| 22 |
22 |
* limitations under the License.
|
| 23 |
23 |
*/
|
| 24 |
24 |
|
| 25 |
|
|
| 26 |
25 |
require_once("pfsense-utils.inc");
|
| 27 |
26 |
require_once("easyrule.inc");
|
| 28 |
27 |
require_once("filter.inc");
|
| 29 |
28 |
require_once("shaper.inc");
|
| 30 |
29 |
|
| 31 |
|
$message = "";
|
| 32 |
|
$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
|
| 33 |
|
$ifdisp = get_configured_interface_with_descr();
|
| 34 |
|
foreach ($ifdisp as $kif => $kdescr) {
|
| 35 |
|
$specialsrcdst[] = "{$kif}";
|
| 36 |
|
$specialsrcdst[] = "{$kif}ip";
|
| 37 |
|
}
|
|
30 |
if (($argc > 1) && !empty($argv[1])) {
|
| 38 |
31 |
|
| 39 |
|
/* Borrow this function from guiconfig.inc since we can't include it for use at the CLI
|
|
32 |
$ret_code = 0;
|
| 40 |
33 |
|
| 41 |
|
- Maybe these need to be moved to util.inc or pfsense-utils.inc?
|
|
34 |
switch (strtolower($argv[1])) {
|
| 42 |
35 |
|
| 43 |
|
*/
|
| 44 |
|
function pconfig_to_address(&$adr, $padr, $pmask, $pnot=false, $pbeginport=0, $pendport=0) {
|
|
36 |
case 'block':
|
| 45 |
37 |
|
| 46 |
|
$adr = array();
|
|
38 |
$message = easyrule_parse_block($argv[2], $argv[3]);
|
| 47 |
39 |
|
| 48 |
|
if ($padr == "any") {
|
| 49 |
|
$adr['any'] = true;
|
| 50 |
|
} else if (is_specialnet($padr)) {
|
| 51 |
|
$adr['network'] = $padr;
|
| 52 |
|
} else {
|
| 53 |
|
$adr['address'] = $padr;
|
| 54 |
|
if ($pmask != 32) {
|
| 55 |
|
$adr['address'] .= "/" . $pmask;
|
| 56 |
|
}
|
| 57 |
|
}
|
|
40 |
break;
|
| 58 |
41 |
|
| 59 |
|
if ($pnot) {
|
| 60 |
|
$adr['not'] = true;
|
| 61 |
|
} else {
|
| 62 |
|
unset($adr['not']);
|
| 63 |
|
}
|
|
42 |
case 'unblock':
|
| 64 |
43 |
|
| 65 |
|
if (($pbeginport != 0) && ($pbeginport != "any")) {
|
| 66 |
|
if ($pbeginport != $pendport) {
|
| 67 |
|
$adr['port'] = $pbeginport . "-" . $pendport;
|
| 68 |
|
} else {
|
| 69 |
|
$adr['port'] = $pbeginport;
|
| 70 |
|
}
|
| 71 |
|
}
|
|
44 |
$message = easyrule_parse_unblock($argv[2], $argv[3]);
|
| 72 |
45 |
|
| 73 |
|
if (is_alias($pbeginport)) {
|
| 74 |
|
$adr['port'] = $pbeginport;
|
| 75 |
|
}
|
| 76 |
|
}
|
|
46 |
break;
|
| 77 |
47 |
|
| 78 |
|
/* Borrow this one from guiconfig.inc also */
|
| 79 |
|
function is_specialnet($net) {
|
| 80 |
|
global $specialsrcdst;
|
|
48 |
case 'showblock':
|
| 81 |
49 |
|
| 82 |
|
if (!$net) {
|
| 83 |
|
return false;
|
| 84 |
|
}
|
| 85 |
|
if (in_array($net, $specialsrcdst)) {
|
| 86 |
|
return true;
|
| 87 |
|
} else {
|
| 88 |
|
return false;
|
| 89 |
|
}
|
| 90 |
|
}
|
|
50 |
$message = easyrule_parse_getblock($argv[2]);
|
| 91 |
51 |
|
|
52 |
break;
|
| 92 |
53 |
|
| 93 |
|
if (($argc > 1) && !empty($argv[1])) {
|
|
54 |
case 'pass':
|
| 94 |
55 |
|
| 95 |
|
/* Automagically derive an alternate alias name from the scripts name
|
| 96 |
|
* This allows for using alternate alias lists with just a symlink */
|
| 97 |
|
if (($alias = basename($argv[0])) != 'easyrule') {
|
| 98 |
|
$blockaliasname = ucfirst($alias).'Rules';
|
| 99 |
|
}
|
|
56 |
$message = easyrule_parse_pass($argv[2], $argv[3], $argv[4], $argv[5], $argv[6]);
|
| 100 |
57 |
|
| 101 |
|
$message = "";
|
| 102 |
|
switch ($argv[1]) {
|
| 103 |
|
case 'block':
|
| 104 |
|
$message = easyrule_parse_block($argv[2], $argv[3]);
|
| 105 |
58 |
break;
|
| 106 |
|
case 'unblock':
|
| 107 |
|
$message = easyrule_parse_unblock($argv[2], $argv[3]);
|
| 108 |
|
break;
|
| 109 |
|
case 'showblock':
|
| 110 |
|
$message = easyrule_parse_getblock($argv[2]);
|
| 111 |
|
break;
|
| 112 |
|
case 'pass':
|
| 113 |
|
$message = easyrule_parse_pass($argv[2], $argv[3], $argv[4], $argv[5], $argv[6]);
|
|
59 |
|
|
60 |
default:
|
|
61 |
|
|
62 |
// Catch footgun and warn the user...
|
|
63 |
easyrule_print_usage();
|
|
64 |
|
|
65 |
$ret_code = 1;
|
|
66 |
|
| 114 |
67 |
break;
|
|
68 |
|
| 115 |
69 |
}
|
| 116 |
|
echo $message . "\n";
|
|
70 |
|
| 117 |
71 |
} else {
|
| 118 |
|
// Print usage:
|
| 119 |
|
echo "usage:\n";
|
| 120 |
|
echo " Blocking only requires an IP to block, block rules can be shown with showblock and revoked using unblock\n";
|
| 121 |
|
echo " " . basename($argv[0]) . " block <interface> <source IP>\n";
|
| 122 |
|
echo "\n";
|
| 123 |
|
echo " Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).\n";
|
| 124 |
|
echo " " . basename($argv[0]) . " pass <interface> <protocol> <source IP> <destination ip> [destination port]\n";
|
| 125 |
|
echo "\n";
|
| 126 |
|
echo " Block example:\n";
|
| 127 |
|
echo " " . basename($argv[0]) . " block wan 1.2.3.4\n";
|
| 128 |
|
echo "\n";
|
| 129 |
|
echo " Show active blocks example:\n";
|
| 130 |
|
echo " " . basename($argv[0]) . " showblock wan\n";
|
| 131 |
|
echo "\n";
|
| 132 |
|
echo " Unblock example:\n";
|
| 133 |
|
echo " " . basename($argv[0]) . " unblock wan 1.2.3.4\n";
|
| 134 |
|
echo "\n";
|
| 135 |
|
echo " Pass example (protocol with port):\n";
|
| 136 |
|
echo " " . basename($argv[0]) . " pass wan tcp 1.2.3.4 192.168.0.4 80\n";
|
| 137 |
|
echo "\n";
|
| 138 |
|
echo " Pass example (protocol without port):\n";
|
| 139 |
|
echo " " . basename($argv[0]) . " pass wan icmp 1.2.3.4 192.168.0.4\n";
|
| 140 |
|
echo "\n";
|
|
72 |
|
|
73 |
// Show usage overview
|
|
74 |
easyrule_print_usage();
|
|
75 |
|
|
76 |
}
|
|
77 |
|
|
78 |
print("{$message}\n");
|
|
79 |
|
|
80 |
exit($ret_code);
|
|
81 |
|
|
82 |
function easyrule_print_usage() {
|
|
83 |
|
|
84 |
$s = fn($x) => $x;
|
|
85 |
|
|
86 |
foreach (array(
|
|
87 |
|
|
88 |
"Usage:\n",
|
|
89 |
" Blocking only requires an IP to block, block rules can be shown with showblock and revoked using unblock\n",
|
|
90 |
" {$s(basename($argv[0]))} block <interface> <source IP>\n\n",
|
|
91 |
" Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).\n",
|
|
92 |
" {$s(basename($argv[0]))} pass <interface> <protocol> <source IP> <destination ip> [destination port]\n\n",
|
|
93 |
" Block example:\n",
|
|
94 |
" {$s(basename($argv[0]))} block wan 1.2.3.4\n\n",
|
|
95 |
" Show active blocks example:\n",
|
|
96 |
" {$s(basename($argv[0]))} showblock wan\n\n",
|
|
97 |
" Unblock example:\n",
|
|
98 |
" {$s(basename($argv[0]))} unblock wan 1.2.3.4\n\n",
|
|
99 |
" Pass example (protocol with port):\n",
|
|
100 |
" {$s(basename($argv[0]))} pass wan tcp 1.2.3.4 192.168.0.4 80\n\n",
|
|
101 |
" Pass example (protocol without port):\n",
|
|
102 |
" {$s(basename($argv[0]))} pass wan icmp 1.2.3.4 192.168.0.4\n\n"
|
|
103 |
|
|
104 |
) as $line) { print($line); }
|
|
105 |
|
| 141 |
106 |
}
|
|
107 |
|
| 142 |
108 |
?>
|
