author | Chris Buechler <cmb@pfsense.org> | 2013-01-08 01:58:07 -0800 |
committer | Chris Buechler <cmb@pfsense.org> | 2013-01-08 01:58:07 -0800 |
commit | 3042761accdea0982089fe879ced13b3458694c2 (patch) | |
tree | 6e66dcaf3ba043929f16aa950a2889de2e92a0cf | |
parent | 1b0074d5d139e71e1540230c3d2e36d71ccaf550 (diff) | |
parent | 3cde94cff2077122a3455bacbefaf295211183b3 (diff) | |
download | pfsense-3042761accdea0982089fe879ced13b3458694c2.zip pfsense-3042761accdea0982089fe879ced13b3458694c2.tar.gz |
Merge pull request #310 from bcyrill/bogons_patch1
Allow changing of bogons update frequency
-rw-r--r-- | conf.default/config.xml | 3 | ||||
-rw-r--r-- | etc/inc/services.inc | 2 | ||||
-rwxr-xr-x | etc/rc.update_bogons.sh | 133 | ||||
-rwxr-xr-x | usr/local/www/interfaces.php | 2 | ||||
-rw-r--r-- | usr/local/www/system_advanced_firewall.php | 35 |
5 files changed, 133 insertions, 42 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index df266f0..fb5c7be 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -194,6 +194,9 @@
 <disablelargereceiveoffloading/>
 <ipv6allow/>
 <powerd_mode>hadp</powerd_mode>
+ <bogons>
+ <interval>monthly</interval>
+ </bogons>
 </system>
 <interfaces>
 <wan>
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 18bbe95..82f11db 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -1976,7 +1976,7 @@ function install_cron_job($command, $active=false, $minute="0", $hour="*", $mont
 } else {
 if(($is_installed == true) && ($x > 0)) {
 unset($config['cron']['item'][$x]);
- write_config(sprintf(gettext("Remvoed cron job for %s"), $command));
+ write_config(sprintf(gettext("Removed cron job for %s"), $command));
 }
 }
 configure_cron();
diff --git a/etc/rc.update_bogons.sh b/etc/rc.update_bogons.sh
index 69870eb..e7e56e2 100755
--- a/etc/rc.update_bogons.sh
+++ b/etc/rc.update_bogons.sh
@@ -4,10 +4,55 @@
 # Part of the pfSense project
 # www.pfsense.com
 
+# Global variables
+proc_error=""
+
+# Download and extract if necessary
+function process_url() {
+ local file=$1
+ local url=$2
+ local filename=${url##*/}
+ local ext=${filename#*.}
+
+ /usr/bin/fetch -q -o $file "${url}"
+
+ if [ ! -f $file ]; then
+ echo "Could not download ${url}" | logger
+ proc_error="true"
+ fi
+
+ case "$ext" in
+ tar)
+ mv $file $file.tmp
+ /usr/bin/tar -xf $file.tmp -O > $file 2> /dev/null
+ ;;
+ tar.gz)
+ ;&
+ tgz)
+ mv $file $file.tmp
+ /usr/bin/tar -xzf $file.tmp -O > $file 2> /dev/null
+ ;;
+ tar.bz2)
+ mv $file $file.tmp
+ /usr/bin/tar -xjf $file.tmp -O > $file 2> /dev/null
+ ;;
+ *)
+ ;;
+ esac
+
+ if [ -f $file.tmp ]; then
+ rm $file.tmp
+ fi
+
+ if [ ! -f $file ]; then
+ echo "Could not extract $(unknown)" | logger
+ proc_error="true"
+ fi
+}
+
 echo "rc.update_bogons.sh is starting up." | logger
 
 # Sleep for some time, unless an argument is specified.
-
 if [ "$1" = "" ]; then
 # Grab a random value
 value=`od -A n -d -N2 /dev/random | awk '{ print $1 }'`
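Review bot: The extraction-failure message in process_url, `echo "Could not extract $(unknown)" | logger`, is a command substitution of a command that does not exist, so the logged line never names what failed and stderr gets a "not found" instead; it should read `echo "Could not extract ${url} to ${file}" | logger`. The download-failure branch above it sets proc_error but then falls through into the case statement and the tar calls on a file that was never written; a `return 1` after that `proc_error="true"` keeps the failure path short and the log unambiguous. The script is invoked as `sh /etc/rc.update_bogons.sh` elsewhere in this commit, and neither the `function` keyword nor the `;&` fall-through is a POSIX sh construct, so it is worth confirming the target /bin/sh accepts them or writing `process_url() {` and `tar.gz|tgz)` instead. `$file` is also unquoted throughout, which is harmless for the two fixed /tmp paths this commit passes but would break if process_url were reused with a path containing whitespace.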
@@ -17,59 +62,65 @@ fi
 
 echo "rc.update_bogons.sh is beginning the update cycle." | logger
 
-/usr/bin/fetch -q -o /tmp/bogons "http://files.pfsense.org/lists/fullbogons-ipv4.txt"
-/usr/bin/fetch -q -o /tmp/bogonsv6 "http://files.pfsense.org/lists/fullbogons-ipv6.txt"
-if [ ! -f /tmp/bogons ]; then
- echo "Could not download http://files.pfsense.org/lists/fullbogons-ipv4.txt" | logger
- dl_error="true"
-fi
-if [ ! -f /tmp/bogonsv6 ]; then
- echo "Could not download http://files.pfsense.org/lists/fullbogons-ipv6.txt" | logger
- dl_error="true"
+# Load custom bogon configuration
+if [ -f /var/etc/bogon_custom ]; then
+ . /var/etc/bogon_custom
 fi
 
-if [ "$dl_error" != "" ];then
+# Set default values if not overriden
+v4url=${v4url:-"http://files.pfsense.org/lists/fullbogons-ipv4.txt"}
+v6url=${v6url:-"http://files.pfsense.org/lists/fullbogons-ipv6.txt"}
+v4urlcksum=${v4urlcksum:-"${v4url}.md5"}
+v6urlcksum=${v6urlcksum:-"${v6url}.md5"}
+
+process_url /tmp/bogons "${v4url}"
+process_url /tmp/bogonsv6 "${v6url}"
+
+if [ "$proc_error" != "" ]; then
 # Relaunch and sleep
- sh /etc/rc.update_bogons.sh &
+ sh /etc/rc.update_bogons.sh &
 exit
 fi
 
-BOGON_V4_MD5=`/usr/bin/fetch -q -o - "http://files.pfsense.org/lists/fullbogons-ipv4.txt.md5" | awk '{ print $4 }'`
-ON_DISK_V4_MD5=`md5 /tmp/bogons | awk '{ print $4 }'`
-BOGON_V6_MD5=`/usr/bin/fetch -q -o - "http://files.pfsense.org/lists/fullbogons-ipv6.txt.md5" | awk '{ print $4 }'`
-ON_DISK_V6_MD5=`md5 /tmp/bogonsv6 | awk '{ print $4 }'`
+BOGON_V4_CKSUM=`/usr/bin/fetch -q -o - "${v4urlcksum}" | awk '{ print $4 }'`
+ON_DISK_V4_CKSUM=`md5 /tmp/bogons | awk '{ print $4 }'`
+BOGON_V6_CKSUM=`/usr/bin/fetch -q -o - "${v6urlcksum}" | awk '{ print $4 }'`
+ON_DISK_V6_CKSUM=`md5 /tmp/bogonsv6 | awk '{ print $4 }'`
 
-if [ "$BOGON_V4_MD5" = "$ON_DISK_V4_MD5" ] || [ "$BOGON_V6_MD5" = "$ON_DISK_V6_MD5" ]; then
- # At least one of the downloaded MD5s matches, so mount RW
+if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
+ # At least one of the downloaded checksums matches, so mount RW
 /etc/rc.conf_mount_rw
-fi
-
-if [ "$BOGON_V4_MD5" = "$ON_DISK_V4_MD5" ]; then
- egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
- RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1`
- rm /tmp/bogons
- echo "$RESULT" |awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
-else
- echo "Could not download http://files.pfsense.org/lists/fullbogons-ipv4.txt.md5 (md5 mismatch)" | logger
- md5_error="true"
-fi
-
-if [ "$BOGON_V6_MD5" = "$ON_DISK_V6_MD5" ]; then
- egrep -v "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
- RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
- rm /tmp/bogonsv6
- echo "$RESULT" |awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
-else
- echo "Could not download http://files.pfsense.org/lists/fullbogons-ipv6.txt.md5 (md5 mismatch)" | logger
- md5_error="true"
-fi
+
+ MAXENTRIES=`pfctl -s memory | awk '/table-entries/ { print $4 }'`
+
+ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ]; then
+ egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
+ RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1`
+ echo "$RESULT" |awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
+ rm /tmp/bogons
+ else
+ echo "Could not download ${v4url} (checksum mismatch)" | logger
+ checksum_error="true"
+ fi
 
-if [ "$BOGON_V4_MD5" = "$ON_DISK_V4_MD5" ] || [ "$BOGON_V6_MD5" = "$ON_DISK_V6_MD5" ]; then
+ if [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
+ LINES=`wc -l /tmp/bogonsv6 | awk '{ print $1 }'`
+ if [ $MAXENTRIES -gt $((2*LINES)) ]; then
+ egrep -v "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
+ RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
+ echo "$RESULT" |awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
+ fi
+ rm /tmp/bogonsv6
+ else
+ echo "Could not download ${v6url} (checksum mismatch)" | logger
+ checksum_error="true"
+ fi
+
 # We mounted RW, so switch back to RO
 /etc/rc.conf_mount_ro
 fi
 
-if [ "$md5_error" != "" ];then
+if [ "$checksum_error" != "" ]; then
 # Relaunch and sleep
 sh /etc/rc.update_bogons.sh &
 exit
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 7d14829..c4c127b 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -2619,6 +2619,8 @@ $types6 = array("none" => gettext("None"), "staticv6" => gettext("Static IPv6"),
 "(but not RFC 1918) or not yet assigned by IANA."); ?>
 <?=gettext("Bogons are prefixes that should never appear in the Internet routing table, " . "and obviously should not appear as the source address in any packets you receive."); ?>
+ <br/><br/>
+ <?=gettext("Note: The update frequency can be changed under System->Advanced Firewall/NAT settings.")?>
 </td>
 </tr>
 </table> <!-- End "allcfg" table -->
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index db0aaa4..e65581e 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -59,6 +59,7 @@ $pconfig['maximumtables'] = $config['system']['maximumtables'];
 $pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
 $pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
 $pconfig['disablenegate'] = isset($config['system']['disablenegate']);
+$pconfig['bogonsinterval'] = $config['system']['bogons']['interval'];
 $pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
 $pconfig['enablebinatreflection'] = $config['system']['enablebinatreflection'];
 $pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
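Review bot: When the IPv6 list is skipped because `[ $MAXENTRIES -gt $((2*LINES)) ]` is false, nothing is logged and /tmp/bogonsv6 is removed anyway, so an operator cannot tell that the bogonsv6 table kept its previous contents; that inner `if` needs an `else` such as `echo "Bogons V6 file not applied: ${LINES} entries, table limit ${MAXENTRIES}" | logger`. MAXENTRIES is also unquoted and unchecked, so if `pfctl -s memory` prints nothing the test becomes a shell syntax error and the v6 branch is skipped with only a stderr message; `MAXENTRIES=${MAXENTRIES:-0}` right after the assignment makes that failure deterministic and visible in the new log line. Sourcing `/var/etc/bogon_custom` with `.` runs that file as part of this script, which calls /etc/rc.conf_mount_rw and pfctl, and the same file can override v4urlcksum/v6urlcksum, so whoever can write that path chooses both the lists and the reference checksums; a comment at that line stating that the file is expected to be root-owned and not group/world-writable records the assumption for whoever creates it later. The reference checksum is fetched from the same plain-http origin as the list itself, so the comparison detects truncation but does not authenticate the list; that is pre-existing, but worth a one-line comment next to the `${v4url}.md5` default.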
@@ -170,6 +171,22 @@ if ($_POST) {
 $config['system']['tftpinterface'] = implode(",", $_POST['tftpinterface']);
 else
 unset($config['system']['tftpinterface']);
+
+ if ($_POST['bogonsinterval'] != $config['system']['bogons']['interval']) {
+ switch ($_POST['bogonsinterval']) {
+ case 'daily':
+ install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "*");
+ break;
+ case 'weekly':
+ install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "*", "*", "1");
+ break;
+ case 'monthly':
+ // fall through
+ default:
+ install_cron_job("/usr/bin/nice -n20 /etc/rc.update_bogons.sh", true, "1", "3", "1", "*", "*");
+ }
+ $config['system']['bogons']['interval'] = $_POST['bogonsinterval'];
+ }
 
 write_config();
 
@@ -392,6 +409,24 @@ function update_description(itemnum) {
 <tr>
 <td colspan="2" class="list" height="12"> </td>
 </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?=gettext("Bogon Networks");?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Update Frequency");?></td>
+ <td width="78%" class="vtable">
+ <select name="bogonsinterval" class="formselect">
+ <option value="monthly" <?php if (empty($pconfig['bogonsinterval']) || $pconfig['bogonsinterval'] == 'monthly') echo "selected"; ?>><?=gettext("Monthly"); ?></option>
+ <option value="weekly" <?php if ($pconfig['bogonsinterval'] == 'weekly') echo "selected"; ?>><?=gettext("Weekly"); ?></option>
+ <option value="daily" <?php if ($pconfig['bogonsinterval'] == 'daily') echo "selected"; ?>><?=gettext("Daily"); ?></option>
+ </select>
+ <br/>
+ <?=gettext("The frequency of updating the lists of IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA.");?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"> </td>
+ </tr>
 <?php if(count($config['interfaces']) > 1): ?>
 <tr>
 <td colspan="2" valign="top" class="listtopic"><?=gettext("Network Address Translation");?></td>
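Review bot: `$config['system']['bogons']['interval'] = $_POST['bogonsinterval'];` stores the submitted value verbatim, while the switch above it maps every value outside daily/weekly to the monthly schedule, so an arbitrary string ends up in config.xml with a monthly cron job and the select in the following hunk then shows no option selected; normalize first, `$interval = in_array($_POST['bogonsinterval'], array('daily', 'weekly', 'monthly'), true) ? $_POST['bogonsinterval'] : 'monthly';`, and use `$interval` in both the switch and the assignment. The comparison `$_POST['bogonsinterval'] != $config['system']['bogons']['interval']` reads a key that configs written before this commit may not have (the default is only added to conf.default/config.xml here), so wrapping the right-hand side in `isset(...) ? ... : 'monthly'` avoids an undefined-index notice on the first save after an upgrade. The enclosing `if ($_POST)` block starts before this hunk.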