Could this script be useful?



  • I've found an interesting script on a Polish BSD forum; pfSense devs, just give it a minute and take a look at it:

    
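    #!/bin/sh
    #
    # PF conf maker v. 1.5
    #
    # Regenerates the pf ruleset ($name), /etc/hosts and the ethers file from a
    # semicolon-separated users file, backs the previous copies up into
    # $backupdir and loads the new ruleset with pfctl.
    #
    # Users file: one user per line, fields separated by ';'. Fields used here:
    #   1  name            -> /etc/hosts entry
    #   4  ip              -> nat / pass rules, /etc/hosts, ethers
    #   5  mac             -> ethers
    #   6  download limit  -> hfsc upperlimit (Kb) of the download queue
    #   7  upload limit    -> hfsc upperlimit (Kb) of the upload queue
    #   8  download queue  -> queue name on $int_if
    #   9  upload queue    -> queue name on $ext_if
    #   10 states          -> max-src-states
    #   11 priority        -> queue priority
    # Fields 2, 3 and 12 are read but not used by this script. Blank lines and
    # lines starting with '#' are skipped.
    #
    # Everything is built in temporary files and only installed after the new
    # ruleset passes a parse-only `pfctl -n`; an earlier version deleted
    # /etc/hosts and pf.conf first, so any failure mid-way left the box
    # without them.
    #
    # As in earlier versions, the backup directory 'backupdir' must exist.

    set -eu
    LC_ALL=C; export LC_ALL

    name="/root/pf.conf"
    ethers="/root/ethers"
    users="/root/users"
    hosts="/etc/hosts"
    # entries in this file are appended to /etc/hosts after the user entries
    hostsadd="/root/hosts/hosts.add"
    backupdir="/root/backup-pf"

    die() {
      printf '%s\n' "$*" >&2
      exit 1
    }

    # check_field LABEL VALUE: the users file is edited from a web page, so every
    # value that ends up inside a pf rule or a hosts/ethers line is restricted to
    # letters, digits and . _ : / - before anything is written.
    check_field() {
      case $2 in
        ''|*[!A-Za-z0-9._:/-]*) die "-> Bad value for field '$1' in $users: '$2'" ;;
      esac
    }

    # check_num LABEL VALUE: like check_field, but digits only.
    check_num() {
      case $2 in
        ''|*[!0-9]*) die "-> Field '$1' in $users must be numeric: '$2'" ;;
      esac
    }

    # for_each_user CMD...: run CMD once per user line with the line's fields in
    # the globals nazwa f2 f3 ip mac dwl upl qdown qup states pri kom.
    # The `|| [ -n "$nazwa" ]` keeps a last line that lacks a trailing newline.
    for_each_user() {
      while IFS=';' read -r nazwa f2 f3 ip mac dwl upl qdown qup states pri kom \
          || [ -n "$nazwa" ]; do
        case $nazwa in
          ''|'#'*) continue ;;
        esac
        "$@"
      done < "$users"
    }

    # Validate every field this script interpolates, before any output exists.
    check_user() {
      check_field name "$nazwa"
      check_field ip "$ip"
      check_field mac "$mac"
      check_num download "$dwl"
      check_num upload "$upl"
      check_field download-queue "$qdown"
      check_field upload-queue "$qup"
      check_num states "$states"
      check_num priority "$pri"
    }

    # Per-user emitters; each appends to the temporary file being built.
    # The trailing backslash continues the altq queue list onto the next line.
    emit_down_queue_name() { printf '%s \\\n' "$qdown" >> "$tmpconf"; }
    emit_up_queue_name()   { printf '%s \\\n' "$qup" >> "$tmpconf"; }

    emit_queues() {
      printf ' queue %s bandwidth 1%% priority %s hfsc( upperlimit %sKb )\n' \
        "$qdown" "$pri" "$dwl" >> "$tmpconf"
      printf ' queue %s bandwidth 1%% priority %s hfsc( upperlimit %sKb )\n' \
        "$qup" "$pri" "$upl" >> "$tmpconf"
    }

    # $ext_if / $my_ip are pf macros and must reach the file literally.
    emit_nat() {
      printf 'nat on $ext_if from %s -> $my_ip\n' "$ip" >> "$tmpconf"
    }

    emit_user_rules() {
      printf 'pass in quick on $int_if inet from %s to any flags S/SA keep state (source-track global, max-src-states %s, if-bound) queue %s tag n%s\n' \
        "$ip" "$states" "$qdown" "$ip" >> "$tmpconf"
      printf 'pass out quick on $ext_if all keep state (if-bound) queue %s tagged n%s\n' \
        "$qup" "$ip" >> "$tmpconf"
    }

    emit_host()  { printf '%s       %s\n' "$ip" "$nazwa" >> "$tmphosts"; }
    emit_ether() { printf '%s      %s\n' "$ip" "$mac" >> "$tmpethers"; }

    # backup FILE BASENAME: copy FILE to $backupdir/BASENAME$stamp if it exists
    # (a missing file, e.g. on a first run, is not an error).
    backup() {
      if [ -f "$1" ]; then
        cp -- "$1" "$backupdir/$2$stamp"
      fi
    }

    # Remove whatever temporary files were created; runs on every exit path.
    cleanup() {
      for f in "$tmpconf" "$tmphosts" "$tmpethers"; do
        if [ -n "$f" ]; then
          rm -f -- "$f"
        fi
      done
    }

    printf '%s\n' "-> PF conf maker v. 1.5"

    [ -d "$backupdir" ] || die "-> Backup directory does not exist: $backupdir"
    [ -r "$users" ] || die "-> Cannot read users file: $users"

    for_each_user check_user

    tmpconf= tmphosts= tmpethers=
    trap cleanup EXIT
    tmpconf=$(mktemp "$backupdir/.pf.conf.XXXXXX")
    tmphosts=$(mktemp "$backupdir/.hosts.XXXXXX")
    tmpethers=$(mktemp "$backupdir/.ethers.XXXXXX")

    printf '%s\n' '
    # Ustawiamy niezbędne makrodefinicje
    # Makrodefinicje
    ext_if =          "fxp0"
    int_if =          "xl0"
    unfiltered =          "{ lo0 }"
    icmp_types =          "{ 8, 15, 30 }"
    my_ip =          "80.54.20.9"
    dl =             "34816Kb"
    ul =             "34816Kb"

    # inne Makrodefinicje

    # Tablice.. można je sobie dowolnie zmienić, Ja używam następujących:
    # Tablice
    table <deny>persist file "/root/hosts/hosts.ban"
    # całkowicie blokuje IPki
    table <ssh>persist file "/root/hosts/hosts.ssh"
    # wpuszcza z zewnątrz na ssh tylko te IP
    table <snmp>persist file "/root/hosts/hosts.snmp"
    # wpuszcza z zewnątrz na snmp tylko te IP
    table <www>persist file "/root/hosts/hosts.www"
    # wpuszcza z zewnątrz na www tylko te IP
    table <platnosc>persist file "/root/hosts/hosts.platnosc"
    # Pokazuje info o płatnościach, z tego IP, Poniżej trzeba ustawić gdzie ma przekierować
    table <wiadomosc>persist file "/root/hosts/hosts.wiadomosc"
    # jak wyżej, tylko że jakaś tam wiadomość

    # Opcje
    set optimization aggressive
    set block-policy drop
    set require-order yes
    set limit { states 40000, frags 20000, src-nodes 5000 }

    # Scrubbing
    scrub in all fragment reassemble
    scrub out all fragment reassemble

    # ALTQ
       ' >> "$tmpconf"

    printf '%s\n' '-> Buduje drzewo kolejek...'
    printf '%s\n' 'altq on $int_if hfsc bandwidth $dl queue { def \' >> "$tmpconf"
    for_each_user emit_down_queue_name
    printf '%s\n' ' }' >> "$tmpconf"

    printf '%s\n' 'altq on $ext_if hfsc bandwidth $ul queue { defu \' >> "$tmpconf"
    for_each_user emit_up_queue_name
    printf '%s\n' ' }' >> "$tmpconf"
    printf '%s\n' "# Kolejki defaultowe: " >> "$tmpconf"

    ##
    ## Set the upperlimit of the default queues to taste (128 kbit is enough for small networks)
    ##
    printf '%s\n' "queue def bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$tmpconf"
    printf '%s\n' "queue defu bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$tmpconf"

    for_each_user emit_queues

    printf '%s\n' '
    # NAT, RDR, BINAT
    #################

    # dwie poniższe reg. kierują ruch z tablic platnosci oraz wiadomosc na ponizsze IP/port
    #rdr on $int_if inet proto tcp from <platnosc>to any  -> 83.19.20.10 port 86
    #rdr on $int_if inet proto tcp from <wiadomosc>to any -> 83.19.20.10 port 87

       ' >> "$tmpconf"
    printf '%s\n' "-> Buduje kolejki natowania"
    for_each_user emit_nat

    printf '%s\n' '
    # F I R E W A L L
    #################
     # ban z presist file
    block in quick on $ext_if inet from <deny>to any label "banned"
    block in quick on $int_if inet from <deny>to any label "banned"

     # reguly wejscia - dopuszczone z persist file (warunkowe)
    pass in quick on $int_if inet proto tcp from {$int_if} to any port 22
    pass in quick on $ext_if inet proto tcp from <ssh>to $ext_if port 22 label "ssh-ext-pass"
    pass in quick on $ext_if inet proto { tcp, udp } from <snmp>to $ext_if port 161 label "snmp-pass"
    pass in quick on $ext_if inet proto tcp from <www>to $ext_if port 80 label "www-pass"

     # reguly wejscia reszta
    pass in quick on $ext_if inet proto udp from any port 53 to any label "DNS-pass"
    pass in quick inet proto icmp all icmp-type echoreq label "icmp-pass" modulate state
    pass out quick on $ext_if inet proto icmp from $ext_if to any keep state icmp-type $icmp_types label "icmp-pass"

     # kill windows
    block in quick on $ext_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
    block in quick on $ext_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
    block in quick on $int_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
    block in quick on $int_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"

     # loopback
    pass quick on $unfiltered label "loopback-pass"
    block in quick on $ext_if inet from any to 255.255.255.255 label "broadcast-block"

    ############# reg users
       ' >> "$tmpconf"

    for_each_user emit_user_rules

    printf '%s\n' '
    pass out on $ext_if from ($ext_if) to any keep state label "keep state"
    block in all
    ' >> "$tmpconf"

    printf '%s\n' '-> Tworze plik /etc/hosts'
    for_each_user emit_host
    if [ -f "$hostsadd" ]; then
      cat -- "$hostsadd" >> "$tmphosts"
    else
      printf '%s\n' "-> Warning: $hostsadd not found, nothing appended to $hosts" >&2
    fi

    printf '%s\n' '-> Tworze plik /etc/ethers'
    for_each_user emit_ether

    # Parse-only check of the new ruleset; nothing is replaced if it fails.
    pfctl -nf "$tmpconf" \
      || die "-> pfctl rejected the generated ruleset, current files left untouched"

    printf '%s\n' "-> Kasuje poprzednie pliki...oraz wykonuje backup do katalogu: $backupdir"
    # One timestamp for all backups of this run.
    stamp=$(date "+.%Y-%m-%d.%H:%M:%S")
    backup "$name" pf.conf
    backup "$ethers" ethers
    backup "$users" users
    backup "$hosts" hosts

    # mktemp creates 0600 files; /etc/hosts and ethers must stay world-readable.
    chmod 644 -- "$tmphosts" "$tmpethers"
    mv -f -- "$tmpconf" "$name"
    mv -f -- "$tmphosts" "$hosts"
    mv -f -- "$tmpethers" "$ethers"

    # Uncomment the line below if you want a static ARP table
    #arp -f "$ethers"
    pfctl -f "$name"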
    

    there should be a users file that looks like this:

    
    kapode;192.168.1.16/30;192.168.1.17;192.168.1.18;00:04:23:8f:80:6f;8192;4096;kapoded;kapodeu;500;2;komentarz
    kruszyk;192.168.1.20/30;192.168.1.21;192.168.1.22;00:0E:8E:02:41:CB;512;128;kruszykd;kruszyku;500;1;komentarz
    mariusz;192.168.1.24/30;192.168.1.25;192.168.1.26;00:0F:3D:67:F9:4D;512;100;mariuszd;masziuszu;500;2;kom 
    
    

    there is even an HTTP page to add/edit users in this file; take a look at it: http://raf.68k.pl/!/view.php

    it would be nice to implement some parts of this code in future pfSense versions :)
    if you need, I could translate the comments in the script, but I think everything is clear after analyzing it :)



  • I think this could be great for some individual user control… a few questions though, since I don't speak Polish...

    Nazwa, which I'm assuming is the username, is checked against the user file...?

    Is the MAC address what is checked in authentication, or the username, or both?

    Anyways, I'll look at it, I'm not the best in the world at this kind of thing though.

