From b1ef3af0c8c141b75dc61ba9c68f80b961e9f03d Mon Sep 17 00:00:00 2001
From: BBcan177
Date: Sun, 15 Nov 2015 22:35:26 -0500
Subject: pfBlockerNG v2.0
---
 config/pfblockerng/pfblockerng.widget.php | 392 ++++++++++++++++++------------
 1 file changed, 233 insertions(+), 159 deletions(-)
(limited to 'config/pfblockerng/pfblockerng.widget.php')
diff --git a/config/pfblockerng/pfblockerng.widget.php b/config/pfblockerng/pfblockerng.widget.php
index c9522cd7..c70bd05b 100644
--- a/config/pfblockerng/pfblockerng.widget.php
+++ b/config/pfblockerng/pfblockerng.widget.php
@@ -3,19 +3,17 @@
 pfBlockerNG.widget.php pfBlockerNG - Copyright (C) 2015 BBcan177@gmail.com + Copyright (c) 2015 BBcan177@gmail.com All rights reserved. Based Upon pfblocker : - Copyright 2011 Thomas Schaefer - Tomschaefer.org - Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.org) + Copyright (c) 2011 Thomas Schaefer + Copyright (c) 2011 Marcello Coutinho Adapted From: snort_alerts.widget.php - Copyright (C) 2009 Jim Pingle - mod 24-07-2012 - mod 28-02-2015 by Bill Meeks + Copyright (c) 2015 Electric Sheep Fencing, LLC. All rights reserved. + Copyright (c) 2015 Bill Meeks Javascript and Integration modifications by J. Nieuwenhuizen
@@ -43,9 +41,9 @@ POSSIBILITY OF SUCH DAMAGE.
 */
 $nocsrf = true;
-@require_once("/usr/local/www/widgets/include/widget-pfblockerng.inc");
-@require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc");
-@require_once("guiconfig.inc");
+@require_once('/usr/local/www/widgets/include/widget-pfblockerng.inc');
+@require_once('/usr/local/pkg/pfblockerng/pfblockerng.inc');
+@require_once('guiconfig.inc');
 pfb_global();
@@ -58,71 +56,62 @@ $pfb['err'] = " 'off', 'sortcolumn' => 'none', 'sortdir' => 'asc', 'maxfails' => 3, 'maxpivot' => 200);
+$pfb['wglobal'] = &$config['installedpackages']['pfblockerngglobal'];
+foreach ($wglobal_array as $type => $value) {
+ $pfb[$type] = $pfb['wglobal']['widget-' . "{$type}"] ?: $value;
 }
 // Save widget customizations
-if ($_POST) {
- if (is_numeric($_POST['pfb_maxfails'])) {
- $pfb['global']['widget-maxfails'] = $_POST['pfb_maxfails'];
- }
- if (is_numeric($_POST['pfb_maxpivot'])) {
- $pfb['global']['widget-maxpivot'] = $_POST['pfb_maxpivot'];
- }
- if (!empty($_POST['pfb_popup'])) {
- $pfb['global']['widget-popup'] = $_POST['pfb_popup'];
- }
- if (!empty($_POST['pfb_sortcolumn'])) {
- $pfb['global']['widget-sortcolumn'] = $_POST['pfb_sortcolumn'];
+if (isset($_POST['pfb_submit'])) {
+ $pfb['wglobal']['widget-popup'] = htmlspecialchars($_POST['pfb_popup']) ?: 'off';
+ $pfb['wglobal']['widget-sortcolumn'] = htmlspecialchars($_POST['pfb_sortcolumn']) ?: 'none';
+ $pfb['wglobal']['widget-sortdir'] = htmlspecialchars($_POST['pfb_sortdir']) ?: 'asc';
+
+ if (ctype_digit(htmlspecialchars($_POST['pfb_maxfails']))) {
+ $pfb['wglobal']['widget-maxfails'] = htmlspecialchars($_POST['pfb_maxfails']);
 }
- if (!empty($_POST['pfb_sortdir'])) {
- $pfb['global']['widget-sortdir'] = $_POST['pfb_sortdir'];
+ if (ctype_digit(htmlspecialchars($_POST['pfb_maxpivot']))) {
+ $pfb['wglobal']['widget-maxpivot'] = htmlspecialchars($_POST['pfb_maxpivot']);
 }
- write_config("pfBlockerNG: Saved Widget customizations via Dashboard");
- header("Location: ../../index.php");
+
+ write_config('pfBlockerNG: Saved Widget customizations via Dashboard');
+ header('Location: ../../index.php');
 }
 // Ackwnowlege failed downloads
 if (isset($_POST['pfblockerngack'])) {
- exec("/usr/bin/sed -i '' 's/FAIL/Fail/g' {$pfb['errlog']}");
- header("Location: ../../index.php");
+ exec("{$pfb['sed']} -i '' 's/FAIL/Fail/g' {$pfb['errlog']}");
+ header('Location: ../../index.php');
 }
 // Called by 
Ajax to update table contents
 if (isset($_GET['getNewCounts'])) {
- pfBlockerNG_get_table("js");
+ pfBlockerNG_get_table('js');
 return;
 }
+// Reset DNSBL Alias packet counters
+if (isset($_POST['pfblockerngdnsblclear'])) {
+ $dnsbl_info = array_map('str_getcsv', @file("{$pfb['dnsbl_info']}"));
+ if (!empty ($dnsbl_info)) {
+ $handle = fopen("{$pfb['dnsbl_info']}", 'w');
+ foreach ($dnsbl_info as $line) {
+ if (substr($line[0], 0, 1) != '#') {
+ $line[3] = '0';
+ }
+ fputcsv($handle, $line);
+ }
+ fclose ($handle);
+ }
+ header('Location: ../../index.php');
+}
+
 // Sort widget table according to user configuration
-function pfbsort(&$array, $subkey="id", $sort_ascending=FALSE) {
+function pfbsort(&$array, $subkey='id', $sort_ascending=FALSE) {
 if (empty($array)) {
 return;
 }
@@ -130,12 +119,16 @@ function pfbsort(&$array, $subkey="id", $sort_ascending=FALSE) {
 $temp_array[key($array)] = array_shift($array);
 }
+ if ($subkey == 'alias') {
+ $subkey = 0;
+ }
+
 foreach ($array as $key => $val) {
 $offset = 0;
 $found = FALSE;
 foreach ($temp_array as $tmp_key => $tmp_val) {
- if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
- $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset));
+ if (!$found && strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
+ $temp_array = array_merge((array)array_slice($temp_array, 0, $offset), array($key => $val), array_slice($temp_array, $offset));
 $found = TRUE;
 }
 $offset++;
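Review bot: The `pfb_submit` branch persists `pfb_popup`, `pfb_sortcolumn` and `pfb_sortdir` straight from `$_POST` after `htmlspecialchars()`, which is an output encoder and does not constrain what lands in the config; the rest of the page compares these values to fixed strings ('on', 'none', 'asc') and hands sortcolumn to pfbsort() as an array key, so an allow-list is the right check, e.g. `$pfb['wglobal']['widget-sortdir'] = in_array($_POST['pfb_sortdir'], array('asc', 'desc'), TRUE) ? $_POST['pfb_sortdir'] : 'asc';` with the same shape for popup and sortcolumn. `ctype_digit(htmlspecialchars($_POST['pfb_maxfails']))` works, but the encoding step adds nothing — `ctype_digit()` on the raw value already rejects anything non-numeric — and `isset()` guards would avoid notices when a field is absent. Each `header('Location: ../../index.php')` in this hunk, including the new pfblockerngdnsblclear handler, is not followed by `exit`, so the remainder of the widget still executes after the redirect is sent. In that handler, `@file()` returns FALSE when the dnsbl_info file is missing and that FALSE is passed to `array_map()`, and the `fopen()` result is used unchecked; a `file_exists()` / `is_array()` guard before the rewrite keeps the reset quiet when the file is absent. Since `$nocsrf = true` is set at the top of the file, the new handler is a state-changing POST with no token check visible here, which is worth confirming against what the dashboard framework provides.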
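Review bot: The new `if ($subkey == 'alias') { $subkey = 0; }` makes the alias sort compare `$val[0]`, but the per-alias arrays built in pfBlockerNG_get_counts use only string keys ('count', 'img', 'update', 'rule', 'rules', 'packets'), so unless a 0 offset is populated somewhere outside this view the alias sort compares undefined offsets and the resulting order is arbitrary; comparing on the array key (`$key` against `$tmp_key`) is presumably what is intended. The rewritten comparison `strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])` is a string comparison, so numeric columns such as 'count' and 'packets' sort lexically ('9' above '10'); an `is_numeric()` branch that compares as numbers would fix that, though it is pre-existing behaviour. pfbsort's body continues outside the hunk.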
@@ -156,14 +149,14 @@ function pfbsort(&$array, $subkey="id", $sort_ascending=FALSE) {
 // Collect all pfBlockerNG statistics
 function pfBlockerNG_get_counts() {
 global $config, $pfb;
- $pfb_table = array();
+ $pfb_table = $pfb_dtable = array();
 /* Alias Table Definitions - 'update' - Last Updated Timestamp 'rule' - Total number of Firewall rules per alias 'count' - Total Line Count per alias 'packets' - Total number of pf packets per alias */
- exec("/sbin/pfctl -vvsTables | grep -A4 'pfB_'", $pfb_pfctl);
+ exec("{$pfb['pfctl']} -vvsTables | {$pfb['grep']} -A4 'pfB_'", $pfb_pfctl);
 if (!empty($pfb_pfctl)) {
 foreach($pfb_pfctl as $line) {
 $line = trim(str_replace(array( '[', ']' ), '', $line));
@@ -173,9 +166,9 @@ function pfBlockerNG_get_counts() {
 unset($pfb_alias);
 continue;
 }
- exec("/usr/bin/grep -cv '^1\.1\.1\.1' {$pfb['aliasdir']}/{$pfb_alias}.txt", $match);
+ exec("{$pfb['grep']} -cv '^1\.1\.1\.1$' {$pfb['aliasdir']}/{$pfb_alias}.txt", $match);
 $pfb_table[$pfb_alias] = array('count' => $match[1], 'img' => $pfb['down']);
- exec("ls -ld {$pfb['aliasdir']}/{$pfb_alias}.txt | awk '{ print $6,$7,$8 }'", $update);
+ exec("{$pfb['ls']} -ld {$pfb['aliasdir']}/{$pfb_alias}.txt | {$pfb['awk']} '{ print $6,$7,$8 }'", $update);
 $pfb_table[$pfb_alias]['update'] = $update[0];
 $pfb_table[$pfb_alias]['rule'] = 0;
 unset($match, $update);
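Review bot: `$pfb_alias` is interpolated into the rewritten `exec()` command lines for grep and ls without `escapeshellarg()`; it is parsed from pfctl table output, and so ultimately from alias names the administrator configured, but quoting the path (`escapeshellarg("{$pfb['aliasdir']}/{$pfb_alias}.txt")`) costs nothing and removes the dependence on that assumption. On the context line that follows, `'count' => $match[1]` reads the second output line of `grep -c`, which normally prints exactly one line; unless `$match` is populated earlier in the loop outside this view, `$match[0]` looks like the intended index and is worth confirming. The enclosing foreach and pfBlockerNG_get_counts continue outside the hunk.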
@@ -198,21 +191,21 @@ function pfBlockerNG_get_counts() {
 } else {
 // Error. No pf labels found.
- $pfb['pfctl'] = TRUE;
+ $pfb['pfctlerr'] = TRUE;
 }
 // Determine if firewall rules are defined
- if (is_array($config['filter']['rule'])) {
+ if (isset($config['filter']['rule'])) {
 foreach ($config['filter']['rule'] as $rule) {
 // Skip disabled rules
 if (isset($rule['disabled'])) {
 continue;
 }
- if (stripos($rule['source']['address'], "pfb_") !== FALSE) {
+ if (stripos($rule['source']['address'], 'pfb_') !== FALSE) {
 $pfb_table[$rule['source']['address']]['img'] = $pfb['up'];
 $pfb_table[$rule['source']['address']]['rule'] += 1;
 }
- if (stripos($rule['destination']['address'], "pfb_") !== FALSE) {
+ if (stripos($rule['destination']['address'], 'pfb_') !== FALSE) {
 $pfb_table[$rule['destination']['address']]['img'] = $pfb['up'];
 $pfb_table[$rule['destination']['address']]['rule'] += 1;
 }
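Review bot: `$pfb['pfctlerr']` is only assigned on the error path here, while pfBlockerNG_get_table reads `if ($pfb['pfctlerr'])` unconditionally, so on a healthy system that read hits an undefined index; initialising it before the pfctl exec (`$pfb['pfctlerr'] = FALSE;`) makes the flag explicit. The rename away from `$pfb['pfctl']` looks necessary because that key now holds the pfctl binary path and the old flag would have clobbered the command on the next exec — a one-line comment saying so, `// 'pfctl' now holds the binary path; keep the error flag separate`, would help the next reader. Replacing `is_array(...)` with `isset(...)` weakens the guard: a scalar under `$config['filter']['rule']` now reaches `foreach`, so `is_array()` (or both checks) is the safer form. The enclosing function continues outside the hunk.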
@@ -220,79 +213,115 @@ function pfBlockerNG_get_counts() {
 }
 // Collect packet fence rule numbers
- exec("/sbin/pfctl -vv -sr | grep 'pfB_'", $pfrules);
+ exec("{$pfb['pfctl']} -vv -sr | {$pfb['grep']} 'pfB_'", $pfrules);
 if (!empty($pfrules)) {
 foreach ($pfrules as $result) {
 // Sample : @112(0) block return in log quick on em1 from any to label "USER_RULE: pfB_PRI1"
- if (preg_match("/@(\d+)\(\d+\).*\<(pfB_\w+):\d+\>/", $result, $rule)) {
- $pfb_table[$rule[2]]['rules'] .= $rule[1] . '|';
+ $id = strstr($result, '(', FALSE);
+ $id = ltrim(strstr($id, ')', TRUE), '(');
+ $descr = ltrim(stristr($result, ' 'disabled', 'img' => $pfb['down']);
+ } else {
+ $pfb_dtable[$line[0]] = array ('count' => $line[2], 'img' => $pfb['up']);
+ }
+ $pfb_dtable[$line[0]]['update'] = "{$line[1]}";
+ $pfb_dtable[$line[0]]['packets'] = "{$line[3]}";
+ }
 }
 }
 }
 // Sort tables per sort customization
- if ($pfb['sortcolumn'] != "none") {
- if ($pfb['sortdir'] == "asc") {
- pfbsort($pfb_table, $pfb['sortcolumn'], TRUE);
- } else {
+ if ($pfb['sortcolumn'] != 'none') {
+ if ($pfb['sortdir'] == 'asc') {
 pfbsort($pfb_table, $pfb['sortcolumn'], FALSE);
+ pfbsort($pfb_dtable, $pfb['sortcolumn'], FALSE);
+ } else {
+ pfbsort($pfb_table, $pfb['sortcolumn'], TRUE);
+ pfbsort($pfb_dtable, $pfb['sortcolumn'], TRUE);
 }
 }
+ $pfb_table = array_merge($pfb_table, $pfb_dtable);
 return $pfb_table;
 }
 // Called on initial load and Ajax to update table contents
-function pfBlockerNG_get_table($mode="") {
+function pfBlockerNG_get_table($mode='') {
 global $pfb;
 $counter = 0; $dcounter = 1; $response = '';
 $pfb_table = pfBlockerNG_get_counts();
 if (!empty($pfb_table)) {
 foreach ($pfb_table as $pfb_alias => $values) {
- // Add firewall rules count associated with alias
- $values['img'] = $values['img'] . "({$values['rule']})";
-
- // If packet fence errors found, display error. 
- if ($pfb['pfctl']) {
- $values['img'] = $pfb['err'];
- }
-
- // Alias table popup
- if ($values['count'] > 0 && $pfb['popup'] == "on") {
- $alias_popup = rule_popup($pfb_alias, '', '', '');
- $alias_span = $alias_popup['src'];
- $alias_span_end = $alias_popup['src_end'];
- }
- else {
- $alias_span = '';
- $alias_span_end = '';
- }
+ if (strpos($pfb_alias, 'DNSBL_') !== FALSE) {
+ $alias_span = $alias_span_end = '';
+ $packets = $values['packets'];
+ $dnsbl = TRUE;
+ } else {
+ // Add firewall rules count associated with alias
+ $values['img'] = $values['img'] . "({$values['rule']})";
+
+ // If packet fence errors found, display error.
+ if ($pfb['pfctlerr']) {
+ $values['img'] = $pfb['err'];
+ }
- // Packet column pivot to Alerts Tab
- if ($values['packets'] > 0) {
- $rules = rtrim($values['rules'], '|');
- if ($values['packets'] > $pfb['maxpivot']) {
- $aentries = $pfb['maxpivot'];
- } else {
- $aentries = $values['packets'];
+ // Alias table popup
+ if ($values['count'] > 0 && $pfb['popup'] == 'on') {
+ $alias_popup = rule_popup($pfb_alias, '', '', '');
+ $alias_span = $alias_popup['src'];
+ $alias_span_end = $alias_popup['src_end'];
+ }
+ else {
+ $alias_span = $alias_span_end = '';
 }
- $packets = " 0) {
+ $rules = rtrim($values['rules'], '|');
+ if ($values['packets'] > $pfb['maxpivot']) {
+ $aentries = $pfb['maxpivot'];
+ } else {
+ $aentries = $values['packets'];
+ }
+
+ $packets = " - " . $alias_span . $pfb_alias . $alias_span_end . " + {$alias_span}{$pfb_alias}{$alias_span_end} {$values['count']} {$packets} {$values['update']} 
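Review bot: The sort block now calls `pfbsort(..., FALSE)` when `$pfb['sortdir'] == 'asc'` and `TRUE` otherwise, while pfbsort's third parameter is named `$sort_ascending`; if the swap is a deliberate fix of a previously inverted order, renaming the parameter (or a comment such as `// pfbsort reverses its result when the flag is TRUE` above the calls) would stop the call sites reading as inverted. In pfBlockerNG_get_table, `$dnsbl` and `$packets` are assigned inside the per-alias branches but not reset at the top of the foreach, so a non-DNSBL alias with zero packets appears to inherit `$packets` from the previous iteration and `$dnsbl` stays TRUE once set — a reset at the loop head (`$packets = ''; $dnsbl = FALSE;`) would make each row independent; parts of this hunk are garbled in the listing, so this is inferred. `array_merge($pfb_table, $pfb_dtable)` is fine for string alias keys but renumbers any purely numeric key, whereas the union `$pfb_table + $pfb_dtable` preserves keys and gives the same result for string keys. The new DNSBL parsing reads `$line[1]`..`$line[3]` from dnsbl_info rows without checking the row length, so a short or malformed row produces undefined-offset notices. Both functions extend beyond the hunk.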
@@ -304,29 +333,51 @@ function pfBlockerNG_get_table($mode="") {
 }
 // Status indicator if pfBlockerNG is enabled/disabled
-if ("{$pfb['enable']}" == "on") {
- $pfb_status = "/themes/{$g['theme']}/images/icons/icon_pass.gif";
- $pfb_msg = "pfBlockerNG is Active.";
+if ($pfb['enable'] == 'on') {
+ $mode = 'pass';
+ $pfb_msg = 'pfBlockerNG is Active.';
+
+ if ($pfb['config']['enable_dup'] == 'on') {
+ // Check Masterfile Database Sanity
+ $db_sanity = exec("{$pfb['grep']} 'Sanity check' {$pfb['logdir']}/pfblockerng.log | {$pfb['grep']} -o 'PASSED' | tail -1");
+ if ($db_sanity != 'PASSED') {
+ $mode = 'reject';
+ $pfb_msg = 'pfBlockerNG deDuplication is out of sync. Perform a Force Reload to correct.';
+ }
+ }
+} else {
+ $mode = 'block';
+ $pfb_msg = 'pfBlockerNG is Disabled.';
+}
+$pfb_status = "/themes/{$g['theme']}/images/icons/icon_{$mode}.gif";
+
+// Status indicator if DNSBL is actively running
+if ($pfb['dnsbl'] == 'on' && $pfb['unbound_state'] == 'on' && $pfb['enable'] == 'on' &&
+ strpos(file_get_contents("{$pfb['dnsbldir']}/unbound.conf"), 'pfb_dnsbl') !== FALSE) {
+ $mode = 'pass';
+ $dnsbl_msg = 'DNSBL is Active.';
 } else {
- $pfb_status = "/themes/{$g['theme']}/images/icons/icon_block.gif";
- $pfb_msg = "pfBlockerNG is Disabled.";
+ $mode = 'block';
+ $dnsbl_msg = 'DNSBL is Disabled.';
 }
+$dnsbl_status = "/themes/{$g['theme']}/images/icons/icon_{$mode}.gif";
 // Collect total IP/Cidr counts
-$dcount = exec("cat {$pfb['denydir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
-$pcount = exec("cat {$pfb['permitdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
-$mcount = exec("cat {$pfb['matchdir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
-$ncount = exec("cat {$pfb['nativedir']}/*.txt | grep -cv '^#\|^$\|^1\.1\.1\.1'");
+$dcount = exec("{$pfb['cat']} {$pfb['denydir']}/*.txt | {$pfb['grep']} -cv '^#\|^$\|^1\.1\.1\.1$'");
+$pcount = exec("{$pfb['cat']} {$pfb['permitdir']}/*.txt | {$pfb['grep']} -cv '^#\|^$\|^1\.1\.1\.1$'");
+$mcount = exec("{$pfb['cat']} 
{$pfb['matchdir']}/*.txt | {$pfb['grep']} -cv '^#\|^$\|^1\.1\.1\.1$'"); +$ncount = exec("{$pfb['cat']} {$pfb['nativedir']}/*.txt | {$pfb['grep']} -cv '^#\|^$\|^1\.1\.1\.1$'"); +$scount = exec("{$pfb['grep']} -c ^ {$pfb['dnsbl_file']}.conf"); +$maxver = exec("grep -o 'Last-.*' /var/log/pfblockerng/maxmind_ver"); // Collect number of suppressed hosts +$pfbsupp_cnt = 0; if (file_exists("{$pfb['supptxt']}")) { - $pfbsupp_cnt = exec ("/usr/bin/grep -c ^ {$pfb['supptxt']}"); -} else { - $pfbsupp_cnt = 0; + $pfbsupp_cnt = exec("{$pfb['grep']} -c ^ {$pfb['supptxt']}"); } // Collect any failed downloads -exec("grep $(date +%m/%d/%y) {$pfb['errlog']} | grep 'FAIL'", $results); +exec("{$pfb['grep']} 'FAIL' {$pfb['errlog']} | {$pfb['grep']} $(date +%m/%d/%y)", $results); $results = array_reverse($results); ?> @@ -343,7 +394,7 @@ $results = array_reverse($results); @@ -357,9 +408,7 @@ $results = array_reverse($results); - "/> + "/> + + + +   + + {$scount}  "); ?> + +
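Review bot: `$maxver` is read from `exec("grep -o 'Last-.*' /var/log/pfblockerng/maxmind_ver")` and later echoed into the widget HTML; as file content rather than a value the widget generated it should be emitted through `htmlspecialchars($maxver)` at the output point. The same command hard-codes `grep` and the log path while every other command in this hunk uses `{$pfb['grep']}` and `{$pfb['logdir']}`, and the sanity check pipes through a bare `tail -1` — worth making consistent, e.g. `exec("{$pfb['grep']} -o 'Last-.*' {$pfb['logdir']}/maxmind_ver")` if that directory is the intended one (I cannot confirm it from this view). `file_get_contents("{$pfb['dnsbldir']}/unbound.conf")` returns FALSE when the file is absent and that FALSE goes straight into `strpos()`; a `file_exists()` guard keeps the DNSBL status check quiet in that case.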
+ + "/> +
+ + + + + + +  MaxMind: {$maxver}"; ?> + + @@ -426,17 +499,18 @@ $results = array_reverse($results); " . $result . ""); - $counter++; - if ($counter > $pfb['maxfails']) { + if ($counter > $pfb['maxfails'] && $entries > $pfb['maxfails']) { // To many errors stop displaying - echo(" " . (count($results) - $pfb['maxfails']) . " more error(s)..."); + echo("" . ($entries - $pfb['maxfails']) . ' more error(s)...'); break; } + echo("{$result}"); + $counter++; } } -- cgit v1.2.3
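Review bot: The truncation test on the rewritten `if ($counter > $pfb['maxfails'] && $entries > $pfb['maxfails'])` is off by one: `$counter` is incremented after each echo, so with maxfails = 3 four results are printed before the break, yet the message reports `$entries - 3` remaining, over-counting by one; `if ($counter >= $pfb['maxfails'] && $entries > $pfb['maxfails'])` prints exactly maxfails rows and the remainder figure then adds up. `$entries` is not defined inside the hunk, so I assume it is `count($results)` set just above. Each `$result` is a raw line from the error log echoed into the page; emitting it as `htmlspecialchars($result)` is the safe default for log text in HTML. The hunk's earlier lines are garbled in this listing, so the enclosing loop's start is not visible.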