From 0946cc52048c95dbf8a2c17578578be30d270c58 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Sat, 22 May 2010 22:43:59 -0400 Subject: Adding IP-Blocklist package: This package uses the pf (pfctl) to block IP addresses. For each IP range or list added a pf table is made and applied to the firewall to prevent traffic from being sent to and traffic from being received from the target. You can either enter an IP range manually (experimental) or add a list from sites like iblocklist.com. Tested on 1.2.2 and 1.2.3 with FF and IE. --- config/ipblocklist/IP-Blocklist.sh | 1 + config/ipblocklist/convert-execute.sh | 77 ++++++++++++++++ config/ipblocklist/convert.pl | 67 ++++++++++++++ config/ipblocklist/index.tmp | 11 +++ config/ipblocklist/ipblocklist.inc | 130 ++++++++++++++++++++++++++ config/ipblocklist/ipblocklist.tmp | 156 ++++++++++++++++++++++++++++++++ config/ipblocklist/ipblocklist.xml | 145 +++++++++++++++++++++++++++++ config/ipblocklist/ipblocklist_list.tmp | 115 +++++++++++++++++++++++ config/ipblocklist/manual_add.tmp | 69 ++++++++++++++ config/ipblocklist/purge.tmp | 26 ++++++ config/ipblocklist/purgeip.tmp | 26 ++++++ 11 files changed, 823 insertions(+) create mode 100755 config/ipblocklist/IP-Blocklist.sh create mode 100755 config/ipblocklist/convert-execute.sh create mode 100755 config/ipblocklist/convert.pl create mode 100755 config/ipblocklist/index.tmp create mode 100755 config/ipblocklist/ipblocklist.inc create mode 100755 config/ipblocklist/ipblocklist.tmp create mode 100755 config/ipblocklist/ipblocklist.xml create mode 100755 config/ipblocklist/ipblocklist_list.tmp create mode 100755 config/ipblocklist/manual_add.tmp create mode 100755 config/ipblocklist/purge.tmp create mode 100755 config/ipblocklist/purgeip.tmp (limited to 'config/ipblocklist') diff --git a/config/ipblocklist/IP-Blocklist.sh b/config/ipblocklist/IP-Blocklist.sh new file mode 100755 index 00000000..14ca535d --- /dev/null +++ b/config/ipblocklist/IP-Blocklist.sh 
@@ -0,0 +1 @@
+/usr/local/www/packages/ipblocklist/convert-execute.sh
\ No newline at end of file
diff --git a/config/ipblocklist/convert-execute.sh b/config/ipblocklist/convert-execute.sh
new file mode 100755
index 00000000..f50baa98
--- /dev/null
+++ b/config/ipblocklist/convert-execute.sh
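Review bot: The rc.d wrapper runs convert-execute.sh by absolute path but never changes directory, while convert-execute.sh refers to `lists`, `convert.pl`, `file_list.txt` and `errorOUT.txt` relative to the current directory, so when it is started from rc.d at boot (where the working directory is unlikely to be the package directory) the list processing will not find its inputs. The file also has no interpreter line, which rc.d scripts are expected to carry. Suggest the wrapper become the three lines `#!/bin/sh`, `cd /usr/local/www/packages/ipblocklist || exit 1` and `exec ./convert-execute.sh`.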
@@ -0,0 +1,77 @@ +pfctl -t ipblocklist -T kill +sed -i -e '/ipblocklist/d' /tmp/rules.debug + +#ipfw -f -q flush (Version 0.1.4) +ls lists > file_list.txt +filelist="file_list.txt" + +#READ contents in file_list.txt and process as file +for fileline in $(cat $filelist); do +iplist="lists/$fileline" +iplistout="lists/ipfw.ipfw" +perl convert.pl $iplist $iplistout +done +#echo "ipfw made" + +#clean up ipfw.ipfw (duplicates) +rm lists/ipfw.ipfwTEMP +sort lists/ipfw.ipfw | uniq -u >> lists/ipfw.ipfwTEMP +mv lists/ipfw.ipfwTEMP lists/ipfw.ipfw +#echo "ipfw clean" + + + +#Now edit /tmp/rules.debug + +#find my line for table +export i=`grep -n 'block quick from any to ' /tmp/rules.debug | grep -o '[0-9]\{2\}'` +export t=`grep -n 'User Aliases' /tmp/rules.debug |grep -o '[0-9]'` + +i=$(($i+'1')) +t=$(($t+'1')) +#echo $i +#echo $t + +rm /tmp/rules.debug.tmp + +#Insert table-entry limit +sed -i -e '/900000/d' /tmp/rules.debug +while read line + do a=$(($a+1)); + #echo $a; + if [ "$a" = "$t" ]; then + echo "" >> /tmp/rules.debug.tmp + echo "set limit table-entries 900000" >> /tmp/rules.debug.tmp + fi + echo $line >> /tmp/rules.debug.tmp +done < "/tmp/rules.debug" + +mv /tmp/rules.debug /tmp/rules.debug.old +mv /tmp/rules.debug.tmp /tmp/rules.debug + +pfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1 + +rm /tmp/rules.debug.tmp +#Insert ipblocklist rules +a="0" +echo $a +while read line + do a=$(($a+1)); + echo $a; + if [ "$a" = "$i" ]; then + echo "" >> /tmp/rules.debug.tmp + echo "#ipblocklist" >> /tmp/rules.debug.tmp + echo "table persist file '/usr/local/www/packages/ipblocklist/lists/ipfw.ipfw'" >> /tmp/rules.debug.tmp + echo "block quick from to any label 'IP-Blocklist'" >> /tmp/rules.debug.tmp + echo "block quick from any to label 'IP-Blocklist'" >> /tmp/rules.debug.tmp + fi + echo $line >> /tmp/rules.debug.tmp +done < "/tmp/rules.debug" + +mv /tmp/rules.debug /tmp/rules.debug.old +mv /tmp/rules.debug.tmp /tmp/rules.debug + +#Now execute the ipfw list (Take a long 
time in old version) +#sh lists/ipfw.ipfw (Version 0.1.4) +rm errorOUT.txt +pfctl -o basic -f /tmp/rules.debug > errorOUT.txt 2>&1 diff --git a/config/ipblocklist/convert.pl b/config/ipblocklist/convert.pl new file mode 100755 index 00000000..44b4add2 --- /dev/null +++ b/config/ipblocklist/convert.pl @@ -0,0 +1,67 @@ +#!/usr/bin/perl -w +use strict; + +if($#ARGV != 1) { + print("Usage: $0 \n"); + exit(1); +} + +my ($line,$title,$iprange,$cidr); +my $i = 30000; + +open(INFILE,'<',$ARGV[0]) or die("Could not open input file $ARGV[0]"); +open(OUTFILE,'>>',$ARGV[1]) or die("Could not open output file $ARGV[1]"); + +foreach $line () { + chomp($line); + $line =~ s/:((\d{1,3}[-\.]*){8})//; + $iprange = $1; + print OUTFILE "#$line\n"; + foreach $cidr (split(/\n/,range($iprange))) { + print OUTFILE "$cidr\n"; + #print OUTFILE "ipfw -q add 1000 drop ip from any to $cidr\n"; (version 0.1.4) + #$i++; + #print OUTFILE "ipfw -q add 1001 drop ip from $cidr to any\n"; (version 0.1.4) + #$i++; + } +} + +close(INFILE); +close(OUTFILE); + +sub ntoa { + return join ".",unpack("CCCC",pack("N",shift)); +} +sub aton { + return unpack 'N', pack 'C4', split/\./, shift; +} +sub deaggregate { + my $thirtytwobits = 4294967295; + my $start = shift; + my $end = shift; + my $base = $start; + my ($step,$output); + while ($base <= $end) { + $step = 0; + while (($base | (1 << $step)) != $base) { + if (($base | (((~0) & $thirtytwobits) >> (31-$step))) > $end) { + last; + } + $step++; + } + if($step == 0) { + $output .= ntoa($base); + }else{ + $output .= ntoa($base)."/" .(32-$step); + } + $output .= "\n"; + $base += 1 << $step; + } + return $output; +} +sub range { + my ($address,$address2) = split /-/, shift; + $address = aton($address); + $address2 = aton($address2); + return deaggregate($address,$address2); +} \ No newline at end of file diff --git a/config/ipblocklist/index.tmp b/config/ipblocklist/index.tmp new file mode 100755 index 00000000..7c768af6 --- /dev/null 
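Review bot: The clean-up step `sort lists/ipfw.ipfw | uniq -u >> lists/ipfw.ipfwTEMP` does the opposite of de-duplication: `uniq -u` prints only lines that occur exactly once, so any range that appears in two or more of the downloaded lists is dropped from the table entirely and is never blocked; `sort -u lists/ipfw.ipfw > lists/ipfw.ipfwTEMP` is what is intended. Both `while read line` loops that copy /tmp/rules.debug use `read` without `-r` and write with `echo $line` unquoted, so backslashes, runs of whitespace and glob characters in existing rules are altered as the ruleset is rewritten; `read -r line` and `printf '%s\n' "$line" >> /tmp/rules.debug.tmp` copy the rules verbatim. The insertion points are derived with `grep -o '[0-9]\{2\}'` and `grep -o '[0-9]'`, which only yield a single correct number when the matching line happens to have a two-digit or one-digit line number respectively, so the position of the inserted table and block rules depends on the size of the generated ruleset; cutting the `N:` prefix from `grep -n` output (`cut -d: -f1`) is the reliable form.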
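Review bot: In the main `foreach` loop `$iprange = $1` is assigned whether or not the preceding `s/:((\d{1,3}[-\.]*){8})//` matched; on a non-matching line (a blank line or a comment in a downloaded list) `$1` still holds the capture from the previous line, so that range is emitted again under the wrong title, and on a first-line mismatch `range()` receives undef. Guard on the match and scope the capture to the loop body: `next unless $line =~ s/:((\d{1,3}[-\.]*){8})//;` followed by `my $iprange = $1;`. The bareword `INFILE`/`OUTFILE` handles would be better as lexical handles (`open my $in, '<', $ARGV[0] or die "open $ARGV[0]: $!";`), and `$i` is only touched in commented-out code and can go. The loop header reads as `foreach $line () {` in this rendering, presumably `<INFILE>` lost to angle-bracket stripping.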
+++ b/config/ipblocklist/index.tmp @@ -0,0 +1,11 @@ + + + + + + + \ No newline at end of file diff --git a/config/ipblocklist/ipblocklist.inc b/config/ipblocklist/ipblocklist.inc new file mode 100755 index 00000000..a950d188 --- /dev/null +++ b/config/ipblocklist/ipblocklist.inc 
@@ -0,0 +1,130 @@ +10^x|1024->2^x] + $s=array('B', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB'); + $e=floor(log($bytes,$convention)); + return round($bytes/pow($convention,$e),2).' '.$s[$e]; +} + + + + +function php_sync_package() +{ + global $config; +} + + +function php_install_command() +{ + + global $config; + conf_mount_rw(); + config_lock(); + + if (!is_dir('/usr/local/www/packages/')) { + exec("mkdir /usr/local/www/packages/"); + } + + if (!is_dir('/usr/local/www/packages/ipblocklist/')) { + exec("mkdir /usr/local/www/packages/ipblocklist/"); + } + + + //install PERL + exec("pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/All/perl-5.8.9_2.tbz"); + exec("pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/All/p5-Net-CIDR-0.13.tbz"); + + //rename PHP files from .tmp to .php + exec("cp /tmp/ipblocklist.tmp /usr/local/www/packages/ipblocklist/ipblocklist.php"); + unlink_if_exists("/tmp/ipblocklist.tmp"); + exec("cp /tmp/ipblocklist_list.tmp /usr/local/www/packages/ipblocklist/ipblocklist_list.php"); + unlink_if_exists("/tmp/ipblocklist_list.tmp"); + exec("cp /tmp/purge.tmp /usr/local/www/packages/ipblocklist/purge.php"); + unlink_if_exists("/tmp/purge.tmp"); + exec("cp /tmp/index.tmp /usr/local/www/packages/ipblocklist/index.php"); + unlink_if_exists("/tmp/index.tmp"); + exec("cp /tmp/manual_add.tmp /usr/local/www/packages/ipblocklist/manual_add.php"); + unlink_if_exists("/tmp/manual_add.tmp"); + exec("cp /tmp/purgeip.tmp /usr/local/www/packages/ipblocklist/purgeip.php"); + unlink_if_exists("/tmp/purgeip.tmp"); + //Get scripts + exec("cp /tmp/convert.pl /usr/local/www/packages/ipblocklist/convert.pl"); + unlink_if_exists("/tmp/convert.pl"); + exec("cp /tmp/convert-execute.sh /usr/local/www/packages/ipblocklist/convert-execute.sh"); + unlink_if_exists("/tmp/convert-execute.sh"); + exec("cp /tmp/IP-Blocklist.sh /usr/local/etc/rc.d/IP-Blocklist.sh"); + unlink_if_exists("/tmp/convert-execute.sh"); + + + + 
conf_mount_ro(); + config_unlock(); +} + + +function deinstall_command() +{ + conf_mount_rw(); + $handle = popen("/usr/local/etc/rc.d/ipblocklist.sh stop", "r"); + unlink_if_exists("/usr/local/pkg/ipblocklist.xml"); + unlink_if_exists("/usr/local/pkg/ipblocklist.inc"); + exec("rm -R /usr/local/www/packages/ipblocklist/ipblocklists"); + exec("rm -R /usr/local/www/packages/ipblocklist"); + exec("rm /usr/local/etc/rc.d/IP-Blocklist.sh"); + exec("pfctl -t ipblocklist -T kill"); + exec("ipfw -f flush"); + conf_mount_ro(); +} + +?> \ No newline at end of file diff --git a/config/ipblocklist/ipblocklist.tmp b/config/ipblocklist/ipblocklist.tmp new file mode 100755 index 00000000..cf61bfc8 --- /dev/null +++ b/config/ipblocklist/ipblocklist.tmp 
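Review bot: In php_install_command the last copy installs `/tmp/IP-Blocklist.sh` into rc.d, but the clean-up that follows repeats `unlink_if_exists("/tmp/convert-execute.sh")`, leaving the staged rc script behind in /tmp; it should be `unlink_if_exists("/tmp/IP-Blocklist.sh");`. In deinstall_command the stop call targets `/usr/local/etc/rc.d/ipblocklist.sh`, while the file installed and later removed is `IP-Blocklist.sh`, so the stop never runs, and the `popen` handle is never closed with `pclose`, so its exit status is discarded. The two `pkg_add -r` lines fetch Perl packages from a fixed 7.2-RELEASE/i386 path over plain FTP with no integrity check and no check of the exit status, which deserves at least a comment since the install silently depends on that mirror layout and on the download succeeding.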
@@ -0,0 +1,156 @@ +0) { + + conf_mount_rw(); + + $ent = array(); + + if ($_POST['enable'] == 1) { + //echo "enabled"; + $config['installedpackages']['ipblocklist_settings']['config'][0]['enable'] = 1; + + //Load ipfw.ko + //exec("kldload ipfw.ko"); (Version 0.1.4) + //Process list by downloading and extracting + $myFile = "lists.txt"; + $fileContents = file_get_contents($myFile); + $lines = explode(PHP_EOL, $fileContents); + //Remove DIR lists to eliminate duplates + exec("rm -R lists"); + //Process each list URL, Extract, and put in DIR lists + exec("mkdir lists"); + foreach ($lines as $line) { + exec("fetch -o lists $line"); + $filename = basename($line); + //Extract list + exec("gzip -d lists/$filename"); + } + //Prep pfctl + mwexec("touch lists/ipfw.ipfw"); + //Now clear ipfw, and process each list to ipfw commands + mwexec("sh convert-execute.sh"); + + } + else { + //echo "disabled"; + $config['installedpackages']['ipblocklist_settings']['config'][0]['enable'] = 0; + //Clear Lists + mwexec("ipfw -f flush"); + mwexec("pfctl -t ipblocklist -T kill"); + mwexec("rm -R /usr/local/www/packages/ipblocklist/lists"); + mwexec("sed -i -e '/ipblocklist/d' /tmp/rules.debug"); + mwexec("pfctl -o basic -f /tmp/rules.debug"); + //Clear errorOUT.txt + mwexec("rm errorOUT.txt"); + + } + + + write_config(); + //services_dnsmasq_configure(); + sleep(1); + $savemsg_dnsb = "IP-Blocklist settings have been saved/updated. "; + conf_mount_ro(); +} +?> + + +

Firewall: IP-Blocklist

+
+ +\n"; +} +else { + echo "\n"; +} +?> + +Enable IP-Blocklist

+ + + + +
+ + + +
+ +
+
+ Usage +
+ Add direct link to list and press + (Example: + Level1, + Level2, + Level3) +
+ Compressed lists should have .gz extention
+
+ +
Warning! - Apply after each reboot or firewall change. Use at your own risk. +
Current Status = "; + ob_start(); + $results = exec("pfctl -s rules | grep -c ipblocklist"); + ob_end_clean(); + if ($results == '2') echo "Running"; + else + echo "NOT running"; + + //Get Errors if exists + ob_start(); + $results = exec("tail -r errorOUT.txt"); + ob_end_clean(); + echo "
"; + echo $results; + echo ""; + ?> + + + +
+
+ + + + + +"; +?> + +
+ + + + + + + \ No newline at end of file diff --git a/config/ipblocklist/ipblocklist.xml b/config/ipblocklist/ipblocklist.xml new file mode 100755 index 00000000..9b9e3c72 --- /dev/null +++ b/config/ipblocklist/ipblocklist.xml @@ -0,0 +1,145 @@ + + + + + + + + IP Blocklist + perl + http://forum.pfsense.org/index.php/topic,24769.0.html + IP Blocklist Settings + 0.1.9 + Settings + /usr/local/pkg/ipblocklist.inc + + IP Blocklist + IP Blocklist settings. +
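Review bot: In the enable branch the URLs read from lists.txt are passed to the shell unquoted, `exec("fetch -o lists $line")` and `exec("gzip -d lists/$filename")`, and lists.txt is populated from a request parameter on the list page, so any shell metacharacter in a submitted entry is interpreted with the web server's privileges. Quote both arguments, `exec("fetch -o lists " . escapeshellarg($line));` and `exec("gzip -d " . escapeshellarg("lists/$filename"));`, and skip empty lines, since `explode(PHP_EOL, ...)` yields a trailing empty entry that turns into a bare `fetch -o lists`. Further down, the output of `tail -r errorOUT.txt` is echoed into the page unescaped; `echo htmlspecialchars($results);` keeps pfctl's error text, which contains rule fragments derived from the lists, from being rendered as HTML. The `$_POST['enable'] == 1` comparison is loose and would also be true for unexpected values such as `"1abc"`, so `=== '1'` (or `(int)` first) is safer.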
Firewall
+ ipblocklist.xml + /packages/ipblocklist/ipblocklist.php +
+ + + Settings + /packages/ipblocklist/ipblocklist.php + + + + installedpackages->package->$packagename->configuration->ipblocklist + + /usr/local/pkg/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/ipblocklist.xml + + + /usr/local/pkg/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/ipblocklist.inc + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/ipblocklist.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/ipblocklist_list.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/convert.pl + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/convert-execute.sh + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/purge.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/index.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/manual_add.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/purgeip.tmp + + + /tmp/ + 0755 + http://www.tomschaefer.org/temp/pfsense/packages/packages/config/IP-Blocklist/IP-Blocklist.sh + + + + Variable One + var1 + Enter the variable one here. + input + + + Variable Two + var1 + Enter the variable one here. + input + + + + + + php_sync_package(); + + + php_sync_package(); + + + php_install_command(); + + + deinstall_command(); + +
\ No newline at end of file diff --git a/config/ipblocklist/ipblocklist_list.tmp b/config/ipblocklist/ipblocklist_list.tmp new file mode 100755 index 00000000..669f4384 --- /dev/null +++ b/config/ipblocklist/ipblocklist_list.tmp @@ -0,0 +1,115 @@ + + +Manual +Add List URL:
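Review bot: The two `<field>` entries at the end of the manifest both use `var1` as fieldname and carry the placeholder text "Variable One" / "Enter the variable one here.", so they look like template leftovers; the second silently shadows the first in the saved config, and neither is referenced by the PHP pages, which only touch the `enable` key. Either drop both or give the second field its own name and description. Every `additional_files_needed` item is fetched at install time over plain HTTP from a personal `/temp/` path on tomschaefer.org with no checksum, so the code that ends up installed is whatever that host serves on the day; hosting the files alongside the package is the usual fix.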
+ + +Purge All + + + + + sizeof($arr)) + { + // print an error + print "You have chosen a line number, [$lineNum], higher than the length of the file."; + // exit the function + exit; + } + + //remove the line + unset($arr["$lineToDelete"]); + + // open the file for reading + if (!$fp = fopen($fileName, 'w+')) + { + // print an error + print "Cannot open file ($fileName)"; + // exit the function + exit; + } + + // if $fp is valid + if($fp) + { + // write the array to the file + foreach($arr as $line) { fwrite($fp,$line); } + + // close the file + fclose($fp); + } + +echo "done"; +} + + +$myFile = "lists.txt"; +$content = $_REQUEST['content']; +$fh = fopen($myFile, 'a+'); +fwrite($fh, $content); +if (strlen($content) > 1) { + fwrite($fh, "\n"); + } else { +} +fclose($fh); + + +//echo (filesize($myFile)); +if (filesize($myFile) > 1) { + //$fh = fopen($myFile, 'r'); + //$theData = fread($fh, filesize($myFile)); + //fclose($fh); + echo "
Current List(s):
"; + // Get the whole file into a single string + $fileContents = file_get_contents($myFile); + + // Explode the file contents string by each line + $lines = explode(PHP_EOL, $fileContents); // Replace PHP_EOL with "\r\n" or "\n" or "\r" if you like + + // Iterate through each line and do what you need with it + + foreach ($lines as $line) { + $i++; + echo ""; + echo " "; + echo $line; + //echo ""; + // echo $i; + echo "
"; + + } + + + //echo $theData; + + +} +echo "

"; + + + + +?> \ No newline at end of file diff --git a/config/ipblocklist/manual_add.tmp b/config/ipblocklist/manual_add.tmp new file mode 100755 index 00000000..ecf42678 --- /dev/null +++ b/config/ipblocklist/manual_add.tmp @@ -0,0 +1,69 @@ + + + + +Manual + +Experimental! - This uses a different process to block IPs (uses IPFW) +
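Review bot: `$content = $_REQUEST['content']` is appended to lists.txt without any validation, and the same file is later read back and echoed into the page with `echo $line;` unescaped, so a stored entry can carry arbitrary HTML and, once ipblocklist.php runs `fetch` on it, arbitrary shell text. Validate before writing, e.g. `if (filter_var($content, FILTER_VALIDATE_URL) === false) { exit('invalid list URL'); }` together with a scheme check for http/https/ftp, and escape on output with `echo htmlspecialchars($line);`. The delete helper also calls `exit` on its error paths, which aborts the whole page, `$i` is incremented without being initialised, and the `if (strlen($content) > 1)` test still writes one- or zero-character input to the file before deciding not to add a newline.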
Enter in IP format (xx.xx.xx.xx) or CIDR format (xx.xx.xx.xx/xx) +
+ + +
+ + 1) { + fwrite($fh, "\n"); + } else { + +} +fclose($fh); + + +//echo (filesize($myFile)); +if (filesize($myFile) > 1) { + //$fh = fopen($myFile, 'r'); + //$theData = fread($fh, filesize($myFile)); + //fclose($fh); + echo "
Current List(s):
"; + // Get the whole file into a single string + $fileContents = file_get_contents($myFile); + + // Explode the file contents string by each line + $lines = explode(PHP_EOL, $fileContents); // Replace PHP_EOL with "\r\n" or "\n" or "\r" if you like + + // Iterate through each line and do what you need with it + + foreach ($lines as $line) { + $i++; + echo ""; + echo " "; + exec("kldload ipfw.ko"); + exec("ipfw -q add 2000 drop ip from any to $line"); + exec("ipfw -q add 2001 drop ip from $line to any"); + echo $line; + //echo ""; + // echo $i; + echo "
"; + + } + + + + + +} +echo "

"; + + + + +?> \ No newline at end of file diff --git a/config/ipblocklist/purge.tmp b/config/ipblocklist/purge.tmp new file mode 100755 index 00000000..47dbed98 --- /dev/null +++ b/config/ipblocklist/purge.tmp @@ -0,0 +1,26 @@ + temp_lists.txt"); +if ($line == 0) { + exec("rm lists.txt"); + } else { + exec("sed $line'd' lists.txt > temp_lists.txt"); + } +exec("more temp_lists.txt > lists.txt"); +exec("rm temp_lists.txt"); + + +?> + + + + + + + \ No newline at end of file diff --git a/config/ipblocklist/purgeip.tmp b/config/ipblocklist/purgeip.tmp new file mode 100755 index 00000000..3622797a --- /dev/null +++ b/config/ipblocklist/purgeip.tmp @@ -0,0 +1,26 @@ + temp_ips.ipfw"); +if ($line == 0) { + exec("rm ips.ipfw"); + } else { + exec("sed $line'd' ips.ipfw > temp_ips.ipfw"); + } +exec("more temp_ips.ipfw > ips.ipfw"); +exec("rm temp_ips.ipfw"); + + +?> + + + + + + + \ No newline at end of file -- cgit v1.2.3
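Review bot: The rendering loop at the bottom of manual_add.tmp re-runs `kldload ipfw.ko` and `ipfw -q add 2000 drop ip from any to $line` / `ipfw -q add 2001 drop ip from $line to any` for every stored entry on every page view, so rules accumulate with each refresh and the block is re-applied as a side effect of displaying the list; that work belongs in the form's POST handler, once per new entry. `$line` comes from a file populated from request input and reaches the shell unquoted; check it first, `if (filter_var($line, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false && !preg_match('#^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$#', $line)) continue;`, then pass it through `escapeshellarg`. The part of the file where entries are written to the file is lost in this rendering, so whether any check exists there could not be confirmed.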
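Review bot: In purge.tmp `$line` is interpolated straight into `exec("sed $line'd' lists.txt > temp_lists.txt")`, and the `if ($line == 0)` test uses PHP's loose comparison, under which any non-numeric string equals 0, so a malformed value removes lists.txt outright and any other value reaches the shell unquoted; the assignment of `$line` is lost in this rendering, but it appears to come from the request. Require a positive integer before doing anything, `if (!ctype_digit((string)$line)) { exit('invalid line number'); }`, and replace the `more temp_lists.txt > lists.txt` / `rm temp_lists.txt` pair with `rename('temp_lists.txt', 'lists.txt');`. purgeip.tmp has the identical structure operating on ips.ipfw and needs the same change.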