From b46cdd37023fccc545db507b939f70bf8af7f7a0 Mon Sep 17 00:00:00 2001
From: Marcello Coutinho <marcellocoutinho@gmail.com>
Date: Thu, 10 Oct 2013 00:41:08 -0300
Subject: bind - add rate limit option

---
 config/bind/bind.inc | 17 +++++++++++++++--
 config/bind/bind.xml | 52 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 55 insertions(+), 14 deletions(-)

(limited to 'config/bind')

diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index d1ff106f..4e01214a 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -72,7 +72,20 @@ $bind_conf .= <<<EOD
 
 		max-cache-size $ram_limit;\n
 EOD;
-
+	// check response rate limit option
+	//https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
+	//http://ss.vix.su/~vjs/rl-arm.html
+	if ($bind['rate_enabled']=="on"){
+		$rate_limit=($bind['rate_limit']?$bind['rate_limit']:"15");
+		$log_only=($bind['log_only']=="no"?"no":"yes");
+		$bind_conf .= <<<EOD
+		rate-limit {
+			responses-per-second {$rate_limit};
+			log-only {$log_only};
+    		};
+    	
+EOD;
+	}
 	//check ips to listen on
 	if (preg_match("/All/",$bind['listenon'])){
 		$bind_listenonv6="Any;";
@@ -97,7 +110,7 @@ EOD;
 	}
 	$bind_listenonv6=($bind_listenonv6==""?"none;":$bind_listenonv6);
 	$bind_listenon=($bind_listenon==""?"none;":$bind_listenon);
-	print "<PRE>$bind_listenonv6 $bind_listenon";
+	//print "<PRE>$bind_listenonv6 $bind_listenon";
 	if (key_exists("ipv6allow",$config['system'])){
 		$bind_conf .="\t\tlisten-on-v6 { $bind_listenonv6 };\n";
 		}
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index a3b9e572..97dc7012 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -124,6 +124,11 @@
                 <item>http://www.pfsense.org/packages/config/bind/pkg_bind.inc</item>
         </additional_files_needed>
         <fields>
+                <field>
+                        <type>listtopic</type>
+                        <name>Daemon Settings</name>
+                        <fieldname>temp01</fieldname>
+                </field>
                 <field>
                         <fielddescr>Enable Bind</fielddescr>
                         <fieldname>enable_bind</fieldname>
@@ -132,6 +137,15 @@
                         <type>checkbox</type>
                         <required/>
                 </field>
+              <field>
+                        <fielddescr>Listen-on</fielddescr>
+                        <fieldname>listenon</fieldname>
+                        <description><![CDATA[Enable Named to listen on.]]></description>
+                        <type>interfaces_selection</type>
+                        <showlistenall/>
+                        <showvirtualips/>
+                        <multiple/>
+                </field>
                 <field>
                         <fielddescr>Enable logging</fielddescr>
                         <fieldname>bind_logging</fieldname>
@@ -151,27 +165,43 @@
                         <type>checkbox</type>
                 </field>
                 <field>
-					<fielddescr>Limitar Memory RAM</fielddescr>
+					<fielddescr>Limit Memory use</fielddescr>
 					<fieldname>bind_ram_limit</fieldname>
-					<description>Limits the use of RAM for the DNS when much use does not exhaust the resources of the machine, recommend 256M</description>
+					<description>Limits RAM use for DNS server, recommend 256M</description>
 					<type>input</type>
                 	<size>10</size>
 					<default_value>256M</default_value>
                	</field>
                 <field>
                         <type>listtopic</type>
-                        <name>Listen on Interfaces</name>
+                        <name>Response limit</name>
                         <fieldname>temp01</fieldname>
                 </field>
                 <field>
-                        <fielddescr>Listen-on</fielddescr>
-                        <fieldname>listenon</fieldname>
-                        <description><![CDATA[Enable Named to listen on.]]></description>
-                        <type>interfaces_selection</type>
-                        <showlistenall/>
-                        <showvirtualips/>
-                        <multiple/>
+                        <fielddescr>Rate limit</fielddescr>
+                        <fieldname>rate_enabled</fieldname>
+                        <description>Limit/rate response queries to prevent DOS attack.</description>
+                        <type>checkbox</type>
+                        <enablefields>rate_limit,log_only</enablefields>
+                </field>
+				<field>
+					<fielddescr>Limit Action</fielddescr>
+					<fieldname>log_only</fieldname>
+					<description>Select what to do when a query reaches a limit.</description>
+					<type>select</type>
+						<options>
+							<option><name>Deny query</name><value>no</value></option>
+							<option><name>Log only</name><value>yes</value></option>
+						</options>
+				</field>
+				<field>
+					<fielddescr>limit</fielddescr>
+					<fieldname>rate_limit</fieldname>
+					<description>Set rate limit. Default to 15.</description>
+					<type>input</type>
+                	<size>10</size>
                 </field>
+
                 <field>
                         <type>listtopic</type>
                         <name>Forwarder Config</name>
@@ -211,8 +241,6 @@
     	<custom_php_after_head_command>
     	</custom_php_after_head_command>
         <custom_php_command_before_form>
-                bind_views_before_form_dest(&amp;$pkg,"bindacls","name","listenonv6");
-                bind_views_before_form_dest(&amp;$pkg,"bindacls","name","listenon");
         </custom_php_command_before_form>
         <custom_add_php_command>
         </custom_add_php_command>
-- 
cgit v1.2.3