Netgate Discussion Forum

    Could this script be useful?

    Traffic Shaping
    2 Posts 2 Posters 2.5k Views
    • Guest

      I've found an interesting script on a Polish BSD forum. pfSense devs, just give a minute to look at it:

      #!/bin/sh

      # As in the earlier versions.
      # The backup directory 'backupdir' has to be created by hand.
      name="/root/pf.conf"
      ethers="/root/ethers"
      users="/root/users"
      hosts="/etc/hosts"
      # entries from this file are appended to /etc/hosts
      hostsadd="/root/hosts/hosts.add"
      backupdir="/root/backup-pf"

      echo "-> PF conf maker v. 1.5"
      echo "-> Kasuje poprzednie pliki...oraz wykonuje backup do katalogu: $backupdir"
      # one timestamp for all four backups of this run
      stamp=$(date "+.%Y-%m-%d.%H:%M:%S")
      cp "$name" "$backupdir/pf.conf$stamp"
      cp "$ethers" "$backupdir/ethers$stamp"
      cp "$users" "$backupdir/users$stamp"
      cp "$hosts" "$backupdir/hosts$stamp"
      rm "$name"
      rm "$ethers"
      rm "$hosts"

      # pf macros are written literally (single quotes), pf expands them on load
      echo '
      # Required macros
      # Macros
      ext_if =          "fxp0"
      int_if =          "xl0"
      unfiltered =      "{ lo0 }"
      icmp_types =      "{ 8, 15, 30 }"
      my_ip =           "80.54.20.9"
      dl =              "34816Kb"
      ul =              "34816Kb"

      # other macros

      # Tables. Change them as you like; I use the following:
      # Tables
      table <deny> persist file "/root/hosts/hosts.ban"
      # blocks these IPs completely
      table <ssh> persist file "/root/hosts/hosts.ssh"
      # only these IPs are allowed in from outside on ssh
      table <snmp> persist file "/root/hosts/hosts.snmp"
      # only these IPs are allowed in from outside on snmp
      table <www> persist file "/root/hosts/hosts.www"
      # only these IPs are allowed in from outside on www
      table <platnosc> persist file "/root/hosts/hosts.platnosc"
      # shows the payment notice to these IPs; set the redirect target below
      table <wiadomosc> persist file "/root/hosts/hosts.wiadomosc"
      # same as above, but for some other message

      # Options
      set optimization aggressive
      set block-policy drop
      set require-order yes
      set limit { states 40000, frags 20000, src-nodes 5000 }

      # Scrubbing
      scrub in all fragment reassemble
      scrub out all fragment reassemble

      # ALTQ
      ' >> "$name"
      echo '-> Buduje drzewo kolejek...'
      # one download queue per user, joined with backslash line continuation
      echo 'altq on $int_if hfsc bandwidth $dl queue { def \' >> "$name"
      for i in $(cat "$users"); do
          qdown=$(echo "$i" | cut -f8 -d ";")
          printf '%s \\\n' "$qdown" >> "$name"
      done
      echo ' }' >> "$name"

      # one upload queue per user
      echo 'altq on $ext_if hfsc bandwidth $ul queue { defu \' >> "$name"
      for i in $(cat "$users"); do
          qup=$(echo "$i" | cut -f9 -d ";")
          printf '%s \\\n' "$qup" >> "$name"
      done
      echo ' }' >> "$name"
      echo "# Default queues: " >> "$name"

      ##
      ## Set the upperlimit to taste (128 kbit is enough for small networks)
      ##
      echo "queue def bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$name"
      echo "queue defu bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$name"

      # per-user queue definitions: fields 6/7 are the down/up limits in Kb,
      # 8/9 the queue names, 11 the priority
      for i in $(cat "$users"); do
          dwl=$(echo "$i" | cut -f6 -d ";")
          upl=$(echo "$i" | cut -f7 -d ";")
          qdown=$(echo "$i" | cut -f8 -d ";")
          qup=$(echo "$i" | cut -f9 -d ";")
          pri=$(echo "$i" | cut -f11 -d ";")
          echo " queue $qdown bandwidth 1% priority $pri hfsc( upperlimit ${dwl}Kb )" >> "$name"
          echo " queue $qup bandwidth 1% priority $pri hfsc( upperlimit ${upl}Kb )" >> "$name"
      done
      echo '
      # NAT, RDR, BINAT
      #################

      # the two rules below redirect traffic from the platnosc and wiadomosc tables to the IP/port given
      #rdr on $int_if inet proto tcp from <platnosc> to any  -> 83.19.20.10 port 86
      #rdr on $int_if inet proto tcp from <wiadomosc> to any -> 83.19.20.10 port 87

      ' >> "$name"
      echo "-> Buduje kolejki natowania"
      # field 4 is the user's IP; $ext_if and $my_ip stay as pf macros
      for i in $(cat "$users"); do
          ip=$(echo "$i" | cut -f4 -d ";")
          echo "nat on \$ext_if from $ip -> \$my_ip" >> "$name"
      done
      echo '
      # F I R E W A L L
      #################
       # ban list from the persist file
      block in quick on $ext_if inet from <deny> to any label "banned"
      block in quick on $int_if inet from <deny> to any label "banned"

       # inbound rules - allowed from the persist files (conditional)
      pass in quick on $int_if inet proto tcp from {$int_if} to any port 22
      pass in quick on $ext_if inet proto tcp from <ssh> to $ext_if port 22 label "ssh-ext-pass"
      pass in quick on $ext_if inet proto { tcp, udp } from <snmp> to $ext_if port 161 label "snmp-pass"
      pass in quick on $ext_if inet proto tcp from <www> to $ext_if port 80 label "www-pass"

       # the remaining inbound rules
      pass in quick on $ext_if inet proto udp from any port 53 to any label "DNS-pass"
      pass in quick inet proto icmp all icmp-type echoreq label "icmp-pass" modulate state
      pass out quick on $ext_if inet proto icmp from $ext_if to any keep state icmp-type $icmp_types label "icmp-pass"

       # kill windows
      block in quick on $ext_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
      block in quick on $ext_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
      block in quick on $int_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
      block in quick on $int_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"

       # loopback
      pass quick on $unfiltered label "loopback-pass"
      block in quick on $ext_if inet from any to 255.255.255.255 label "broadcast-block"

      ############# user rules
      ' >> "$name"

      # per-user pass rules: field 10 is the state limit; inbound traffic is
      # tagged with the user's IP so the outbound rule can pick its queue
      for i in $(cat "$users"); do
          ip=$(echo "$i" | cut -f4 -d ";")
          states=$(echo "$i" | cut -f10 -d ";")
          qdown=$(echo "$i" | cut -f8 -d ";")
          qup=$(echo "$i" | cut -f9 -d ";")
          echo "pass in quick on \$int_if inet from $ip to any flags S/SA keep state (source-track global, max-src-states $states, if-bound) queue $qdown tag n$ip" >> "$name"
          echo "pass out quick on \$ext_if all keep state (if-bound) queue $qup tagged n$ip" >> "$name"
      done
      echo '
      pass out on $ext_if from ($ext_if) to any keep state label "keep state"
      block in all
      ' >> "$name"
      echo '-> Tworze plik /etc/hosts'
      # field 1 is the user name, field 4 the IP
      for i in $(cat "$users"); do
          nazwa=$(echo "$i" | cut -f1 -d ";")
          ip=$(echo "$i" | cut -f4 -d ";")
          echo "$ip       $nazwa " >> "$hosts"
      done
      cat "$hostsadd" >> "$hosts"
      echo '-> Tworze plik /etc/ethers'
      # field 5 is the MAC address
      for i in $(cat "$users"); do
          ip=$(echo "$i" | cut -f4 -d ";")
          mac=$(echo "$i" | cut -f5 -d ";")
          echo "$ip      $mac" >> "$ethers"
      done

      # Uncomment the line below for a static ARP table
      #arp -f "$ethers"
      pfctl -f "$name"


      There should be a file with users that looks like this:

      kapode;192.168.1.16/30;192.168.1.17;192.168.1.18;00:04:23:8f:80:6f;8192;4096;kapoded;kapodeu;500;2;komentarz
      kruszyk;192.168.1.20/30;192.168.1.21;192.168.1.22;00:0E:8E:02:41:CB;512;128;kruszykd;kruszyku;500;1;komentarz
      mariusz;192.168.1.24/30;192.168.1.25;192.168.1.26;00:0F:3D:67:F9:4D;512;100;mariuszd;masziuszu;500;2;kom

      

      There is even an HTTP page to add/edit users in this file; take a look at it: http://raf.68k.pl/!/view.php

      It would be nice to implement some parts of this code in future pfSense versions :)
      If you need, I could translate the comments in the script, but I think everything is clear after analyzing it :)

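The script above splits each users line with cut on ';' and splices the fields straight into pf.conf, so a stray space in a queue name or a malformed field in one line makes pfctl reject the whole generated ruleset. The following is an added example, written for this page and not part of the forum post or of the script's author's code: it parses the same twelve-field format with read and IFS, validates every field that ends up in pf.conf, and emits the per-user queue and pass rules only for lines that pass, reporting the rest on stderr. The sample users file is constructed inline and includes one deliberately malformed line; the hfsc priority bound of 0 to 7 is the range given in pf.conf(5); the function names are my own.

```shell
#!/bin/sh
# Added example: validate the ';'-separated users file before turning it
# into pf rules. Not the original poster's script.

# Constructed sample in the twelve-field format from the post; the third
# line is deliberately malformed (bad MAC, space inside a queue name).
USERS_SAMPLE='kapode;192.168.1.16/30;192.168.1.17;192.168.1.18;00:04:23:8f:80:6f;8192;4096;kapoded;kapodeu;500;2;komentarz
kruszyk;192.168.1.20/30;192.168.1.21;192.168.1.22;00:0E:8E:02:41:CB;512;128;kruszykd;kruszyku;500;1;komentarz
evil;x;x;192.168.1.30;zz:zz;0;0;bad queue;badu;100;9;injected'

# Four dotted-decimal octets, each 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Six colon-separated hex pairs.
is_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case $1 in $h:$h:$h:$h:$h:$h) return 0 ;; *) return 1 ;; esac
}

# Queue and user names: letters, digits and underscore only, so they can
# never carry whitespace or pf syntax into the generated file.
is_token() { case $1 in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }

# Non-negative decimal integer.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# validate_user name ip mac dwl upl qdown qup states pri
validate_user() {
    is_token "$1" && is_ipv4 "$2" && is_mac "$3" && is_num "$4" && is_num "$5" \
        && is_token "$6" && is_token "$7" && is_num "$8" && is_num "$9" \
        && [ "$9" -le 7 ]   # hfsc priority range per pf.conf(5)
}

# Read the users file on stdin and write the per-user pf rules to stdout.
# Invalid lines are reported on stderr and skipped instead of poisoning
# the whole ruleset. $int_if and $ext_if are left for pf to expand.
emit_user_rules() {
    while IFS=';' read -r name net gw ip mac dwl upl qdown qup states pri comment; do
        case $name in ''|\#*) continue ;; esac
        if ! validate_user "$name" "$ip" "$mac" "$dwl" "$upl" "$qdown" "$qup" "$states" "$pri"; then
            printf 'skipping user %s: invalid field\n' "$name" >&2
            continue
        fi
        printf 'queue %s bandwidth 1%% priority %s hfsc( upperlimit %sKb )\n' "$qdown" "$pri" "$dwl"
        printf 'queue %s bandwidth 1%% priority %s hfsc( upperlimit %sKb )\n' "$qup" "$pri" "$upl"
        printf 'pass in quick on $int_if inet from %s to any flags S/SA keep state (source-track global, max-src-states %s, if-bound) queue %s tag n%s\n' "$ip" "$states" "$qdown" "$ip"
        printf 'pass out quick on $ext_if all keep state (if-bound) queue %s tagged n%s\n' "$qup" "$ip"
    done
}

# Counters for the constructed sample: users that produced rules, users skipped.
count_rules() { printf '%s\n' "$USERS_SAMPLE" | emit_user_rules 2>/dev/null | grep -c '^pass in'; }
count_skipped() { printf '%s\n' "$USERS_SAMPLE" | emit_user_rules 2>&1 >/dev/null | grep -c '^skipping'; }

# Usage: generate the rule fragment for the sample (two users pass, one is reported).
printf '%s\n' "$USERS_SAMPLE" | emit_user_rules
```

To use it with a real file, replace the sample with `emit_user_rules < /root/users >> "$name"` at the point where the original script runs its per-user loops; the rest of the generated pf.conf is unchanged, and a rejected line shows up as one stderr message instead of a pfctl parse error for the whole file.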
      • Justinw

        I think this could be great for some individual user control… a few questions though, since I don't speak Polish...

        Nazwa, which I'm assuming is the username, is checked against the user file...?

        Is the MAC address what is checked in authentication, or the username, or both?

        Anyways, I'll look at it, I'm not the best in the world at this kind of thing though.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.