From 024cda9664ca4c0ea314bdbae89eb33515948956 Mon Sep 17 00:00:00 2001
From: marcelloc
Date: Thu, 27 Oct 2011 20:33:09 -0200
Subject: pfBlocker-dev - version 0.1.1 with countryblock and ipblocklist together

---
 config/pf-blocker/pfblocker.inc | 190 ++++++++++++++++++++++------
 config/pf-blocker/pfblocker.php | 47 ++++---
 config/pf-blocker/pfblocker.xml | 141 ++++++++++++++++-----
 config/pf-blocker/pfblocker_sync.xml | 9 +-
 config/pf-blocker/pfblocker_topspammers.xml | 136 ++++++++++++++++++++
 5 files changed, 425 insertions(+), 98 deletions(-)
 create mode 100644 config/pf-blocker/pfblocker_topspammers.xml
(limited to 'config')

diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 7631111a..de28a432 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -34,7 +34,7 @@ require_once("functions.inc");
 require_once("pkg-utils.inc");
 require_once("globals.inc");
 require_once("filter.inc");
-
+
 function pfb_text_area_decode($text){
 	return preg_replace('/\r\n/', "\n",base64_decode($text));
 	}
@@ -47,6 +47,29 @@ function cb_get_real_interface_address($iface) {
 	return array($ip, long2ip(hexdec($netmask)));
 }
 
+function pfblocker_Range2CIDR($ip_min, $ip_max) {
+	#function called without any args
+	if ($ip_min == "" || $ip_max == "")
+		return "";
+	#function called with same ip in min and max
+	if ($ip_min == $ip_max)
+		return $ip_min. "/32";
+	#convert ip to decimal numbers
+	$ip_min_long=ip2long($ip_min);
+	$ip_max_long=ip2long($ip_max);
+	#check long results
+	if ($ip_min_long == -1 || $ip_max_long == -1)
+		return "";
+	#identify bits mask
+	$bits=(32 -strlen(decbin($ip_max_long - $ip_min_long)));
+	if ($bits < 0)
+		return "";
+	#identify first ip on range network
+	$network=long2ip(bindec(substr(decbin($ip_min_long),0,$bits).preg_replace("/\d/","0",substr(decbin($ip_min_long),0,(32-$bits)))));
+	#print decbin($ip_min_long)."\n".$network."\n";
+	return $network . "/". (32 -strlen(decbin($ip_max_long - $ip_min_long)));
+	}
+
 function sync_package_pfblocker() {
 	global $config;
 	$pfblocker_config=$config['installedpackages']['pfblocker']['config'][0];
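Review bot: The network computed at `$network=long2ip(bindec(substr(decbin($ip_min_long),0,$bits)...` is wrong for any start address below 128.0.0.0, because decbin() does not zero-pad to 32 bits, so substr() slices the wrong bit positions (a range such as 10.0.0.100-10.0.0.200 yields a network nowhere near 10.0.0.0). The single-prefix approach also cannot represent a range that is not an aligned power-of-two block: the prefix length it derives either covers addresses outside the range or, when the range straddles an alignment boundary, misses part of it, which for a deny list means over- or under-blocking. The `== -1` test does not catch a failed ip2long(), which returns false (`false == -1` is false). The version below uses integer arithmetic and splits the range into the minimal set of aligned prefixes, newline-separated, which the caller already appends line by line; it assumes a 64-bit PHP where ip2long() returns non-negative values — confirm for i386 builds.
```php
function pfblocker_Range2CIDR($ip_min, $ip_max) {
	#function called without any args
	if ($ip_min == "" || $ip_max == "")
		return "";
	$start = ip2long($ip_min);
	$end = ip2long($ip_max);
	#ip2long() returns false on a malformed address; an inverted range is rejected too
	if ($start === false || $end === false || $start > $end)
		return "";
	#cover the range with the largest aligned blocks that fit, one CIDR per line
	$cidrs = array();
	while ($start <= $end) {
		$bits = 32;
		while ($bits > 0) {
			#block size of the next wider prefix; stop when it is unaligned or overshoots $end
			$size = 1 << (32 - ($bits - 1));
			if ($start % $size != 0 || $start + $size - 1 > $end)
				break;
			$bits--;
		}
		$cidrs[] = long2ip($start) . "/" . $bits;
		$start += 1 << (32 - $bits);
	}
	return implode("\n", $cidrs);
}
```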
@@ -56,82 +79,166 @@ function sync_package_pfblocker() { $web_local=($config['system']['webgui']['protocol'] != ""?$config['system']['webgui']['protocol']:"http"); $port = $config['system']['webgui']['port']; if($port == "") { - if($config['system']['webgui']['protocol'] == "http") + if($config['system']['webgui']['protocol'] == "http") $port = "80"; - else + else $port = "443"; } $web_local .= "://127.0.0.1:".$port.'/pfblocker.php'; #get all selected countries - $countries=$config['installedpackages']['pfblocker']['config'][0]['topspammers'].","; + $countries=$config['installedpackages']['pfblockertopspammers']['config'][0]['countries'].","; foreach ($continents as $continent){ if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])) $countries.=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0]['countries'].","; } $cb_files = explode(",", $countries); - $ips=""; + + $pfbdir='/usr/local/pkg/pfblocker'; + + #check folders + if (!is_dir($pfbdir)) + mkdir ($pfbdir,0755); + if (! 
is_dir('/var/db/aliastables/')) + mkdir ('/var/db/aliastables/',0755); + + #get custom lists + $whitelist=pfb_text_area_decode($pfblocker_config['whitelist']); + $ips_in=""; + $ips_out=""; foreach ($cb_files as $iso){ if ($iso <> ""){ - if (file_exists('/usr/local/pkg/pfblocker/'.$iso.'.txt')) - $ips.=file_get_contents('/usr/local/pkg/pfblocker/'.$iso.'.txt'); + if (file_exists($pfbdir.'/'.$iso.'.txt')) + switch ($pfblocker_config['countryblock']){ + case "inbound": + $ips_in.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + break; + case "outbound": + $ips_out.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + break; + case "both": + $ips_in.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + $ips_out.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + break; + case "whitelist": + $whitelist.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + break; + } + } + } + + #Assign IP range lists + foreach ($pfblocker_config['row'] as $row){ + $md5_url = md5($row['url']); + #print $row['action']."
"; + if (file_exists($pfbdir."/".$md5_url.".txt")){ + ${$row['action']}.= file_get_contents($pfbdir.'/'.$md5_url.'.txt'); + } + else{ + if ($row['format'] == "gz") + $url_list= gzfile($row['url']); + else + $url_list= file_get_contents($row['url']); + #extract range lists + $new_file=""; + foreach ($url_list as $line){ + # CIDR format 192.168.0.0/16 + if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){ + ${$row['action']}.= $matches[1]."\n"; + $new_file.= $matches[1]."\n"; + } + + # Network range 192.168.0.0-192.168.0.254 + if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)) + $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); + if ($cidr != ""){ + ${$row['action']}.= $cidr."\n"; + $new_file.= $cidr."\n"; + } + } + if ($new_file != "") + file_put_contents($pfbdir.'/'.$md5_url.'.txt',$new_file, LOCK_EX); } + #print $row['url']."
" .$md5_url.".txt
"; + #var_dump(gzfile($row['url'])); } + #create all country block lists based on gui - file_put_contents('/usr/local/pkg/cb.txt',$ips, LOCK_EX); + file_put_contents('/usr/local/pkg/pfb_in.txt',$ips_in, LOCK_EX); + + #create all country block lists based on gui + file_put_contents('/usr/local/pkg/pfb_out.txt',$ips_out, LOCK_EX); #write white_list to filesystem - file_put_contents('/usr/local/pkg/cbw.txt',pfb_text_area_decode($pfblocker_config['whitelist']), LOCK_EX); + file_put_contents('/usr/local/pkg/pfb_w.txt',$whitelist, LOCK_EX); + #edit or assign alias "pfblocker" and "pfblockerWL" $aliases=$config['aliases']['alias']; #print "
";
 	$new_aliases=array();
-	if ($ips != ""){
+	$pfBlockerInbound='/var/db/aliastables/pfBlockerInbound.txt';
+	if ($ips_in != ""){
+		#create or reaply alias
+		$new_aliases[]=array("name"=> 'pfBlockerInbound',
+					  		 "url"=> $web_local.'?pfb=in',
+					  		 "updatefreq"=> "7",
+					  		 "address"=>"",
+					  		 "descr"=> "pfBlocker Inbound deny list",
+					  		 "type"=> "urltable",
+					  		 "detail"=> "DO NOT EDIT THIS ALIAS");
+		#force alias file update
+		if (file_exists($pfBlockerInbound))
+			file_put_contents($pfBlockerInbound,$ips_in, LOCK_EX);
+		}
+	else{
+		#remove previous aliastable if exist
+		if (file_exists($pfBlockerInbound))
+			unlink($pfBlockerInbound);
+	}
+	$pfBlockerOutbound='/var/db/aliastables/pfBlockerOutbound.txt';
+	if ($ips_out != "" && $pfblocker_config['outbound_interface'] != ""){
 		#create or reaply alias
-		$new_aliases[]=array("name"=> 'pfblocker',
-					  		 "url"=> $web_local.'?cb=1',
+		$new_aliases[]=array("name"=> 'pfBlockerOutbound',
+					  		 "url"=> $web_local.'?pfb=out',
 					  		 "updatefreq"=> "7",
 					  		 "address"=>"",
-					  		 "descr"=> "pfblocker deny list",
+					  		 "descr"=> "pfBlocker Outbound deny list",
 					  		 "type"=> "urltable",
 					  		 "detail"=> "DO NOT EDIT THIS ALIAS");
 		#force alias file update
-		if (! is_dir('/var/db/aliastables/'))
-			mkdir ('/var/db/aliastables/',0755);
-		if (file_exists('/var/db/aliastables/pfblocker.txt'))
-			file_put_contents('/var/db/aliastables/pfblocker.txt',$ips, LOCK_EX);
+		if (file_exists($pfBlockerOutbound))
+			file_put_contents($pfBlockerOutbound,$ips_out, LOCK_EX);
 		}
 	else{
 		#remove previous aliastable if exist
-		if (file_exists('/var/db/aliastables/pfblocker.txt'))
-			unlink('/var/db/aliastables/pfblocker.txt');
+		if (file_exists($pfBlockerOutbound))
+			unlink($pfBlockerOutbound);
 	}
 	
-	if (pfb_text_area_decode($pfblocker_config['whitelist']) != ""){
+	$pfblockerWL='/var/db/aliastables/pfBlockerWL.txt';
+	if ($whitelist != ""){
 		#create or reaply alias
-		$new_aliases[]=array("name"=> 'pfblockerWL',
-						  	 "url"=> $web_local.'?cbw=1',
+		$new_aliases[]=array("name"=> 'pfBlockerWL',
+						  	 "url"=> $web_local.'?pfb=white',
 						  	 "updatefreq"=> "7",
 						  	 "address"=>"",
-						  	 "descr"=> "pfblocker white list",
+						  	 "descr"=> "pfBlocker White list",
 						  	 "type"=> "urltable",
 						  	 "detail"=> "DO NOT EDIT THIS ALIAS");
 		#force alias file update
-		if (! is_dir('/var/db/aliastables/'))
-			mkdir ('/var/db/aliastables/',0755);
-		if (file_exists('/var/db/aliastables/pfblockerWL.txt'))
-			file_put_contents('/var/db/aliastables/pfblockerWL.txt',pfb_text_area_decode($pfblocker_config['whitelist']), LOCK_EX);
+		if (file_exists($pfblockerWL))
+			file_put_contents($pfblockerWL,$whitelist, LOCK_EX);
 		}
 	else{
 		#remove previous aliastable if exist
-		if (file_exists('/var/db/aliastables/pfblockerWL.txt'))
-			unlink('/var/db/aliastables/pfblockerWL.txt');
+		if (file_exists($pfblockerWL))
+			unlink($pfblockerWL);
 	}
 	
 	if (is_array($aliases))
 	  foreach($aliases as $cbalias){
-		if (! preg_match("/pfblocker.*list/",$cbalias['descr']))
+		if (! preg_match("/pfBlocker.*list/",$cbalias['descr']))
 			$new_aliases[]=	$cbalias;
 	}
 	$config['aliases']['alias']=$new_aliases;
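Review bot: `foreach ($url_list as $line)` never processes a non-gz list, because the `else` branch assigns `$url_list= file_get_contents($row['url']);`, a string rather than an array of lines; only gzfile() returns an array, so plain-text lists are silently skipped (with a foreach warning) and a failed download (`false`) behaves the same way. In the same loop `$cidr` is only assigned when the range regex matches, but `if ($cidr != "")` runs for every line, so once one range line has been seen its CIDR is appended again for every following line, duplicating entries in both the action list and the cached md5-named file. The rewrite below reads with file(), skips the row when nothing was fetched, and resets `$cidr` per line. Separately, `${$row['action']}` turns a config value into a local variable name; a guard such as `if (!in_array($row['action'], array('ips_in','ips_out','whitelist'))) continue;` would keep an unexpected value from creating or clobbering another local. sync_package_pfblocker() starts before this hunk and continues past it.
```php
			if ($row['format'] == "gz")
				$url_list= gzfile($row['url']);
			else
				$url_list= file($row['url']);   # file_get_contents() returns one string; foreach needs an array of lines
			# a failed download returns false: skip the row instead of iterating a non-array
			if (!is_array($url_list))
				continue;
			#extract range lists
			$new_file="";
			foreach ($url_list as $line){
				$cidr= "";   # reset per line so a previous range is not re-appended
				if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){
					# CIDR format 192.168.0.0/16
					$cidr= $matches[1];
				}
				elseif (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){
					# Network range 192.168.0.0-192.168.0.254
					$cidr= pfblocker_Range2CIDR($matches[1],$matches[2]);
				}
				if ($cidr != ""){
					${$row['action']}.= $cidr."\n";
					$new_file.= $cidr."\n";
				}
			}
			// … unchanged: write of the md5-named cache file …
```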
@@ -152,14 +259,14 @@ function sync_package_pfblocker() {
 					"statetimeout"=>"",
 					"statetype"=>"keep state",
 					"os"=> "",
-					"source"=>array("address"=>"pfblockerWL"),
+					"source"=>array("address"=>"pfBlockerWL"),
     				"destination"=>array("any"=>""),
-    				"descr"=>"pfblocker inbound whitelist rule");
+    				"descr"=>"pfBlocker Whitelist rule");
 
 			if ($pfblocker_config['enable_log'])
 				${$iface}[0]["log"]="";
     	}
-		if ($ips != ""){
+		if ($ips_in != ""){
 			${$iface}[1]=array(	"id" => "",
 							"type"=>"block",
 							"tag"=>	"",
@@ -172,9 +279,9 @@ function sync_package_pfblocker() {
 							"statetimeout"=>"",
 						    "statetype"=>"keep state",
 							"os"=> "",
-							"source"=>array("address"=>"pfblocker"),
+							"source"=>array("address"=>"pfBlockerInbound"),
     						"destination"=>array("any"=>""),
-    						"descr"=>"pfblocker inbound deny rule");
+    						"descr"=>"pfBlocker Inbound deny rule");
 
 			if ($pfblocker_config['enable_log'])
 				${$iface}[1]["log"]="";
@@ -196,12 +303,12 @@ function sync_package_pfblocker() {
 							"statetype"=>"keep state",
 							"os"=> "",
     						"source"=>array("any"=>""),
-    						"destination"=>array("address"=>"pfblockerWL"),
-    						"descr"=>"pfblocker outbound whitelist rule");
+    						"destination"=>array("address"=>"pfBlockerWL"),
+    						"descr"=>"pfBlocker Whitelist rule");
 		if ($pfblocker_config['enable_log'])
 				${$iface}[2]["log"]="";			
     	}
-		if ($ips != ""){
+		if ($ips_out != ""){
 			${$iface}[3]= array("id" => "",
 							"type"=>"block",
 							"tag"=>	"",
@@ -215,8 +322,8 @@ function sync_package_pfblocker() {
 							"statetype"=>"keep state",
 							"os"=> "",
     						"source"=>array("any"=>""),
-    						"destination"=>array("address"=>"pfblocker"),
-    						"descr"=>"pfblocker inbound deny rule");
+    						"destination"=>array("address"=>"pfBlockerOutbound"),
+    						"descr"=>"pfBlocker Outbound deny rule");
 			if ($pfblocker_config['enable_log'])
 				${$iface}[3]["log"]="";
 			
@@ -232,7 +339,7 @@ function sync_package_pfblocker() {
 				foreach (${$rule['interface']} as $cb_rules)
 					$new_rules[]=$cb_rules;
 		}
-		if (!preg_match("/pfblocker.*rule/",$rule['descr']))
+		if (!preg_match("/pfBlocker.*rule/",$rule['descr']))
 			$new_rules[]=$rule;	
 	}
 	$config['filter']['rule']=$new_rules;
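Review bot: Changing the pattern to `/pfBlocker.*rule/` makes the cleanup case-sensitive, so rules written by the previous version (descr `pfblocker inbound deny rule`, referencing the old `pfblocker` alias) are no longer recognised and survive an upgrade next to the new ones; the same applies to the alias filter `preg_match("/pfBlocker.*list/",$cbalias['descr'])` in the earlier hunk of this file, where the old `pfblocker` and `pfblockerWL` aliases are likewise kept. Adding the `i` modifier keeps both generations matched: `if (!preg_match("/pfblocker.*rule/i",$rule['descr']))` here and `if (! preg_match("/pfblocker.*list/i",$cbalias['descr']))` for the aliases. The visible symptom would be a leftover rule that still references an alias whose `?cb=1` URL this commit stops serving. The enclosing loop starts before this hunk.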
@@ -329,6 +436,7 @@ function pfblocker_do_xmlrpc_sync($sync_to_ip, $password) {
 	/* xml will hold the sections to sync */
 	$xml = array();
 	$xml['pfblocker'] = $config['installedpackages']['pfblocker'];
+	$xml['pfblockertopspammers'] = $config['installedpackages']['pfblockertopspammers'];
 	$xml['pfblockerafrica'] = $config['installedpackages']['pfblockerafrica'];
 	$xml['pfblockerantartica'] = $config['installedpackages']['pfblockerantartica'];
 	$xml['pfblockerasia'] = $config['installedpackages']['pfblockerasia'];
diff --git a/config/pf-blocker/pfblocker.php b/config/pf-blocker/pfblocker.php
index 73d3d466..e3caa585 100644
--- a/config/pf-blocker/pfblocker.php
+++ b/config/pf-blocker/pfblocker.php
@@ -1,28 +1,38 @@
 ";
 		print $return;
 }
 
-if ($_REQUEST['cb']== 1){# and $_SERVER['REMOTE_ADDR']== '127.0.0.1'){
-	get_networks(1);
+# to be uncomented when this packages gets stable state
+#if($_SERVER['REMOTE_ADDR']== '127.0.0.1'){
+switch ($_REQUEST['pfb']){
+	case "in":
+		get_networks(1);
+	break;	
+	case "out":
+		get_networks(2);
+	break;
+	case "white":
+		get_networks(3);
+	break;
 }
-if ($_REQUEST['cbw']== 1){# and $_SERVER['REMOTE_ADDR']== '127.0.0.1'){
-	get_networks(2);
-}
-
+#}
+	
 function pfblocker_get_countries(){
 $files= array (	"Africa" => "/usr/local/pkg/Africa_cidr.txt",
-				"Antartica" => "/usr/local/pkg/Antartica_cidr.txt",
 				"Asia" => "/usr/local/pkg/Asia_cidr.txt",
 				"Europe" => "/usr/local/pkg/Europe_cidr.txt",
 				"North America" => "/usr/local/pkg/North_America_cidr.txt",
 				"Oceania" => "/usr/local/pkg/Oceania_cidr.txt",
 				"South America"=>"/usr/local/pkg/South_America_cidr.txt");
+
 $cdir='/usr/local/pkg/pfblocker';
 if (! is_dir($cdir))
 	mkdir ($cdir,0755);
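Review bot: The `$_SERVER['REMOTE_ADDR']== '127.0.0.1'` guard around the new `switch ($_REQUEST['pfb'])` is left commented out, so any client that can reach this page can request the `in`, `out` and `white` lists, while the only intended consumer is the urltable fetch that sync_package_pfblocker() points at 127.0.0.1. `$_REQUEST['pfb']` is also read without an isset() check, which raises a notice on every other request to the page. Both are addressed in one line: `if ($_SERVER['REMOTE_ADDR'] == '127.0.0.1' && isset($_REQUEST['pfb'])) switch ($_REQUEST['pfb']){`, with the matching closing brace after the switch instead of the commented `#}`. get_networks() is defined before this hunk.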
@@ -44,7 +54,7 @@ foreach ($files as $cont => $file){
 		else{
 			if (${$ISOCode}==0){
 				${$ISOCode}++;
-			$options.= ''."\n";
+			$options.= ''."\n";
 			}
 			${$ISOCode}.=$line."\n";
 		}
@@ -113,16 +123,17 @@ $xml= <<General
 			/pkg_edit.php?xml=pfblocker.xml&id=0
 		
+		
+			Top Spammers
+			/pkg_edit.php?xml=pfblocker_topspammers.xml&id=0
+			{$active['top']}
+		
+		
 		
 			Africa
 			/pkg_edit.php?xml=pfblocker_Africa.xml&id=0
 			{$active['Africa']}
 		
-		
-			Antartica
-			/pkg_edit.php?xml=pfblocker_Antartica.xml&id=0
-			{$active['Antartica']}
-		
 		
 			Asia
 			/pkg_edit.php?xml=pfblocker_Asia.xml&id=0
diff --git a/config/pf-blocker/pfblocker.xml b/config/pf-blocker/pfblocker.xml
index edbe64d8..e88d7907 100755
--- a/config/pf-blocker/pfblocker.xml
+++ b/config/pf-blocker/pfblocker.xml
@@ -109,13 +109,13 @@
 			
 		
 		
-			Africa
-			/pkg_edit.php?xml=pfblocker_Africa.xml&id=0
-			
+			Top Spammers
+			/pkg_edit.php?xml=pfblocker_topspammers.xml&id=0
 		
+	
 		
-			Antartica
-			/pkg_edit.php?xml=pfblocker_Antartica.xml&id=0
+			Africa
+			/pkg_edit.php?xml=pfblocker_Africa.xml&id=0
 			
 		
 		
@@ -173,47 +173,120 @@
 		
 			Outbound Interface(s)
 			outbound_interface
-			LAN
Select interface(s) that you do not want to send outgoing traffic.
+ LAN or none.
Select interface(s) that you do not want to send outgoing traffic.
If you want to create custom outbound rules for blocked countries based on pfBlocker firewall alias, leave this list empty.]]>
interfaces_selection
- Whitelist - whitelist - - Example: 192.168.1.0/24]]> - textarea - 20 - 06 - base64 - - - Shortcut + Network ranges / CIDR lists listtopic + + Country Action + countryblock + Block Inbound
+ Select action for countries you have selected

+ Note:
'Block Inbound' traffic will deny access from selected countries to your network.
+ 'Block Outgoing' traffic will deny access from your users to countries you selected to block
+ 'Whitelist' will allow access from and to selected countries to your network.
+ 'None' will not apply rules to selected countries.]]>
+ select + + + + + + + +
- Top Spammers - topspammers - - - + Update frequency + update + Never
+ Select how often pfsense will download Lists files]]>
select - - - - - - - - - - + + + + + + - 10 - +
+ + + + none + + ON url field, add direct link to list (Example: Ads, + Spyware, + Proxies )
+ Compressed lists must be in gz format.
+ File must have only one network per line and could follows PeerBlock syntax or this below:
+ Network ranges: 172.16.1.0-172.16.1.255
+ CIDR: 172.16.1.0/24 + ]]>
+ rowhelper + + + List Action + action + select + + + + + + + + + Format + format + select + + + + + + + Url + url + input + 57 + + +
+ + List info help + list_info + + ON url field, add direct link to list (Example: Ads, + Spyware, + Proxies )
+ Compressed lists must be in gz format.
+ File must have only one network per line and could follows PeerBlock syntax or this below:
+ Network ranges: 172.16.1.0-172.16.1.255
+ CIDR: 172.16.1.0/24 + ]]>
+ checkbox + +
+ + Custom list + listtopic + + + Whitelist + whitelist + + Example: 192.168.1.0/24]]> + textarea + 50 + 06 + base64 diff --git a/config/pf-blocker/pfblocker_sync.xml b/config/pf-blocker/pfblocker_sync.xml index bc525aa3..43cca1f9 100644 --- a/config/pf-blocker/pfblocker_sync.xml +++ b/config/pf-blocker/pfblocker_sync.xml @@ -57,13 +57,12 @@ /pkg_edit.php?xml=pfblocker.xml&id=0
- Africa - /pkg_edit.php?xml=pfblocker_Africa.xml&id=0 - + Top Spammers + /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0 - Antartica - /pkg_edit.php?xml=pfblocker_Antartica.xml&id=0 + Africa + /pkg_edit.php?xml=pfblocker_Africa.xml&id=0 diff --git a/config/pf-blocker/pfblocker_topspammers.xml b/config/pf-blocker/pfblocker_topspammers.xml new file mode 100644 index 00000000..dcb02524 --- /dev/null +++ b/config/pf-blocker/pfblocker_topspammers.xml @@ -0,0 +1,136 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + pfblockertopspammers + 1.0 + Firewall: pfBlocker + /usr/local/pkg/pfblocker.inc + + pfBlocker + Configure pfblocker +
Firewall
+ pkg_edit.php?xml=pfblocker.xml&id=0 +
+ + + General + /pkg_edit.php?xml=pfblocker.xml&id=0 + + + Top Spammers + /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0 + + + + Africa + /pkg_edit.php?xml=pfblocker_Africa.xml&id=0 + + + + Asia + /pkg_edit.php?xml=pfblocker_Asia.xml&id=0 + + + + Europe + /pkg_edit.php?xml=pfblocker_Europe.xml&id=0 + + + North America + /pkg_edit.php?xml=pfblocker_NorthAmerica.xml&id=0 + + + Oceania + /pkg_edit.php?xml=pfblocker_Oceania.xml&id=0 + + + South America + /pkg_edit.php?xml=pfblocker_SouthAmerica.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=pfblocker_sync.xml&id=0 + + + + + Countries Shortcut + listtopic + + + Top Spammers + countries + + + + select + + + + + + + + + + + + + 10 + + + + + pfblocker_php_install_command(); + + + pfblocker_php_deinstall_command(); + + + pfblocker_validate_input($_POST, &$input_errors); + + + sync_package_pfblocker(); + +
-- cgit v1.2.3