From b826f027192c51b86684a06a572c0aca82cb0a58 Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 1 Nov 2011 01:47:50 -0200 Subject: pfBlocker - version 0.1.4 changes alias/lists/rules engine and gui --- config/pf-blocker/pfBlocker.widget.php | 64 ++- config/pf-blocker/pfblocker.inc | 602 +++++++++++++++------------- config/pf-blocker/pfblocker.php | 89 ++-- config/pf-blocker/pfblocker.xml | 128 +----- config/pf-blocker/pfblocker_lists.xml | 237 +++++++++++ config/pf-blocker/pfblocker_sync.xml | 6 + config/pf-blocker/pfblocker_topspammers.xml | 28 +- 7 files changed, 697 insertions(+), 457 deletions(-) create mode 100755 config/pf-blocker/pfblocker_lists.xml (limited to 'config') diff --git a/config/pf-blocker/pfBlocker.widget.php b/config/pf-blocker/pfBlocker.widget.php index ec1d08a2..6830275a 100644 --- a/config/pf-blocker/pfBlocker.widget.php +++ b/config/pf-blocker/pfBlocker.widget.php @@ -33,49 +33,43 @@ echo ""; -$in=""; -$out=""; -$white=""; +$pfb_table=array(); +$out=""; +$in=""; +if (is_array($config['aliases']['alias'])) +foreach ($config['aliases']['alias'] as $cbalias){ + if (preg_match("/pfBlocker/",$cbalias['name'])){ + + if (file_exists('/var/db/aliastables/'.$cbalias['name'].'.txt')){ + preg_match("/(\d+)/",exec("/usr/bin/wc -l /var/db/aliastables/".$cbalias['name'].".txt"),$matches); + $pfb_table[$cbalias['name']]=array("count" => $matches[1], + "img"=> $out); + } + } + } $rules=$config['filter']['rule']; #echo "
";
 foreach($rules as $rule){
-	if ($rule['destination']['address'] == 'pfBlockerOutbound' && $out == ""){
-		#print_r($rule);
-		$out="";
-	}
-		
-	if ($rule['source']['address']== 'pfBlockerInbound' && $in == "")
-		$in="";
+	if (preg_match("/pfBlocker/",$rule['source']['address']))
+		$pfb_table[$rule['source']['address']]["img"]=$in;
 		
-	if ($rule['source']['address']== 'pfBlockerWL' && $white == "")
-		$white="";
-		
-	if ($rule['destination']['address']== 'pfBlockerWL' && $white == "")
-		$white="";
+	if (preg_match("/pfBlocker/",$rule['destination']['address']))
+		$pfb_table[$rule['destination']['address']]["img"]=$in;
 }
+print "
";
+#var_dump($pfb_table);
+#exit;
+	print "
"; + print ""; + print ""; -$in=($in != ""?$in:""); -$out=($out != ""?$out:""); -$white=($white != ""?$white:""); - -echo " "; -echo " "; -echo " "; -echo" "; -echo" "; -if (file_exists("/usr/local/pkg/pfb_in.txt")) { - $resultsIP = preg_match_all("/\//",file_get_contents("/usr/local/pkg/pfb_in.txt"),$matches); - echo " "; +foreach ($pfb_table as $alias => $values){ + print ""; + print ""; + print ""; } -if (file_exists("/usr/local/pkg/pfb_out.txt")) { - $resultsIP = preg_match_all("/\//",file_get_contents("/usr/local/pkg/pfb_out.txt"),$matches); - echo " "; -} -if (file_exists("/usr/local/pkg/pfb_w.txt")) { - $resultsIP = preg_match_all("/\//",file_get_contents("/usr/local/pkg/pfb_w.txt"),$matches); - echo " ";} - echo" "; echo"
AliasCIDRsStatus
pfBlockerInbound".$in."pfBlockerOutbound".$out."pfBlockerWL".$white."
". count($matches[0])." Networks".$alias ."".$values["count"]."".$values["img"]."
" . count($matches[0])." Networks" . count($matches[0])." Networks
"; +exit; ?> \ No newline at end of file diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc index f9f6d951..ec017df8 100755 --- a/config/pf-blocker/pfblocker.inc +++ b/config/pf-blocker/pfblocker.inc @@ -72,9 +72,9 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) { function sync_package_pfblocker() { global $config; + $pfblocker_enable=$config['installedpackages']['pfblocker']['config'][0]['enable_cb']; $pfblocker_config=$config['installedpackages']['pfblocker']['config'][0]; - $continents= array("Africa","Antartica","Asia","Europe","North America","Oceania","South America"); - + $table_limit =($config['system']['maximumtableentries']!= ""?$config['system']['maximumtableentries']:"100000"); #get local web gui configuration $web_local=($config['system']['webgui']['protocol'] != ""?$config['system']['webgui']['protocol']:"http"); $port = $config['system']['webgui']['port']; 
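Review bot: The alias name is spliced into a shell command in `exec("/usr/bin/wc -l /var/db/aliastables/".$cbalias['name'].".txt")` without `escapeshellarg()`, and the preceding `/pfBlocker/` match is unanchored, so any alias whose name merely contains that substring reaches the shell; pfSense normally restricts alias names, but the widget should not depend on that. No shell is needed for a line count: `$pfb_table[$cbalias['name']] = array("count" => count(file('/var/db/aliastables/'.$cbalias['name'].'.txt', FILE_IGNORE_NEW_LINES)), "img" => $out);` does the same work in PHP. The trailing `+exit;` before `?>` looks like leftover debugging (a commented `#exit;` sits a few lines above it) and, if this file is included by the dashboard page as widgets usually are, it will stop rendering everything after this widget, so it should be dropped.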
@@ -86,304 +86,355 @@ function sync_package_pfblocker() { } $web_local .= "://127.0.0.1:".$port.'/pfblocker.php'; - #get all selected countries - $countries=$config['installedpackages']['pfblockertopspammers']['config'][0]['countries'].","; - foreach ($continents as $continent){ - if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])) - $countries.=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0]['countries'].","; - } - $cb_files = explode(",", $countries); - - $pfbdir='/usr/local/pkg/pfblocker'; - #check folders + $pfbdir='/usr/local/pkg/pfblocker'; + $pfb_alias_dir='/usr/local/pkg/pfblocker_aliases'; if (!is_dir($pfbdir)) mkdir ($pfbdir,0755); + if (!is_dir($pfb_alias_dir)) + mkdir ($pfb_alias_dir,0755); if (! is_dir('/var/db/aliastables/')) mkdir ('/var/db/aliastables/',0755); - - #get custom lists - $whitelist=pfb_text_area_decode($pfblocker_config['whitelist']); - $ips_in=""; - $ips_out=""; - foreach ($cb_files as $iso){ - if ($iso <> ""){ - if (file_exists($pfbdir.'/'.$iso.'.txt')) - switch ($pfblocker_config['countryblock']){ - case "inbound": - $ips_in.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + + $continents= array( "Africa" => "pfBlockerAfrica", + "Antartica" => "pfBlockerAntartica", + "Asia" => "pfBlockerAsia", + "Europe" => "pfBlockerEurope", + "North America" => "pfBlockerNorthAmerica", + "Oceania" => "pfBlockerOceania", + "South America" => "pfBlockerSouthAmerica", + "Top Spammers" => "pfBlockerTopSpammers"); + + #create rules vars and arrays + $new_aliases=array(); + $permit_inbound=array(); + $permit_outbound=array(); + $deny_inbound=array(); + $deny_outbound=array(); + $aliases_list=array(); + #check if pfblocker is enabled or not. 
+ $deny_action_inbound=($pfblocker_config['inbound_deny_action']!= ""?$pfblocker_config['inbound_deny_action']:"block");
+ $deny_action_outbound=($pfblocker_config['outbound_deny_action']!= ""?$pfblocker_config['outbound_deny_action']:"reject");
+ $base_rule= array( "id" => "",
+ "tag"=> "",
+ "tagged"=> "",
+ "max"=> "",
+ "max-src-nodes"=>"",
+ "max-src-conn"=> "",
+ "max-src-states"=>"",
+ "statetimeout"=>"",
+ "statetype"=>"keep state",
+ "os"=> "");
+#############################################
+# Assign Countries #
+#############################################
+ foreach ($continents as $continent => $pfb_alias){
+ ${$continent}="";
+ if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])){
+ $continent_config=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0];
+ if ($continent_config['action'] != 'Disabled' && $continent_config['action'] != '' && $pfblocker_enable == "on")
+ foreach (explode(",", $continent_config['countries']) as $iso){
+ #var_dump ($iso);
+ if ($iso <> "" && file_exists($pfbdir.'/'.$iso.'.txt'))
+ ${$continent} .= file_get_contents($pfbdir.'/'.$iso.'.txt');
+ }
+ if($continent_config['countries'] != "" && $pfblocker_enable == "on"){
+ #write alias file
+ file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent},LOCK_EX);
+ #Create alias config
+ $new_aliases[]=array("name"=> $pfb_alias,
+ "url"=> $web_local.'?pfb='.$pfb_alias,
+ "updatefreq"=> "32",
+ "address"=>"",
+ "descr"=> "pfBlocker country list",
+ "type"=> "urltable",
+ "detail"=> "DO NOT EDIT THIS ALIAS");
+ #force alias file update
+ if (file_exists($pfb_alias_dir.'/'.$pfb_alias.'.txt'))
+ file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent}, LOCK_EX);
+ #Create rule if action permits
+ switch($continent_config['action']){
+ case "Deny_Outbound":
+ $rule = $base_rule;
+ $rule["type"] = $deny_action_outbound;
+ $rule["descr"]= "pfBlocker Outbound 
rule"; + $rule["source"]=array("any"=>""); + $rule["destination"]= array("address"=> $pfb_alias); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $deny_outbound[]=$rule; + break; + case "Deny_Inbound": + $rule = $base_rule; + $rule["type"] = $deny_action_inbound; + $rule["descr"]= "pfBlocker Inbound rule"; + $rule["source"]= array("address"=> $pfb_alias); + $rule["destination"]=array("any"=>""); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $deny_inbound[]=$rule; break; - case "outbound": - $ips_out.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + case "Permit_Outbound": + $rule = $base_rule; + $rule["type"] = "pass"; + $rule["descr"]= "pfBlocker Outbound rule"; + $rule["source"]=array("any"=>""); + $rule["destination"]= array("address"=> $pfb_alias); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $permit_outbound[]=$rule; break; - case "both": - $ips_in.=file_get_contents($pfbdir.'/'.$iso.'.txt'); - $ips_out.=file_get_contents($pfbdir.'/'.$iso.'.txt'); + case "Permit_Inbound": + $rule = $base_rule; + $rule["type"] = "pass"; + $rule["descr"]= "pfBlocker Inbound rule"; + $rule["source"]= array("address"=> $pfb_alias); + $rule["destination"]=array("any"=>""); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $permit_inbound[]=$rule; break; - case "whitelist": - $whitelist.=file_get_contents($pfbdir.'/'.$iso.'.txt'); - break; } + } } + #mark pfctl aliastable for cleanup + if (!in_array($pfb_alias, $aliases_list)) + $aliases_list[]=$pfb_alias; + } - #Assign IP range lists - foreach ($pfblocker_config['row'] as $row){ - $md5_url = md5($row['url']); - #print $row['action']."
"; - if (file_exists($pfbdir."/".$md5_url.".txt")){ - ${$row['action']}.= file_get_contents($pfbdir.'/'.$md5_url.'.txt'); - } - else{ - if ($row['format'] == "gz") - $url_list= gzfile($row['url']); - else - $url_list= file($row['url']); - #extract range lists - $new_file=""; - foreach ($url_list as $line){ - # CIDR format 192.168.0.0/16 - if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){ - ${$row['action']}.= $matches[1]."\n"; - $new_file.= $matches[1]."\n"; + ############################################# + # Assign lists # + ############################################# + #print "
";
+	if($config['installedpackages']['pfblockerlists']['config'] != "")
+		foreach($config['installedpackages']['pfblockerlists']['config'] as $list){
+		 $alias="pfBlocker".preg_replace("/\W/","",$list['aliasname']);
+		 #print $list['aliasname'].$list['action']." ".$alias." ".$row['url']."
"; + if ($alias != "pfBlocker" && $list['action'] != "" && $list['action'] != 'Disabled' && $pfblocker_enable == "on"){ + #remove empty lists files if any + if (is_array($list['row'])) + foreach ($list['row'] as $row){ + #print $list['aliasname'].$list['action'].$list['cron']." ".$alias." ".$row['url']."$update_local
"; + if ($row['url'] != ""){ + $md5_url = md5($row['url']); + if (file_exists($pfbdir."/".$md5_url.".txt")){ + ${$alias}.= file_get_contents($pfbdir.'/'.$md5_url.'.txt'); + } + else{ + if ($row['format'] == "gz") + $url_list= gzfile($row['url']); + else + $url_list= file($row['url']); + #extract range lists + $new_file=""; + if (is_array($url_list)) + foreach ($url_list as $line){ + # CIDR format 192.168.0.0/16 + if (preg_match("/(\d+\.\d+\.\d+\.\d+\/\d+)/",$line,$matches)){ + ${$alias}.= $matches[1]."\n"; + $new_file.= $matches[1]."\n"; + } + # Network range 192.168.0.0-192.168.0.254 + if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){ + $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); + if ($cidr != ""){ + ${$alias}.= $cidr."\n"; + $new_file.= $cidr."\n"; + } + } + } + if ($new_file != "") + file_put_contents($pfbdir.'/'.$md5_url.'.txt',$new_file, LOCK_EX); + } + } } - - # Network range 192.168.0.0-192.168.0.254 - if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)) - $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); - if ($cidr != ""){ - ${$row['action']}.= $cidr."\n"; - $new_file.= $cidr."\n"; + #check custom network list + if (pfb_text_area_decode($list['custom']) != "") + ${$alias}.=pfb_text_area_decode($list['custom'])."\n"; + #save alias file if not empty + if (${$alias} == ""){ + if (file_exists($pfb_alias_dir.'/'.$alias.'.txt')) + unlink($pfb_alias_dir.'/'.$alias.'.txt'); } + else{ + file_put_contents($pfb_alias_dir.'/'.$alias.'.txt',${$alias}, LOCK_EX); + #create alias + $new_aliases[]=array("name"=> $alias, + "url"=> $web_local.'?pfb='.$alias, + "updatefreq"=> "32", + "address"=>"", + "descr"=> "pfBlocker user list", + "type"=> "urltable", + "detail"=> "DO NOT EDIT THIS ALIAS"); + #Create rule if action permits + switch($list['action']){ + case "Deny_Outbound": + $rule = $base_rule; + $rule["type"] = $deny_action_outbound; + $rule["descr"]= "pfBlocker Outbound rule"; + 
$rule["source"]=array("any"=>""); + $rule["destination"]= array("address"=> $alias); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $deny_outbound[]=$rule; + break; + case "Deny_Inbound": + $rule = $base_rule; + $rule["type"] = $deny_action_inbound; + $rule["descr"]= "pfBlocker Inbound rule"; + $rule["source"]= array("address"=> $alias); + $rule["destination"]=array("any"=>""); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $deny_inbound[]=$rule; + break; + case "Permit_Outbound": + $rule = $base_rule; + $rule["type"] = "pass"; + $rule["descr"]= "pfBlocker Outbound rule"; + $rule["source"]=array("any"=>""); + $rule["destination"]= array("address"=> $alias); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $permit_outbound[]=$rule; + break; + case "Permit_Inbound": + $rule = $base_rule; + $rule["type"] = "pass"; + $rule["descr"]= "pfBlocker Inbound rule"; + $rule["source"]= array("address"=> $alias); + $rule["destination"]=array("any"=>""); + if ($pfblocker_config['enable_log']) + $rule["log"]=""; + $permit_inbound[]=$rule; + break; + } + } + #mark pfctl aliastable for cleanup + if (!in_array($alias, $aliases_list)) + $aliases_list[]=$alias; + } + else{ + #unlink previous pfblocker alias list if any + if (file_exists($pfb_alias_dir.'/'.$alias.'.txt')) + unlink($pfb_alias_dir.'/'.$alias.'.txt'); } - if ($new_file != "") - file_put_contents($pfbdir.'/'.$md5_url.'.txt',$new_file, LOCK_EX); - } - #print $row['url']."
" .$md5_url.".txt
"; - #var_dump(gzfile($row['url'])); - } - - #create all country block lists based on gui - file_put_contents('/usr/local/pkg/pfb_in.txt',$ips_in, LOCK_EX); - - #create all country block lists based on gui - file_put_contents('/usr/local/pkg/pfb_out.txt',$ips_out, LOCK_EX); - - #write white_list to filesystem - file_put_contents('/usr/local/pkg/pfb_w.txt',$whitelist, LOCK_EX); - - - #edit or assign alias "pfblockerInbound", "pfblockerOutbound" and "pfblockerWL" - $aliases=$config['aliases']['alias']; - $new_aliases=array(); - $pfBlockerInbound='/var/db/aliastables/pfBlockerInbound.txt'; - if ($ips_in != "" && $config['installedpackages']['pfblocker']['config'][0]['enable_cb'] == "on"){ - #create or reaply alias - $new_aliases[]=array("name"=> 'pfBlockerInbound', - "url"=> $web_local.'?pfb=in', - "updatefreq"=> "7", - "address"=>"", - "descr"=> "pfBlocker Inbound deny list", - "type"=> "urltable", - "detail"=> "DO NOT EDIT THIS ALIAS"); - #force alias file update - if (file_exists($pfBlockerInbound)) - file_put_contents($pfBlockerInbound,$ips_in, LOCK_EX); - } - else{ - #remove previous aliastable if exist - if (file_exists($pfBlockerInbound)) - unlink($pfBlockerInbound); - } - $pfBlockerOutbound='/var/db/aliastables/pfBlockerOutbound.txt'; - if ($ips_out != "" && $config['installedpackages']['pfblocker']['config'][0]['enable_cb'] == "on"){ - #create or reaply alias - $new_aliases[]=array("name"=> 'pfBlockerOutbound', - "url"=> $web_local.'?pfb=out', - "updatefreq"=> "7", - "address"=>"", - "descr"=> "pfBlocker Outbound deny list", - "type"=> "urltable", - "detail"=> "DO NOT EDIT THIS ALIAS"); - #force alias file update - if (file_exists($pfBlockerOutbound)) - file_put_contents($pfBlockerOutbound,$ips_out, LOCK_EX); } - else{ - #remove previous aliastable if exist - if (file_exists($pfBlockerOutbound)) - unlink($pfBlockerOutbound); - } - - $pfblockerWL='/var/db/aliastables/pfBlockerWL.txt'; - if ($whitelist != "" && 
$config['installedpackages']['pfblocker']['config'][0]['enable_cb'] == "on"){ - #create or reaply alias - $new_aliases[]=array("name"=> 'pfBlockerWL', - "url"=> $web_local.'?pfb=white', - "updatefreq"=> "7", - "address"=>"", - "descr"=> "pfBlocker White list", - "type"=> "urltable", - "detail"=> "DO NOT EDIT THIS ALIAS"); - #force alias file update - if (file_exists($pfblockerWL)) - file_put_contents($pfblockerWL,$whitelist, LOCK_EX); + #update pfsense alias table + $aliases=$config['aliases']['alias']; + foreach($aliases as $cbalias){ + if (preg_match("/pfBlocker/",$cbalias['name'])){ + #mark pfctl aliastable for cleaning + if (!in_array($cbalias['name'], $aliases_list)) + $aliases_list[]=$cbalias['name']; #mark aliastable for cleaning + #remove previous aliastable file if exist + $aliastablefile="/var/db/aliastables/".$cbalias['name'].".txt"; + if (file_exists($aliastablefile)) + unlink($aliastablefile); + } + else{ + $new_aliases[]= $cbalias; + if (file_exists($pfb_alias_dir.'/'.$alias.'.txt') && $message ==""){ + preg_match("/(\d+)/",exec("/usr/bin/wc -l ".$pfb_alias_dir.'/'.$alias.'.txt'),$matches); + } + if (($matches[1] * 2.1)>= $table_limit ) + #alias table too large + $message= $alias .' alias table is too large. Reduce networks in list or increase "Firewall Maximum Table Entries" value to at least '. (int)($matches[1] * 2.1) .' in "system - advanced - Firewall/NAT".'; + } } - else{ - #remove previous aliastable if exist - if (file_exists($pfblockerWL)) - unlink($pfblockerWL); - } + #apply new alias table to xml + if ($message == "") + $config['aliases']['alias']=$new_aliases; + #exit; + ############################################# + # Assign rules # + ############################################# + #print "
";
+	#var_dump($permit_inbound);
+	#var_dump($permit_outbound);
+	#var_dump($deny_inbound);
+	#var_dump($deny_outbound);			
+	#var_dump($pfblocker_config['inbound_interface']);
+	#print count($deny_inbound) .count($deny_inbound);
 	
-	if (is_array($aliases))
-	  foreach($aliases as $cbalias){
-		if (! preg_match("/pfBlocker.*list/",$cbalias['descr']))
-			$new_aliases[]=	$cbalias;
-	}
-	$config['aliases']['alias']=$new_aliases;
-	
-	# check pfBlocker filter options
-	$ifaces = $pfblocker_config['inbound_interface'];
-	if ($ifaces != "")
-      foreach (explode(",", $ifaces) as $i => $iface) {
-    	if ($whitelist != "" && $iface != ""){
-			${$iface}[0]=array("id" => "",
-					"type"=>"pass",
-					"tag"=>	"",
-					"interface" => $iface,
-					"tagged"=> "",
-					"max"=>	 "",
-					"max-src-nodes"=>"",
-					"max-src-conn"=> "",
-					"max-src-states"=>"",
-					"statetimeout"=>"",
-					"statetype"=>"keep state",
-					"os"=> "",
-					"source"=>array("address"=>"pfBlockerWL"),
-    				"destination"=>array("any"=>""),
-    				"descr"=>"pfBlocker Whitelist rule");
-
-			if ($pfblocker_config['enable_log'])
-				${$iface}[0]["log"]="";
-    	}
-		if ($ips_in != "" && $iface != ""){
-			$action=($pfblocker_config['inbound_deny_action']!= ""?$pfblocker_config['inbound_deny_action']:"block");
-			${$iface}[1]=array(	"id" => "",
-							"type"=>$action,
-							"tag"=>	"",
-							"interface" => $iface,
-							"tagged"=> "",
-							"max"=>	 "",
-							"max-src-nodes"=>"",
-							"max-src-conn"=> "",
-							"max-src-states"=>"",
-							"statetimeout"=>"",
-						    "statetype"=>"keep state",
-							"os"=> "",
-							"source"=>array("address"=>"pfBlockerInbound"),
-    						"destination"=>array("any"=>""),
-    						"descr"=>"pfBlocker Inbound deny rule");
-
-			if ($pfblocker_config['enable_log'])
-				${$iface}[1]["log"]="";
+	# Inbound filter options
+	$inbound_interface = $pfblocker_config['inbound_interface'];
+	if (count($deny_inbound) > 0 || count($permit_inbound) > 0){
+		if($inbound_interface == "")
+			$message="Unable to apply rules.Inbound Interface option not configured.";
+		 if ($inbound_interface == "lo0")
+			$message="Floating rules are not implemented in pfBlocker yet, choose Inbound Interface other than loopback or change action to Alias only.";
 		}
-	}
-	$ifaces = $pfblocker_config['outbound_interface'];
-	if ($ifaces != "")
-      foreach (explode(",", $ifaces) as $i => $iface) {
-    	if ($whitelist != "" && $iface != ""){
-			${$iface}[2]=array(	"id" => "",
-							"type"=>"pass",
-							"tag"=>	"",
-							"interface" => $iface,
-							"tagged"=> "",
-							"max"=>	 "",
-							"max-src-nodes"=>"",
-							"max-src-conn"=> "",
-							"max-src-states"=>"",
-							"statetimeout"=>"",
-							"statetype"=>"keep state",
-							"os"=> "",
-    						"source"=>array("any"=>""),
-    						"destination"=>array("address"=>"pfBlockerWL"),
-    						"descr"=>"pfBlocker Whitelist rule");
-		if ($pfblocker_config['enable_log'])
-				${$iface}[2]["log"]="";			
-    	}
-		if ($ips_out != "" && $iface != ""){
-			$action=($pfblocker_config['outbound_deny_action']!= ""?$pfblocker_config['outbound_deny_action']:"block");
-			${$iface}[3]= array("id" => "",
-							"type"=>$action,
-							"tag"=>	"",
-							"interface" => $iface,
-							"tagged"=> "",
-							"max"=>	 "",
-							"max-src-nodes"=>"",
-							"max-src-conn"=> "",
-							"max-src-states"=>"",
-							"statetimeout"=>"",
-							"statetype"=>"keep state",
-							"os"=> "",
-    						"source"=>array("any"=>""),
-    						"destination"=>array("address"=>"pfBlockerOutbound"),
-    						"descr"=>"pfBlocker Outbound deny rule");
-			if ($pfblocker_config['enable_log'])
-				${$iface}[3]["log"]="";
-			
+		
+	# Outbound filter options
+	$outbound_interface = $pfblocker_config['outbound_interface'];
+	if (count($deny_outbound) > 0 || count($permit_outbound) > 0){
+		if($outbound_interface == "")
+			$message="Unable to apply rules.Outbound Interface option not configured.";
+		 if ($outbound_interface == "lo0")
+			$message="Floating rules are not implemented in pfBlocker yet, choose Outbound Interface other than loopback or change action to Alias only.";
 		}
-
-	}
-	$last_iface="";
-	$rules=$config['filter']['rule'];
-	foreach ($rules as $rule){
-		if ($rule['interface'] <> $last_iface){
-			$last_iface = $rule['interface'];
-			#apply pfblocker rules if enabled
-			if ($config['installedpackages']['pfblocker']['config'][0]['enable_cb'] == "on" && is_array(${$rule['interface']}))
-				foreach (${$rule['interface']} as $cb_rules)
-					$new_rules[]=$cb_rules;
+		
+	if ($message == "")
+		{
+		$last_iface="";
+		$rules=$config['filter']['rule'];
+		$new_rules=array();
+		foreach ($rules as $rule){
+			if ($rule['interface'] <> $last_iface){
+				$last_iface = $rule['interface'];
+				#apply pfblocker rules if enabled
+				
+				#Inbound
+				if (preg_match("/$last_iface/",$inbound_interface)){
+					#permit rules
+					if (is_array($permit_inbound))
+						foreach ($permit_inbound as $cb_rules){
+							$cb_rules['interface']=$rule['interface'];
+							$new_rules[]=$cb_rules;	
+						}
+					#deny rules
+					if (is_array($deny_inbound))
+						foreach ($deny_inbound as $cb_rules){
+							$cb_rules['interface']=$rule['interface'];
+							$new_rules[]=$cb_rules;	
+						}
+				}
+				#Outbound
+				if (preg_match("/$last_iface/",$outbound_interface)){
+					#permit rules
+					if (is_array($permit_outbound))
+						foreach ($permit_outbound as $cb_rules){
+							$cb_rules['interface']=$rule['interface'];
+							$new_rules[]=$cb_rules;	
+						}
+					#deny rules
+					if (is_array($deny_outbound))
+						foreach ($deny_outbound as $cb_rules){
+							$cb_rules['interface']=$rule['interface'];
+							$new_rules[]=$cb_rules;	
+						}
+				}
+			}
+		  #include all rules that is not from pfBlocker
+		  if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && $rule['interface'] != "")
+					$new_rules[]=$rule;
 		}
-		if (!preg_match("/pfBlocker.*rule/",$rule['descr']))
-			$new_rules[]=$rule;	
-	}
-	$config['filter']['rule']=$new_rules;
-
-	#check aliastable size
-	preg_match("/(\d+)/",exec("/usr/bin/wc -l /usr/local/pkg/pfb_in.txt"),$matches);
-	$count_ips_in = $matches[1];
-	preg_match("/(\d+)/",exec("/usr/bin/wc -l /usr/local/pkg/pfb_out.txt"),$matches);
-	$count_ips_out = $matches[1];
-	preg_match("/(\d+)/",exec("/usr/bin/wc -l /usr/local/pkg/pfb_w.txt"),$matches);
-	$count_ips_w = $matches[1];
-	
-	#get higher value
-	$max=$count_ips_in;
-	if ($max < $count_ips_out)
-		$max = $count_ips_out;
-	if ($max < $count_ips_w)
-		$max = $count_ips_w;
-	$sum=($count_ips_in + $count_ips_out + $count_ips_w);
-	#check table size client option
-	$table_limit =($config['system']['maximumtableentries']!= ""?$config['system']['maximumtableentries']:"100000");
+		$config['filter']['rule']=$new_rules;
+		}	
 
-	#check for possible table size erros
-	$error_message="";
-    if ($count_ips_in >= $table_limit )
-    	$message='pfBlockerInbound alias table is too large. Reduce Inbound list or increase "Firewall Maximum Table Entries" value to at least '.($sum +1000).' in "system - advanced - Firewall/NAT".';
-	if ($count_ips_out >= $table_limit )
-    	$message='pfBlockerOutbound alias table is too large. Reduce Outbound List or  increase "Firewall Maximum Table Entries" value to at least '.($sum +1000).' in "system - advanced - Firewall/NAT".';
-	if ($count_ips_w >= $table_limit )
-    	$message='pfBlockerWL alias table is too large. Reduce whitelist or increase "Firewall Maximum Table Entries" value to at least '.($sum +1000).' in "system - advanced - Firewall/NAT ".';
-    	
 	if ($message == ""){
-		#save and apply all changes*/
+		#save and apply all changes
 
+		# to be removed in final version
+		$aliases_list[]="pfBlockerInbound"; #remove previous version lists
+		$aliases_list[]="pfBlockerOutbound";#remove previous version lists
+		$aliases_list[]="pfBlockerWL";		#remove previous version lists
+		#exit;
 		#update pfctrl tables
-		$tables = array ('pfBlockerOutbound' => 'pfb_out.txt',
-				 'pfBlockerInbound'  => 'pfb_in.txt',
-				 'pfBlockerWL'  => 'pfb_w.txt');
-		foreach ($tables as $table => $pfb_file)
-			exec("/sbin/pfctl -t " . escapeshellarg($table) . " -T replace -f /usr/local/pkg/" . escapeshellarg($pfb_file) . " 2>&1", $result_pfb);
+		foreach ($aliases_list as $table)
+			exec("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $result_pfb);
 
 		#write config
    		write_config();
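Review bot: The interface match `preg_match("/$last_iface/",$inbound_interface)` (and the outbound twin) is an unanchored substring test against a comma-separated selection, so with interfaces named `opt1` and `opt10` the pfBlocker rules for one are also inserted in front of the other's rule set; the old code used `explode(",", ...)`, and `if (in_array($last_iface, explode(",", $inbound_interface)))` restores that exact-match behaviour. The table-size guard is also in the wrong place: it sits in the `else` branch of `if (preg_match("/pfBlocker/",$cbalias['name']))`, reads the stale `$alias` left over from the lists loop rather than the alias being examined, and reuses `$matches` from a previous iteration, so an oversized pfBlocker table is never reported before `pfctl -T kill` and `write_config()` run — count the lines of `$pfb_alias_dir.'/'.$cbalias['name'].'.txt'` inside the pfBlocker branch and reset `$matches` first. Separately, lists fetched with `file($row['url'])`/`gzfile($row['url'])` over whatever scheme the admin typed (typically plain HTTP) now feed `"type"=>"pass"` rules when the action is `Permit_Inbound`/`Permit_Outbound`, so a tampered or hijacked feed becomes an allow rule on the selected interface; a comment here and a GUI warning that permit actions should only point at trusted, integrity-checked sources would be worth adding. sync_package_pfblocker() starts before and continues past this hunk.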
@@ -485,6 +536,7 @@ function pfblocker_do_xmlrpc_sync($sync_to_ip, $password) {
 	/* xml will hold the sections to sync */
 	$xml = array();
 	$xml['pfblocker'] = $config['installedpackages']['pfblocker'];
+	$xml['pfblockerlists'] = $config['installedpackages']['pfblockerlists'];
 	$xml['pfblockertopspammers'] = $config['installedpackages']['pfblockertopspammers'];
 	$xml['pfblockerafrica'] = $config['installedpackages']['pfblockerafrica'];
 	$xml['pfblockerantartica'] = $config['installedpackages']['pfblockerantartica'];
diff --git a/config/pf-blocker/pfblocker.php b/config/pf-blocker/pfblocker.php
index f1dd85f5..b6c595ab 100644
--- a/config/pf-blocker/pfblocker.php
+++ b/config/pf-blocker/pfblocker.php
@@ -1,29 +1,27 @@
 ";
-		print $return;
+	$file='/usr/local/pkg/pfblocker_aliases/'.$pfb.'.txt';
+	if ($file)
+		$return= file_get_contents($file);
+	print $return;
 }
 
 # to be uncomented when this packages gets stable state
 #if($_SERVER['REMOTE_ADDR']== '127.0.0.1'){
-switch ($_REQUEST['pfb']){
-	case "in":
-		get_networks(1);
-	break;	
-	case "out":
-		get_networks(2);
-	break;
-	case "white":
-		get_networks(3);
-	break;
-}
+if (preg_match("/(\w+)/",$_REQUEST['pfb'],$matches))
+	get_networks($matches[1]);
 #}
+
+if ($argv[1]=='cron' && preg_match("/\d+/",$argv[2],$matches)){
+        #require_once("/etc/inc/util.inc");
+        #require_once("/etc/inc/functions.inc");
+        #require_once("/etc/inc/etpkg-utils.inc");
+        #require_once("/etc/inc/globals.inc");
+        #require_once("/etc/inc/filter.inc");
+        include "/usr/local/pkg/pfblocker.inc";
+        print "id".$argv[2];
+        sync_package_pfblocker($argv[2]);
+        }
 	
 function pfblocker_get_countries(){
 $files= array (	"Africa" => "/usr/local/pkg/Africa_cidr.txt",
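Review bot: `if ($file)` in get_networks() tests a non-empty path string and is therefore always true; the intended guard is `if (file_exists($file))`, otherwise an unknown alias name makes `file_get_contents()` emit a warning and `print $return` print an undefined variable. The `\w+` capture on `$_REQUEST['pfb']` does keep the name from escaping `/usr/local/pkg/pfblocker_aliases/`, but the `REMOTE_ADDR == '127.0.0.1'` gate around the call is still commented out, so any client that can reach this page can fetch any alias list by guessing its name — either restore the gate or document in a comment that the page is intentionally reachable. The cron branch calls `sync_package_pfblocker($argv[2])` even though that function is declared without parameters in pfblocker.inc in this same patch, matches with an unanchored `/\d+/`, and leaves a debug `print "id".$argv[2];` in place; `$argv` is also undefined when the script is served by the web server, which raises a notice on every alias fetch. get_networks() begins before this hunk.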
@@ -123,6 +121,10 @@ $xml= <<General
 			/pkg_edit.php?xml=pfblocker.xml&id=0
 		
+		
+			Lists
+			/pkg.php?xml=pfblocker_lists.xml
+		
 		
 			Top Spammers
 			/pkg_edit.php?xml=pfblocker_topspammers.xml&id=0
@@ -166,22 +168,45 @@ $xml= <<
 	
 	
-			Continent {$cont}
-			listtopic
+		Continent {$cont}
+		listtopic
+	
+		
+		Countries
+		countries
+		
+		
+				Use CTRL + CLICK to unselect countries]]>
+		
+		select
+ 			
+			{$options}
+ 			
+			{$total}
+			
 		
 		
-			Countries
-			countries
-			
-			
-			
+		Action
+		action
+		Disabled
+ Select action for countries you have selected in {$cont}

+ Note:
'Deny Inbound' - Will deny access from selected countries to your network.
+ 'Deny Outbound' - Will deny access from your users to countries you selected to block
+ 'Permit Inbound' - Will allow access from selected countries to your network.
+ 'Permit Outbound' - Will allow access from your users to countries you selected to block
+ 'Alias Only' - Will create alias {$cont} with selected countries to help custom rule assignments.
+ 'Disabled' - Will just keep selection and do nothing to selected countries.
]]>
select - {$options} - - {$total} - -
+ + + + + + + + + pfblocker_php_install_command(); @@ -201,4 +226,4 @@ EOF; } } -?> \ No newline at end of file +?> diff --git a/config/pf-blocker/pfblocker.xml b/config/pf-blocker/pfblocker.xml index 77a81e24..eef4c882 100755 --- a/config/pf-blocker/pfblocker.xml +++ b/config/pf-blocker/pfblocker.xml @@ -50,7 +50,7 @@ pfBlocker Configure pfblocker
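Review bot: The help text generated for the new per-continent `action` select describes 'Permit Outbound' as allowing access "to countries you selected to block", which contradicts the option it documents and looks copied from the 'Deny Outbound' line; change it to `'Permit Outbound' - Will allow access from your users to the countries you selected`. The 'Alias Only' line also says it creates "alias {$cont}" while the alias actually registered in sync_package_pfblocker() is the `pfBlocker`-prefixed name from the `$continents` map, so quoting that form (e.g. `pfBlocker{$cont}` with spaces removed) would avoid sending users looking for a non-existent alias. The heredoc this hunk edits is opened before the hunk starts.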
Firewall
- pkg_edit.php?xml=pfblocker.xml&id=0 + pkg_edit.php?xml=pfblocker.xml http://www.pfsense.org/packages/config/pf-blocker/pfblocker.inc @@ -72,6 +72,11 @@ /usr/local/pkg/ 0755 + + http://www.pfsense.org/packages/config/pf-blocker/pfblocker_lists.xml + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/pf-blocker/pfblocker_sync.xml /usr/local/pkg/ @@ -113,6 +118,11 @@ /pkg_edit.php?xml=pfblocker.xml&id=0
+ + Lists + /pkg.php?xml=pfblocker_lists.xml + + Top Spammers /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0 @@ -169,8 +179,7 @@ Inbound Interface(s) inbound_interface - WAN
Select interface(s) that you want to block incoming traffic.
- If you want to create custom inbound rules for blocked countries based on pfBlocker firewall alias, leave this list empty.]]>
+ WAN
Select interface(s) that you want to block incoming traffic.]]>
interfaces_selection @@ -189,8 +198,7 @@ Outbound Interface(s) outbound_interface - LAN or none.
Select interface(s) that you do not want to send outgoing traffic.
- If you want to create custom outbound rules for blocked countries based on pfBlocker firewall alias, leave this list empty.]]>
+ LAN or none.
Select interface(s) that you do not want to send outgoing traffic.]]>
interfaces_selection @@ -206,115 +214,7 @@
- - - Network ranges / CIDR lists - listtopic - - - - Country Action - countryblock - Block Inbound
- Select action for countries you have selected

- Note:
'Deny Inbound' traffic will deny access from selected countries to your network.
- 'Deny Outgoing' traffic will deny access from your users to countries you selected to block
- 'Whitelist' will allow access from and to selected countries to your network.
- 'None' will not apply rules to selected countries.]]>
- select - - - - - - - -
- - Update frequency - update - Never
- Select how often pfsense will download List files]]>
- select - - - - - - - -
- - - none - - ON url field, add direct link to list (Example: Ads, - Spyware, - Proxies )
- Compressed lists must be in gz format.
- File must have only one network per line and could follows PeerBlock syntax or this below:
- Network ranges: 172.16.1.0-172.16.1.255
- CIDR: 172.16.1.0/24 - ]]>
- rowhelper - - - List Action - action - select - - - - - - - - - Format - format - select - - - - - - - Url - url - input - 55 - - -
- - List info help - list_info - - ON url field, add direct link to list (Example: Ads, - Spyware, - Proxies )
- Compressed lists must be in gz format.
- File must have only one network per line and could follows PeerBlock syntax or this below:
- Network ranges: 172.16.1.0-172.16.1.255
- CIDR: 172.16.1.0/24 - ]]>
- checkbox - -
- - Custom list - listtopic - - - Whitelist - whitelist - - Example: 192.168.1.0/24]]> - textarea - 50 - 06 - base64 - + pfblocker_php_install_command(); diff --git a/config/pf-blocker/pfblocker_lists.xml b/config/pf-blocker/pfblocker_lists.xml new file mode 100755 index 00000000..08574783 --- /dev/null +++ b/config/pf-blocker/pfblocker_lists.xml 
@@ -0,0 +1,237 @@ + + + + + + + Copyright (C) 2011 Marcello Coutinho + + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + pfblockerlists + 1.0 + Firewall: pfBlocker + /usr/local/pkg/pfblocker.inc + + pfBlocker + +
Firewall
+ pfblocker_lists.xml +
+ + + General + /pkg_edit.php?xml=pfblocker.xml&id=0 + + + Lists + /pkg.php?xml=pfblocker_lists.xml + + + + + Top Spammers + /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0 + + + + Africa + /pkg_edit.php?xml=pfblocker_Africa.xml&id=0 + + + + Asia + /pkg_edit.php?xml=pfblocker_Asia.xml&id=0 + + + + Europe + /pkg_edit.php?xml=pfblocker_Europe.xml&id=0 + + + North America + /pkg_edit.php?xml=pfblocker_NorthAmerica.xml&id=0 + + + Oceania + /pkg_edit.php?xml=pfblocker_Oceania.xml&id=0 + + + South America + /pkg_edit.php?xml=pfblocker_SouthAmerica.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=pfblocker_sync.xml&id=0 + + + + + Alias + aliasname + + + Description + description + + + + Action + action + + + Update Frequency + cron + + + + + Network ranges / CIDR lists + listtopic + + + Alias Name + aliasname + + Example: Badguys
+ Do not include pfBlocker name, it's done by package.
+ International, special or space caracters will be ignored in pfsense alias name.
]]>
+ input + 20 +
+ + List Description + description + input + 90 + + + + none + + 'Url or local file' - Add direct link to list (Example: Ads, + Spyware, + Proxies )
+
Note:
+ Compressed lists must be in gz format.
+ Downloaded or local file must have only one network per line and could follows PeerBlock syntax or this below:
+ Network ranges: 172.16.1.0-172.16.1.255
+ IP Address: 172.16.1.10
+ CIDR: 172.16.1.0/24 + ]]>
+ rowhelper + + + Format + format + select + + + + + + + Url or localfile + url + input + 75 + + +
+ + List Action + Deny Inbound
+ Select action for network on lists you have selected.

+ Note:
'Deny Inbound' - Will deny access from selected countries to your network.
+ 'Deny Outbound' - Will deny access from your users to countries you selected to block
+ 'Permit Inbound' - Will allow access from selected countries to your network.
+ 'Permit Outbound' - Will allow access from your users to countries you selected to block
+ 'Alias Only' - Will create an alias with selected countries to help custom rule assignments.
+ 'Disabled' - Will just keep selection and do nothing to selected countries.
]]>
+ action + select + + + + + + + + +
+ + Update frequency + cron + Never
+ Select how often pfsense will download List files]]>
+ select + + + + + + + +
+ + Custom list + listtopic + + + CIDR + custom + + Example: 192.168.1.0/24]]> + textarea + 50 + 10 + base64 + +
+ + pfblocker_php_install_command(); + + + pfblocker_php_deinstall_command(); + + + pfblocker_validate_input($_POST, &$input_errors); + + + sync_package_pfblocker(); + +
\ No newline at end of file
diff --git a/config/pf-blocker/pfblocker_sync.xml b/config/pf-blocker/pfblocker_sync.xml
index 43cca1f9..41e5403c 100644
--- a/config/pf-blocker/pfblocker_sync.xml
+++ b/config/pf-blocker/pfblocker_sync.xml
@@ -56,10 +56,16 @@ General /pkg_edit.php?xml=pfblocker.xml&id=0
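Review bot: The validation hook `pfblocker_validate_input($_POST, &$input_errors);` in the custom_php_validation_command uses call-time pass-by-reference, which PHP deprecated in 5.3 and rejects as a fatal error from 5.4, so the form's input validation would stop running on a newer PHP; declare the parameter by reference in the function definition in pfblocker.inc (not on this page) and call it as `pfblocker_validate_input($_POST, $input_errors);`. The package description and requirements are still the generator placeholders (`Describe your package here`, `Describe your package requirements here`) and should describe what the Lists tab configures. The List Action help text was carried over from the country forms and speaks of 'selected countries', although this form configures network lists; it should read 'networks on the selected lists' so administrators do not misread which traffic the generated rules affect. The new 'Url or localfile' field lets an administrator point the package at an arbitrary file on the firewall, and since the validation and fetch logic live off this page, it is worth confirming there that local paths are confined to an expected directory and that the field's value is never interpolated into a shell command when the list is fetched.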
+ + Lists + /pkg.php?xml=pfblocker_lists.xml + + Top Spammers + /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0 + Africa /pkg_edit.php?xml=pfblocker_Africa.xml&id=0
diff --git a/config/pf-blocker/pfblocker_topspammers.xml b/config/pf-blocker/pfblocker_topspammers.xml
index dcb02524..f6bf8664 100644
--- a/config/pf-blocker/pfblocker_topspammers.xml
+++ b/config/pf-blocker/pfblocker_topspammers.xml
@@ -57,6 +57,10 @@ General /pkg_edit.php?xml=pfblocker.xml&id=0 + + Lists + /pkg.php?xml=pfblocker_lists.xml + Top Spammers /pkg_edit.php?xml=pfblocker_topspammers.xml&id=0
@@ -102,7 +106,8 @@ Top Spammers countries - + + Use CTRL + CLICK to unselect countries]]> select
@@ -120,6 +125,27 @@ 10 + + Action + action + Deny Inbound
+ Select action for countries you have selected.

+ Note:
'Deny Inbound' - Will deny access from selected countries to your network.
+ 'Deny Outbound' - Will deny access from your users to countries you selected to block
+ 'Permit Inbound' - Will allow access from selected countries to your network.
+ 'Permit Outbound' - Will allow access from your users to countries you selected to block
+ 'Alias Only' - Will create alias pfBlockerTopSpammers with selected countries to help custom rule assignments. + 'Disabled' - Will just keep selection and do nothing to selected countries.
]]>
+ select + + + + + + + + +
pfblocker_php_install_command(); -- cgit v1.2.3