function fetch_blacklist()
{
global $config, $g;
$url = $config['installedpackages']['dansguardianblacklist']['config'][0]['url'];
if (is_url($url)) {
conf_mount_rw();
print "file download start..";
unlink_if_exists("/usr/local/etc/dansguardian/lists/blacklist.tgz");
exec("/usr/bin/fetch -o /usr/local/etc/dansguardian/lists/blacklist.tgz " . escapeshellarg($url));
chdir("/usr/local/etc/dansguardian/lists");
if (is_dir("blacklists.old")) {
exec('rm -rf /usr/local/etc/dansguardian/lists/blacklists.old');
}
rename("blacklists", "blacklists.old");
exec('/usr/bin/tar -xvzf /usr/local/etc/dansguardian/lists/blacklist.tgz 2>&1', $output, $return);
if (preg_match("/x\\W+(\\w+)/", $output[0], $matches)) {
if ($matches[1] != "blacklists") {
rename("./" . $matches[1], "blacklists");
}
read_lists();
} else {
file_notice("Dansguardian - Could not determine Blacklist extract dir. Categories not updated", "");
}
} else {
file_notice("Dansguardian - Blacklist url is invalid.", "");
}
}
function fetch_blacklist($log_notice = true, $install_process = false)
{
global $config, $g;
if (is_array($config['installedpackages']['dansguardianblacklist']) && is_array($config['installedpackages']['dansguardianblacklist']['config'])) {
$url = $config['installedpackages']['dansguardianblacklist']['config'][0]['url'];
$uw = "Found a previouns install, checking Blacklist config...";
} else {
$uw = "Found a clean install, reading default access lists...";
}
conf_mount_rw();
if ($install_process == true) {
update_output_window($uw);
}
if (isset($url) && is_url($url)) {
if ($log_notice == true) {
print "file download start..";
unlink_if_exists("/usr/local/pkg/blacklist.tgz");
exec("/usr/bin/fetch -o /usr/local/pkg/blacklist.tgz " . escapeshellarg($url), $output, $return);
} else {
#install process
if (file_exists("/usr/local/pkg/blacklist.tgz")) {
update_output_window("Found previous blacklist database, skipping download...");
$return = 0;
} else {
update_output_window("Fetching blacklist");
download_file_with_progress_bar($url, "/usr/local/pkg/blacklist.tgz");
if (file_exists("/usr/local/pkg/blacklist.tgz")) {
$return = 0;
}
}
}
if ($return == 0) {
chdir(DANSGUARDIAN_DIR . "/etc/dansguardian/lists");
if (is_dir("blacklists.old")) {
exec('rm -rf ' . DANSGUARDIAN_DIR . '/etc/dansguardian/lists/blacklists.old');
}
rename("blacklists", "blacklists.old");
exec('/usr/bin/tar -xvzf /usr/local/pkg/blacklist.tgz 2>&1', $output, $return);
if (preg_match("/x\\W+(\\w+)/", $output[1], $matches)) {
if ($matches[1] != "blacklists") {
rename("./" . $matches[1], "blacklists");
}
read_lists($log_notice);
} else {
file_notice("Dansguardian - Could not determine Blacklist extract dir. Categories not updated", "");
}
} else {
file_notice("Dansguardian - Could not fetch blacklists from url", "");
}
} else {
if ($install_process == true) {
read_lists(false, $uw);
} elseif (!empty($url)) {
file_notice("Dansguardian - Blacklist url is invalid.", "");
}
}
}
function crypt_data($val, $pass, $opt)
{
$file = tempnam("/tmp", "php-encrypt");
file_put_contents("{$file}.dec", $val);
exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -k " . escapeshellarg($pass));
if (file_exists("{$file}.enc")) {
$result = file_get_contents("{$file}.enc");
} else {
$result = "";
log_error("Failed to encrypt/decrypt data!");
}
unlink_if_exists($file);
unlink_if_exists("{$file}.dec");
unlink_if_exists("{$file}.enc");
return $result;
}
$domain = htmlspecialchars($_POST['domain']);
$domainparse = str_replace('.', '\\.', $domain);
$pfb['dsupp'] =& $config['installedpackages']['pfblockerngdnsblsettings']['config'][0]['suppression'];
// Collect existing suppression list
$dnssupp_ex = collectsuppression();
// Query for domain in Unbound DNSBL file.
$dnsbl_query = exec("/usr/bin/grep -Hm1 ' \"{$domain} 60 IN A' {$pfb['dnsbl_file']}.conf");
// Save new suppress domain to suppress list.
if (empty($dnsbl_query)) {
$savemsg = gettext("Domain: [ {$domain} ] does not exist in the Unbound Resolver DNSBL");
exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}.");
} else {
// Remove domain from Unbound resolver pfb_dnsbl.conf file
exec("{$pfb['sed']} -i '' '/ \"{$domain} 60 IN A/d' {$pfb['dnsbl_file']}.conf");
$cache_dumpfile = '/var/tmp/unbound_cache';
unlink_if_exists("{$cache_dumpfile}");
$chroot_cmd = "chroot -u unbound -g unbound / /usr/local/sbin/unbound-control -c {$g['unbound_chroot_path']}/unbound.conf";
exec("{$chroot_cmd} dump_cache > {$cache_dumpfile}");
exec("{$chroot_cmd} reload");
if (file_exists($cache_dumpfile) && filesize($cache_dumpfile) > 0) {
exec("{$chroot_cmd} load_cache < {$cache_dumpfile}");
}
exec("/usr/local/sbin/unbound-control -c {$pfb['dnsbldir']}/unbound.conf flush {$domain}");
if (!in_array($domain, $dnssupp_ex)) {
$dnssupp_ex[] = $domain;
$dnssupp_new = base64_encode(implode("\n", $dnssupp_ex));
$pfb['dsupp'] = "{$dnssupp_new}";
write_config("pfBlockerNG: Added {$domain} to DNSBL suppress list");
}
$savemsg = gettext("Removed Domain: [ {$domain} ] from Unbound Resolver DNSBL. You may need to flush your browsers DNS Cache");
}
function begin_install()
{
global $g, $savemsg;
if (file_exists("/tmp/install_complete")) {
return;
}
unlink_if_exists("/tmp/install_complete");
update_installer_status_win(sprintf(gettext("Beginning installation on disk %s."), $disk));
start_installation();
}
// Delete any leftover suricata PID files in /var/run
unlink_if_exists("{$g['varrun_path']}/suricata_*.pid");
}
// Hard kill any running Barnyard2 processes
if (is_process_running("barnyard")) {
killbyname("barnyard2");
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
}
// Set flag for post-install in progress
$g['suricata_postinstall'] = true;
// Mount file system read/write so we can modify some files
conf_mount_rw();
// Remove any previously installed script since we rebuild it
unlink_if_exists("{$rcdir}suricata.sh");
// Create the top-tier log directory
safe_mkdir(SURICATALOGDIR);
// Create the IP Rep and SID Mods lists directory
safe_mkdir(SURICATA_SID_MODS_PATH);
safe_mkdir(SURICATA_IPREP_PATH);
// Make sure config variable is an array
if (!is_array($config['installedpackages']['suricata']['config'][0])) {
$config['installedpackages']['suricata']['config'][0] = array();
}
// Download the latest GeoIP DB updates and create cron task if the feature is not disabled
if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] != 'off') {
log_error(gettext("[Suricata] Installing free GeoIP country database files..."));
include "/usr/local/pkg/suricata/suricata_geoipupdate.php";
install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root");
}
defCmdT("last 1000 NTP log entries", "/usr/local/sbin/clog /var/log/ntpd.log 2>&1 | tail -n 1000");
defCmdT("last 1000 OpenVPN log entries", "/usr/local/sbin/clog /var/log/openvpn.log 2>&1 | tail -n 1000");
defCmdT("last 1000 Captive Portal auth log entries", "/usr/local/sbin/clog /var/log/portalauth.log 2>&1 | tail -n 1000");
defCmdT("last 1000 PPP log entries", "/usr/local/sbin/clog /var/log/poes.log 2>&1 | tail -n 1000");
defCmdT("last 1000 relayd log entries", "/usr/local/sbin/clog /var/log/relayd.log 2>&1 | tail -n 1000");
defCmdT("last 1000 resolver log entries", "/usr/local/sbin/clog /var/log/resolver.log 2>&1 | tail -n 1000");
defCmdT("last 1000 routing log entries", "/usr/local/sbin/clog /var/log/routing.log 2>&1 | tail -n 1000");
defCmdT("last 1000 wireless log entries", "/usr/local/sbin/clog /var/log/wireless.log 2>&1 | tail -n 1000");
if (file_exists("/tmp/PHP_errors.log")) {
defCmdT("PHP Error Log", "/bin/cat /tmp/PHP_errors.log");
}
defCmdT("System Message Buffer", "/sbin/dmesg -a");
defCmdT("System Message Buffer (Boot)", "/bin/cat /var/log/dmesg.boot");
defCmdT("sysctl values", "/sbin/sysctl -a");
defCmdT("Kernel Environment", "/bin/kenv");
defCmdT("Installed OS Packages", "/usr/sbin/pkg info");
exec("/bin/date", $dateOutput, $dateStatus);
$currentDate = $dateOutput[0];
$pgtitle = array("{$g['product_name']}", "Status");
include "head.inc";
print_info_box(gettext("Make sure all sensitive information is removed! (Passwords, etc.) before posting " . "information from this page in public places (like mailing lists).") . '<br />' . gettext("Common password fields in config.xml have been automatically redacted.") . '<br />' . gettext("When the page has finished loading, the output will be stored in {$output_file}. It may be downloaded via scp or ") . "<a href=\"/exec.php?dlPath={$output_file}\">" . gettext("Diagnostics > Command Prompt.") . '</a>');
listCmds();
execCmds();
print gettext("Saving output to archive...");
if (is_dir($output_path)) {
mwexec("/usr/bin/tar czpf " . escapeshellarg($output_file) . " -C " . escapeshellarg(dirname($output_path)) . " " . escapeshellarg(basename($output_path)));
unlink_if_exists("{$output_path}/*");
@rmdir($output_path);
}
print gettext("Done.");
include "foot.inc";
$input_errors[] = $vertical_bar_err_text;
}
} else {
$final_address_details[] = sprintf(gettext("Entry added %s"), date('r'));
}
}
} else {
if ($_POST['type'] == "url" || $_POST['type'] == "url_ports") {
$desc_fmt_err_found = false;
/* item is a url type */
for ($x = 0; $x < $max_alias_addresses - 1; $x++) {
$_POST['address' . $x] = trim($_POST['address' . $x]);
if ($_POST['address' . $x]) {
/* fetch down and add in */
$temp_filename = tempnam("{$g['tmp_path']}/", "alias_import");
unlink_if_exists($temp_filename);
$verify_ssl = isset($config['system']['checkaliasesurlcert']);
mkdir($temp_filename);
download_file($_POST['address' . $x], $temp_filename . "/aliases", $verify_ssl);
/* if the item is tar gzipped then extract */
if (stristr($_POST['address' . $x], ".tgz")) {
process_alias_tgz($temp_filename);
} else {
if (stristr($_POST['address' . $x], ".zip")) {
process_alias_unzip($temp_filename);
}
}
if (!isset($alias['aliasurl'])) {
$alias['aliasurl'] = array();
}
$alias['aliasurl'][] = $_POST['address' . $x];
exit;
}
if ($_POST['apply']) {
write_config();
$retval = 0;
/* Setup pf rules since the user may have changed the optimization value */
$retval = filter_configure();
$savemsg = get_std_save_message($retval);
if (stristr($retval, "error") != true) {
$savemsg = get_std_save_message($retval);
} else {
$savemsg = $retval;
}
/* reset rrd queues */
unlink_if_exists("/var/db/rrd/*queuedrops.rrd");
unlink_if_exists("/var/db/rrd/*queues.rrd");
enable_rrd_graphing();
clear_subsystem_dirty('shaper');
}
$pgtitle = array(gettext("Firewall"), gettext("Traffic Shaper"), gettext("Wizards"));
$shortcut_section = "trafficshaper";
$wizards = array(gettext("Multiple Lan/Wan") => "traffic_shaper_wizard_multi_all.xml", gettext("Dedicated Links") => "traffic_shaper_wizard_dedicated.xml");
include "head.inc";
if ($input_errors) {
print_input_errors($input_errors);
}
$tab_array = array();
$tab_array[] = array(gettext("By Interface"), false, "firewall_shaper.php");
$tab_array[] = array(gettext("By Queue"), false, "firewall_shaper_queues.php");
$tab_array[] = array(gettext("Limiter"), false, "firewall_shaper_vinterface.php");
$tab_array[] = array(gettext("Wizards"), true, "firewall_shaper_wizards.php");
@copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$suricatadir}{$emergingthreats_filename_md5}");
}
if ($pkg_interface != "console") {
update_status(gettext("Extraction of {$et_name} rules completed..."));
update_output_window(gettext("Installation of {$et_name} rules completed..."));
}
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging");
}
}
/* Untar Snort rules file to tmp */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
/* Remove the old Snort rules files */
$vrt_prefix = VRT_FILE_PREFIX;
unlink_if_exists("{$suricatadir}rules/{$vrt_prefix}*.rules");
if ($pkg_interface != "console") {
update_status(gettext("Extracting Snort VRT rules..."));
update_output_window(gettext("Installing Sourcefire VRT rules..."));
}
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
/* extract snort.org rules and add prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/");
$files = glob("{$tmpfname}/snortrules/rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
@copy($file, "{$suricatadir}rules/" . VRT_FILE_PREFIX . "{$newfile}");
}
/* IP lists */
$files = glob("{$tmpfname}/snortrules/rules/*.txt");
}
} elseif ($openappid_detectors == 'on') {
/**************************************************************************************/
/* Only updated OpenAppID detectors, so do not need to rebuild all interface rules. */
/* Restart snort if running, and not in post-install, so as to pick up the detectors. */
/**************************************************************************************/
if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
if ($pkg_interface != "console") {
update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
}
error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(2);
unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
if ($pkg_interface != "console") {
update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors..."));
}
log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors..."));
error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE);
} else {
if ($pkg_interface != "console") {
update_output_window(gettext("The rules update task is complete..."));
}
}
}
/* remove $tmpfname files */
if (is_dir("{$tmpfname}")) {
rmdir_recursive($tmpfname);
}
if (!$input_errors) {
// We have specified a new location for thebrig's installation, and it's valid, and we don't already have
// a jail at the old location. Call thebrig_populate, which will move all the web stuff and create the
// directory tree
// Also add startup command when thebrig completly installed
thebrig_populate($pconfig['rootfolder'], $config['thebrig']['rootfolder']);
$config['thebrig']['rootfolder'] = $pconfig['rootfolder'];
// Store the newly specified folder in the XML config
$config['thebrig']['template'] = $pconfig['template'];
$config['thebrig']['basejail']['folder'] = $pconfig['basejail'];
$langfile = file("ext/thebrig/lang.inc");
$version_1 = preg_split("/VERSION_NBR, 'v/", $langfile[1]);
$config['thebrig']['version'] = 0 + substr($version_1[1], 0, 3);
write_config();
// Write the config to disk
unlink_if_exists("/tmp/thebrig.tmp");
// Whatever we did, we did it successfully
$retval = 0;
$savemsg = get_std_save_message($retval);
}
// end of no input errors
}
// end of POST
// Display the page title, based on the constants defined in lang.inc
$pgtitle = array(_THEBRIG_EXTN, _THEBRIG_TITLE, _THEBRIG_BASIC_CONFIG, _THEBRIG_VERSION_NBR);
// Uses the global fbegin include
include "fbegin.inc";
// This will evaluate if there were any input errors from prior to the user clicking "save"
if ($input_errors) {
print_input_errors($input_errors);
} elseif ($savemsg) {
}
}
return FALSE;
}
if (isset($_POST['upload'])) {
if ($_FILES["iprep_fileup"]["error"] == UPLOAD_ERR_OK) {
$tmp_name = $_FILES["iprep_fileup"]["tmp_name"];
$name = $_FILES["iprep_fileup"]["name"];
move_uploaded_file($tmp_name, "{$iprep_path}{$name}");
} else {
$input_errors[] = gettext("Failed to upload file {$_FILES["iprep_fileup"]["name"]}");
}
}
if (isset($_POST['iplist_delete']) && isset($_POST['iplist_fname'])) {
if (!snort_is_iplist_active($_POST['iplist_fname'])) {
unlink_if_exists("{$iprep_path}{$_POST['iplist_fname']}");
} else {
$input_errors[] = gettext("This IP List is currently assigned as a Whitelist or Blackist for an interface and cannot be deleted.");
}
}
if (isset($_POST['iplist_edit']) && isset($_POST['iplist_fname'])) {
$file = $iprep_path . basename($_POST['iplist_fname']);
$data = file_get_contents($file);
if ($data !== FALSE) {
$iplist_data = htmlspecialchars($data);
$iplist_edit_style = "display: table-row-group;";
$iplist_name = basename($_POST['iplist_fname']);
unset($data);
} else {
$input_errors[] = gettext("An error occurred reading the file.");
}
$a_nat[$id]['ips_policy_enable'] = 'off';
unset($a_nat[$id]['ips_policy']);
}
$enabled_items = "";
if (is_array($_POST['toenable'])) {
$enabled_items = implode("||", $_POST['toenable']);
} else {
$enabled_items = $_POST['toenable'];
}
$a_nat[$id]['rulesets'] = $enabled_items;
if ($_POST['autoflowbits'] == "on") {
$a_nat[$id]['autoflowbitrules'] = 'on';
} else {
$a_nat[$id]['autoflowbitrules'] = 'off';
if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}")) {
unlink_if_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
}
}
write_config("Snort pkg: save enabled rule categories for {$a_nat[$id]['interface']}.");
/*************************************************/
/* Update the snort conf file and rebuild the */
/* rules for this interface. */
/*************************************************/
$rebuild_rules = true;
conf_mount_rw();
snort_generate_conf($a_nat[$id]);
conf_mount_ro();
$rebuild_rules = false;
/* Soft-restart Snort to live-load new rules */
snort_reload_config($a_nat[$id]);
$pconfig = $_POST;
require_once "/etc/inc/filter.inc";
require_once "/etc/inc/config.inc";
$hour = date('H');
$pfbdir = '/usr/local/pkg/pfblocker';
$updates = 0;
$cron = array('01hour' => 1, '04hours' => 4, '12hours' => 12, 'EveryDay' => 23);
if ($config['installedpackages']['pfblockerlists']['config'] != "") {
foreach ($config['installedpackages']['pfblockerlists']['config'] as $list) {
if (is_array($list['row'])) {
foreach ($list['row'] as $row) {
if ($row['url'] != "" && $hour > 0) {
$md5_url = md5($row['url']);
$update_hour = array_key_exists($list['cron'], $cron) ? $cron[$list['cron']] : 25;
if ($row['url'] && $hour % $update_hour == 0) {
print $update_hour . " " . $pfbdir . '/' . $md5_url . '.txt' . "\n";
unlink_if_exists($pfbdir . '/' . $md5_url . '.txt');
$updates++;
}
}
}
}
}
}
if ($updates > 0) {
include "/usr/local/pkg/pfblocker.inc";
sync_package_pfblocker("cron");
}
}
function pfblocker_get_countries()
{
$files = array("Africa" => "/usr/local/pkg/Africa_cidr.txt", "Asia" => "/usr/local/pkg/Asia_cidr.txt", "Europe" => "/usr/local/pkg/Europe_cidr.txt", "North America" => "/usr/local/pkg/North_America_cidr.txt", "Oceania" => "/usr/local/pkg/Oceania_cidr.txt", "South America" => "/usr/local/pkg/South_America_cidr.txt");
find_alias_reference(array('nat', 'outbound', 'rule'), array('destination', 'address'), $alias_name, $is_alias_referenced, $referenced_by);
find_alias_reference(array('nat', 'outbound', 'rule'), array('dstport'), $alias_name, $is_alias_referenced, $referenced_by);
find_alias_reference(array('nat', 'outbound', 'rule'), array('target'), $alias_name, $is_alias_referenced, $referenced_by);
// Alias in an alias
find_alias_reference(array('aliases', 'alias'), array('address'), $alias_name, $is_alias_referenced, $referenced_by);
// Load Balancer
find_alias_reference(array('load_balancer', 'lbpool'), array('port'), $alias_name, $is_alias_referenced, $referenced_by);
find_alias_reference(array('load_balancer', 'virtual_server'), array('port'), $alias_name, $is_alias_referenced, $referenced_by);
// Static routes
find_alias_reference(array('staticroutes', 'route'), array('network'), $alias_name, $is_alias_referenced, $referenced_by);
if ($is_alias_referenced == true) {
$savemsg = sprintf(gettext("Cannot delete alias. Currently in use by %s"), htmlspecialchars($referenced_by));
} else {
if (preg_match("/urltable/i", $a_aliases[$_GET['id']]['type'])) {
// this is a URL table type alias, delete its file as well
unlink_if_exists("/var/db/aliastables/" . $a_aliases[$_GET['id']]['name'] . ".txt");
}
unset($a_aliases[$_GET['id']]);
if (write_config()) {
filter_configure();
mark_subsystem_dirty('aliases');
}
header("Location: firewall_aliases.php?tab=" . $tab);
exit;
}
}
}
function find_alias_reference($section, $field, $origname, &$is_alias_referenced, &$referenced_by)
{
global $config;
if (!$origname || $is_alias_referenced) {
if (file_exists("{$suricata_rules_upd_log}")) {
unlink_if_exists("{$suricata_rules_upd_log}");
}
}
if ($_POST['update']) {
// Go see if new updates for rule sets are available
header("Location: /suricata/suricata_download_rules.php");
exit;
}
if ($_POST['force']) {
// Mount file system R/W since we need to remove files
conf_mount_rw();
// Remove the existing MD5 signature files to force a download
unlink_if_exists("{$suricatadir}{$emergingthreats_filename}.md5");
unlink_if_exists("{$suricatadir}{$snort_community_rules_filename}.md5");
unlink_if_exists("{$suricatadir}{$snort_rules_file}.md5");
// Revert file system to R/O.
conf_mount_ro();
// Go download the updates
header("Location: /suricata/suricata_download_rules.php");
exit;
}
/* check for logfile */
if (file_exists("{$suricata_rules_upd_log}")) {
$suricata_rules_upd_log_chk = 'yes';
} else {
$suricata_rules_upd_log_chk = 'no';
}
if ($_POST['view'] && $suricata_rules_upd_log_chk == 'yes') {
$contents = @file_get_contents($suricata_rules_upd_log);
if (empty($contents)) {
delete_package($pkgtodo['name'] . '-' . $pkgtodo['version'], $pkg_id);
delete_package_xml($pkgtodo['name']);
install_package($pkgtodo['name']);
$pkg_id++;
}
}
update_status("All packages reinstalled.");
$static_output .= "\n\nAll packages reinstalled.";
start_service(htmlspecialchars($_GET['pkg']));
update_output_window($static_output);
break;
default:
$status = install_package(htmlspecialchars($_GET['id']));
if ($status == -1) {
update_status("Installation of " . htmlspecialchars($_GET['id']) . " FAILED!");
$static_output .= "\n\nInstallation halted.";
} else {
update_status("Installation of " . $_GET['id'] . " completed.");
$static_output .= "\n\nInstallation completed. Please check to make sure that the package is configured from the respective menu then start the package.";
}
update_output_window($static_output);
}
// Delete all temporary package tarballs and staging areas.
unlink_if_exists("/tmp/apkg_*");
rmdir_recursive("/var/tmp/instmp*");
/* read only fs */
conf_mount_ro();
// close log
if ($fd_log) {
fclose($fd_log);
}
} elseif ($_GET) {
if (!isset($_GET['newver']) && !isset($_GET['rmver']) && !isset($_GET['getcfg']) && !isset($_GET['diff'])) {
header("Location: diag_confbak.php");
return;
}
conf_mount_rw();
$confvers = unserialize(file_get_contents($g['cf_conf_path'] . '/backup/backup.cache'));
if ($_GET['newver'] != "") {
if (config_restore($g['conf_path'] . '/backup/config-' . $_GET['newver'] . '.xml') == 0) {
$savemsg = sprintf(gettext('Successfully reverted to timestamp %1$s with description "%2$s".'), date(gettext("n/j/y H:i:s"), $_GET['newver']), htmlspecialchars($confvers[$_GET['newver']]['description']));
} else {
$savemsg = gettext("Unable to revert to the selected configuration.");
}
}
if ($_GET['rmver'] != "") {
unlink_if_exists($g['conf_path'] . '/backup/config-' . $_GET['rmver'] . '.xml');
$savemsg = sprintf(gettext('Deleted backup with timestamp %1$s and description "%2$s".'), date(gettext("n/j/y H:i:s"), $_GET['rmver']), htmlspecialchars($confvers[$_GET['rmver']]['description']));
}
conf_mount_ro();
}
if ($_GET['getcfg'] != "") {
$file = $g['conf_path'] . '/backup/config-' . $_GET['getcfg'] . '.xml';
$exp_name = urlencode("config-{$config['system']['hostname']}.{$config['system']['domain']}-{$_GET['getcfg']}.xml");
$exp_data = file_get_contents($file);
$exp_size = strlen($exp_data);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$exp_name}");
header("Content-Length: {$exp_size}");
echo $exp_data;
exit;
}
$savemsg .= <<<EOF
\t\t\t\t\t\t\t<br />
\t\t\t\t\t\t<form action="reboot.php" method="post">
\t\t\t\t\t\t\tWould you like to reboot?
\t\t\t\t\t\t\t<input name="Submit" type="submit" class="formbtn" value=" Yes " />
\t\t\t\t\t\t\t<input name="Submit" type="submit" class="formbtn" value=" No " />
\t\t\t\t\t\t</form>
EOF;
} else {
$savemsg = "Unable to revert to the selected configuration.";
}
print_info_box($savemsg);
} else {
log_error("There was an error when restoring the AutoConfigBackup item");
}
unlink_if_exists("/tmp/config_restore.xml");
conf_mount_ro();
}
if ($_REQUEST['download']) {
// Phone home and obtain backups
$curl_session = curl_init();
curl_setopt($curl_session, CURLOPT_URL, $get_url);
curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}")));
curl_setopt($curl_session, CURLOPT_POST, 3);
curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl_session, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl_session, CURLOPT_POSTFIELDS, "action=restore" . "&hostname=" . urlencode($hostname) . "&revision=" . urlencode($_REQUEST['download']));
curl_setopt($curl_session, CURLOPT_USERAGENT, $g['product_name'] . '/' . rtrim(file_get_contents("/etc/version")));
// Proxy
curl_setopt_array($curl_session, configure_proxy());
$data = curl_exec($curl_session);
function pfb_update_check($header, $list_url, $pfbfolder, $pfborig, $pflex, $format)
{
global $config, $pfb;
$log = "[ {$header} ]\n";
pfb_logger("{$log}", 1);
$pfb['cron_update'] = FALSE;
// Determine if previous download fails have exceeded threshold.
if ($pfb['restore'] == 'on') {
if ($pfb['skipfeed'] != 0) {
// Call function to get all previous download fails
pfb_failures();
if ($pfb['failed'][$header] >= $pfb['skipfeed']) {
$log = " Max daily download failure attempts exceeded. Clear widget 'failed downloads' to reset.\n\n";
pfb_logger("{$log}", 1);
unlink_if_exists("{$pfbfolder}/{$header}.fail");
return;
}
}
// Attempt download, when a previous 'fail' file marker is found.
if (file_exists("{$pfbfolder}/{$header}.fail")) {
$log = "\t\t\tPrevious download failed.\tRe-attempt download\n";
pfb_logger("{$log}", 1);
$pfb['update_cron'] = TRUE;
unlink_if_exists("{$pfbfolder}/{$header}.txt");
return;
}
} else {
unlink_if_exists("{$pfbfolder}/{$header}.fail");
}
// Check if List file doesn't exist or Format is 'whois'.
if (!file_exists("{$pfbfolder}/{$header}.txt") || $format == 'whois') {
$log = "\t\t\t\t\t\t\tUpdate found\n";
pfb_logger("{$log}", 1);
$pfb['update_cron'] = TRUE;
return;
}
$host = @parse_url($list_url);
$local_file = "{$pfborig}/{$header}.orig";
// Compare previously downloaded file timestamp with remote timestamp
if (file_exists($local_file)) {
if ($format == 'rsync') {
$log = "\t\t\t\t( rsync )\t\tUpdate found\n";
pfb_logger("{$log}", 1);
$pfb['update_cron'] = TRUE;
unlink_if_exists("{$pfbfolder}/{$header}.txt");
return;
}
// Determine if URL is Remote or Local
if (in_array($host['host'], array('127.0.0.1', $pfb['iplocal'], ''))) {
clearstatcache();
$remote_tds = gmdate('D, d M Y H:i:s T', @filemtime($list_url));
} else {
// Download URL headers and compare previously downloaded file with remote timestamp
if ($ch = curl_init($list_url)) {
curl_setopt_array($ch, $pfb['curl_defaults']);
// Load curl default settings
curl_setopt($ch, CURLOPT_NOBODY, true);
// Exclude the body from the output
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
// Allow downgrade of cURL settings if user configured
if ($pflex == 'Flex') {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1.2, TLSv1, SSLv3');
}
// Try up to 3 times to download the file before giving up
for ($retries = 1; $retries <= 3; $retries++) {
if (curl_exec($ch)) {
$remote_stamp_raw = curl_getinfo($ch, CURLINFO_FILETIME);
break;
// Break on success
}
sleep(3);
}
if ($remote_stamp_raw != -1) {
$remote_tds = gmdate('D, d M Y H:i:s T', $remote_stamp_raw);
}
} else {
$remote_stamp_raw = -1;
}
curl_close($ch);
}
// If remote timestamp not found, Attempt md5 comparison
if ($remote_stamp_raw == -1) {
// Collect md5 checksums
$remote_md5 = @md5_file($list_url);
$local_md5 = @md5_file($local_file);
if ($remote_md5 != $local_md5) {
$log = "\t\t\t\t( md5 changed )\t\tUpdate found\n";
pfb_logger("{$log}", 1);
$pfb['update_cron'] = TRUE;
unlink_if_exists("{$pfbfolder}/{$header}.txt");
return;
} else {
$log = "\t( No remote timestamp/md5 unchanged )\t\tUpdate not required\n";
pfb_logger("{$log}", 1);
return;
}
} else {
$log = " Remote timestamp: {$remote_tds}\n";
pfb_logger("{$log}", 1);
clearstatcache();
$local_tds = gmdate('D, d M Y H:i:s T', @filemtime($local_file));
$log = " Local timestamp: {$local_tds}\t";
pfb_logger("{$log}", 1);
if ("{$remote_tds}" != "{$local_tds}") {
$pfb['cron_update'] = TRUE;
} else {
$log = "Update not required\n";
pfb_logger("{$log}", 1);
$pfb['cron_update'] = FALSE;
}
}
} else {
$pfb['cron_update'] = TRUE;
}
if ($pfb['cron_update']) {
// Trigger CRON process if updates are found.
$pfb['update_cron'] = TRUE;
$log = "Update found\n";
pfb_logger("{$log}", 1);
unlink_if_exists("{$pfbfolder}/{$header}.txt");
}
return;
}
if (isset($id) && isset($a_nat[$id])) {
$a_nat[$id] = $natent;
write_config("Snort pkg: saved modified preprocessor settings for {$a_nat[$id]['interface']}.");
}
/*************************************************/
/* Update the snort.conf file and rebuild the */
/* rules for this interface. */
/*************************************************/
$rebuild_rules = true;
conf_mount_rw();
snort_generate_conf($natent);
conf_mount_ro();
$rebuild_rules = false;
/* If 'preproc_auto_rule_disable' is off, then clear log file */
if ($natent['preproc_auto_rule_disable'] == 'off') {
unlink_if_exists("{$snortlogdir}/{$disabled_rules_log}");
}
/*******************************************************/
/* Signal Snort to reload Host Attribute Table if one */
/* is configured and saved. */
/*******************************************************/
if ($natent['host_attribute_table'] == "on" && !empty($natent['host_attribute_data'])) {
snort_reload_config($natent, "SIGURG");
}
/* Sync to configured CARP slaves if any are enabled */
snort_sync_on_changes();
// We have saved changes, so clear "dirty" flag
clear_subsystem_dirty('snort_preprocessors');
/* after click go to this page */
header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
}
$a_out =& $config['nat']['advancedoutbound']['rule'];
if ($_POST['apply']) {
write_config();
$retval = 0;
config_lock();
$retval |= filter_configure();
config_unlock();
if (stristr($retval, "error") != true) {
$savemsg = get_std_save_message($retval);
} else {
$savemsg = $retval;
}
if ($retval == 0) {
unlink_if_exists($d_natconfdirty_path);
unlink_if_exists($d_filterconfdirty_path);
}
}
if (isset($_POST['save']) && $_POST['save'] == "Save") {
/* mutually exclusive settings - if user wants advanced NAT, we don't generate automatic rules */
switch ($_POST['advancedoripsec']) {
case "ipsecpassthru":
$config['nat']['ipsecpassthru']['enable'] = true;
unset($config['nat']['advancedoutbound']['enable']);
if (count($config['nat']['advancedoutbound']['rule']) == 0) {
unset($config['nat']['advancedoutbound']['rule']);
}
break;
case "advancedoutboundnat":
$was_enabled = isset($config['nat']['advancedoutbound']['enable']);
$config['nat']['advancedoutbound']['enable'] = true;
if (is_service_running("suricata")) {
log_error(gettext("[Suricata] Suricata STOP for all interfaces..."));
}
killbyname("suricata");
sleep(1);
// Delete any leftover suricata PID files in /var/run
unlink_if_exists("{$g['varrun_path']}/suricata_*.pid");
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
if (is_service_running("barnyard2")) {
log_error(gettext("[Suricata] Barnyard2 STOP for all interfaces..."));
}
killbyname("barnyard2");
sleep(1);
// Delete any leftover barnyard2 PID files in /var/run
unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
/* Remove the Suricata cron jobs. */
install_cron_job("suricata_check_for_rule_updates.php", false);
install_cron_job("suricata_check_cron_misc.inc", false);
install_cron_job("{$suri_pf_table}", false);
/* See if we are to keep Suricata log files on uninstall */
if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') {
log_error(gettext("[Suricata] Clearing all Suricata-related log files..."));
@unlink("{$suricata_rules_upd_log}");
mwexec("/bin/rm -rf {$suricatalogdir}");
}
// Mount filesystem read-write to remove our files
conf_mount_rw();
/* Remove the Suricata GUI app directories */
mwexec("/bin/rm -rf /usr/local/pkg/suricata");
mwexec("/bin/rm -rf /usr/local/www/suricata");
if ($firmwareupdate) {
mwexec_bg("{$upgrade_script}");
} else {
mwexec_bg("{$upgrade_script} -i {$pkgname}");
}
$start_polling = true;
break;
}
}
$uptodatemsg = gettext("Up to date.");
$confirmlabel = gettext("Confirm Update");
$sysmessage = gettext("Status");
// $completed just means that we are refreshing the page to update any new menu items
// that were installed
if ($completed) {
unlink_if_exists($logfilename . ".json");
// If this was a firmware update and a reboot was initiated, display the "Rebooting" message
// and start the countdown timer
if ($firmwareupdate && $reboot_needed) {
?>
<script>
//<![CDATA[
events.push(function() {
time = "<?php
echo $guitimeout;
?>
";
startCountdown();
});
//]]>
</script>
// System Sounds
if ($_POST['disablebeep'] == "yes") {
$config['system']['disablebeep'] = true;
} else {
unset($config['system']['disablebeep']);
}
if (!$input_errors) {
write_config();
pfSenseHeader("system_advanced_notifications.php");
return;
}
}
if (isset($_POST['test-growl'])) {
// Send test message via growl
if ($config['notifications']['growl']['ipaddress'] && ($config['notifications']['growl']['password'] = $_POST['password'])) {
unlink_if_exists($g['vardb_path'] . "/growlnotices_lastmsg.txt");
register_via_growl();
notify_via_growl(sprintf(gettext("This is a test message from %s. It is safe to ignore this message."), $g['product_name']), true);
}
}
if (isset($_POST['test-smtp'])) {
// Send test message via smtp
if (file_exists("/var/db/notices_lastmsg.txt")) {
unlink("/var/db/notices_lastmsg.txt");
}
$savemsg = notify_via_smtp(sprintf(gettext("This is a test message from %s.\t It is safe to ignore this message."), $g['product_name']), true);
}
}
$pgtitle = array(gettext("System"), gettext("Advanced"), gettext("Notifications"));
include "head.inc";
if ($input_errors) {
$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty";
if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) {
$config['installedpackages']['haproxy']['ha_pools']['item'] = array();
}
if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
$config['installedpackages']['haproxy']['ha_backends']['item'] = array();
}
$a_pools =& $config['installedpackages']['haproxy']['ha_pools']['item'];
$a_backends =& $config['installedpackages']['haproxy']['ha_backends']['item'];
if ($_POST) {
$pconfig = $_POST;
if ($_POST['apply']) {
$retval = 0;
$retval = haproxy_configure();
$savemsg = get_std_save_message($retval);
unlink_if_exists($d_haproxyconfdirty_path);
}
}
if ($_GET['act'] == "del") {
if (isset($a_pools[$_GET['id']])) {
unset($a_pools[$_GET['id']]);
write_config();
touch($d_haproxyconfdirty_path);
}
header("Location: haproxy_pools.php");
exit;
}
$pf_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
if ($pf_version < 2.0) {
$one_two = true;
}
##|*DESCR=Allow access to the 'Hidden: Detailed Status' page.
##|*MATCH=status.php*
##|-PRIV
/* Execute a command, with a title, and generate an HTML table
* showing the results.
*/
/* include all configuration functions */
require_once "guiconfig.inc";
require_once "functions.inc";
$output_path = "/tmp/status_output/";
$output_file = "/tmp/status_output.tgz";
if (is_dir($output_path)) {
unlink_if_exists("{$output_path}/*");
@rmdir($output_path);
}
unlink_if_exists($output_file);
mkdir($output_path);
function doCmdT($title, $command)
{
global $output_path, $output_file;
/* Fixup output directory */
$rubbish = array('|', '-', '/', '.', ' ');
/* fixes the <a> tag to be W3C compliant */
echo "\n<a name=\"" . str_replace($rubbish, '', $title) . "\" id=\"" . str_replace($rubbish, '', $title) . "\"></a>\n";
print '<div class="panel panel-default">';
print '<div class="panel-heading">' . $title . '</div>';
print '<div class="panel-body">';
print '<pre>';
if ($command == "dumpconfigxml") {
$ofd = @fopen("{$output_path}/config-sanitized.xml", "w");
$fd = @fopen("/conf/config.xml", "r");
$pconfig['txkey'] = $i;
}
$i++;
}
if (!isset($wepkey['txkey'])) {
$pconfig['txkey'] = 1;
}
}
}
}
if ($_POST['apply']) {
unset($input_errors);
if (!is_subsystem_dirty('interfaces')) {
$input_errors[] = gettext("You have already applied your settings!");
} else {
unlink_if_exists("{$g['tmp_path']}/config.cache");
clear_subsystem_dirty('interfaces');
if (file_exists("{$g['tmp_path']}/.interfaces.apply")) {
$toapplylist = unserialize(file_get_contents("{$g['tmp_path']}/.interfaces.apply"));
foreach ($toapplylist as $ifapply => $ifcfgo) {
if (isset($config['interfaces'][$ifapply]['enable'])) {
interface_bring_down($ifapply, false, $ifcfgo);
interface_configure($ifapply, true);
} else {
interface_bring_down($ifapply, true, $ifcfgo);
if (isset($config['dhcpd'][$ifapply]['enable']) || isset($config['dhcpdv6'][$ifapply]['enable'])) {
services_dhcpd_configure();
}
}
}
}
flush();
usleep(500);
}
}
if ($graphcmdreturn != 0 || !$data) {
log_error(sprintf(gettext('Failed to create graph with error code %1$s, the error is: %2$s'), $graphcmdreturn, $graphcmdoutput));
if (strstr($curdatabase, "queues")) {
log_error(sprintf(gettext("failed to create graph from %s%s, removing database"), $rrddbpath, $curdatabase));
unlink_if_exists($rrddbpath . $curif . $queues);
flush();
usleep(500);
enable_rrd_graphing();
}
if (strstr($curdatabase, "queuesdrop")) {
log_error(sprintf(gettext("failed to create graph from %s%s, removing database"), $rrddbpath, $curdatabase));
unlink_if_exists($rrddbpath . $curdatabase);
flush();
usleep(500);
enable_rrd_graphing();
}
header("Content-type: image/png");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-cache, no-store, must-revalidate");
header("Pragma: no-cache");
$input_errors[] = gettext("There has been an error in rendering the graph. Please check your system logs.");
print_input_errors($input_errors);
} else {
$file = "{$rrdtmppath}{$curdatabase}-{$curgraph}.png";
if (file_exists("{$file}")) {
header("Content-type: image/png");
