */ -function varnish_do_xmlrpc_sync($sync_to_ip, $password) { +function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { global $config, $g; - + + if(!$username) + return; + if(!$password) return; if(!$sync_to_ip) return; + + if(!$synctimeout) + $synctimeout=25; $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { @@ -710,18 +763,18 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); @@ -742,15 +795,15 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { log_error("varnish XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml index e480a8d6..28e7caca 100644 --- a/config/varnish3/varnish_backends.xml +++ b/config/varnish3/varnish_backends.xml @@ -9,7 +9,7 @@ varnish_backends.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. /*/ /* ========================================================================== */ @@ -85,6 +85,11 @@ <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/varnish3/varnishstat.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/varnish3/pkg_varnish.inc</item> + </additional_files_needed> <menu> <name>Varnish</name> <tooltiptext>Varnish</tooltiptext> @@ -129,14 +134,23 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>IPAddress</fielddescr> <fieldname>ipaddress</fieldname> </columnitem> <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> <fielddescr>Name</fielddescr> <fieldname>backendname</fieldname> - </columnitem> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> </adddeleteeditpagefields> <fields> <field> @@ -163,9 +177,17 @@ <fieldname>port</fieldname> <description>Enter the TCP/IP port of the webserver.</description> <type>input</type> + <size>6</size> <validate>^[0-9]+$</validate> </field> <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this Backend.</description> + <type>input</type> + <size>40</size> + </field> + <field> <fielddescr>PerformanceMetrics</fielddescr> <fieldname>PerformanceMetrics</fieldname> <type>listtopic</type> diff --git a/config/varnish3/varnish_custom_vcl.xml b/config/varnish3/varnish_custom_vcl.xml index 86a9cdca..c0bb0e80 100644 --- a/config/varnish3/varnish_custom_vcl.xml +++ b/config/varnish3/varnish_custom_vcl.xml @@ -9,6 +9,7 @@ varnish_settings.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -78,56 +79,92 @@ </tabs> <fields> <field> + <type>listtopic</type> + <name>vcl_recv_early</name> + </field> + <field> <fielddescr>vcl_recv_early</fielddescr> <fieldname>vcl_recv_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the beginning of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_recv_late</name> + </field> + <field> <fielddescr>vcl_recv_late</fielddescr> <fieldname>vcl_recv_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the end of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_early</name> + </field> + <field> <fielddescr>vcl_fetch_early</fielddescr> <fieldname>vcl_fetch_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the beginning of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_late</name> + </field> + <field> <fielddescr>vcl_fetch_late</fielddescr> <fieldname>vcl_fetch_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the end of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_early</name> + </field> + <field> <fielddescr>vcl_pipe_early</fielddescr> <fieldname>vcl_pipe_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the beginning of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_late</name> + </field> + <field> <fielddescr>vcl_pipe_late</fielddescr> <fieldname>vcl_pipe_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the end of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml index 0912e267..b9d8cc24 100644 --- a/config/varnish3/varnish_lb_directors.xml +++ b/config/varnish3/varnish_lb_directors.xml @@ -9,7 +9,7 @@ varnish_lb_directors.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ @@ -99,6 +99,7 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Director name</fielddescr> <fieldname>directorname</fieldname> diff --git a/config/varnish3/varnish_sync.xml b/config/varnish3/varnish_sync.xml index 02434389..fd387fdb 100644 --- a/config/varnish3/varnish_sync.xml +++ b/config/varnish3/varnish_sync.xml @@ -9,7 +9,7 @@ varnish_sync.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -82,12 +82,34 @@ <type>listtopic</type> <fieldname>temp</fieldname> <name>Enable Varnish configuration sync</name> - </field> + </field> <field> <fielddescr>Automatically sync Varnish configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> @@ -111,8 +133,7 @@ </rowhelper> </field> </fields> - <custom_php_resync_config_command> - varnish_sync_on_changes(); + <custom_php_resync_config_command> </custom_php_resync_config_command> <custom_php_command_before_form> unset($_POST['temp']); diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index e488bc49..f4eaa140 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -25,6 +25,9 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +require_once("/usr/local/www/widgets/include/widget-snort.inc"); + global $config, $g; /* array sorting */ diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc index 105dd1e7..b9cfbeac 100644 --- a/config/widget-snort/widget-snort.inc +++ b/config/widget-snort/widget-snort.inc @@ -1,5 +1,10 @@ <?php require_once("config.inc"); + +//set variable for custom title +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; + function widget_snort_uninstall() { global $config; diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml index a6ea7f88..29edcc3f 100644 --- a/config/widget-snort/widget-snort.xml +++ b/config/widget-snort/widget-snort.xml @@ -46,7 +46,7 @@ <requirements>Dashboard package and Snort</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>widget-snort</name> - <version>0.3.4</version> + <version>0.3.5</version> <title>Widget - Snort</title> <include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file> <additional_files_needed> diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml index 55273a81..0169e11f 100644 --- a/config/zabbix2/zabbix2-agent.xml +++ b/config/zabbix2/zabbix2-agent.xml @@ -41,7 +41,7 @@ <name>zabbixagent</name> <title>Services: Zabbix-2 Agent</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Agent has been created/modified.</addedit_string> <delete_string>Zabbix Agent has been deleted.</delete_string> @@ -85,7 +85,6 @@ <fielddescr>Server</fielddescr> <fieldname>server</fieldname> <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description> - <value>127.0.0.1</value> <type>input</type> <size>60</size> </field> @@ -93,7 +92,6 @@ <fielddescr>Server Active</fielddescr> <fieldname>serveractive</fieldname> <description>List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks</description> - <value></value> <type>input</type> <size>60</size> </field> @@ -101,30 +99,29 @@ <fielddescr>Hostname</fielddescr> <fieldname>hostname</fieldname> <description>Unique hostname. Required for active checks and must match hostname as configured on the Zabbix server (case sensitive).</description> - <value>localhost</value> <type>input</type> <size>60</size> </field> <field> <fielddescr>Listen IP</fielddescr> <fieldname>listenip</fieldname> - <value>0.0.0.0</value> + <default_value>0.0.0.0</default_value> <type>input</type> <size>60</size> - <description>Listen IP for connections from the server (generally 0.0.0.0 for all interfaces)</description> + <description>Listen IP for connections from the server (default 0.0.0.0 for all interfaces)</description> </field> <field> <fielddescr>Listen Port</fielddescr> <fieldname>listenport</fieldname> - <value>10050</value> + <default_value>10050</default_value> <type>input</type> <size>5</size> - <description>Listen port for connections from the server (generally 10050)</description> + <description>Listen port for connections from the server (default 10050)</description> </field> <field> <fielddescr>Refresh Active Checks</fielddescr> <fieldname>refreshactchecks</fieldname> - <value>120</value> + <default_value>120</default_value> <type>input</type> <size>5</size> <description>The agent will refresh list of active checks once per 120 (default) seconds.</description> @@ -132,15 +129,15 @@ <field> <fielddescr>Timeout</fielddescr> <fieldname>timeout</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> - <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-255). The agent does not kill timeouted User Parameters processes!</description> + <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-30). The agent does not kill timeouted User Parameters processes!</description> </field> <field> <fielddescr>Buffer Send</fielddescr> <fieldname>buffersend</fieldname> - <value>5</value> + <default_value>5</default_value> <type>input</type> <size>5</size> <description>Buffer Send (default 5). Do not keep data longer than N seconds in buffer (1-3600).</description> @@ -148,7 +145,7 @@ <field> <fielddescr>Buffer Size</fielddescr> <fieldname>buffersize</fieldname> - <value>100</value> + <default_value>100</default_value> <type>input</type> <size>5</size> <description>Buffer Size (default 100). Maximum number of values in a memory buffer (2-65535). The agent will send all collected data to Zabbix server or proxy if the buffer is full.</description> @@ -156,7 +153,7 @@ <field> <fielddescr>Start Agents</fielddescr> <fieldname>startagents</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> <description>Start Agents (default 3). Number of pre-forked instances of zabbix_agentd that process passive checks (0-100).If set to 0, disables passive checks and the agent will not listen on any TCP port.</description> @@ -165,7 +162,6 @@ <fielddescr>User Parameters</fielddescr> <fieldname>userparams</fieldname> <encoding>base64</encoding> - <value></value> <type>textarea</type> <rows>5</rows> <cols>50</cols> @@ -179,5 +175,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_agent();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml index fcabedd9..c687c5ba 100644 --- a/config/zabbix2/zabbix2-proxy.xml +++ b/config/zabbix2/zabbix2-proxy.xml @@ -41,7 +41,7 @@ <name>zabbixproxy</name> <title>Services: Zabbix-2 Proxy</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Proxy has been created/modified.</addedit_string> <delete_string>Zabbix Proxy has been deleted.</delete_string> @@ -58,7 +58,7 @@ <url>/pkg_edit.php?xml=zabbix2-proxy.xml&id=0</url> </menu> <service> - <name>zabbix-proxy</name> + <name>zabbix_proxy</name> <rcfile>zabbix2_proxy.sh</rcfile> <executable>zabbix_proxy</executable> <description>Zabbix proxy collection daemon</description> @@ -137,5 +137,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_proxy();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc index 730ef873..0a1c12be 100644 --- a/config/zabbix2/zabbix2.inc +++ b/config/zabbix2/zabbix2.inc @@ -42,38 +42,61 @@ function php_install_zabbix2(){ sync_package_zabbix2(); } -function php_deinstall_zabbix2(){ - global $config, $g; +function php_deinstall_zabbix2_agent(){ + global $config, $g; - conf_mount_rw(); - $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); - if ($pfs_version > 2.0){ - define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); - define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); - } else { - define('ZABBIX_AGENT_BASE', '/usr/local'); - define('ZABBIX_PROXY_BASE', '/usr/local'); - } - - exec("/usr/bin/killall zabbix_proxy"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); - - exec("/usr/bin/killall zabbix_agentd"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); - - if (is_dir("/var/log/zabbix2")) - exec("/bin/rm -r /var/log/zabbix2/"); - if (is_dir("/var/run/zabbix2")) - exec("/bin/rm -r /var/run/zabbix2/"); - if (is_dir("/var/db/zabbix2")) - exec("/bin/rm -r /var/db/zabbix2/"); - conf_mount_ro(); + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + } else { + define('ZABBIX_AGENT_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_agentd"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); + + if (!is_array($config['installedpackages']['zabbixproxy'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + conf_mount_ro(); +} + +function php_deinstall_zabbix2_proxy(){ + global $config, $g; + + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + } else { + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); + + if (!is_array($config['installedpackages']['zabbixagent'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + if (is_dir("/var/db/zabbix2")) + exec("/bin/rm -r /var/db/zabbix2/"); + + conf_mount_ro(); } function validate_input_zabbix2($post,&$input_errors){ @@ -95,14 +118,18 @@ function validate_input_zabbix2($post,&$input_errors){ if (!preg_match("/\w+/", $post['hostname'])) { $input_errors[]='Hostname field is required.'; } - - if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { - $input_errors[]='Listen IP is not a configured IP address.'; + + if ($post['listenip'] != '') { + if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { + $input_errors[]='Listen IP is not a configured IP address.'; } + } - if (!preg_match("/^\d+$/", $post['listenport'])) { - $input_errors[]='Listen Port is not numeric.'; + if ($post['listenport'] != '') { + if (!preg_match("/^\d+$/", $post['listenport'])) { + $input_errors[]='Listen Port is not numeric.'; } + } if ($post['refreshactchecks'] != '') { if (!preg_match("/^\d+$/", $post['refreshactchecks'])) { @@ -111,11 +138,13 @@ function validate_input_zabbix2($post,&$input_errors){ $input_errors[]='You must enter a valid value for \'Refresh Active Checks\''; } } - - if (!is_numericint($post['timeout'])) { - $input_errors[]='Timeout is not numeric.'; - } elseif ( $post['timeout'] < 1 || $post['timeout'] > 255 ) { - $input_errors[]='You must enter a valid value for \'Timeout\''; + + if ($post['timeout'] != '') { + if (!is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } elseif ( $post['timeout'] < 1 || $post['timeout'] > 30 ) { + $input_errors[]='You must enter a valid value for \'Timeout\''; + } } if ($post['buffersend'] != '') { @@ -191,19 +220,22 @@ EOF; $BufferSize=(preg_match("/(\d+)/",$zbagent_config['buffersize'],$matches)? $matches[1] : "100"); $StartAgents=(preg_match("/(\d+)/",$zbagent_config['startagents'],$matches)? $matches[1] :"3" ); $UserParams=base64_decode($zbagent_config['userparams']); - + $ListenIp=($zbagent_config['listenip'] != ''? $zbagent_config['listenip'] : "0.0.0.0"); + $ListenPort=($zbagent_config['listenport'] != ''? $zbagent_config['listenport'] : "10050"); + $TimeOut=($zbagent_config['timeout'] != ''? $zbagent_config['timeout'] : "3"); + $zbagent_conf_file = <<< EOF Server={$zbagent_config['server']} ServerActive={$zbagent_config['serveractive']} Hostname={$zbagent_config['hostname']} -ListenIP={$zbagent_config['listenip']} -ListenPort={$zbagent_config['listenport']} +ListenIP={$ListenIp} +ListenPort={$ListenPort} RefreshActiveChecks={$RefreshActChecks} DebugLevel=3 PidFile=/var/run/zabbix2/zabbix2_agentd.pid LogFile=/var/log/zabbix2/zabbix2_agentd.log LogFileSize=1 -Timeout={$zbagent_config['timeout']} +Timeout={$TimeOut} BufferSend={$BufferSend} BufferSize={$BufferSize} StartAgents={$StartAgents} |