Could this script be useful?
-
I've found an interesting script on a Polish BSD forum; pfSense devs, just give it a minute and look at it:
#!/bin/sh
# As in earlier versions.
# Backup directory 'backupdir' for the generated files (created below if missing)

name="/root/pf.conf"
ethers="/root/ethers"
users="/root/users"
hosts="/etc/hosts"
# entries in this file are appended to /etc/hosts
hostsadd="/root/hosts/hosts.add"
backupdir="/root/backup-pf"

# field N LINE: N-th ';'-separated field of LINE
field() { printf '%s\n' "$2" | cut -f"$1" -d ";"; }

mkdir -p "$backupdir"
stamp=$(date "+.%Y-%m-%d.%H:%M:%S")

echo "-> PF conf maker v. 1.5"
echo "-> Deleting previous files... and backing them up to: $backupdir"
cp "$name"   "$backupdir/pf.conf$stamp"
cp "$ethers" "$backupdir/ethers$stamp"
cp "$users"  "$backupdir/users$stamp"
cp "$hosts"  "$backupdir/hosts$stamp"
rm -f "$name" "$ethers" "$hosts"

# Single quotes keep $int_if etc. literal: they are pf macros, expanded by pfctl
echo '
# Required macro definitions
# Macros
ext_if = "fxp0"
int_if = "xl0"
unfiltered = "{ lo0 }"
icmp_types = "{ 8, 15, 30 }"
my_ip = "80.54.20.9"
dl = "34816Kb"
ul = "34816Kb"
# other macros

# Tables... change them as you like; I use the following:
# Tables
table <deny> persist file "/root/hosts/hosts.ban"            # blocks these IPs completely
table <ssh> persist file "/root/hosts/hosts.ssh"             # only these IPs may reach ssh from outside
table <snmp> persist file "/root/hosts/hosts.snmp"           # only these IPs may reach snmp from outside
table <www> persist file "/root/hosts/hosts.www"             # only these IPs may reach www from outside
table <platnosc> persist file "/root/hosts/hosts.platnosc"   # shows payment info to these IPs; set the redirect target below
table <wiadomosc> persist file "/root/hosts/hosts.wiadomosc" # as above, but for some message

# Options
set optimization aggressive
set block-policy drop
set require-order yes
set limit { states 40000, frags 20000, src-nodes 5000 }

# Scrubbing
scrub in all fragment reassemble
scrub out all fragment reassemble

# ALTQ
' >> "$name"

echo '-> Building the queue tree...'
# printf instead of echo: the trailing backslash is a pf.conf line continuation
printf '%s\n' 'altq on $int_if hfsc bandwidth $dl queue { def \' >> "$name"
while IFS= read -r i || [ -n "$i" ]; do
    qdown=$(field 8 "$i")
    printf '%s \\\n' "$qdown" >> "$name"
done < "$users"
echo ' }' >> "$name"

printf '%s\n' 'altq on $ext_if hfsc bandwidth $ul queue { defu \' >> "$name"
while IFS= read -r i || [ -n "$i" ]; do
    qup=$(field 9 "$i")
    printf '%s \\\n' "$qup" >> "$name"
done < "$users"
echo ' }' >> "$name"

echo "# Default queues: " >> "$name"
##
## Set upperlimit to your liking (128 kbit is enough for small networks)
##
echo "queue def bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$name"
echo "queue defu bandwidth 2% hfsc(default upperlimit 512Kb)" >> "$name"
while IFS= read -r i || [ -n "$i" ]; do
    dwl=$(field 6 "$i")
    upl=$(field 7 "$i")
    qdown=$(field 8 "$i")
    qup=$(field 9 "$i")
    pri=$(field 11 "$i")
    echo " queue $qdown bandwidth 1% priority $pri hfsc( upperlimit ${dwl}Kb )" >> "$name"
    echo " queue $qup bandwidth 1% priority $pri hfsc( upperlimit ${upl}Kb )" >> "$name"
done < "$users"

echo '
# NAT, RDR, BINAT
#################
# the two rules below redirect traffic from the platnosc and wiadomosc tables to the IP/port given
#rdr on $int_if inet proto tcp from <platnosc> to any -> 83.19.20.10 port 86
#rdr on $int_if inet proto tcp from <wiadomosc> to any -> 83.19.20.10 port 87
' >> "$name"
echo "-> Building the NAT rules"
while IFS= read -r i || [ -n "$i" ]; do
    ip=$(field 4 "$i")
    echo "nat on \$ext_if from $ip -> \$my_ip" >> "$name"
done < "$users"

echo '
# F I R E W A L L
#################
# ban from persist file
block in quick on $ext_if inet from <deny> to any label "banned"
block in quick on $int_if inet from <deny> to any label "banned"

# inbound rules - allowed from persist files (conditional)
pass in quick on $int_if inet proto tcp from {$int_if} to any port 22
pass in quick on $ext_if inet proto tcp from <ssh> to $ext_if port 22 label "ssh-ext-pass"
pass in quick on $ext_if inet proto { tcp, udp } from <snmp> to $ext_if port 161 label "snmp-pass"
pass in quick on $ext_if inet proto tcp from <www> to $ext_if port 80 label "www-pass"

# remaining inbound rules
pass in quick on $ext_if inet proto udp from any port 53 to any label "DNS-pass"
pass in quick inet proto icmp all icmp-type echoreq label "icmp-pass" modulate state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state icmp-type $icmp_types label "icmp-pass"

# kill windows
block in quick on $ext_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
block in quick on $ext_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
block in quick on $int_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"
block in quick on $int_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-block"

# loopback
pass quick on $unfiltered label "loopback-pass"
block in quick on $ext_if inet from any to 255.255.255.255 label "broadcast-block"

############# user rules
' >> "$name"
while IFS= read -r i || [ -n "$i" ]; do
    ip=$(field 4 "$i")
    states=$(field 10 "$i")
    qdown=$(field 8 "$i")
    qup=$(field 9 "$i")
    echo "pass in quick on \$int_if inet from $ip to any flags S/SA keep state (source-track global, max-src-states $states, if-bound) queue $qdown tag n$ip" >> "$name"
    echo "pass out quick on \$ext_if all keep state (if-bound) queue $qup tagged n$ip" >> "$name"
done < "$users"
echo '
pass out on $ext_if from ($ext_if) to any keep state label "keep state"
block in all
' >> "$name"

echo '-> Creating /etc/hosts'
while IFS= read -r i || [ -n "$i" ]; do
    nazwa=$(field 1 "$i")
    ip=$(field 4 "$i")
    echo "$ip $nazwa" >> "$hosts"
done < "$users"
cat "$hostsadd" >> "$hosts"

echo '-> Creating /etc/ethers'
while IFS= read -r i || [ -n "$i" ]; do
    ip=$(field 4 "$i")
    mac=$(field 5 "$i")
    echo "$ip $mac" >> "$ethers"
done < "$users"
# Uncomment the line below if you want a static ARP table
#arp -f "$ethers"

pfctl -f "$name"
There should be a file with users that looks like this (one record per line):
kapode;192.168.1.16/30;192.168.1.17;192.168.1.18;00:04:23:8f:80:6f;8192;4096;kapoded;kapodeu;500;2;komentarz
kruszyk;192.168.1.20/30;192.168.1.21;192.168.1.22;00:0E:8E:02:41:CB;512;128;kruszykd;kruszyku;500;1;komentarz
mariusz;192.168.1.24/30;192.168.1.25;192.168.1.26;00:0F:3D:67:F9:4D;512;100;mariuszd;masziuszu;500;2;kom
There is even an HTTP page to add/edit users in this file; take a look at it: http://raf.68k.pl/!/view.php
It would be nice to implement some parts of this code in future pfSense versions :)
If you need, I could translate the comments in the script, but I think everything is clear after analyzing it :) -
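The script above splices every field of the users file straight into pf.conf, /etc/hosts and the ethers file without checking it, so one malformed record written by that web page (a space in a name, a stray semicolon in the comment, an address outside the user's /30) becomes a pfctl syntax error or a rule for the wrong host. The following is an added example, not part of the posted script or of pfSense: a Python parser that validates each record against the field layout shown above (name;net;gw;ip;mac;down_kb;up_kb;qdown;qup;states;prio;comment) and then produces the same per-user queue, nat, pass, hosts and ethers lines the script generates. The validation rules (identifier character class, unique names/queues/IPs/MACs, IP and gateway inside the subnet, priority 0-15) are my assumptions about what the generated config needs, not something the forum script enforces.

```python
"""Validate users-file records and emit the per-user pf rules the generator builds from them.

Added example; the field layout follows the users file posted in the thread, the
validation rules are assumptions about what pf.conf and hosts(5) can safely accept.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the posted file's format (two of the records from the thread).
SAMPLE_USERS = """\
kapode;192.168.1.16/30;192.168.1.17;192.168.1.18;00:04:23:8f:80:6f;8192;4096;kapoded;kapodeu;500;2;komentarz
kruszyk;192.168.1.20/30;192.168.1.21;192.168.1.22;00:0E:8E:02:41:CB;512;128;kruszykd;kruszyku;500;1;komentarz
"""

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # safe as pf queue/tag token and hosts(5) name
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class User:
    name: str
    net: ipaddress.IPv4Network
    gw: ipaddress.IPv4Address
    ip: ipaddress.IPv4Address
    mac: str
    down_kb: int
    up_kb: int
    qdown: str
    qup: str
    max_states: int
    prio: int
    comment: str


def parse_user(line: str) -> User:
    """Parse one ';'-separated record; raise ValueError on anything that could corrupt pf.conf."""
    fields = line.rstrip("\n").split(";")
    if len(fields) != 12:  # a ';' inside the comment would shift every field after it
        raise ValueError(f"expected 12 fields, got {len(fields)}: {line!r}")
    name, net, gw, ip, mac, down, up, qdown, qup, states, prio, comment = fields
    for tok in (name, qdown, qup):
        if not NAME_RE.match(tok):
            raise ValueError(f"bad identifier {tok!r}")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    network = ipaddress.IPv4Network(net, strict=True)  # rejects host bits set in the prefix
    gw_addr, ip_addr = ipaddress.IPv4Address(gw), ipaddress.IPv4Address(ip)
    if gw_addr not in network or ip_addr not in network or gw_addr == ip_addr:
        raise ValueError(f"{gw}/{ip} is not a distinct pair inside {net}")
    nums = [int(x) for x in (down, up, states, prio)]  # int() rejects non-numeric text
    if any(n <= 0 for n in nums[:3]) or not 0 <= nums[3] <= 15:  # hfsc priority range 0-15
        raise ValueError(f"bad numeric field in {line!r}")
    return User(name, network, gw_addr, ip_addr, mac.lower(),
                nums[0], nums[1], qdown, qup, nums[2], nums[3], comment)


def parse_users(text: str) -> list[User]:
    """Parse the whole file and reject duplicate names, queues, IPs or MACs."""
    users = [parse_user(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]
    seen: set[str] = set()
    for u in users:
        for key in (u.name, u.qdown, u.qup, str(u.ip), u.mac):
            if key in seen:
                raise ValueError(f"duplicate value {key!r}")
            seen.add(key)
    return users


def rejects(text: str) -> bool:
    """True when the file content fails validation (used to check the negative cases)."""
    try:
        parse_users(text)
    except ValueError:
        return True
    return False


def pf_rules(users: list[User]) -> list[str]:
    """Per-user queue, nat and filter lines in the same shape the script writes.

    $ext_if, $int_if and $my_ip stay literal: they are pf macros defined at the top of pf.conf.
    """
    lines = []
    for u in users:
        lines.append(f"queue {u.qdown} bandwidth 1% priority {u.prio} hfsc(upperlimit {u.down_kb}Kb)")
        lines.append(f"queue {u.qup} bandwidth 1% priority {u.prio} hfsc(upperlimit {u.up_kb}Kb)")
    for u in users:
        lines.append(f"nat on $ext_if from {u.ip} -> $my_ip")
    for u in users:
        tag = f"n{u.ip}"
        lines.append(f"pass in quick on $int_if inet from {u.ip} to any flags S/SA keep state "
                     f"(source-track global, max-src-states {u.max_states}, if-bound) queue {u.qdown} tag {tag}")
        lines.append(f"pass out quick on $ext_if all keep state (if-bound) queue {u.qup} tagged {tag}")
    return lines


def hosts_and_ethers(users: list[User]) -> tuple[list[str], list[str]]:
    """Lines for /etc/hosts and for the ethers file handed to arp -f."""
    return [f"{u.ip} {u.name}" for u in users], [f"{u.ip} {u.mac}" for u in users]


if __name__ == "__main__":
    validated = parse_users(SAMPLE_USERS)
    print("\n".join(pf_rules(validated)))
```

Run it on the real users file before pfctl -f: if parse_users raises, the old pf.conf stays loaded instead of being replaced by a half-written one, which is the failure the generator's rm/append sequence cannot recover from on its own.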
I think this could be great for some individual user control... a few questions though, since I don't speak Polish...
Nazwa, which I'm assuming is the username, is checked against the user file...?
Is the MAC address what is checked in authentication, or the username, or both?
Anyways, I'll look at it, I'm not the best in the world at this kind of thing though.