From e80da3c57d0501d7a5962fcacd6416d47385e86a Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Sat, 23 May 2015 16:28:12 -0400 Subject: pfBlockerNG v1.09 --- config/pfblockerng/pfblockerng.php | 296 +++++++++++++++++++------------------ 1 file changed, 156 insertions(+), 140 deletions(-) (limited to 'config/pfblockerng/pfblockerng.php') diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php index 8c0c478d..194f4071 100644 --- a/config/pfblockerng/pfblockerng.php +++ b/config/pfblockerng/pfblockerng.php @@ -148,8 +148,9 @@ function ip_range_to_subnet_array_temp($ip1, $ip2) { # Set php Memory Limit $uname = posix_uname(); -if ($uname['machine'] == "amd64") +if ($uname['machine'] == "amd64") { ini_set('memory_limit', '256M'); +} function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) { global $pfb; @@ -220,7 +221,6 @@ function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) { } } - if ($argv[1] == 'update') { sync_package_pfblockerng("cron"); } 
@@ -251,85 +251,13 @@ if ($argv[1] == 'gc') { } if ($argv[1] == 'cron') { + + // Call Base Hour converter + $pfb_sch = pfb_cron_base_hour(); + $hour = date('G'); $dow = date('N'); $pfb['update_cron'] = FALSE; - - # Start hour of the 'Once a day' Schedule - $pfb['dailystart'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_dailystart']; - # Start hour of the Scheduler - if ($config['installedpackages']['pfblockerng']['config'][0]['pfb_hour'] != "") { - $pfb['hour'] = $config['installedpackages']['pfblockerng']['config'][0]['pfb_hour']; - } else { - $pfb['hour'] = "1"; - } - $updates = 0; - - # 2 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch2 = strval($shour); - for ($i=0; $i<11; $i++) { - $shour += 2; - if ($shour >= 24) - $shour -= 24; - $sch2 .= "," . strval($shour); - } - - # 3 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch3 = strval($shour); - for ($i=0; $i<7; $i++) { - $shour += 3; - if ($shour >= 24) - $shour -= 24; - $sch3 .= "," . strval($shour); - } - - # 4 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch4 = strval($shour); - for ($i=0; $i<5; $i++) { - $shour += 4; - if ($shour >= 24) - $shour -= 24; - $sch4 .= "," . strval($shour); - } - - # 6 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch6 = strval($shour); - for ($i=0; $i<3; $i++) { - $shour += 6; - if ($shour >= 24) - $shour -= 24; - $sch6 .= "," . strval($shour); - } - - # 8 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch8 = strval($shour); - for ($i=0; $i<2; $i++) { - $shour += 8; - if ($shour >= 24) - $shour -= 24; - $sch8 .= "," . strval($shour); - } - - # 12 Hour Schedule Converter - $shour = intval(substr($pfb['hour'], 0, 2)); - $sch12 = strval($shour) . 
","; - $shour += 12; - if ($shour >= 24) - $shour -= 24; - $sch12 .= strval($shour); - - $e_sch2 = explode(",", $sch2); - $e_sch3 = explode(",", $sch3); - $e_sch4 = explode(",", $sch4); - $e_sch6 = explode(",", $sch6); - $e_sch8 = explode(",", $sch8); - $e_sch12 = explode(",", $sch12); - $log = " CRON PROCESS START [ NOW ]\n"; pfb_logger("{$log}","1"); @@ -348,7 +276,7 @@ if ($argv[1] == 'cron') { } # Determine Folder Location for Alias (return array $pfbarr) - pfb_determine_list_detail($list['action']); + pfb_determine_list_detail($list['action'], "", "", ""); $pfbfolder = $pfbarr['folder']; $list_cron = $list['cron']; 
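Review bot: The switch in a later hunk of this commit reads `$pfb['24hour']` and `$pfb['interval']`, but nothing in this hunk assigns them after the `$pfb['dailystart']`/`$pfb['hour']` setup was removed, so they presumably come from `pfb_cron_base_hour()` writing to the global `$pfb` — a side effect that is invisible at the call site. A comment on the new call would make that contract explicit, e.g. `// Returns the list of scheduled hours; also sets $pfb['24hour'] and $pfb['interval'] on the global (verify in pfb_cron_base_hour)`. The removed code fell back to a base hour of "1" when `pfb_hour` was unset; worth confirming the converter keeps that fallback. The enclosing `if ($argv[1] == 'cron')` block continues past the end of the hunk.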
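Review bot: The three `""` arguments appended in `pfb_determine_list_detail($list['action'], "", "", "")` give a reader no hint which optional parameters are deliberately left blank, and the function's signature is not in this hunk. A short trailing comment naming them would make the call self-describing, e.g. `pfb_determine_list_detail($list['action'], "", "", ""); // TODO(review): name the three optional args left empty here`. The surrounding `foreach` over the list entries starts and ends outside the hunk.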
@@ -370,42 +298,20 @@ if ($argv[1] == 'cron') { } switch ($list_cron) { - case "01hour": - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "02hours": - if (in_array($hour, $e_sch2)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "03hours": - if (in_array($hour, $e_sch3)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "04hours": - if (in_array($hour, $e_sch4)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "06hours": - if (in_array($hour, $e_sch6)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "08hours": - if (in_array($hour, $e_sch8)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; - case "12hours": - if (in_array($hour, $e_sch12)) - pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); - break; case "EveryDay": - if ($hour == $pfb['dailystart']) + if ($hour == $pfb['24hour']) { pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; case "Weekly": - if ($hour == $pfb['dailystart'] && $dow == $header_dow) + if ($hour == $pfb['24hour'] && $dow == $header_dow) { pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; default: + if ($pfb['interval'] == "1" || in_array($hour, $pfb_sch)) { + pfb_update_check($header_url, $list_url, $url_format, $pfbfolder); + } break; } } 
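Review bot: The new `default:` branch runs `pfb_update_check` for every `$list_cron` value other than "EveryDay" and "Weekly", including values the code does not recognise; the removed code acted only on the seven explicit interval cases, so a stale or mistyped cron value that previously did nothing now updates whenever `$pfb['interval'] == "1"` or `$hour` is in `$pfb_sch`. If the interval labels were renamed in this release (inferred from the dropped `case` labels), a config still carrying an old label is affected. Either keep the accepted interval values as explicit `case` labels that fall through to the check, or at least state the intent: `default: // interval schedules (2/3/4/6/8/12h): hourly when $pfb['interval'] == "1", else on the base-hour offsets in $pfb_sch`. The `foreach` and `if ($argv[1] == 'cron')` blocks this switch sits in begin outside the hunk.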
@@ -415,6 +321,30 @@ if ($argv[1] == 'cron') { } } + // If Continents are Defined, continue with Update Process to determine if further changes are required. + $continents = array ( "Africa" => "pfB_Africa", + "Antartica" => "pfB_Antartica", + "Asia" => "pfB_Asia", + "Europe" => "pfB_Europe", + "North America" => "pfB_NAmerica", + "Oceania" => "pfB_Oceania", + "South America" => "pfB_SAmerica", + "Top Spammers" => "pfB_Top", + "Proxy and Satellite" => "pfB_PS" + ); + + if (!$pfb['update_cron']) { + foreach ($continents as $continent => $pfb_alias) { + if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { + $continent_config = $config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'][0]; + if ($continent_config['action'] != "Disabled" && $pfb['enable'] == "on") { + $pfb['update_cron'] = TRUE; + break; + } + } + } + } + if ($pfb['update_cron']) { sync_package_pfblockerng("cron"); } else { @@ -824,44 +754,57 @@ $xml = << LINKS - - Firewall Alias     Firewall Rules     Firewall Logs]]> + Firewall Alias     + Firewall Rules     Firewall Logs]]> info - - IPv4
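Review bot: In the new continents loop the `$pfb['enable'] == "on"` test is loop-invariant and the `$pfb_alias` values are never used, while the config key `'pfblockerng' . strtolower(preg_replace('/ /','',$continent))` is built twice per iteration. Hoisting the enable check in front of the loop and computing the key once shortens the body and makes the skip condition obvious (`str_replace` suffices for a literal space). Note also that "Antartica" is misspelled; since the config section name is derived from it, correcting the spelling only works together with whatever section name is registered elsewhere, so it is flagged here rather than changed below. The enclosing `if ($argv[1] == 'cron')` block begins outside the hunk.
```php
// … unchanged: $continents array …
if (!$pfb['update_cron'] && $pfb['enable'] == "on") {
	foreach (array_keys($continents) as $continent) {
		$pfb_ckey = 'pfblockerng' . strtolower(str_replace(' ', '', $continent));
		if (is_array($config['installedpackages'][$pfb_ckey]['config'])) {
			$continent_config = $config['installedpackages'][$pfb_ckey]['config'][0];
			if ($continent_config['action'] != "Disabled") {
				$pfb['update_cron'] = TRUE;
				break;
			}
		}
	}
}
```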
Countries]]>
+ countries4 - - - Use CTRL + CLICK to unselect countries]]> - +
Countries

+
Use CTRL + CLICK to unselect countries
]]> +
select ${'options4'} ${'ftotal4'} + +EOF; + +// Adjust combinefields variable if IPv6 is empty. +if (!empty (${'options6'})) { + $xml .= <<
IPv4 Countries]]> + + begin
EOF; +} else { + $xml .= <<IPv4 Countries]]> +
+ +EOF; +} // Skip IPv6 when Null data found if (!empty (${'options6'})) { $xml .= << - IPv6
Countries]]>
countries6 - - - Use CTRL + CLICK to unselect countries]]> - +
IPv6 Countries
]]>
select ${'options6'} ${'ftotal6'} + + + end EOF; @@ -870,7 +813,7 @@ EOF; $xml .= << List Action - Default : Disabled
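Review bot: `${'options6'}` and `${'options4'}` are variable-variable syntax applied to a literal name and are just `$options6`/`$options4` written indirectly, which hurts readability inside the heredoc assembly. The new `if (!empty (${'options6'}))` that picks the IPv4 field variant is immediately followed by the pre-existing `if (!empty (${'options6'}))` that appends the IPv6 field, so the IPv4 fragment carrying `begin` and the IPv6 fragment carrying `end` could sit in one conditional, keeping the combinefields pair together; the plain form reads `if (!empty($options6)) {`. The two IPv4 variants also differ only in the `begin` element, so the shared field text is duplicated verbatim and will drift. The `$xml` assembly begins before and continues after the hunk.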

+ Default: Disabled

Select the Action for Firewall Rules on lists you have selected.

'Disabled' Rules: Disables selection and does nothing to selected Alias.

@@ -901,7 +844,7 @@ $xml .= <<'Alias Permit' and 'Alias Match' will be saved in the Same folder as the other Permit/Match Auto-Rules
  • 'Alias Native' lists are kept in their Native format without any modifications.
  • When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description and use the 'Exact' spelling of - the Alias (no trailing Whitespace)  Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if + the Alias (no trailing Whitespace) Custom 'Alias' rules with 'pfB_ xxx' description will be removed by package if using Auto Rule Creation.

    Tip: You can create the Auto Rules and remove "auto rule" from the Rule Descriptions, then disable Auto Rules. This method will 'KEEP' these rules from being 'Deleted' which will allow editing for a Custom Alias Configuration
    ]]> @@ -928,9 +871,10 @@ $xml .= << Enable Logging aliaslog - Enable
    + Enable
    Select - Logging to Status: System Logs: FIREWALL ( Log )
    - This can be overriden by the 'Global Logging' Option in the General Tab.]]>
    + This can be overriden by the 'Global Logging' Option in the General Tab.]]> +
    select @@ -938,9 +882,87 @@ $xml .= << - Click to SAVE Settings and/or Rule Edits.      Changes are Applied via CRON or - 'Force Update']]> - + Advanced Inbound Firewall Rule Settings + listtopic + + + info + Note: In general Auto-Rules are created as follows:
    +
      Inbound   - 'any' port, 'any' protocol and 'any' destination
      + Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
    + Configuring the Adv. Inbound Rule settings, will allow for more customization of the Inbound Auto-Rules.
    + Select the pfSense 'Port' and/or 'Destination' Alias below:]]> +
    +
    + + autoports + Enable Custom Port + checkbox + aliasports + + begin + + + Define Alias + aliasports + Click Here to add/edit Aliases + Do not manually enter port numbers.
    Do not use 'pfB_' in the Port Alias name.]]> +
    + 21 + aliases + port + + + end +
    + + autodest + Enable Custom Destination + checkbox + aliasdest,autonot + + begin + + + aliasdest + Click Here to add/edit Aliases + Do not manually enter Addresses(es).
    Do not use 'pfB_' in the 'IP Network Type' Alias name.]]> +
    + 21 + aliases + network + + + +
    + + Invert + autonot + Invert - Option to invert the sense of the match.
    + ie - Not (!) Destination Address(es)]]> +
    + checkbox + + + end +
    + + Custom Protocol + autoproto + Default: any
    Select the Protocol used for Inbound Firewall Rule(s).]]>
    + select + + + + + + + 4 + +
    + + Click to SAVE Settings and/or Rule Edits.       Changes are Applied via CRON or + 'Force Update']]> listtopic @@ -1122,14 +1144,13 @@ $xmlrep = << LINKS - - Firewall Alias     Firewall Rules     Firewall Logs]]> + Firewall Alias     + Firewall Rules     Firewall Logs]]> info Why Reputation Matters:]]> - info Reputation', each Blocklist will be analyzed for Repeat Offenders in each IP Range.
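Review bot: The new aliasdest description reads `Do not manually enter Addresses(es).`, which should be `Do not manually enter Address(es).` (the aliasports field above it already uses the singular form correctly). The descriptions also tell the user not to type raw ports or addresses and not to use 'pfB_' in the alias names, but nothing in this hunk enforces either rule; if the package's validation routine is not updated elsewhere in the commit, the restriction is presumably advisory only and an alias name that violates it would reach rule creation unchecked — worth confirming. The enclosing `$xml .= <<<EOF` heredoc begins before the hunk and continues after it.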
      Example:    x.x.x.1, x.x.x.2, x.x.x.3, x.x.x.4, x.x.x.5
      @@ -1150,7 +1171,6 @@ $xmlrep = <<listtopic - Individual List Reputation

      ]]>
      info @@ -1177,13 +1197,11 @@ $xmlrep = <<
      - Collective List Reputation

      ]]>
      info
      - info [ pMax ] and [ dMax ]
      Can be used to Further analyze for Repeat Offenders.
      @@ -1244,7 +1262,6 @@ $xmlrep = <<listtopic
      - INFO info ignore Repeat Offenders in select Countries. The Original Blocklisted IPs remain intact. All other Repeat Offending Country Ranges will be processed.

      @@ -1286,7 +1303,7 @@ $xmlrep = << IPv4
      Country Exclusion
      -
      Geolite Data by:
      MaxMind Inc.  (ISO 3166)]]>
      +
      Geolite Data by:
      MaxMind Inc.  (ISO 3166)]]> ccexclude Exclude from the Reputation Process.
      @@ -1305,7 +1322,6 @@ $xmlrep = << Subscription Pro. Blocklist - ETINFO info Emerging Threats IQRisk is a Subscription Professional Reputation List.

      ET IQRisk Blocklist must be entered in the Lists Tab using the following example: @@ -1429,7 +1445,7 @@ $xmlrep = << Update ET Categories et_update - Disable
      + Disable
      Select - Enable ET Update if Category Changes are Made.
      You can perform a 'Force Update' to enable these changes.
      Cron will also resync this list at the next Scheduled Update.]]> @@ -1441,8 +1457,8 @@ $xmlrep = <<
      - Click to SAVE Settings and/or Rule Edits.       Changes are Applied via CRON or - 'Force Update'
    ]]> + Click to SAVE Settings and/or Rule Edits.       Changes are Applied via CRON or + 'Force Update']]> listtopic
    -- cgit v1.2.3