From 1779c971e3cb252e76605be334ad05c23d2f0ba9 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 21:20:28 -0400 Subject: pfBlockerNG v2.0.5 * Bump to version 2.0.5 * Improve 'Max daily download failure threshold' feature --- config/pfblockerng/pfblockerng.xml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml index 6c590213..8db57b1e 100644 --- a/config/pfblockerng/pfblockerng.xml +++ b/config/pfblockerng/pfblockerng.xml @@ -48,7 +48,7 @@ Describe your package requirements here Currently there are no FAQ items provided. pfblockerng - 2.0.4 + 2.0.5 pfBlockerNG: General Settings /usr/local/pkg/pfblockerng/pfblockerng.inc pfBlockerNG: Save General Settings @@ -386,12 +386,13 @@ Max daily download failure threshold skipfeed - 0 (Disabled)
- Select max daily download failure threshold via CRON. Clear widget 'failed downloads' to reset.]]> + No limit
+ Select max daily download failure threshold via CRON. Clear widget 'failed downloads' to reset.
+ On a download failure, the previously downloaded list is reloaded.]]>
select - + @@ -401,15 +402,6 @@ 0
- - Restore previous download on failure - restore_feed - checkbox - Enabled
- When 'selected', on a download failure, the previously downloaded list is restored.]]> -
- on -
Logfile Size log_maxlines -- cgit v1.2.3 From b7a85ac999f97e4d91a1e2ef951e36506e024361 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:10:10 -0400 Subject: Update pfblockerng.inc * Add TLSv1.1 to cURL SSL Options * Improve 'Max daily download failure threshold' feature * Improve function pfbng_text_area_decode() - add $mode variable to account for '#' comment lines in DNSBL Suppression Alias * Improve dnsbl_suppression() function * Implement 'Advanced Outbound Firewall Rules' customization options. * Implement 'Advanced In/Outbound Firewall Rules' - Invert Source/Destination options * Implement 'Advanced In/Outbound Firewall Rules' - Gateway options * 'Advanced In/Outbound Firewall Rules' - Force any Invert Source/Destination Alias to use 'Alias Native' settings * Allow Loopback and RFC1918 addresses in any Alias Custom List. * Improve GZIP archive extraction function * Re-factor Tracker IDs. (Convert all unique Alias details (via ascii table number) and return a 10 digit tracker ID) If a duplicate Tracker ID is found, default to a pre-determined Tracker ID format starting with '1700000010' * When DNSBL is enabled, but all Aliases/Feeds are 'Disabled', clear existing DNSBL Unbound Database properly. * Improve Proofpoint/Emerging Threats IQRisk integrations * Improve DNSBL domain name parser * Force all DNSBL domains to lowercase * Check for Firewall Rules 'created' tag, before attempting to unset * Improve 'Kill States' feature - Collect all 'pfB_' Rules that are 'Block/Reject' and do not have bypass states enabled * Improve 'Kill States' feature - Collect any 'Permit' Customlist IPs to suppress * Add Input Validation for Header/Label field - Whitespace, special or International characters not allowed --- config/pfblockerng/pfblockerng.inc | 560 ++++++++++++++++++++++++++----------- 1 file changed, 389 insertions(+), 171 deletions(-) 
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index 4ec46d85..903c73be 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -131,7 +131,7 @@ foreach (array('existing', 'actual') as $pftype) { // Default cURL options $pfb['curl_defaults'] = array( CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36', - CURLOPT_SSL_CIPHER_LIST => 'TLSv1.2, TLSv1', + CURLOPT_SSL_CIPHER_LIST => 'TLSv1.2, TLSv1.1, TLSv1', CURLOPT_FOLLOWLOCATION => true, CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => true, @@ -202,9 +202,7 @@ function pfb_global() { $pfb['dnsbl_port_ssl'] = $pfb['dnsblconfig']['pfb_dnsport_ssl']; // Lighttpd web server https port setting $pfb['dnsbl_alexa'] = $pfb['dnsblconfig']['alexa_enable']; // Alexa whitelist - // Restore previous download on failure (default to 'on') - $pfb['restore'] = $pfb['config']['restore_feed'] != '' ? $pfb['config']['restore_feed'] : 'on'; - // Max daily download failure threshold (default to '0') + // Max daily download failure threshold (default to '0' unlimited failures) $pfb['skipfeed'] = $pfb['config']['skipfeed'] != '' ? $pfb['config']['skipfeed'] : 0; if (isset($config['unbound']['enable'])) { 
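Review bot: The new `'TLSv1.2, TLSv1.1, TLSv1'` value goes into CURLOPT_SSL_CIPHER_LIST, which selects cipher suites rather than protocol versions, so I believe adding `TLSv1.1` there has no effect: OpenSSL's cipher-string grammar has `TLSv1.2`, `TLSv1` and `SSLv3` aliases but no `TLSv1.1` alias, and unrecognised words in the list are ignored. Protocol versions are controlled by CURLOPT_SSLVERSION; if the intent is to accept TLS 1.0 through 1.2, add `CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1,` to `$pfb['curl_defaults']` (preferring `CURL_SSLVERSION_TLSv1_2` where the feeds support it) and leave cipher selection to the library defaults. The same `TLSv1.1` token is added to the Flex downgrade at @@ -1163, where the string still lists `SSLv3` while peer and host verification are switched off, so that path deserves the same version-based treatment.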
@@ -249,15 +247,29 @@ if ($uname['machine'] == 'amd64') { // Function to decode alias custom entry box. -function pfbng_text_area_decode($text) { +function pfbng_text_area_decode($text, $mode=FALSE) { + + if ($mode) { + // Return customlist as an array (Split any '#' comment text) + $custom = array(); + } + $customlist = explode("\r\n", base64_decode($text)); if (!empty($customlist)) { foreach ($customlist as $line) { if (substr(trim($line), 0, 1) != '#' && !empty($line)) { if (strpos($line, '#') !== FALSE) { - $custom .= trim(strstr($line, '#', TRUE)) . "\n"; + if ($mode) { + $custom[] = preg_split('/(?=#)/', $line); + } else { + $custom .= trim(strstr($line, '#', TRUE)) . "\n"; + } } else { - $custom .= $line . "\n"; + if ($mode) { + $custom[][0] = $line; + } else { + $custom .= $line . "\n"; + } } } } 
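Review bot: The new `$mode` branches store untrimmed text, unlike the string branch beside them: `$custom[] = preg_split('/(?=#)/', $line);` keeps any whitespace before the `#` in element `[0]`, and `$custom[][0] = $line;` keeps leading and trailing whitespace, so a caller doing an exact comparison on `[0]` (dnsbl_suppression() feeds it into `in_array`) misses entries such as `example.com # note`. Trim the first element in both branches: `$parts = preg_split('/(?=#)/', $line); $parts[0] = trim($parts[0]); $custom[] = $parts;` and `$custom[][0] = trim($line);`. While here, `$custom` is only initialised when `$mode` is set, so the string branch still appends to an undefined variable; `$custom = $mode ? array() : '';` covers both. The function's return is outside the hunk.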
@@ -363,21 +375,31 @@ function pfb_determine_list_detail($list='', $header='', $confconfig='', $key='' if (!empty($confconfig)) { // Configure autoports/protocol and auto destination if required. - $autotype = array( 'autoports' => 'aliasports', 'autodest' => 'aliasdest'); - $aports = ''; $adest = ''; - $pfbarr['aproto'] = $config['installedpackages'][$confconfig]['config'][$key]['autoproto']; - foreach ($autotype as $akey => $atype) { - if ($config['installedpackages'][$confconfig]['config'][$key][$akey] == 'on' && isset($config['aliases']['alias'])) { - foreach ($config['aliases']['alias'] as $palias) { - if ($palias['name'] == $config['installedpackages'][$confconfig]['config'][$key][$atype]) { - if (!empty($palias['address'])) { - switch($akey) { - case 'autoports': - $pfbarr['aports'] = $config['installedpackages'][$confconfig]['config'][$key][$atype]; - break; - case 'autodest': - $pfbarr['adest'] = $config['installedpackages'][$confconfig]['config'][$key][$atype]; - break; + $conf_config = $config['installedpackages'][$confconfig]['config'][$key]; + $autotype = array( 'autoports' => 'aliasports', 'autoaddr' => 'aliasaddr'); + foreach (array('_out', '_in') as $dir) { + + $pfbarr['aproto' . $dir] = $conf_config['autoproto' . $dir]; + $pfbarr['anot' . $dir] = $conf_config['autonot' . $dir]; + $pfbarr['aaddrnot' . $dir] = $conf_config['autoaddrnot' . $dir]; + $pfbarr['agateway' . $dir] = $conf_config['agateway' . $dir]; + + foreach ($autotype as $akey => $atype) { + if ($conf_config[$akey . $dir] == 'on' && isset($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $palias) { + if ($palias['name'] == $conf_config[$atype . $dir]) { + if (!empty($palias['address'])) { + $dalias = "{$atype}{$dir}"; + switch($akey) { + case 'autoports': + $ctype = "aports{$dir}"; + $pfbarr[$ctype] = $conf_config[$dalias]; + break; + case 'autoaddr': + $ctype = "aaddr{$dir}"; + $pfbarr[$ctype] = $conf_config[$dalias]; + break; + } } } } 
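Review bot: `$pfbarr['agateway' . $dir] = $conf_config['agateway' . $dir];` copies the raw config value, which is empty or unset for every alias saved before the gateway option existed, while pfb_firewall_rule (signature at @@ -1391, uses at @@ -1418, @@ -1440, @@ -1473, @@ -1495 and @@ -1546) only skips the gateway when the value equals `'default'`, so those aliases end up with `$rule['gateway'] = ''`. Whether pfSense treats an empty gateway key as the default route I cannot confirm from here, but normalising at the source avoids the question: `$pfbarr['agateway' . $dir] = !empty($conf_config['agateway' . $dir]) ? $conf_config['agateway' . $dir] : 'default';`. The `autoproto`/`autonot`/`autoaddrnot` reads on the lines above have the same unsaved-config case and will emit undefined-index notices unless guarded with `isset()`. The function body continues past the hunk.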
@@ -385,10 +407,17 @@ function pfb_determine_list_detail($list='', $header='', $confconfig='', $key='' } } } + + // Force 'Alias Native' setting to any Alias with 'Advanced Inbound/Outbound -Invert src/dst' settings. + // This will bypass Deduplication and Reputation features. + if ($pfbarr['aaddrnot_in'] == 'on' || $pfbarr['aaddrnot_out'] == 'on') { + $pfbarr['adv'] = FALSE; + $pfbarr['folder'] = "{$pfb['nativedir']}"; + } + return $pfbarr; } - // Determine if cron task requires updating function pfblockerng_cron_exists($crontask, $pfb_min, $pfb_hour) { global $config; @@ -522,6 +551,21 @@ function pfb_create_suppression_file() { } +// Collect existing suppression list (without '# comment' text details) +function dnsbl_suppression() { + global $pfb; + + $dnssupp_ex = array(); + $suppression = pfbng_text_area_decode($pfb['dnsblconfig']['suppression'], TRUE); + if (isset($suppression)) { + foreach ($suppression as $dnssupp) { + $dnssupp_ex[] = $dnssupp[0]; + } + } + return $dnssupp_ex; +} + + // Create DNSBL VIP and NAT rules, lighttpd conf and services function pfb_create_dnsbl($mode) { global $config, $pfb; @@ -708,7 +752,7 @@ EOF; exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes"); } - if ($pfbupdate || !is_service_running ('dnsbl')) { + if ($pfbupdate || !is_service_running('dnsbl')) { $log = "Restarting Service DNSBL...\n"; pfb_logger("{$log}", 1); restart_service('dnsbl'); @@ -939,11 +983,6 @@ function sanitize_ipaddr($ipaddr, $custom) { $ip[$key] = ltrim($octet, '0'); } - // Remove 'loopback', '0.0.0.0', and IPs ending with '255' - if ($ip[0] == 127 || $ip[0] == 0 || empty($ip[0]) || $ip[3] == 255) { - return; - } - if ($key == 3) { // If mask is not defined and 4th octet is '0', set mask to '24' if ($octet == 0 && empty($mask)) { 
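Review bot: dnsbl_suppression() returns the suppression entries verbatim (`$dnssupp_ex[] = $dnssupp[0];`), but the domains they are matched against are trimmed and, as of @@ -2753, lowercased (`$line = strtolower($line);`) before the `in_array($line, $pfb_dnssupp)` check, so an entry written as `Example.com` or carrying trailing whitespace never suppresses anything. Normalise the list the same way: `$dnssupp_ex[] = strtolower(trim($dnssupp[0]));`. The `isset($suppression)` guard is always true because pfbng_text_area_decode() initialises its array when `$mode` is set; `if (!empty($suppression))` says what is meant and skips the loop for an empty list.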
@@ -962,6 +1001,12 @@ function sanitize_ipaddr($ipaddr, $custom) { // Exclude private/reserved IPs when suppression is enabled (bypass exclusion for custom lists) if ($pfb['supp'] == 'on' && !$custom) { + + // Remove 'loopback', '0.0.0.0', and IPs ending with '255' + if ($ip[0] == 127 || $ip[0] == 0 || empty($ip[0]) || $ip[3] == 255) { + return; + } + if (!filter_var($ip_final, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== FALSE) { return; } @@ -1086,6 +1131,7 @@ function find_reported_header($ip, $pfbfolder, $exclude=FALSE) { function pfb_download($list_url, $file_dwn, $pflex=FALSE, $header, $format, $logtype, $vtype, $timeout=300) { global $pfb; $http_status = ''; + $elog = ">> {$pfb['log']} 2>&1"; // Download RSYNC format if ($format == 'rsync') { @@ -1163,7 +1209,7 @@ function pfb_download($list_url, $file_dwn, $pflex=FALSE, $header, $format, $log if ($retries == 1 && $pflex && in_array($curl_error, array( '35', '51', '60'))) { curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); - curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1, SSLv3'); + curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1.1, TLSv1, SSLv3'); $log = "\n[ ! ] Downgrading SSL settings (Flex) "; pfb_logger("{$log}", 1); } @@ -1212,17 +1258,7 @@ function pfb_download($list_url, $file_dwn, $pflex=FALSE, $header, $format, $log } else { pfb_logger('.', 1); - $pfb_output = fopen("{$file_dwn}.orig", 'w'); - if (($fhandle = gzopen("{$file_dwn}.raw", 'r')) !== FALSE) { - if (($fhandle = gzopen("{$file_dwn}.raw", 'r')) !== FALSE) { - while (($line = gzgets($fhandle, 1024)) !== FALSE) { - fwrite($pfb_output, $line); - } - } - $retval = 0; - } - gzclose($fhandle); - fclose($pfb_output); + exec("/usr/bin/gunzip -c {$file_dwn}.raw > {$file_dwn}.orig", $output, $retval); } } elseif ($file_type == 'application/x-bzip2') { 
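Review bot: Moving the loopback/`0.0.0.0`/`.255` rejection inside `if ($pfb['supp'] == 'on' && !$custom)` ties it to the suppression setting, not only to custom lists as the commit message states ("Allow Loopback and RFC1918 addresses in any Alias Custom List"). With suppression disabled, a downloaded feed containing `127.0.0.1`, `0.0.0.0` or a `.255` address now passes sanitize_ipaddr() into the alias table and so into the Deny/Permit/Match rules built from it, which the removed check at @@ -939 prevented unconditionally. If only custom lists are meant to be exempt, keep the check under its own guard ahead of the suppression block: `if (!$custom && ($ip[0] == 127 || $ip[0] == 0 || empty($ip[0]) || $ip[3] == 255)) { return; }`. sanitize_ipaddr() starts and ends outside the hunk.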
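Review bot: `exec("/usr/bin/gunzip -c {$file_dwn}.raw > {$file_dwn}.orig", $output, $retval);` interpolates the download path into a shell command without quoting; `$file_dwn` is built from the feed header (`{$pfborig}/{$header}` at @@ -3337), which is saved configuration that this commit only begins validating in the GUI, so already-saved headers with spaces or shell metacharacters would be interpreted by the shell. Quote each path: `exec('/usr/bin/gunzip -c ' . escapeshellarg("{$file_dwn}.raw") . ' > ' . escapeshellarg("{$file_dwn}.orig"), $output, $retval);`. The second gunzip call added at @@ -3352 has the same shape and additionally discards the exit status, so a failed extraction there goes unnoticed; pass `$output, $retval` and check it as the code following this hunk presumably does. pfb_download() continues past the hunk.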
@@ -1357,15 +1393,13 @@ function pfb_download_failure($alias, $header, $pfbfolder, $vtype, $list_url) { } } - // On download failure, create file marker for subsequent download attempts - if ($pfb['restore'] == 'on' && $pfb['skipfeed'] != 0) { - // Call function to get all previous download fails - pfb_failures(); + // Call function to get all previous download fails + pfb_failures(); - if ($pfb['failed'][$header] <= $pfb['skipfeed']) { - touch("{$pfbfolder}/{$header}.fail"); - return; - } + // On download failure, create file marker for subsequent download attempts. ('0' no download failure threshold) + if ($pfb['skipfeed'] == 0 || $pfb['failed'][$header] <= $pfb['skipfeed']) { + touch("{$pfbfolder}/{$header}.fail"); + return; } unlink_if_exists("{$pfbfolder}/{$header}.fail"); 
@@ -1391,17 +1425,51 @@ function pfb_failures() { } -// Convert alias name (via ascii table number) and return a 10 digit tracker id -function pfb_tracker($alias) { - for ($i = 0; $i < strlen($alias); $i++) { - $pfbtracker += @ord($alias[$i]); +// Convert unique Alias details (via ascii table number) and return a 10 digit tracker ID +function pfb_tracker($alias, $int, $text) { + + global $config, $pfb; + + $pfbtracker = 0; + $real_int = get_real_interface($int); + $ipaddr = get_interface_ip($int); + + if (is_ipaddrv4($ipaddr)) { + $ipaddr = ip2long32($ipaddr); + $subnet = find_interface_subnet($real_int); + } + else { + $ipaddr = get_interface_ipv6($real_int); + $subnet = find_interface_subnetv6($real_int); + } + + $search = array( '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' ); + $replace = array( 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine', 'zero' ); + $line = "{$alias}{$int}{$text}{$real_int}{$ipaddr}{$subnet}"; + $line = str_replace($search, $replace, $line); + + for ($i = 0; $i < strlen($line); $i++) { + $pfbtracker += @ord($line[$i]); + } + + // If duplicate Tracker ID found, pre-define a Tracker ID (Starts at 1770000010) + if (in_array($pfbtracker, $pfb['trackerids'])) { + $pfbtracker = ($pfb['last_trackerid'] + 1); + $pfb['last_trackerid'] = $pfbtracker; + return $pfbtracker; + } + else { + $pfb['trackerids'][] = $pfbtracker; + return '177' . str_pad($pfbtracker, 7, '0', STR_PAD_LEFT); } - return '177' . str_pad($pfbtracker, 7, '0', STR_PAD_LEFT); } // Define firewall rule settings -function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', $aports='', $aproto='', $anot='') { +function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $agateway_in='default', $agateway_out='default', + $aaddrnot_in='', $adest_in='', $aports_in='', $aproto_in='', $anot_in='', + $aaddrnot_out='', $asrc_out='', $aports_out='', $aproto_out='', $anot_out='') { + global $pfb; $rule = array(); 
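Review bot: The comment `// If duplicate Tracker ID found, pre-define a Tracker ID (Starts at 1770000010)` disagrees with the code: sync_package_pfblockerng() seeds `$pfb['last_trackerid'] = 1700000009` at @@ -1900, so the first fallback ID is 1700000010, as the commit message also says; change it to `(Starts at 1700000010)`. A second concern is stability: the ID now folds in the interface's current address and subnet (`$ipaddr`, `$subnet`), so a DHCP renewal or IPv6 prefix change gives the same alias a different tracker, and the collision fallback hands out IDs in evaluation order, so a new alias colliding with an existing sum can renumber rules on the next run. If anything downstream (state killing, log parsing) keys on the tracker, a comment documenting that tracker IDs are not stable across address changes would save the next reader a surprise. Note also that the fallback returns the raw `$pfbtracker` while the normal path returns `'177' . str_pad(...)`, which is only collision-free as long as the 17xxxxxxxx range can never equal a padded ASCII sum.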
@@ -1409,7 +1477,6 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', case 'Deny_Both': case 'Deny_Outbound': $rule = $pfb['base_rule']; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}deny_out"); $rule['type'] = "{$pfb['deny_action_outbound']}"; if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; @@ -1418,11 +1485,28 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', $rule['direction'] = 'any'; } $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array('any' => ''); + if (!empty($asrc_out) && !empty($aports_out)) { + $rule['source'] = array('address' => "{$asrc_out}", 'port' => "{$aports_out}"); + } elseif (!empty($asrc_out) && empty($aports_out)) { + $rule['source'] = array('address' => "{$asrc_out}"); + } elseif (empty($asrc_out) && !empty($aports_out)) { + $rule['source'] = array('any' => '', 'port' => "{$aports_out}"); + } else { + $rule['source'] = array('any' => ''); + } + if (!empty($asrc_out) && $anot_out == 'on') { + $rule['source']['not'] = ''; + } $rule['destination'] = array('address' => "{$pfb_alias}{$vtype}"); + if ($aaddrnot_out == 'on') { + $rule['destination']['not'] = ''; + } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_out != 'default') { + $rule['gateway'] = "{$agateway_out}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['deny_outbound'][] = $rule; if ($action != 'Deny_Both') { @@ -1430,7 +1514,6 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', } case 'Deny_Inbound': $rule = $pfb['base_rule']; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}deny_in"); $rule['type'] = "{$pfb['deny_action_inbound']}"; if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; 
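Review bot: The new outbound source/`not`/gateway block in the Deny_Outbound case is repeated verbatim in Permit_Outbound (@@ -1473) and Match_Outbound (@@ -1495), and the inbound `aaddrnot_in`/destination/protocol/gateway block appears in all three inbound cases (@@ -1440, @@ -1495, @@ -1546); with sixteen positional parameters this is exactly where a future fix lands in one copy and not the others. Two helpers that take `$rule` and return it would leave each `case` with only what differs (base rule, type, direction, target array). Separately, with `$aaddrnot_out == 'on'` a Deny rule carries `not` on the alias and so blocks everything except the alias; I believe pf matches `! <table>` for all traffic when the table is empty, so a failed download could then block all outbound traffic on that interface, which if correct deserves a comment at the Alias Native forcing (@@ -385) or a guard in the caller. pfb_firewall_rule() continues past the hunk.
```php
// Apply the 'Advanced Outbound' source/destination/gateway settings to an outbound rule.
function pfb_rule_outbound($rule, $pfb_alias, $vtype, $agateway_out, $aaddrnot_out, $asrc_out, $aports_out, $anot_out) {
	if (!empty($asrc_out) && !empty($aports_out)) {
		$rule['source'] = array('address' => "{$asrc_out}", 'port' => "{$aports_out}");
	} elseif (!empty($asrc_out)) {
		$rule['source'] = array('address' => "{$asrc_out}");
	} elseif (!empty($aports_out)) {
		$rule['source'] = array('any' => '', 'port' => "{$aports_out}");
	} else {
		$rule['source'] = array('any' => '');
	}
	if (!empty($asrc_out) && $anot_out == 'on') {
		$rule['source']['not'] = '';
	}
	$rule['destination'] = array('address' => "{$pfb_alias}{$vtype}");
	if ($aaddrnot_out == 'on') {
		$rule['destination']['not'] = '';
	}
	if ($agateway_out != 'default') {
		$rule['gateway'] = "{$agateway_out}";
	}
	return $rule;
}

// … in pfb_firewall_rule(), case 'Deny_Outbound' (and likewise Permit_Outbound / Match_Outbound):
$rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}";
$rule = pfb_rule_outbound($rule, $pfb_alias, $vtype, $agateway_out, $aaddrnot_out, $asrc_out, $aports_out, $anot_out);
// … unchanged: log flag, 'created' tag, append to $pfb['deny_outbound'] …
```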
@@ -1440,24 +1523,30 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', } $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array('address' => "{$pfb_alias}{$vtype}"); - if (!empty($adest) && !empty($aports)) { - $rule['destination'] = array('address' => "{$adest}", 'port' => "{$aports}"); - } elseif (!empty($adest) && empty($aports)) { - $rule['destination'] = array('address' => "{$adest}"); - } elseif (empty($adest) && !empty($aports)) { - $rule['destination'] = array('any' => '', 'port' => "{$aports}"); + if ($aaddrnot_in == 'on') { + $rule['source']['not'] = ''; + } + if (!empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}", 'port' => "{$aports_in}"); + } elseif (!empty($adest_in) && empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}"); + } elseif (empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('any' => '', 'port' => "{$aports_in}"); } else { $rule['destination'] = array('any' => ''); } - if (!empty($adest) && $anot == 'on') { + if (!empty($adest_in) && $anot_in == 'on') { $rule['destination']['not'] = ''; } - if (!empty($aproto)) { - $rule['protocol'] = "{$aproto}"; + if (!empty($aproto_in)) { + $rule['protocol'] = "{$aproto_in}"; } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_in != 'default') { + $rule['gateway'] = "{$agateway_in}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['deny_inbound'][] = $rule; break; @@ -1465,7 +1554,6 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', case 'Permit_Outbound': $rule = $pfb['base_rule']; $rule['type'] = 'pass'; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}permit_out"); if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; } 
@@ -1473,11 +1561,28 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', $rule['direction'] = 'any'; } $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array('any' => ''); + if (!empty($asrc_out) && !empty($aports_out)) { + $rule['source'] = array('address' => "{$asrc_out}", 'port' => "{$aports_out}"); + } elseif (!empty($asrc_out) && empty($aports_out)) { + $rule['source'] = array('address' => "{$asrc_out}"); + } elseif (empty($asrc_out) && !empty($aports_out)) { + $rule['source'] = array('any' => '', 'port' => "{$aports_out}"); + } else { + $rule['source'] = array('any' => ''); + } + if (!empty($asrc_out) && $anot_out == 'on') { + $rule['source']['not'] = ''; + } $rule['destination'] = array('address' => "{$pfb_alias}{$vtype}"); + if ($aaddrnot_out == 'on') { + $rule['destination']['not'] = ''; + } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_out != 'default') { + $rule['gateway'] = "{$agateway_out}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['permit_outbound'][] = $rule; if ($action != 'Permit_Both') { @@ -1485,7 +1590,6 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', } case 'Permit_Inbound': $rule = $pfb['base_rule']; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}permit_in"); $rule['type'] = 'pass'; if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; 
@@ -1495,42 +1599,64 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', } $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array('address' => "{$pfb_alias}{$vtype}"); - if (!empty($adest) && !empty($aports)) { - $rule['destination'] = array('address' => "{$adest}", 'port' => "{$aports}"); - } elseif (!empty($adest) && empty($aports)) { - $rule['destination'] = array('address' => "{$adest}"); - } elseif (empty($adest) && !empty($aports)) { - $rule['destination'] = array('any' => '', 'port' => "{$aports}"); + if ($aaddrnot_in == 'on') { + $rule['source']['not'] = ''; + } + if (!empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}", 'port' => "{$aports_in}"); + } elseif (!empty($adest_in) && empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}"); + } elseif (empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('any' => '', 'port' => "{$aports_in}"); } else { $rule['destination'] = array('any' => ''); } - if (!empty($adest) && $anot == 'on') { + if (!empty($adest_in) && $anot_in == 'on') { $rule['destination']['not'] = ''; } - if (!empty($aproto)) { - $rule['protocol'] = "{$aproto}"; + if (!empty($aproto_in)) { + $rule['protocol'] = "{$aproto_in}"; } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_in != 'default') { + $rule['gateway'] = "{$agateway_in}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['permit_inbound'][] = $rule; break; case 'Match_Both': case 'Match_Outbound': $rule = $pfb['base_rule_float']; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}match_out"); $rule['type'] = 'match'; if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; } $rule['direction'] = 'any'; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; - $rule['source'] = array('any' => ''); + if (!empty($asrc_out) && !empty($aports_out)) 
{ + $rule['source'] = array('address' => "{$asrc_out}", 'port' => "{$aports_out}"); + } elseif (!empty($asrc_out) && empty($aports_out)) { + $rule['source'] = array('address' => "{$asrc_out}"); + } elseif (empty($asrc_out) && !empty($aports_out)) { + $rule['source'] = array('any' => '', 'port' => "{$aports_out}"); + } else { + $rule['source'] = array('any' => ''); + } + if (!empty($asrc_out) && $anot_out == 'on') { + $rule['source']['not'] = ''; + } $rule['destination'] = array('address' => "{$pfb_alias}{$vtype}"); + if ($aaddrnot_out == 'on') { + $rule['destination']['not'] = ''; + } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_out != 'default') { + $rule['gateway'] = "{$agateway_out}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['match_outbound'][] = $rule; if ($action != 'Match_Both') { @@ -1538,7 +1664,6 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', } case 'Match_Inbound': $rule = $pfb['base_rule_float']; - $rule['tracker'] = pfb_tracker("{$pfb_alias}{$vtype}match_in"); $rule['type'] = 'match'; if ($vtype == '_v6') { $rule['ipprotocol'] = 'inet6'; 
@@ -1546,24 +1671,30 @@ function pfb_firewall_rule($action, $pfb_alias, $vtype='', $pfb_log, $adest='', $rule['direction'] = 'any'; $rule['descr'] = "{$pfb_alias}{$vtype}{$pfb['suffix']}"; $rule['source'] = array('address' => "{$pfb_alias}{$vtype}"); - if (!empty($adest) && !empty($aports)) { - $rule['destination'] = array('address' => "{$adest}", 'port' => "{$aports}"); - } elseif (!empty($adest) && empty($aports)) { - $rule['destination'] = array('address' => "{$adest}"); - } elseif (empty($adest) && !empty($aports)) { - $rule['destination'] = array('any' => '', 'port' => "{$aports}"); + if ($aaddrnot_in == 'on') { + $rule['source']['not'] = ''; + } + if (!empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}", 'port' => "{$aports_in}"); + } elseif (!empty($adest_in) && empty($aports_in)) { + $rule['destination'] = array('address' => "{$adest_in}"); + } elseif (empty($adest_in) && !empty($aports_in)) { + $rule['destination'] = array('any' => '', 'port' => "{$aports_in}"); } else { $rule['destination'] = array('any' => ''); } - if (!empty($adest) && $anot == 'on') { + if (!empty($adest_in) && $anot_in == 'on') { $rule['destination']['not'] = ''; } - if (!empty($aproto)) { - $rule['protocol'] = "{$aproto}"; + if (!empty($aproto_in)) { + $rule['protocol'] = "{$aproto_in}"; } if ($pfb['config']['enable_log'] == 'on' || $pfb_log == 'enabled') { $rule['log'] = ''; } + if ($agateway_in != 'default') { + $rule['gateway'] = "{$agateway_in}"; + } $rule['created'] = array('time' => (int)microtime(true), 'username' => 'Auto'); $pfb['match_inbound'][] = $rule; break; @@ -1768,6 +1899,7 @@ function pfb_livetail($logfile, $mode) { function sync_package_pfblockerng($cron='') { global $g, $config, $pfb, $pfbarr; pfb_global(); + $pfb['conf_mod'] = FALSE; // Flag to check for mods to the config.xml file. ('$pfb_config' array to hold changes) // Detect boot process or package installation 
@@ -1900,6 +2032,14 @@ function sync_package_pfblockerng($cron='') { $pfb_alias_lists_all = array(); // An array of all active aliases. ('Reputation' enabled) + ################################# + # Tracker IDs # + ################################# + + $pfb['trackerids'] = array(); // An array of pfBlockerNG Firewall rule Tracker IDs. + $pfb['last_trackerid'] = 1700000009; // Pre-defined 'starting' Tracker ID (Only used if duplicates found) + + ######################################### # Configure Rule Suffix # ######################################### @@ -2079,6 +2219,13 @@ function sync_package_pfblockerng($cron='') { if (!empty($config['installedpackages'][$ip_type]['config']) && $pfb['enable'] == 'on') { foreach ($config['installedpackages'][$ip_type]['config'] as $key => $list) { if (isset($list['row']) && $list['action'] != 'Disabled') { + + // Force 'Alias Native' setting to any Alias with 'Advanced Inbound/Outbound -Invert src/dst' settings. + // This will bypass Deduplication and Reputation features. + if ($list['autoaddrnot_in'] == 'on' || $list['autoaddrnot_out'] == 'on') { + $list['action'] = 'Alias_Native'; + } + foreach ($list['row'] as $row) { if ($vtype == '_v4') { $header = "{$row['header']}"; @@ -2164,8 +2311,8 @@ function sync_package_pfblockerng($cron='') { } } - $pfb['remove'] = FALSE; // Flag to execute pfctl and rules ordering or reload of DNSBL domains - $pfb['summary'] = FALSE; // Execute final summary as a list was removed + $pfb['remove'] = FALSE; // Flag to execute pfctl and rules ordering or reload of DNSBL domains + $pfb['summary'] = FALSE; // Execute final summary as a list was removed // Process to remove lists from Masterfile/DB folder if they do not exist if (isset($pfb['existing'])) { 
@@ -2340,10 +2487,7 @@ function sync_package_pfblockerng($cron='') { } // Collect suppression list - $pfb_dnssupp = array(); - if (!empty($pfb['dnsblconfig']['suppression'])) { - $pfb_dnssupp = explode("\n", pfbng_text_area_decode($pfb['dnsblconfig']['suppression'])); - } + $pfb_dnssupp = dnsbl_suppression(); // Call Alexa whitelist process if ($pfb['dnsbl_alexa'] == 'on') { @@ -2404,6 +2548,7 @@ function sync_package_pfblockerng($cron='') { $lists_dnsbl_current = array(); // Array of all active Lists in current alias $pfb['aliasupdate'] = FALSE; // Flag to signal changes to alias $pfb['updateip'] = FALSE; // Flag to signal updates to DNSBL IP lists + $pfb['domain_clear'] = FALSE; // Flag to signal no Aliases defined or all Aliases disabled. $alias_cnt = 0; if ($list['action'] != 'Disabled' && isset($list['row'])) { @@ -2436,9 +2581,6 @@ function sync_package_pfblockerng($cron='') { $pfborig = $pfbarr['orig']; $pfbreuse = $pfbarr['reuse']; $logtab = $pfbarr['logtab']; - $aports = $pfbarr['aports']; - $adest = $pfbarr['adest']; - $aproto = $pfbarr['aproto']; // Empty header field validation check if (empty($header)) { @@ -2517,6 +2659,7 @@ function sync_package_pfblockerng($cron='') { // Parse downloaded file for Domain names $e_skip = $e_found = FALSE; // Variables for Easylists + $iqrisk = FALSE; // Variable for ET IQRisk $fail_list = ''; $csvfail = $ipcount = $ip_cnt = 0; if (($fhandle = fopen("{$file_dwn}.orig", 'r')) !== FALSE) { while (($line = fgets($fhandle, 3072)) !== FALSE) { 
@@ -2619,12 +2762,14 @@ function sync_package_pfblockerng($cron='') { } // Parse ET IQRisk IPRep domain list - elseif (!strpos($csvline[2], 'www.phishtank.com/phish_detail.php')){ - if (strpos($csvline[1], '.') !== FALSE && - (int)$csvline[1] != 0 && count($csvline) == 3) { - $liteparser = TRUE; - $line = $csvline[0]; - } + elseif ($iqrisk) { + $liteparser = TRUE; + $line = $csvline[0]; + } + + // Set flag to process ET IQRisk feed + if (!$iqrisk && $line == 'domain, category, score') { + $iqrisk = TRUE; } } $line = trim($line); @@ -2695,11 +2840,6 @@ function sync_package_pfblockerng($cron='') { // Parser for all other domain feeds (Initial line preparation) if (!$liteparser) { - // If 'space' character found, remove characters before space - if (strpos($line, ' ') !== FALSE) { - $line = strstr($line, ' ', FALSE); - } - // If '#' character found, remove characters after '#' if (strpos($line, '#') !== FALSE) { $line = strstr($line, '#', TRUE); @@ -2708,6 +2848,14 @@ function sync_package_pfblockerng($cron='') { // Remove any leading/trailing whitespaces $line = trim($line); + // If 'space' character found, remove characters before space + if (strpos($line, ' ') !== FALSE) { + $line = strstr($line, ' ', FALSE); + } + + // Remove any leading/trailing whitespaces + $line = trim($line); + // If 'space' character found, remove characters after space if (strpos($line, ' ') !== FALSE) { $line = strstr($line, ' ', TRUE); @@ -2753,6 +2901,8 @@ function sync_package_pfblockerng($cron='') { continue; } + $line = strtolower($line); + // Remove suppressed domain names if (!in_array($line, $pfb_dnssupp)) { $domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; 
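Review bot: The IQRisk header detection `if (!$iqrisk && $line == 'domain, category, score')` runs before the `$line = trim($line);` that follows the block, so unless `$line` was already trimmed earlier in the loop (not visible here) the comparison sees the terminator left by fgets() and never matches, and the feed falls through to the generic parser. Comparing the trimmed value is cheap and safe either way: `if (!$iqrisk && trim($line) == 'domain, category, score') {`. A one-line comment that `$iqrisk` stays set for the remainder of the file, so every later CSV row is read as `domain, category, score`, would also help. The parsing loop starts and ends outside the hunk.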
@@ -2927,8 +3077,9 @@ function sync_package_pfblockerng($cron='') { // Define DNSBL_IP firewall rule settings if ($pfb['dnsbl_ip'] != 'Alias_Deny') { - pfb_firewall_rule($pfb['dnsbl_ip'], 'pfB_DNSBLIP', '', $pfb['dnsblconfig']['aliaslog'], - $pfbarr['adest'], $pfbarr['aports'], $pfbarr['aproto'], $pfb['dnsblconfig']['autonot']); + pfb_firewall_rule($pfb['dnsbl_ip'], 'pfB_DNSBLIP', '', $pfb['dnsblconfig']['aliaslog'], $pfbarr['agateway_in'], $pfbarr['agateway_out'], + $pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'], + $pfbarr['aaddrnot_out'], $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']); } // Collect DNSBL IP addresses into 'pfB_DNSBLIP' aliastable @@ -3000,7 +3151,16 @@ function sync_package_pfblockerng($cron='') { pfb_logger("{$log}", 1); } } - + else { + // When DNSBL is enabled and no Aliases are defined, or all Aliases are Disabled. Set flag to clear out Unbound pfb_dnsbl.conf file. + if (empty($lists_dnsbl_all)) { + pfb_logger("\nClearing all DNSBL Feeds... ", 1); + $pfb['domain_clear'] = TRUE; + $pfb_output = @fopen("{$pfb['dnsbl_file']}.conf", 'w'); + fwrite($pfb_output, ''); + @fclose($pfb_output); + } + } ################################# # UNBOUND INTEGRATION # @@ -3013,7 +3173,7 @@ function sync_package_pfblockerng($cron='') { if ($pfb['enable'] == 'on' && $pfb['dnsbl'] == 'on' && $pfb['unbound_state'] == 'on') { // If new domain updates found, backup existing DNSBL domain feed - if ($pfb['domain_update']) { + if ($pfb['domain_update'] || $pfb['domain_clear']) { if (file_exists ("{$pfb['dnsbl_file']}.conf")) { @copy("{$pfb['dnsbl_file']}.conf", "{$pfb['dnsbl_file']}.bk"); } 
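Review bot: The DNSBL clearing branch opens the conf file with `@fopen(...)`, then calls `fwrite($pfb_output, '')` and `@fclose()` without checking the handle, so a failed open is hidden, the stale `pfb_dnsbl.conf` stays in place, and `$pfb['domain_clear']` is still set, so the backup and validation at @@ -3013 and @@ -3034 appear to proceed as if the database had been emptied. Replace the three calls with `if (file_put_contents("{$pfb['dnsbl_file']}.conf", '') === FALSE) { pfb_logger("\nFailed to clear {$pfb['dnsbl_file']}.conf", 1); }` and set `$pfb['domain_clear']` only on success. sync_package_pfblockerng() continues past the hunk.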
@@ -3024,7 +3184,7 @@ function sync_package_pfblockerng($cron='') { // Add 'include:' line in Unbound conf file if not found if (isset($conf) && !strstr(implode($conf), 'pfb_dnsbl.conf')) { if (file_exists("{$pfb['dnsbl_file']}.conf")) { - $log = " Adding Unbound Server:Include line..."; + $log = "\nAdding Unbound Server:Include line..."; pfb_logger("{$log}", 1); $pfbupdate = TRUE; @@ -3034,7 +3194,7 @@ function sync_package_pfblockerng($cron='') { } // Validate new Unbound conf file before use. - if ($pfb['domain_update'] || $pfbupdate) { + if ($pfb['domain_update'] || $pfbupdate || $pfb['domain_clear']) { pfb_validate_unbound('enabled'); } @@ -3110,9 +3270,6 @@ function sync_package_pfblockerng($cron='') { $pfbfolder = $pfbarr['folder']; $pfborig = $pfbarr['orig']; $logtab = $pfbarr['logtab']; - $aports = $pfbarr['aports']; - $adest = $pfbarr['adest']; - $aproto = $pfbarr['aproto']; $continent_ex = array(); // An array of existing Continent IPs $continent = array(); // An array of updated Continent IPs @@ -3218,9 +3375,10 @@ function sync_package_pfblockerng($cron='') { 'detail' => 'DO NOT EDIT THIS ALIAS' ); - // Define firewall rule settings pfb_firewall_rule($continent_config['action'], $pfb_alias, $vtype, $continent_config['aliaslog'], - $adest, $aports, $aproto, $continent_config['autonot']); + $pfbarr['agateway_in'], $pfbarr['agateway_out'], $pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], + $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'], $pfbarr['aaddrnot_out'], + $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']); } else { // unlink Continent list 
@@ -3255,13 +3413,16 @@ function sync_package_pfblockerng($cron='') { // Collect lists and custom list configuration and format into one array ($lists). foreach ($list_type as $ip_type => $vtype) { if (!empty($config['installedpackages'][$ip_type]['config'])) { - foreach ($config['installedpackages'][$ip_type]['config'] as $list) { + foreach ($config['installedpackages'][$ip_type]['config'] as $key => $list) { if ($vtype == '_v4') { $list['vtype'] = '_v4'; } else { $list['vtype'] = '_v6'; } + // Collect list array key location + $list['key'] = "{$key}"; + // If only the 'customlist' is defined. Remove the 'List row' data. if (empty($list['row'][0]['url'])) { unset($list['row']); @@ -3311,7 +3472,8 @@ function sync_package_pfblockerng($cron='') { } // Determine 'list' details (return array $pfbarr) - pfb_determine_list_detail($list['action'], $header, '', ''); + $list_type = 'pfblockernglists' . str_replace('_', '', $list['vtype']); + pfb_determine_list_detail($list['action'], $header, $list_type, $list['key']); $pfbadv = $pfbarr['adv']; $pfbfolder = $pfbarr['folder']; $pfborig = $pfbarr['orig']; @@ -3337,6 +3499,12 @@ function sync_package_pfblockerng($cron='') { pfb_logger("{$log}", 1); $file_dwn = "{$pfborig}/{$header}"; + // Force 'Alias Native' setting to any Alias with 'Advanced Inbound/Outbound -Invert src/dst' settings. + // This will bypass Deduplication and Reputation features. + if ($pfbarr['aaddrnot_in'] == 'on' || $pfbarr['aaddrnot_out'] == 'on') { + pfb_logger("Using Alias Native\n", 1); + } + if (!$custom) { pfb_logger(' .', 1); @@ -3352,6 +3520,9 @@ function sync_package_pfblockerng($cron='') { // Process Emerging Threats IQRisk if required if (strpos($row['url'], 'iprepdata.txt') !== FALSE) { + if (file_exists("{$file_dwn}.raw")) { + exec("/usr/bin/gunzip -c {$file_dwn}.raw > {$file_dwn}.orig"); + } exec("{$pfb['script']} et {$header} x x x x x {$pfb['etblock']} {$pfb['etmatch']} {$elog}"); } } else { 
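Review bot: If `$list_type = 'pfblockernglists' . str_replace('_', '', $list['vtype']);` sits inside the `foreach ($list_type as $ip_type => $vtype)` loop opened at @@ -3255 (the loop's extent is outside the hunk), it reassigns the variable the outer loop is iterating; a by-value foreach walks a copy so the loop still terminates, but the same name then holds an array and a string in one scope, which is easy to misread and would break on a later by-reference change. The outer key `$ip_type` already appears to be the config type string (it indexes `$config['installedpackages'][$ip_type]['config']`), so `pfb_determine_list_detail($list['action'], $header, $ip_type, $list['key']);` would avoid both the rebuild and the shadowing — please confirm the two strings are the same before switching.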
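Review bot: The comment `// Force 'Alias Native' setting to any Alias with 'Advanced Inbound/Outbound -Invert src/dst' settings.` describes an action, but the visible code under it only logs `Using Alias Native`; if the forcing itself happens inside pfb_determine_list_detail() (not in view), the comment should say where, e.g. `// pfb_determine_list_detail() has already switched this Alias to 'Alias Native' (Invert src/dst set); log it here.`, otherwise a reader will look for the assignment and not find it. The enclosing function continues outside the hunk.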
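Review bot: `exec("/usr/bin/gunzip -c {$file_dwn}.raw > {$file_dwn}.orig");` interpolates `$file_dwn`, built from `$pfborig` and the user-defined alias `$header`, into a shell command without quoting. The `\W` check added to pfblockerng_validate_input() at @@ -4501 restricts new headers to word characters, but headers saved before this version are not re-validated, so the command's safety currently depends on a rule enforced in another file at save time. `exec('/usr/bin/gunzip -c ' . escapeshellarg("{$file_dwn}.raw") . ' > ' . escapeshellarg("{$file_dwn}.orig"));` makes it safe regardless of validation; the same applies to the existing `{$pfb['script']} et {$header} ...` call on the next line. The enclosing function runs outside the hunk.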
@@ -3684,10 +3855,6 @@ function sync_package_pfblockerng($cron='') { $pfbadv = $pfbarr['adv']; $pfbdescr = $pfbarr['descr']; $pfbfolder = $pfbarr['folder']; - $aports = $pfbarr['aports']; - $adest = $pfbarr['adest']; - $aproto = $pfbarr['aproto']; - // Only Save aliases that have been updated. // When 'Reputation' is used, all aliases need to be updated. @@ -3745,9 +3912,9 @@ function sync_package_pfblockerng($cron='') { // check custom network list if ($vtype == '_v4') { - $aliasname = "{$list['aliasname']}_custom"; + $aliasname = preg_replace("/\W/", '', $list['aliasname']) . '_custom'; } else { - $aliasname = "{$list['aliasname']}_custom_v6"; + $aliasname = preg_replace("/\W/", '', $list['aliasname']) . '_custom_v6'; } // Update alias if list file exists and its been updated or if the alias URL table is empty. @@ -3787,7 +3954,9 @@ function sync_package_pfblockerng($cron='') { ); // Define firewall rule settings - pfb_firewall_rule($list['action'], $alias, '', $list['aliaslog'], $adest, $aports, $aproto, $list['autonot']); + pfb_firewall_rule($list['action'], $alias, '', $list['aliaslog'], $pfbarr['agateway_in'], $pfbarr['agateway_out'], + $pfbarr['aaddrnot_in'], $pfbarr['aaddr_in'], $pfbarr['aports_in'], $pfbarr['aproto_in'], $pfbarr['anot_in'], + $pfbarr['aaddrnot_out'], $pfbarr['aaddr_out'], $pfbarr['aports_out'], $pfbarr['aproto_out'], $pfbarr['anot_out']); } } else { // unlink previous pfblockerNG alias list @@ -3868,12 +4037,14 @@ function sync_package_pfblockerng($cron='') { // Collect existing pfSense rules 'pass', 'match' and 'other' pfSense rules into new arrays. if (!empty($rules)) { - foreach ($rules as $key => $rule) { + foreach ($rules as $rule) { // Remove DNSBL floating rule if ($rule['descr'] == 'pfB_DNSBL_Allow_access_to_VIP') { // Remove 'created' tag + if (isset($rule['created'])) { + unset($rule['created']); + } $orig_rules_nocreated[] = $rule; - unset($orig_rules_nocreated[$key]['created']); continue; } 
@@ -3917,8 +4088,10 @@ function sync_package_pfblockerng($cron='') { } // Remove 'created' tag + if (isset($rule['created'])) { + unset($rule['created']); + } $orig_rules_nocreated[] = $rule; - unset($orig_rules_nocreated[$key]['created']); } } @@ -3953,7 +4126,7 @@ function sync_package_pfblockerng($cron='') { if ($pfb['enable'] == 'on' && $pfb['dnsbl'] == 'on' && $pfb['dnsbl_rule'] != 'Disabled' && !empty($pfb['dnsblconfig']['dnsbl_allow_int'])) { if (isset($implode_interfaces) && isset($pfb['dnsbl_vip'])) { $rule = $pfb['base_rule_float']; - $rule['tracker'] = pfb_tracker('pfB_DNSBL_Allow_access_to_VIP'); + $rule['tracker'] = pfb_tracker('pfB_DNSBL_Allow_access_to_VIP', '', ''); $rule['type'] = 'pass'; $rule['direction'] = 'any'; $rule['interface'] = $implode_interfaces; @@ -3980,6 +4153,7 @@ function sync_package_pfblockerng($cron='') { if ($pfbrunonce && !empty($pfb['match_inbound'])) { foreach ($pfb['match_inbound'] as $cb_rules) { $cb_rules['interface'] = $pfb['inbound_floating']; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $inbound_interface, 'match_in'); $new_rules[] = $cb_rules; $pfbrunonce = FALSE; } @@ -3987,6 +4161,7 @@ function sync_package_pfblockerng($cron='') { if ($pfb['order'] != 'order_0' && !empty($pfb['permit_inbound'])) { foreach ($pfb['permit_inbound'] as $cb_rules) { $cb_rules['interface'] = $inbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $inbound_interface, 'permit_in'); $new_rules[] = $cb_rules; } } 
@@ -4009,12 +4184,14 @@ function sync_package_pfblockerng($cron='') { if (!empty($pfb['deny_inbound'])) { foreach ($pfb['deny_inbound'] as $cb_rules) { $cb_rules['interface'] = $inbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $inbound_interface, 'deny_in'); $new_rules[] = $cb_rules; } } if ($pfb['order'] == 'order_0' && !empty($pfb['permit_inbound'])) { foreach ($pfb['permit_inbound'] as $cb_rules) { $cb_rules['interface'] = $inbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $inbound_interface, 'permit_in'); $new_rules[] = $cb_rules; } } @@ -4036,6 +4213,7 @@ function sync_package_pfblockerng($cron='') { if ($pfbrunonce && !empty($pfb['match_outbound'])) { foreach ($pfb['match_outbound'] as $cb_rules) { $cb_rules['interface'] = $pfb['outbound_floating']; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $outbound_interface, 'match_out'); $new_rules[] = $cb_rules; $pfbrunonce = FALSE; } @@ -4043,6 +4221,7 @@ function sync_package_pfblockerng($cron='') { if ($pfb['order'] != 'order_0' && !empty($pfb['permit_outbound'])) { foreach ($pfb['permit_outbound'] as $cb_rules) { $cb_rules['interface'] = $outbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $outbound_interface, 'permit_out'); $new_rules[] = $cb_rules; } } @@ -4056,12 +4235,14 @@ function sync_package_pfblockerng($cron='') { if (!empty($pfb['deny_outbound'])) { foreach ($pfb['deny_outbound'] as $cb_rules) { $cb_rules['interface'] = $outbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $outbound_interface, 'deny_out'); $new_rules[] = $cb_rules; } } if ($pfb['order'] == 'order_0' && !empty($pfb['permit_outbound'])) { foreach ($pfb['permit_outbound'] as $cb_rules) { $cb_rules['interface'] = $outbound_interface; + $cb_rules['tracker'] = pfb_tracker($cb_rules['descr'], $outbound_interface, 'permit_out'); $new_rules[] = $cb_rules; } } 
@@ -4181,8 +4362,7 @@ function sync_package_pfblockerng($cron='') { if (file_exists("{$pfb['aliasdir']}/{$final}.txt")) { exec("{$pfb['pfctl']} -t {$final} -T replace -f {$pfb['aliasdir']}/{$final}.txt 2>&1", $result); $log = implode($result); - } - else { + } else { $log = "Aliastable file not found\n"; } pfb_logger("{$log}", 1); @@ -4230,17 +4410,20 @@ function sync_package_pfblockerng($cron='') { pfb_logger("{$log}", 1); $tablesin = $tablesout = array(); - if (!empty($config['filter']['rule'])) { - foreach ($config['filter']['rule'] as $rule) { - - // Collect all 'pfB_' Rules that are 'Block/Reject' and do not have bypass states enabled - if (strpos($rule['descr'], '[s]') === FALSE && ($rule['type'] == 'block' || $rule['type'] == 'reject') && - (strpos($rule['source']['address'], 'pfB_') !== FALSE || strpos($rule['destination']['address'], 'pfB_') !== FALSE)) { - - if (isset($rule['source']['address'])) { - $tablesin[] = $rule['source']['address']; - } else { - $tablesout[] = $rule['destination']['address']; + // Collect all 'pfB_' Rules that are 'Block/Reject' and do not have bypass states enabled + if (isset($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['type'] == 'urltable' && strpos($alias['name'], 'pfB_') !== FALSE && strpos($alias['descr'], '[s]') === FALSE) { + if (isset($config['filter']['rule'])) { + foreach ($config['filter']['rule'] as $rule) { + if ($alias['name'] === $rule['source']['address'] || $alias['name'] === $rule['destination']['address']) { + if (isset($rule['source']['address'])) { + $tablesin[] = $rule['source']['address']; + } else { + $tablesout[] = $rule['destination']['address']; + } + } + } } } } 
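Review bot: The rewritten collection loop no longer checks `$rule['type']`, so the comment `// Collect all 'pfB_' Rules that are 'Block/Reject' and do not have bypass states enabled` is no longer true: a 'pass' rule that references a pfB_ urltable alias (a Permit list) is collected as well, and states matching its IPs are then killed by the loop at @@ -4353. The side test is also wrong: when the alias matched `$rule['destination']['address']` but the rule has an explicit source, `isset($rule['source']['address'])` is true and the source string — which need not be a pfB_ table at all — is pushed into `$tablesin` and later handed to `pfctl -t ... -T test`. Restore the type check and push the alias name for the side that actually matched. sync_package_pfblockerng() continues outside the hunk.
```php
// … unchanged: outer alias loop and the urltable / 'pfB_' / '[s]' checks …
foreach ($config['filter']['rule'] as $rule) {
    if ($rule['type'] != 'block' && $rule['type'] != 'reject') {
        continue;
    }
    if (isset($rule['source']['address']) && $alias['name'] === $rule['source']['address']) {
        $tablesin[] = $alias['name'];
    } elseif (isset($rule['destination']['address']) && $alias['name'] === $rule['destination']['address']) {
        $tablesout[] = $alias['name'];
    }
}
```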
@@ -4292,6 +4475,26 @@ function sync_package_pfblockerng($cron='') { // Remove any duplicate IPs $pfb_supp = array_unique($pfb_supp); + // Collect any 'Permit' Customlist IPs to suppress + $custom_supp = array(); + foreach (array('pfblockernglistsv4', 'pfblockernglistsv6') as $ip_type) { + if (!empty($config['installedpackages'][$ip_type]['config'])) { + foreach ($config['installedpackages'][$ip_type]['config'] as $list) { + if (!empty($list['custom']) && strpos($list['action'], 'Permit_') !== FALSE) { + $custom = explode(PHP_EOL, pfbng_text_area_decode($list['custom'])); + $custom_supp = array_merge($custom_supp, $custom); + } + } + } + } + $custom_supp = array_unique(array_filter($custom_supp)); + // Append '/32' CIDR as required + foreach ($custom_supp as &$custom) { + if (strpos($custom, '/') === FALSE) { + $custom = $custom . '/32'; + } + } + $statesin = $statesout = array(); exec("{$pfb['pfctl']} -s state", $s_matches); if (!empty($s_matches)) { 
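Review bot: `foreach ($custom_supp as &$custom)` leaves `$custom` bound to the last element of `$custom_supp`, and the loop at @@ -4353 then runs `foreach ($custom_supp as $custom)` by value over the same name, which writes each element into that last slot as it iterates; the final custom entry is replaced by the one before it and is never tested against the state IPs. Add `unset($custom);` immediately after the by-reference loop, or build the list without a reference: `$custom_supp = array_map(function ($c) { return strpos($c, '/') === FALSE ? $c . '/32' : $c; }, $custom_supp);`. Separately, the loop also reads `pfblockernglistsv6`, where appending '/32' to an IPv6 address yields a /32 prefix rather than a single host; choosing '/128' for v6 entries (pfSense's is_ipaddrv6() helper, if that is what ip_in_subnet() expects) looks necessary, though I cannot see how ip_in_subnet() treats the mixed case from here.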
@@ -4353,33 +4556,45 @@ function sync_package_pfblockerng($cron='') { foreach (array('<-' => $statesin, '->' => $statesout) as $s_type => $s_state_ips) { foreach ($s_state_ips as $s_ip) { if (!in_array($s_ip, $pfb_supp)) { - if ($s_type == '<-') { - $type = '-Inbound'; - $s_tables = $tablesin; - } else { - $type = '-Outbound'; - $s_tables = $tablesout; + + // Bypass any 'Permit' Customlist IPs + $pfb_suppress = FALSE; + foreach ($custom_supp as $custom) { + if (ip_in_subnet($s_ip, $custom)) { + $pfb_suppress = TRUE; + break; + } } - foreach ($s_tables as $s_table) { - $result = substr(exec("{$pfb['pfctl']} -t {$s_table} -T test {$s_ip} 2>&1"), 0, 1); - if ($result > 0) { - $pfbfound = TRUE; - $log = " [ {$s_table}{$type} ] Removed state(s) for [ {$s_ip} ]\n"; - pfb_logger("{$log}", 1); - foreach ($s_matches as $s_line) { - if (strpos($s_line, $s_type) !== FALSE && strpos($s_line, $s_ip) !== FALSE) { - pfb_logger(" {$s_line}\n", 1); + if (!$pfb_suppress) { + if ($s_type == '<-') { + $type = '-Inbound'; + $s_tables = $tablesin; + } else { + $type = '-Outbound'; + $s_tables = $tablesout; + } + + foreach ($s_tables as $s_table) { + $result = substr(exec("{$pfb['pfctl']} -t {$s_table} -T test {$s_ip} 2>&1"), 0, 1); + if ($result > 0) { + $pfbfound = TRUE; + $log = " [ {$s_table}{$type} ] Removed state(s) for [ {$s_ip} ]\n"; + pfb_logger("{$log}", 1); + foreach ($s_matches as $s_line) { + if (strpos($s_line, $s_type) !== FALSE && strpos($s_line, $s_ip) !== FALSE) { + pfb_logger(" {$s_line}\n", 1); + } } - } - // Remove states - if ($s_type == '<-') { - // Kill all state entries originating from $s_ip - exec("{$pfb['pfctl']} -k {$s_ip}"); - } else { - // Kill all state entries to the target $s_ip - exec("{$pfb['pfctl']} -k 0.0.0.0/0 -k {$s_ip}"); + // Remove states + if ($s_type == '<-') { + // Kill all state entries originating from $s_ip + exec("{$pfb['pfctl']} -k {$s_ip}"); + } else { + // Kill all state entries to the target $s_ip + exec("{$pfb['pfctl']} -k 0.0.0.0/0 
-k {$s_ip}"); + } } } } @@ -4501,6 +4716,9 @@ function pfblockerng_validate_input($post, &$input_errors) { if (substr($value, 0, 1) == ' ' || empty($value)) { $input_errors[] = 'Header field must be defined.'; } + if (preg_match("/\W/", $value)) { + $input_errors[] = 'Header field cannot contain special or international characters.'; + } } if ($key == 'pfb_dnsbl' && $value == 'on') { -- cgit v1.2.3 From 4230277cb8480d00b2664f0e333816f3ac5e32cd Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:14:55 -0400 Subject: Update pfblockerng.php * Improve 'Max daily download failure threshold' feature * Implement 'Advanced Outbound Firewall Rules' customization options. * Fix broken URL for Proofpoint/Emerging Threats IQRisk --- config/pfblockerng/pfblockerng.php | 183 +++++++++++++++++++++++++++++-------- 1 file changed, 147 insertions(+), 36 deletions(-) diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index c88e85a5..bb4964c7 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php 
@@ -142,31 +142,26 @@ function pfb_update_check($header, $list_url, $pfbfolder, $pfborig, $pflex, $for pfb_logger("{$log}", 1); $pfb['cron_update'] = FALSE; - // Determine if previous download fails have exceeded threshold. - if ($pfb['restore'] == 'on') { - if ($pfb['skipfeed'] != 0) { - // Call function to get all previous download fails - pfb_failures(); - - if ($pfb['failed'][$header] >= $pfb['skipfeed']) { - $log = " Max daily download failure attempts exceeded. Clear widget 'failed downloads' to reset.\n\n"; - pfb_logger("{$log}", 1); - unlink_if_exists("{$pfbfolder}/{$header}.fail"); - return; - } - } + // Call function to get all previous download fails + pfb_failures(); - // Attempt download, when a previous 'fail' file marker is found. - if (file_exists("{$pfbfolder}/{$header}.fail")) { - $log = "\t\t\tPrevious download failed.\tRe-attempt download\n"; + if ($pfb['skipfeed'] != 0) { + // Determine if previous download fails have exceeded threshold. ('0' no download failure threshold) + if ($pfb['failed'][$header] >= $pfb['skipfeed']) { + $log = " Max daily download failure attempts exceeded. Clear widget 'failed downloads' to reset.\n\n"; pfb_logger("{$log}", 1); - $pfb['update_cron'] = TRUE; - unlink_if_exists("{$pfbfolder}/{$header}.txt"); + unlink_if_exists("{$pfbfolder}/{$header}.fail"); return; } } - else { - unlink_if_exists("{$pfbfolder}/{$header}.fail"); + + // Attempt download, when a previous 'fail' file marker is found. + if (file_exists("{$pfbfolder}/{$header}.fail")) { + $log = "\t\t\tPrevious download failed.\tRe-attempt download\n"; + pfb_logger("{$log}", 1); + $pfb['update_cron'] = TRUE; + unlink_if_exists("{$pfbfolder}/{$header}.txt"); + return; } // Check if List file doesn't exist or Format is 'whois'. @@ -969,26 +964,32 @@ $xml .= << info - Note: In general, Auto-Rules are created as follows:
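Review bot: `if ($pfb['failed'][$header] >= $pfb['skipfeed'])` now runs for every header once `skipfeed` is non-zero; unless pfb_failures() (not visible here) seeds an entry for every header, a list that has never failed reads an undefined index on each cron run — a notice rather than a logic error, since null >= n is false. `if (isset($pfb['failed'][$header]) && $pfb['failed'][$header] >= $pfb['skipfeed'])` makes the intent explicit. The `$pfb['skipfeed'] != 0` test against a config string relies on loose comparison, whose result for '' changed in PHP 8; `(int)$pfb['skipfeed'] !== 0` is the same test without coercion surprises. pfb_update_check() starts and ends outside the hunk.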
-
    Inbound  - 'any' port, 'any' protocol and 'any' destination
    - Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
- Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
- Select the pfSense 'Port' and/or 'Destination' Alias below:]]> + Note:  In general, Auto-Rules are created as follows:
+
    Inbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.]]>
- autoports + Invert Source + autoaddrnot_in + Invert - Option to invert the sense of the match. + ie - Not (!) Source Address(es)]]> + + checkbox + + Enable Custom Port + autoports_in checkbox - aliasports + aliasports_in begin Define Alias - aliasports + aliasports_in Click Here to add/edit Aliases - Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]>
21 aliases @@ -998,17 +999,17 @@ $xml .= <<end
- autodest Enable Custom Destination + autoaddr_in checkbox - aliasdest,autonot + aliasaddr_in,autonot_in begin - aliasdest + aliasaddr_in Click Here to add/edit Aliases - Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
21 aliases @@ -1019,7 +1020,7 @@ $xml .= << Invert - autonot + autonot_in Invert - Option to invert the sense of the match.
ie - Not (!) Destination Address(es)]]>
@@ -1030,7 +1031,7 @@ $xml .= << Custom Protocol - autoproto + autoproto_in Default: any
Select the Protocol used for Inbound Firewall Rule(s).
Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
select @@ -1043,6 +1044,116 @@ $xml .= <<4
+ + Custom Gateway + agateway_in + + 1 + select_source + + name + name + default + default + + + Advanced Outbound Firewall Rule Settings + listtopic + + + info + Note:  In general, Auto-Rules are created as follows:
+
    Outbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
+ Configuring the Adv. Outbound Rule settings, will allow for more customization of the Outbound Auto-Rules.]]> +
+
+ + Invert Destination + autoaddrnot_out + Invert - Option to invert the sense of the match. + ie - Not (!) Destination Address(es)]]> + + checkbox + + + Enable Custom Port + autoports_out + checkbox + aliasports_out + + begin + + + Define Alias + aliasports_out + Click Here to add/edit Aliases + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> +
+ 21 + aliases + port + + + end +
+ + Enable Custom Source + autoaddr_out + checkbox + aliasaddr_out,autonot_out + + begin + + + aliasaddr_out + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
+ 21 + aliases + network + + + +
+ + Invert + autonot_out + Invert - Option to invert the sense of the match.
+ ie - Not (!) Destination Address(es)]]> +
+ checkbox + + + end +
+ + Custom Protocol + autoproto_out + Default: any
Select the Protocol used for Outbound Firewall Rule(s).
+ Do not use 'any' with Adv. Outbound Rules as it will bypass these settings!]]>
+ select + + + + + + + 4 + +
+ + Custom Gateway + agateway_out + + 1 + select_source + + name + name + default + default + Click to SAVE Settings and/or Rule Edits.   Changes are Applied via CRON or 'Force Update']]> @@ -1384,7 +1495,7 @@ $xmlrep = <<https://rules.emergingthreatspro.com/XXXXXXXXXXXXXXXX/reputation/iprepdata.txt.gz Select the ET IQRisk' format. The URL should use the .gz File Type.
Enter your "ETPRO" code in URL. Further information can be found @ - ET IQRisk IP Reputation

+ Proofpoint IQRisk

To use 'Match' Lists, Create a new 'Alias' and select one of the Action 'Match' Formats and
enter the 'Localfile' as:
    /var/db/pfblockerng/match/ETMatch.txt
-- cgit v1.2.3 From c797fe60e4758f61780ee77b4b5d2a73b1b7bca3 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:18:28 -0400 Subject: Update pfblockerng.sh * Improve Proofpoint/Emerging Threats IQRisk integrations --- config/pfblockerng/pfblockerng.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh index ace6dbfe..9d2ccf02 100644 --- a/config/pfblockerng/pfblockerng.sh +++ b/config/pfblockerng/pfblockerng.sh @@ -779,7 +779,7 @@ processet() { *) echo "${i}" >> "${etdir}/ET_Unknown.txt";; esac done < "${pfborig}${alias}.orig" - data="$(ls ${etdir})" + data="$(ls ${etdir} | sed 's/\.txt//')" printf "%-10s %-25s\n" ' Action' 'Category' echo '-------------------------------------------' @@ -787,13 +787,13 @@ processet() { case "${etblock}" in *$list*) printf "%-10s %-25s\n" ' Block: ' "${list}" - cat "${etdir}/${list}" >> "${tempfile}" + cat "${etdir}/${list}.txt" >> "${tempfile}" ;; esac case "${etmatch}" in *$list*) printf "%-10s %-25s\n" ' Match: ' "${list}" - cat "${etdir}/${list}" >> "${tempfile2}" + cat "${etdir}/${list}.txt" >> "${tempfile2}" ;; esac done @@ -978,4 +978,4 @@ case "${1}" in *) ;; esac -exitnow \ No newline at end of file +exitnow -- cgit v1.2.3 From a57408e6eafbc85309a7f62bd949d350523e140b Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:19:33 -0400 Subject: Update pfblockerng.widget.php --- config/pfblockerng/pfblockerng.widget.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php index c70bd05b..b7e19f7a 100644 --- a/config/pfblockerng/pfblockerng.widget.php +++ b/config/pfblockerng/pfblockerng.widget.php @@ -300,8 +300,8 @@ function pfBlockerNG_get_table($mode='') { $aentries = $values['packets']; } - $packets = "{$values['packets']}"; } else { $packets = $values['packets']; 
@@ -548,4 +548,4 @@ if (!empty($results)) { textlink = document.getElementById(selectIntLink); textlink.style.display = "inline"; //]]> - \ No newline at end of file + -- cgit v1.2.3 From d476a2c4d0d5bd8108aed44bfe91dc14015a3b66 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:29:16 -0400 Subject: Update pfblockerng_alerts.php * Improve dnsbl_suppression() function to account for '#' Comment lines in custom list * Improve DNSBL Suppression to also suppress any CNAMES associated with domain name Hardcode drill command with @8.8.8.8 (May have to add option in future to allow user to override DNS server entry) * Improve Proofpoint/Emerging Threats IQRisk integrations --- config/pfblockerng/pfblockerng_alerts.php | 105 ++++++++++++++++++++---------- 1 file changed, 71 insertions(+), 34 deletions(-) diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index 79cd0d62..13fb64f6 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php @@ -80,6 +80,18 @@ foreach ($aglobal_array as $type => $value) { ${"$type"} = $pfb['aglobal'][$type] != '' ? $pfb['aglobal'][$type] : $value; } +// Collect DNSBL suppression list +$pfb['dsupp'] = &$config['installedpackages']['pfblockerngdnsblsettings']['config'][0]['suppression']; +$dnssupp_ex = array(); +$suppression = pfbng_text_area_decode($pfb['dnsblconfig']['suppression'], TRUE); +if (isset($suppression)) { + foreach ($suppression as $dnssupp) { + // Create 1) array for the suppressed domains 2) A string with the domain and comment text + $dnssupp_ex[] = $dnssupp[0]; + $dnssupp_dat .= "{$dnssupp[0]}{$dnssupp[1]}\r\n"; + } +} + // Save Alerts tab customizations if (isset($_POST['save'])) { $pfb['aglobal']['alertrefresh'] = htmlspecialchars($_POST['alertrefresh']) ?: 'off'; 
@@ -250,21 +262,46 @@ if (isset($_POST['addsuppress'])) { if (isset($_POST['addsuppressdom'])) { $domain = htmlspecialchars($_POST['domain']); $domainparse = str_replace('.', '\.', $domain); - $pfb['dsupp'] = &$config['installedpackages']['pfblockerngdnsblsettings']['config'][0]['suppression']; - // Collect existing suppression list - $dnssupp_ex = collectsuppression(); + // Query for Domain in Unbound DNSBL file. + $dnsbl_query = exec("/usr/bin/grep -Hm1 ' \"{$domainparse} 60 IN A' {$pfb['dnsbl_file']}.conf"); - // Query for domain in Unbound DNSBL file. - $dnsbl_query = exec("/usr/bin/grep -Hm1 ' \"{$domain} 60 IN A' {$pfb['dnsbl_file']}.conf"); + // Query Domain for CNAME(s) + exec("/usr/bin/drill {$domain} @8.8.8.8 | /usr/bin/awk '/CNAME/ {sub(\"\.$\", \"\", $5); print $5;}'", $cname_list); + if (!empty($cname_list)) { + $cname = array(); + $dnsbl_query = 'Found'; + + foreach ($cname_list as $query) { + $cname[] = $query; + } + } // Save new suppress domain to suppress list. if (empty($dnsbl_query)) { - $savemsg = gettext("Domain: [ {$domain} ] does not exist in the Unbound Resolver DNSBL"); + $savemsg = gettext("Domain: [ ") . "{$domain}" . gettext(" ] does not exist in the Unbound Resolver DNSBL"); exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}."); - } else { - // Remove domain from Unbound resolver pfb_dnsbl.conf file - exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf"); + } + else { + if (is_array($cname)) { + // Remove Domain and CNAME(s) in Unbound resolver pfb_dnsbl.conf file + $removed = "{$domain} | "; + $supp_string = "{$domain}\r\n"; + exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf"); + + foreach ($cname as $name) { + $removed .= "{$name} | "; + $supp_string .= "{$name} # CNAME for ({$domain})\r\n"; + exec("{$pfb['sed']} -i '' '/ \"{$name} 60 IN A/d' {$pfb['dnsbl_file']}.conf"); + } + $savemsg = gettext("Removed - Domain|CNAME(s) | ") . 
"{$removed}" + . gettext("from Unbound Resolver DNSBL. You may need to flush your browsers DNS Cache"); + } + else { + // Remove domain from Unbound resolver pfb_dnsbl.conf file + exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf"); + $savemsg = gettext("Removed Domain: [ ") . "{$domain}" . gettext(" ] from Resolver DNSBL. You may need to flush your browsers DNS Cache"); + } $cache_dumpfile = '/var/tmp/unbound_cache'; unlink_if_exists("{$cache_dumpfile}"); @@ -278,14 +315,21 @@ if (isset($_POST['addsuppressdom'])) { } exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}"); + if (is_array($cname)) { + foreach ($cname as $name) { + exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$name}"); + } + } if (!in_array($domain, $dnssupp_ex)) { - $dnssupp_ex[] = $domain; - $dnssupp_new = base64_encode(implode("\n", $dnssupp_ex)); - $pfb['dsupp'] = "{$dnssupp_new}"; + if (is_array($cname)) { + $dnssupp_dat .= "{$supp_string}"; + } else { + $dnssupp_dat .= "{$domain}"; + } + $pfb['dsupp'] = base64_encode($dnssupp_dat); write_config("pfBlockerNG: Added {$domain} to DNSBL suppress list"); } - $savemsg = gettext("Removed Domain: [ {$domain} ] from Unbound Resolver DNSBL. You may need to flush your browsers DNS Cache"); } } @@ -387,7 +431,7 @@ if (isset($config['interfaces'])) { } // Collect DNSBL Interfaces - $dnsbl_int[] = array("{$int['ipaddr']}/{$int['subnet']}", "{$int['descr']}"); + $dnsbl_int[] = array("{$int['ipaddr']}/{$int['subnet']}", "{$int['descr']}"); } } 
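Review bot: `$domain` is `htmlspecialchars($_POST['domain'])`, which is HTML escaping, not shell quoting, and the new `exec("/usr/bin/drill {$domain} @8.8.8.8 | ...")` joins the existing grep, sed and unbound-control calls in interpolating it into a shell command; the CNAME targets read back into `$cname_list` come from a DNS answer and are then interpolated into `sed -i` and `unbound-control flush` the same way. Validate before any of these run — reject `$domain` unless it passes a hostname check (pfSense's is_domain()/is_hostname() helpers, if they are in scope here) and drop any `$cname_list` entry that fails the same check — and wrap the values that do reach the shell with `escapeshellarg()`. Two smaller points: `$domainparse` (dots escaped) is used in the grep but the sed delete patterns still use `$domain`, so an unescaped dot matches any character and can remove neighbouring entries; and the hard-coded `@8.8.8.8` sends the lookup to an external resolver rather than the local Unbound, which the commit message already acknowledges. The surrounding `if (isset($_POST['addsuppressdom']))` block continues past the hunk.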
@@ -458,20 +502,8 @@ if (isset($pf_int)) { $local_hosts = array_merge($local_hosts, array_flip(array_filter($pf_int))); } -// FUNCTION DEFINITIONS - - -// Collect existing suppression list -function collectsuppression() { - global $pfb; - $dnssupp_ex = array(); - $custom_list = pfbng_text_area_decode($pfb['dnsblconfig']['suppression']); - if (!empty($custom_list)) { - $dnssupp_ex = array_filter( explode("\n", pfbng_text_area_decode($pfb['dnsblconfig']['suppression']))); - } - return ($dnssupp_ex); -} +// FUNCTION DEFINITIONS // Host resolve function lookup @@ -1000,8 +1032,6 @@ if ($pfb['dnsbl'] == 'on' && $type == 'DNSBL') { $alert_dom .= "\"> "; - // Collect existing suppression list - $dnssupp_ex = collectsuppression(); if (!in_array($pfbalertdnsbl[8], $dnssupp_ex)) { $supp_dom = " - \ No newline at end of file + -- cgit v1.2.3 From 65ca269b35e0bd54c50fa6d9ff6fa4593273814b Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:32:13 -0400 Subject: Update pfblockerng_dnsbl.xml * Implement 'Advanced Outbound Firewall Rules' customization options (Used when IPs are found in DNSBL Feeds) --- config/pfblockerng/pfblockerng_dnsbl.xml | 148 ++++++++++++++++++++++++++++--- 1 file changed, 134 insertions(+), 14 deletions(-) diff --git a/config/pfblockerng/pfblockerng_dnsbl.xml b/config/pfblockerng/pfblockerng_dnsbl.xml index 250d2e12..4d5b9ca9 100644 --- a/config/pfblockerng/pfblockerng_dnsbl.xml +++ b/config/pfblockerng/pfblockerng_dnsbl.xml @@ -270,26 +270,33 @@
info - Note: In general, Auto-Rules are created as follows:
-
    Inbound  - 'any' port, 'any' protocol and 'any' destination
    - Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
+ Note:  In general, Auto-Rules are created as follows:
+
    Inbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
Select the pfSense 'Port' and/or 'Destination' Alias below:]]>
- autoports + Invert Source + autoaddrnot_in + Invert - Option to invert the sense of the match. + ie - Not (!) Source Address(es)]]> + + checkbox + + Enable Custom Port + autoports_in checkbox - aliasports + aliasports_in begin Define Alias - aliasports + aliasports_in Click Here to add/edit Aliases - Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]>
21 aliases @@ -299,17 +306,17 @@ end
- autodest Enable Custom Destination + autoaddr_in checkbox - aliasdest,autonot + aliasaddr_in,autonot_in begin - aliasdest + aliasaddr_in Click Here to add/edit Aliases - Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
21 aliases @@ -320,7 +327,7 @@
Invert - autonot + autonot_in Invert - Option to invert the sense of the match.
ie - Not (!) Destination Address(es)]]>
@@ -331,7 +338,7 @@
Custom Protocol - autoproto + autoproto_in Default: any
Select the Protocol used for Inbound Firewall Rule(s).
Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
select @@ -344,6 +351,119 @@ 4
+ + Custom Gateway + agateway_in + + + 1 + select_source + + name + name + default + default + + + Advanced Outbound Firewall Rule Settings + listtopic + + + info + Note:  In general, Auto-Rules are created as follows:
+
    Outbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
+ Select the pfSense 'Port' and/or 'Destination' Alias below:]]> +
+
+ + Invert Destination + autoaddrnot_out + Invert - Option to invert the sense of the match. + ie - Not (!) Destination Address(es)]]> + + checkbox + + + Enable Custom Port + autoports_out + checkbox + aliasports_out + + begin + + + Define Alias + aliasports_out + Click Here to add/edit Aliases + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> +
+ 21 + aliases + port + + + end +
+ + Enable Custom Source + autoaddr_out + checkbox + aliasaddr_out,autonot_out + + begin + + + aliasaddr_out + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
+ 21 + aliases + network + + + +
+ + Invert + autonot_out + Invert - Option to invert the sense of the match.
+ ie - Not (!) Destination Address(es)]]> +
+ checkbox + + + end +
+ + Custom Protocol + autoproto_out + Default: any
Select the Protocol used for Inbound Firewall Rule(s).
+ Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
+ select + + + + + + + 4 + +
+ + Custom Gateway + agateway_out + + + 1 + select_source + + name + name + default + default + listtopic @@ -594,4 +714,4 @@ sync_package_pfblockerng(); ]]> - \ No newline at end of file + -- cgit v1.2.3 From 1b11e80090776ad4e870d280d8bea4ba305699df Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:36:40 -0400 Subject: Update pfblockerng_install.inc * Add TLSv1.1 to cURL SSL Options * Upgrade existing 'Advanced Outbound Firewall Rules' variables to new variable format --- config/pfblockerng/pfblockerng_install.inc | 55 +++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_install.inc b/config/pfblockerng/pfblockerng_install.inc index 93599821..5fa23782 100644 --- a/config/pfblockerng/pfblockerng_install.inc +++ b/config/pfblockerng/pfblockerng_install.inc @@ -101,7 +101,7 @@ if (!file_exists("{$pfb['geoipshare']}/{$pfb['maxmind'][0]['file']}") || } curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36'); - curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1'); + curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1.1, TLSv1'); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); 
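Review bot: The new Advanced Outbound section in pfblockerng_dnsbl.xml carries inbound text in three places: the info row says `Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.` where Outbound is meant, the `autoproto_out` description reads `Select the Protocol used for Inbound Firewall Rule(s).` / `Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!`, and the `autonot_out` invert (which applies to the 'Enable Custom Source' alias) says `ie - Not (!) Destination Address(es)`. The equivalent block in pfblockerng.php (@@ -1043) already has the protocol text right, so the two files now disagree; align both on Outbound/Source wording.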
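Review bot: `curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1.1, TLSv1');` sets an OpenSSL cipher-suite list, not a protocol-version policy: 'TLSv1.2' and 'TLSv1' are cipher-string group aliases selecting suites first defined in those versions, and as far as I know the cipher grammar has no 'TLSv1.1' group (TLS 1.1 introduced no suites), so the new token is most likely ignored rather than enabling anything. If the intent is to control which TLS versions the download may negotiate, `CURLOPT_SSLVERSION` with `CURL_SSLVERSION_TLSv1` (or `CURL_SSLVERSION_TLSv1_2` where the download host supports it) is the option; if the intent really is a suite restriction, a comment saying so would stop the next reader taking it for a version list. The adjacent context line `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);` passes 1, which is not the hostname-match setting; libcurl has long rejected or upgraded 1, but the explicit `2` is the value the check is meant to rely on.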
@@ -279,6 +279,59 @@ EOF; update_static_output(" done.\n"); } + +// Upgrade - Adv. Inbound settings to new variable names. +update_static_output("Upgrading Adv. Inbound firewall rule settings ..."); +$ufound = FALSE; +$upgrade_type = array('pfblockernglistsv4', 'pfblockernglistsv6', 'pfblockerngdnsblsettings', 'pfblockerngafrica', 'pfblockerngantartica', + 'pfblockerngasia', 'pfblockerngeurope', 'pfblockerngnorthamerica', 'pfblockerngoceania', 'pfblockerngsouthamerica', + 'pfblockerngtopspammers', 'pfblockerngproxyandsatellite'); + +foreach ($upgrade_type as $type) { + $conf_config = &$config['installedpackages'][$type]['config']; + if (isset($conf_config)) { + foreach ($conf_config as $key => $utype) { + if (isset($utype['autoports'])) { + $ufound = TRUE; + if ($utype['autoports'] == 'on' && !empty($utype['aliasports']) && !isset($conf_config[$key]['autoports_in'])) { + $conf_config[$key]['autoports_in'] = 'on'; + $conf_config[$key]['aliasports_in'] = $utype['aliasports']; + } + unset($conf_config[$key]['autoports']); + unset($conf_config[$key]['aliasports']); + } + if (isset($utype['autodest'])) { + $ufound = TRUE; + if ($utype['autodest'] == 'on' && !empty($utype['aliasdest']) && !isset($conf_config[$key]['autoaddr_in'])) { + $conf_config[$key]['autoaddr_in'] = 'on'; + $conf_config[$key]['aliasaddr_in'] = $utype['aliasdest']; + } + unset($conf_config[$key]['autodest']); + unset($conf_config[$key]['aliasdest']); + } + if (isset($utype['autonot'])) { + $ufound = TRUE; + if ($utype['autonot'] == 'on' && !isset($conf_config[$key]['autonot_in'])) { + $conf_config[$key]['autonot_in'] = $utype['autonot']; + } + unset($conf_config[$key]['autonot']); + } + if (isset($utype['autoproto'])) { + $ufound = TRUE; + $conf_config[$key]['autoproto_in'] = $utype['autoproto']; + unset($conf_config[$key]['autoproto']); + } + } + } +} + +if ($ufound) { + write_config('pfBlockerNG: Upgrade Adv. Inbound Settings.'); + update_static_output(" saving new changes ... 
done.\n"); +} else { + update_static_output(" no changes required ... done.\n"); +} + unset($g['pfblockerng_install']); // Remove 'Install flag' update_static_output("Custom commands completed ... "); return TRUE; -- cgit v1.2.3 From a1d4f30e8bcf4c569f6aff2148b473d96dfba665 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:39:34 -0400 Subject: Update pfblockerng_threats.php * Add Threat IOC lookups to 'safeweb.norton.com' and 'Google SafeBrowsing' --- config/pfblockerng/pfblockerng_threats.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_threats.php b/config/pfblockerng/pfblockerng_threats.php index d1411ea8..ce5c5a54 100644 --- a/config/pfblockerng/pfblockerng_threats.php +++ b/config/pfblockerng/pfblockerng_threats.php @@ -122,13 +122,16 @@ include('fbegin.inc');
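Review bot: `$conf_config = &$config['installedpackages'][$type]['config'];` creates the nested keys when they are absent (binding a reference autovivifies the path), so the following `isset($conf_config)` is false but every listed `$type` now has an `installedpackages[$type]['config']` entry set to null in the in-memory config, and any later `write_config()` persists those stubs even when `$ufound` stays false. Test existence before taking the reference: `if (!isset($config['installedpackages'][$type]['config'])) { continue; }` ahead of the reference assignment. The `== 'on'` comparisons would be safer as `=== 'on'` since the values are strings, and the `autoproto` branch copies its value unconditionally while the other three migrations guard on an existing `_in` key, which looks like an inconsistency worth a one-line comment if it is intentional.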

+ +


- + + -- cgit v1.2.3 From e4317adb0ef5ce25e57008f917bdcd6a11a83ba5 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:40:55 -0400 Subject: Update pfblockerng_top20.xml * Implement 'Advanced Outbound Firewall Rules' customization options --- config/pfblockerng/pfblockerng_top20.xml | 146 +++++++++++++++++++++++++++---- 1 file changed, 131 insertions(+), 15 deletions(-) diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml index ed3354f1..98e385aa 100644 --- a/config/pfblockerng/pfblockerng_top20.xml +++ b/config/pfblockerng/pfblockerng_top20.xml @@ -303,26 +303,32 @@
info - Note: In general, Auto-Rules are created as follows:
-
    Inbound  - 'any' port, 'any' protocol and 'any' destination
    - Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
- Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
- Select the pfSense 'Port' and/or 'Destination' Alias below:]]> + Note:  In general, Auto-Rules are created as follows:
+
    Inbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
+ Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.]]>
- autoports + Invert Source + autoaddrnot_in + Invert - Option to invert the sense of the match. + ie - Not (!) Source Address(es)]]> + + checkbox + + Enable Custom Port + autoports_in checkbox - aliasports + aliasports_in begin Define Alias - aliasports + aliasports_in Click Here to add/edit Aliases - Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]>
21 aliases @@ -332,17 +338,17 @@ end
- autodest Enable Custom Destination + autoaddr_in checkbox - aliasdest,autonot + aliasaddr_in,autonot_in begin - aliasdest + aliasaddr_in Click Here to add/edit Aliases - Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
21 aliases @@ -353,7 +359,7 @@
Invert - autonot + autonot_in Invert - Option to invert the sense of the match.
ie - Not (!) Destination Address(es)]]>
@@ -364,7 +370,7 @@
Custom Protocol - autoproto + autoproto_in Default: any
Select the Protocol used for Inbound Firewall Rule(s).
Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
select @@ -377,6 +383,116 @@ 4
+ + Custom Gateway + agateway_in + + 1 + select_source + + name + name + default + default + + + Advanced Outbound Firewall Rule Settings + listtopic + + + info + Note:  In general, Auto-Rules are created as follows:
+
    Outbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
+ Configuring the Adv. Outbound Rule settings, will allow for more customization of the Outbound Auto-Rules.]]> +
+
+ + Invert Destination + autoaddrnot_out + Invert - Option to invert the sense of the match. + ie - Not (!) Destination Address(es)]]> + + checkbox + + + Enable Custom Port + autoports_out + checkbox + aliasports_out + + begin + + + Define Alias + aliasports_out + Click Here to add/edit Aliases + Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.]]> +
+ 21 + aliases + port + + + end +
+ + Enable Custom Source + autoaddr_out + checkbox + aliasaddr_out,autonot_out + + begin + + + aliasaddr_out + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
+ 21 + aliases + network + + + +
+ + Invert + autonot_out + Invert - Option to invert the sense of the match.
+ ie - Not (!) Destination Address(es)]]> +
+ checkbox + + + end +
+ + Custom Protocol + autoproto_out + Default: any
Select the Protocol used for Outbound Firewall Rule(s).
+ Do not use 'any' with Adv. Outbound Rules as it will bypass these settings!]]>
+ select + + + + + + + 4 + +
+ + Custom Gateway + agateway_out + + 1 + select_source + + name + name + default + default + Click to SAVE Settings and/or Rule Edits.   Changes are Applied via CRON or 'Force Update']]> -- cgit v1.2.3 From 617d670d190722446fd65ed75da9c655da20a50e Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:43:48 -0400 Subject: Update pfblockerng_v4lists.xml * Implement 'Advanced Outbound Firewall Rules' customization options --- config/pfblockerng/pfblockerng_v4lists.xml | 150 +++++++++++++++++++++++++---- 1 file changed, 133 insertions(+), 17 deletions(-) diff --git a/config/pfblockerng/pfblockerng_v4lists.xml b/config/pfblockerng/pfblockerng_v4lists.xml index 24c8b279..aa458af1 100644 --- a/config/pfblockerng/pfblockerng_v4lists.xml +++ b/config/pfblockerng/pfblockerng_v4lists.xml @@ -173,7 +173,7 @@  or  /var/db/pfblockerng/filename
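Review bot: The `Invert` checkbox `autonot_out` is grouped with `Enable Custom Source` / `aliasaddr_out`, yet its help text still reads `ie - Not (!) Destination Address(es)`, so a user ticking it is told the wrong address is being inverted; it should read `ie - Not (!) Source Address(es)`, mirroring how the inbound `autonot_in` text matches its `Enable Custom Destination` group. The `Invert Destination` (`autoaddrnot_out`) field in the same hunk correctly keeps the destination wording, so as written the two descriptions are indistinguishable to the user. The same copied text appears in the corresponding outbound hunks of pfblockerng_v4lists.xml and pfblockerng_v6lists.xml later in this series.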
  • 'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt  (Change 'US' to required code)
-
  • 'Whois': Domain name or AS (ie: facebook.com or AS13414) + 'Header/Label': This field must be unique. This names the file and is referenced in the widget.  (ie: Spamhaus_drop, Spamhaus_edrop)

    ]]> @@ -342,8 +342,8 @@ - stateremoval States Removal + stateremoval With the 'Kill States' option (General Tab), you can disable States removal for this Alias. select @@ -359,25 +359,31 @@ info Note:  In general, Auto-Rules are created as follows:
    -
      Inbound  - 'any' port, 'any' protocol and 'any' destination
      - Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
    - Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
    - Select the pfSense 'Port' and/or 'Destination' Alias below:]]> +
      Inbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
    + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.]]> +
    +
    + + Invert Source + autoaddrnot_in + Invert - Option to invert the sense of the match. + ie - Not (!) Source Address(es)]]> + checkbox - autoports Enable Custom Port + autoports_in checkbox - aliasports + aliasports_in begin Define Alias - aliasports + aliasports_in Click Here to add/edit Aliases - Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]> + Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]>
    21 aliases @@ -387,17 +393,17 @@ end
    - autodest Enable Custom Destination + autoaddr_in checkbox - aliasdest,autonot + aliasaddr_in,autonot_in begin - aliasdest + aliasaddr_in Click Here to add/edit Aliases - Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
    21 aliases @@ -408,7 +414,7 @@
    Invert - autonot + autonot_in Invert - Option to invert the sense of the match.
    ie - Not (!) Destination Address(es)]]>
    @@ -419,7 +425,7 @@
    Custom Protocol - autoproto + autoproto_in Default: any
    Select the Protocol used for Inbound Firewall Rule(s).
    Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
    select @@ -432,6 +438,116 @@ 4
    + + Custom Gateway + agateway_in + + 1 + select_source + + name + name + default + default + + + Advanced Outbound Firewall Rule Settings + listtopic + + + info + Note:  In general, Auto-Rules are created as follows:
    +
      Outbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
    + Configuring the Adv. Outbound Rule settings, will allow for more customization of the Outbound Auto-Rules.]]> +
    +
    + + Invert Destination + autoaddrnot_out + Invert - Option to invert the sense of the match. + ie - Not (!) Destination Address(es)]]> + + checkbox + + + Enable Custom Port + autoports_out + checkbox + aliasports_out + + begin + + + Define Alias + aliasports_out + Click Here to add/edit Aliases + Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]> +
    + 21 + aliases + port + + + end +
    + + Enable Custom Source + autoaddr_out + checkbox + aliasaddr_out,autonot_out + + begin + + + aliasaddr_out + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
    + 21 + aliases + network + + + +
    + + Invert + autonot_out + Invert - Option to invert the sense of the match.
    + ie - Not (!) Destination Address(es)]]> +
    + checkbox + + + end +
    + + Custom Protocol + autoproto_out + Default: any
    Select the Protocol used for Outbound Firewall Rule(s).
    + Do not use 'any' with Adv. Outbound Rules as it will bypass these settings!]]>
    + select + + + + + + + 4 + +
    + + Custom Gateway + agateway_out + + 1 + select_source + + name + name + default + default + IPv4 Custom list listtopic @@ -506,4 +622,4 @@ sync_package_pfblockerng(); ]]> - \ No newline at end of file + -- cgit v1.2.3 From a334449b975420e8e007fdc28ac17ff8d99393d0 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:45:10 -0400 Subject: Update pfblockerng_v6lists.xml * Implement 'Advanced Outbound Firewall Rules' customization options --- config/pfblockerng/pfblockerng_v6lists.xml | 148 +++++++++++++++++++++++++---- 1 file changed, 132 insertions(+), 16 deletions(-) diff --git a/config/pfblockerng/pfblockerng_v6lists.xml b/config/pfblockerng/pfblockerng_v6lists.xml index bc4c6bfa..4a1f879a 100644 --- a/config/pfblockerng/pfblockerng_v6lists.xml +++ b/config/pfblockerng/pfblockerng_v6lists.xml @@ -170,7 +170,7 @@  or  /var/db/pfblockerng/filename
  • 'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v6.txt  (Change 'US' to required code)
-
  • 'Whois': Domain name or AS (ie: facebook.com or AS13414) + 'Header/Label': This field must be unique. This names the file and is referenced in the widget.  (ie: Spamhaus_drop, Spamhaus_edrop)

    ]]> @@ -353,25 +353,31 @@ info Note:  In general, Auto-Rules are created as follows:
    -
      Inbound  - 'any' port, 'any' protocol and 'any' destination
      - Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
    - Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
    - Select the pfSense 'Port' and/or 'Destination' Alias below:]]> +
      Inbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
    + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.]]>
    - autoports + Invert Source + autoaddrnot_in + Invert - Option to invert the sense of the match. + ie - Not (!) Source Address(es)]]> + + checkbox + + Enable Custom Port + autoports_in checkbox - aliasports + aliasports_in begin Define Alias - aliasports + aliasports_in Click Here to add/edit Aliases - Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]> + Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]>
    21 aliases @@ -381,17 +387,17 @@ end
    - autodest Enable Custom Destination + autoaddr_in checkbox - aliasdest,autonot + aliasaddr_in,autonot_in begin - aliasdest + aliasaddr_in Click Here to add/edit Aliases - Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> + Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]>
    21 aliases @@ -402,7 +408,7 @@
    Invert - autonot + autonot_in Invert - Option to invert the sense of the match.
    ie - Not (!) Destination Address(es)]]>
    @@ -413,7 +419,7 @@
    Custom Protocol - autoproto + autoproto_in Default: any
    Select the Protocol used for Inbound Firewall Rule(s).
    Do not use 'any' with Adv. Inbound Rules as it will bypass these settings!]]>
    select @@ -426,6 +432,116 @@ 4
    + + Custom Gateway + agateway_in + + 1 + select_source + + name + name + default + default + + + Advanced Outbound Firewall Rule Settings + listtopic + + + info + Note:  In general, Auto-Rules are created as follows:
    +
      Outbound  - 'any' port, 'any' protocol, 'any' destination and 'any' gateway
    + Configuring the Adv. Outbound Rule settings, will allow for more customization of the Outbound Auto-Rules.]]> +
    +
    + + Invert Destination + autoaddrnot_out + Invert - Option to invert the sense of the match. + ie - Not (!) Destination Address(es)]]> + + checkbox + + + Enable Custom Port + autoports_out + checkbox + aliasports_out + + begin + + + Define Alias + aliasports_out + Click Here to add/edit Aliases + Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]> +
    + 21 + aliases + port + + + end +
    + + Enable Custom Source + autoaddr_out + checkbox + aliasaddr_out,autonot_out + + begin + + + aliasaddr_out + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
    + 21 + aliases + network + + + +
    + + Invert + autonot_out + Invert - Option to invert the sense of the match.
    + ie - Not (!) Destination Address(es)]]> +
    + checkbox + + + end +
    + + Custom Protocol + autoproto_out + Default: any
    Select the Protocol used for Outbound Firewall Rule(s).
    + Do not use 'any' with Adv. Outbound Rules as it will bypass these settings!]]>
    + select + + + + + + + 4 + +
    + + Custom Gateway + agateway_out + + 1 + select_source + + name + name + default + default + IPv6 Custom list listtopic @@ -513,4 +629,4 @@ sync_package_pfblockerng(); ]]> - \ No newline at end of file + -- cgit v1.2.3 From 9bb1bea04d0f3c45c0d13936700a676347e57eeb Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:47:54 -0400 Subject: Update index.php * Mod copyright --- config/pfblockerng/index.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/index.php b/config/pfblockerng/index.php index 804932d2..7705cfe1 100644 --- a/config/pfblockerng/index.php +++ b/config/pfblockerng/index.php @@ -3,7 +3,7 @@ index.php pfBlockerNG (DNSBL) - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. */ header("Cache-Control: private, no-store, no-cache, must-revalidate, max-age=0"); @@ -47,4 +47,4 @@ if (!empty($pfb_query)) { @rename("{$dnsbl_info}.bk", "{$dnsbl_info}"); } } -?> \ No newline at end of file +?> -- cgit v1.2.3 From 595e0485aa425b6107259fa4e9d4465322376413 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:48:14 -0400 Subject: Update pfblockerng.inc * Mod copyright --- config/pfblockerng/pfblockerng.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index 903c73be..e5d3c867 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -3,7 +3,7 @@ pfBlockerNG.inc pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfBlocker by -- cgit v1.2.3 From d304c12ab49cf8eaa469deeee7b085551e0ee67b Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:48:47 -0400 Subject: Update pfblockerng.js * Mod copyright --- config/pfblockerng/pfblockerng.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/pfblockerng/pfblockerng.js b/config/pfblockerng/pfblockerng.js index e1c1ca20..d4bd3a07 100644 --- a/config/pfblockerng/pfblockerng.js +++ b/config/pfblockerng/pfblockerng.js @@ -1,6 +1,6 @@ /* pfBlockerNG update engine */ -// Part of pfBlockerNG by BBCan177@gmail.com (c) 2015 +// Part of pfBlockerNG by BBCan177@gmail.com (c) 2015-2016 // // Javascript and Integration modifications by J. Nieuwenhuizen @@ -76,4 +76,4 @@ function fetch_new_pfBlockerNGcounts() { } /* start local AJAX engine */ -pfBlockerNGtimer = setInterval('fetch_new_pfBlockerNGcounts()', pfBlockerNGupdateDelay); \ No newline at end of file +pfBlockerNGtimer = setInterval('fetch_new_pfBlockerNGcounts()', pfBlockerNGupdateDelay); -- cgit v1.2.3 From 6d840537bb84eee4cda904487ec0d38606c879bc Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:49:04 -0400 Subject: Update pfblockerng.php * Mod copyright --- config/pfblockerng/pfblockerng.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index bb4964c7..075c93cd 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php @@ -3,7 +3,7 @@ pfBlockerNG.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfBlocker by -- cgit v1.2.3 From 9ae8e63f322010276709e1f6430c8c3bbf893ea5 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:49:39 -0400 Subject: Update pfblockerng.sh * Mod copyright --- config/pfblockerng/pfblockerng.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh index 9d2ccf02..c0b4433f 100644 --- a/config/pfblockerng/pfblockerng.sh +++ b/config/pfblockerng/pfblockerng.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # pfBlockerNG IP Reputation Script - By BBcan177@gmail.com - 04-12-14 -# Copyright (c) 2015 BBcan177@gmail.com +# Copyright (c) 2015-2016 BBcan177@gmail.com # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as -- cgit v1.2.3 From 9096992c551740a5a0a60e7232226507b8e54fae Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:49:53 -0400 Subject: Update pfblockerng.widget.php * Mod copyright --- config/pfblockerng/pfblockerng.widget.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php index b7e19f7a..0d563db7 100644 --- a/config/pfblockerng/pfblockerng.widget.php +++ b/config/pfblockerng/pfblockerng.widget.php @@ -3,7 +3,7 @@ pfBlockerNG.widget.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based Upon pfblocker : -- cgit v1.2.3 From 80d5101e1066645a7da2122587e02a18c5ca8609 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:50:13 -0400 Subject: Update pfblockerng.xml * Mod copyright --- config/pfblockerng/pfblockerng.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml index 8db57b1e..a6873922 100644 --- a/config/pfblockerng/pfblockerng.xml +++ b/config/pfblockerng/pfblockerng.xml @@ -9,7 +9,7 @@ pfBlockerNG.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense -- cgit v1.2.3 From f6dc05c49ebe2edc9addc757696645e2b23e8c36 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:50:31 -0400 Subject: Update pfblockerng_alerts.php * Mod copyright --- config/pfblockerng/pfblockerng_alerts.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php index 13fb64f6..a0a1960e 100644 --- a/config/pfblockerng/pfblockerng_alerts.php +++ b/config/pfblockerng/pfblockerng_alerts.php @@ -3,7 +3,7 @@ pfBlockerNG_Alerts.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for -- cgit v1.2.3 From b1bf8cb6c05a312a876670bd664580b6faeba973 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:50:47 -0400 Subject: Update pfblockerng_alerts_ar.php * Mod copyright --- config/pfblockerng/pfblockerng_alerts_ar.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_alerts_ar.php b/config/pfblockerng/pfblockerng_alerts_ar.php index 8de850f3..51285353 100644 --- a/config/pfblockerng/pfblockerng_alerts_ar.php +++ b/config/pfblockerng/pfblockerng_alerts_ar.php @@ -3,7 +3,7 @@ pfBlockerNG_Alerts_AR.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for -- cgit v1.2.3 From e7380876dadf3f89fca2b9fd7338fa8074af185d Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:51:03 -0400 Subject: Update pfblockerng_dnsbl.xml * Mod copyright --- config/pfblockerng/pfblockerng_dnsbl.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_dnsbl.xml b/config/pfblockerng/pfblockerng_dnsbl.xml index 4d5b9ca9..c820a2a6 100644 --- a/config/pfblockerng/pfblockerng_dnsbl.xml +++ b/config/pfblockerng/pfblockerng_dnsbl.xml @@ -9,7 +9,7 @@ pfBlockerNG_dnsbl.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. */ -- cgit v1.2.3 From 02f929f0ef02b9b9bfa36811f205e6db02faa711 Mon Sep 17 00:00:00 2001 
From: BBcan177 Date: Sun, 20 Mar 2016 22:51:27 -0400 Subject: Update pfblockerng_dnsbl_easylist.xml * Mod copyright --- config/pfblockerng/pfblockerng_dnsbl_easylist.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/pfblockerng_dnsbl_easylist.xml b/config/pfblockerng/pfblockerng_dnsbl_easylist.xml index f416e7d8..ebecf07d 100644 --- a/config/pfblockerng/pfblockerng_dnsbl_easylist.xml +++ b/config/pfblockerng/pfblockerng_dnsbl_easylist.xml @@ -9,7 +9,7 @@ pfBlockerNG_dnsbl_easylist.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. */ @@ -281,4 +281,4 @@ sync_package_pfblockerng(); ]]> - \ No newline at end of file + -- cgit v1.2.3 From f9f273f168a12da2dda346d3930d63bb6a894f52 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:51:43 -0400 Subject: Update pfblockerng_dnsbl_lists.xml * Mod copyright --- config/pfblockerng/pfblockerng_dnsbl_lists.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_dnsbl_lists.xml b/config/pfblockerng/pfblockerng_dnsbl_lists.xml index 0b94eaab..1ba0a4f3 100644 --- a/config/pfblockerng/pfblockerng_dnsbl_lists.xml +++ b/config/pfblockerng/pfblockerng_dnsbl_lists.xml @@ -9,7 +9,7 @@ pfBlockerNG_dnsbl_lists.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. */ -- cgit v1.2.3 From 4db23cf354ab5c1e03c5cc5c5fcda0d79b3be82d Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:52:12 -0400 Subject: Update pfblockerng_extra.inc * Mod copyright --- config/pfblockerng/pfblockerng_extra.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/pfblockerng_extra.inc b/config/pfblockerng/pfblockerng_extra.inc index 576f1bc8..577a80a5 100644 --- a/config/pfblockerng/pfblockerng_extra.inc +++ b/config/pfblockerng/pfblockerng_extra.inc 
@@ -3,7 +3,7 @@ pfBlockerNG_extra.inc pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without @@ -128,4 +128,4 @@ function ip_range_to_subnet_array_temp($ip1, $ip2) { return $out; } -?> \ No newline at end of file +?> -- cgit v1.2.3 From 5e78fa21dccebc5790c44ba97f705b01cf7071ea Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:52:30 -0400 Subject: Update pfblockerng_install.inc * Mod copyright --- config/pfblockerng/pfblockerng_install.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_install.inc b/config/pfblockerng/pfblockerng_install.inc index 5fa23782..3ad266fc 100644 --- a/config/pfblockerng/pfblockerng_install.inc +++ b/config/pfblockerng/pfblockerng_install.inc @@ -3,7 +3,7 @@ pfBlockerNG_install.inc pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without -- cgit v1.2.3 From ba7a1df3386c99e45f274a9471e5a9592fb875d0 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:52:42 -0400 Subject: Update pfblockerng_log.php * Mod copyright --- config/pfblockerng/pfblockerng_log.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/pfblockerng_log.php b/config/pfblockerng/pfblockerng_log.php index 9d823038..35c9846f 100644 --- a/config/pfblockerng/pfblockerng_log.php +++ b/config/pfblockerng/pfblockerng_log.php @@ -3,7 +3,7 @@ pfBlockerNG_Log.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for the @@ -441,4 +441,4 @@ if ($savemsg) { - \ No newline at end of file + -- cgit v1.2.3 From 678bc61ce2df30e8b80a2bef72f5d6d65f8aabb5 Mon Sep 17 00:00:00 2001 
From: BBcan177 Date: Sun, 20 Mar 2016 22:53:11 -0400 Subject: Update pfblockerng_sync.xml * Mod copyright --- config/pfblockerng/pfblockerng_sync.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/pfblockerng_sync.xml b/config/pfblockerng/pfblockerng_sync.xml index b5faa4ef..d368c45f 100644 --- a/config/pfblockerng/pfblockerng_sync.xml +++ b/config/pfblockerng/pfblockerng_sync.xml @@ -9,7 +9,7 @@ pfBlockerNG_sync.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense @@ -216,4 +216,4 @@ pfblockerng_sync_on_changes(); ]]> - \ No newline at end of file + -- cgit v1.2.3 From 3ef30fa541615115bfa28f140ab2ef964a2140f4 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:53:54 -0400 Subject: Update pfblockerng_threats.php * Mod copyright --- config/pfblockerng/pfblockerng_threats.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_threats.php b/config/pfblockerng/pfblockerng_threats.php index ce5c5a54..98e11cad 100644 --- a/config/pfblockerng/pfblockerng_threats.php +++ b/config/pfblockerng/pfblockerng_threats.php @@ -3,7 +3,7 @@ pfBlockerNG_threats.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Redistribution and use in source and binary forms, with or without -- cgit v1.2.3 From c6f60f3cad7ce1725c6376d5a74821a2d8ca52c2 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:54:08 -0400 Subject: Update pfblockerng_top20.xml * Mod copyright --- config/pfblockerng/pfblockerng_top20.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml index 98e385aa..2e209035 100644 --- a/config/pfblockerng/pfblockerng_top20.xml +++ b/config/pfblockerng/pfblockerng_top20.xml 
@@ -9,7 +9,7 @@ pfBlockerNG_Top20.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense -- cgit v1.2.3 From 5b833f8cf0855e3d7b18d4585b42c1044ac5add1 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:54:31 -0400 Subject: Update pfblockerng_update.php * Mod copyright --- config/pfblockerng/pfblockerng_update.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_update.php b/config/pfblockerng/pfblockerng_update.php index a723dd5b..3d10a7a6 100644 --- a/config/pfblockerng/pfblockerng_update.php +++ b/config/pfblockerng/pfblockerng_update.php @@ -3,7 +3,7 @@ /* pfBlockerNG_Update.php pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Portions of this code are based on original work done for -- cgit v1.2.3 From d08186e71d315f5b52252b205fefe6742726f939 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:54:48 -0400 Subject: Update pfblockerng_v4lists.xml * Mod copyright --- config/pfblockerng/pfblockerng_v4lists.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pfblockerng/pfblockerng_v4lists.xml b/config/pfblockerng/pfblockerng_v4lists.xml index aa458af1..e52d107c 100644 --- a/config/pfblockerng/pfblockerng_v4lists.xml +++ b/config/pfblockerng/pfblockerng_v4lists.xml @@ -9,7 +9,7 @@ pfBlockerNG_v4lists.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense -- cgit v1.2.3 From 557cce345f52f44e9bf8747bcba68bd70e2fa5e0 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 22:55:01 -0400 Subject: Update pfblockerng_v6lists.xml * Mod copyright --- config/pfblockerng/pfblockerng_v6lists.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/pfblockerng/pfblockerng_v6lists.xml b/config/pfblockerng/pfblockerng_v6lists.xml index 4a1f879a..9ca39b1d 100644 --- a/config/pfblockerng/pfblockerng_v6lists.xml +++ b/config/pfblockerng/pfblockerng_v6lists.xml @@ -9,7 +9,7 @@ pfBlockerNG_v6lists.xml pfBlockerNG - Copyright (c) 2015 BBcan177@gmail.com + Copyright (c) 2015-2016 BBcan177@gmail.com All rights reserved. Based upon pfblocker for pfSense -- cgit v1.2.3 From 9e390ac951ecbc4850c31d472e180acb65d684b3 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sun, 20 Mar 2016 23:03:01 -0400 Subject: Bump Version * Change Forum thread to 'pfBlockerNG v2.0 w/DNSBL' --- pkg_config.10.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 50690e1e..c3c70cdc 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -116,12 +116,12 @@ ]]> Security - https://forum.pfsense.org/index.php?topic=86212.0 + https://forum.pfsense.org/index.php?topic=102470.0 https://packages.pfsense.org/packages/config/pfblockerng/pfblockerng.xml - 2.0.4 + 2.0.5 RELEASE 2.2 - BBCan177@gmail.com + BBcan177@gmail.com pfblockerng.xml bin/geoiplookup:net/GeoIP bin/grepcidr:net-mgmt/grepcidr bin/aggregate:net-mgmt/aggregate bin/mwhois:net/whois net -- cgit v1.2.3 From 2faa1392b45db8ad9f92cc58420d592a50134765 Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Mon, 21 Mar 2016 18:06:16 -0400 Subject: Update pfblockerng.php --- config/pfblockerng/pfblockerng.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index 075c93cd..8b58e336 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php @@ -687,7 +687,7 @@ $xml = << Date: Sat, 26 Mar 2016 10:34:46 -0400 Subject: Update pfblockerng.inc * Remove leading/trailing whitespaces --- config/pfblockerng/pfblockerng.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index e5d3c867..437d912d 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc
@@ -260,15 +260,15 @@ function pfbng_text_area_decode($text, $mode=FALSE) {
 if (substr(trim($line), 0, 1) != '#' && !empty($line)) {
 if (strpos($line, '#') !== FALSE) {
 if ($mode) {
- $custom[] = preg_split('/(?=#)/', $line);
+ $custom[] = preg_split('/\s+(?=#)/', trim($line));
 } else {
 $custom .= trim(strstr($line, '#', TRUE)) . "\n";
 }
 } else {
 if ($mode) {
- $custom[][0] = $line;
+ $custom[][0] = trim($line);
 } else {
- $custom .= $line . "\n";
+ $custom .= trim($line) . "\n";
 }
 }
 }
-- cgit v1.2.3
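Review bot: The new split pattern `\s+(?=#)` in the `$mode` branch no longer separates a trailing comment that is not preceded by whitespace (an entry such as `example.com#note`), while the non-`$mode` branch still cuts at any `#` via `strstr($line, '#', TRUE)`, so the two branches now disagree on where an entry ends. If the caller takes element `[0]` as the list entry, such a line would presumably carry the `#note` text through into whatever is built from it; making the whitespace optional keeps the trimming and matches the other branch: `$custom[] = preg_split('/\s*(?=#)/', trim($line));`. `preg_split()` also returns `false` on a PCRE error, which would then be stored in `$custom[]` in place of an array, so a `=== false` check before the assignment would make that failure explicit. The enclosing loop and the rest of pfbng_text_area_decode() are outside the hunk.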