1 |
14f9c43f
|
Scott Ullrich
|
#!/bin/sh
|
2 |
ac24dc24
|
Renato Botelho
|
#
|
3 |
|
|
# rc.update_bogons.sh
|
4 |
|
|
#
|
5 |
|
|
# part of pfSense (https://www.pfsense.org)
|
6 |
880ed461
|
jim-p
|
# Copyright (c) 2004-2020 Rubicon Communications, LLC (Netgate)
|
7 |
ac24dc24
|
Renato Botelho
|
# All rights reserved.
|
8 |
|
|
#
|
9 |
|
|
# Based on src/etc/rc.d/savecore from FreeBSD
|
10 |
|
|
#
|
11 |
b12ea3fb
|
Renato Botelho
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
12 |
|
|
# you may not use this file except in compliance with the License.
|
13 |
|
|
# You may obtain a copy of the License at
|
14 |
ac24dc24
|
Renato Botelho
|
#
|
15 |
b12ea3fb
|
Renato Botelho
|
# http://www.apache.org/licenses/LICENSE-2.0
|
16 |
ac24dc24
|
Renato Botelho
|
#
|
17 |
b12ea3fb
|
Renato Botelho
|
# Unless required by applicable law or agreed to in writing, software
|
18 |
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
19 |
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
20 |
|
|
# See the License for the specific language governing permissions and
|
21 |
|
|
# limitations under the License.
|
22 |
14f9c43f
|
Scott Ullrich
|
|
23 |
7c05f800
|
bcyrill
|
# Global variables
|
24 |
|
|
proc_error=""
|
25 |
|
|
|
26 |
7fbb45be
|
Renato Botelho
|
do_not_send_uniqueid=$(/usr/local/sbin/read_xml_tag.sh boolean system/do_not_send_uniqueid)
|
27 |
|
|
if [ "${do_not_send_uniqueid}" != "true" ]; then
|
28 |
|
|
uniqueid=$(/usr/sbin/gnid)
|
29 |
|
|
export HTTP_USER_AGENT="${product}/${product_version}:${uniqueid}"
|
30 |
|
|
else
|
31 |
|
|
export HTTP_USER_AGENT="${product}/${product_version}"
|
32 |
|
|
fi
|
33 |
|
|
|
34 |
7c05f800
|
bcyrill
|
# Download and extract if necessary
|
35 |
c98951ce
|
bcyrill
|
process_url() {
|
36 |
7c05f800
|
bcyrill
|
local file=$1
|
37 |
|
|
local url=$2
|
38 |
|
|
local filename=${url##*/}
|
39 |
|
|
local ext=${filename#*.}
|
40 |
e173dd74
|
Phil Davis
|
|
41 |
690b557c
|
Chris Buechler
|
/usr/bin/fetch -a -w 600 -T 30 -q -o $file "${url}"
|
42 |
e173dd74
|
Phil Davis
|
|
43 |
7c05f800
|
bcyrill
|
if [ ! -f $file ]; then
|
44 |
|
|
echo "Could not download ${url}" | logger
|
45 |
|
|
proc_error="true"
|
46 |
|
|
fi
|
47 |
e173dd74
|
Phil Davis
|
|
48 |
7c05f800
|
bcyrill
|
case "$ext" in
|
49 |
|
|
tar)
|
50 |
|
|
mv $file $file.tmp
|
51 |
|
|
/usr/bin/tar -xf $file.tmp -O > $file 2> /dev/null
|
52 |
|
|
;;
|
53 |
|
|
tar.gz)
|
54 |
c98951ce
|
bcyrill
|
mv $file $file.tmp
|
55 |
|
|
/usr/bin/tar -xzf $file.tmp -O > $file 2> /dev/null
|
56 |
|
|
;;
|
57 |
7c05f800
|
bcyrill
|
tgz)
|
58 |
|
|
mv $file $file.tmp
|
59 |
|
|
/usr/bin/tar -xzf $file.tmp -O > $file 2> /dev/null
|
60 |
|
|
;;
|
61 |
|
|
tar.bz2)
|
62 |
|
|
mv $file $file.tmp
|
63 |
|
|
/usr/bin/tar -xjf $file.tmp -O > $file 2> /dev/null
|
64 |
|
|
;;
|
65 |
|
|
*)
|
66 |
|
|
;;
|
67 |
|
|
esac
|
68 |
e173dd74
|
Phil Davis
|
|
69 |
7c05f800
|
bcyrill
|
if [ -f $file.tmp ]; then
|
70 |
|
|
rm $file.tmp
|
71 |
|
|
fi
|
72 |
e173dd74
|
Phil Davis
|
|
73 |
7c05f800
|
bcyrill
|
if [ ! -f $file ]; then
|
74 |
|
|
echo "Could not extract ${filename}" | logger
|
75 |
|
|
proc_error="true"
|
76 |
|
|
fi
|
77 |
|
|
}
|
78 |
|
|
|
79 |
9c9b1833
|
Scott Ullrich
|
echo "rc.update_bogons.sh is starting up." | logger
|
80 |
|
|
|
81 |
342a2f18
|
Phil Davis
|
# Sleep for some time, unless an argument is specified.
|
82 |
5de28171
|
Scott Ullrich
|
if [ "$1" = "" ]; then
|
83 |
e173dd74
|
Phil Davis
|
# Grab a random value
|
84 |
|
|
value=`od -A n -d -N2 /dev/random | awk '{ print $1 }'`
|
85 |
|
|
echo "rc.update_bogons.sh is sleeping for $value" | logger
|
86 |
|
|
sleep $value
|
87 |
|
|
fi
|
88 |
38b65b80
|
Scott Ullrich
|
|
89 |
9c9b1833
|
Scott Ullrich
|
echo "rc.update_bogons.sh is beginning the update cycle." | logger
|
90 |
|
|
|
91 |
92276df6
|
bcyrill
|
# Load custom bogon configuration
|
92 |
|
|
if [ -f /var/etc/bogon_custom ]; then
|
93 |
|
|
. /var/etc/bogon_custom
|
94 |
|
|
fi
|
95 |
|
|
|
96 |
|
|
# Set default values if not overriden
|
97 |
375fce94
|
Chris Buechler
|
v4url=${v4url:-"https://files.pfsense.org/lists/fullbogons-ipv4.txt"}
|
98 |
|
|
v6url=${v6url:-"https://files.pfsense.org/lists/fullbogons-ipv6.txt"}
|
99 |
92276df6
|
bcyrill
|
v4urlcksum=${v4urlcksum:-"${v4url}.md5"}
|
100 |
|
|
v6urlcksum=${v6urlcksum:-"${v6url}.md5"}
|
101 |
|
|
|
102 |
7c05f800
|
bcyrill
|
process_url /tmp/bogons "${v4url}"
|
103 |
|
|
process_url /tmp/bogonsv6 "${v6url}"
|
104 |
4a41dff7
|
smos
|
|
105 |
7c05f800
|
bcyrill
|
if [ "$proc_error" != "" ]; then
|
106 |
7de4359a
|
Seth Mos
|
# Relaunch and sleep
|
107 |
7c05f800
|
bcyrill
|
sh /etc/rc.update_bogons.sh &
|
108 |
7de4359a
|
Seth Mos
|
exit
|
109 |
|
|
fi
|
110 |
|
|
|
111 |
2076dc46
|
Ermal
|
BOGON_V4_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }'`
|
112 |
92276df6
|
bcyrill
|
ON_DISK_V4_CKSUM=`md5 /tmp/bogons | awk '{ print $4 }'`
|
113 |
2076dc46
|
Ermal
|
BOGON_V6_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }'`
|
114 |
92276df6
|
bcyrill
|
ON_DISK_V6_CKSUM=`md5 /tmp/bogonsv6 | awk '{ print $4 }'`
|
115 |
342a2f18
|
Phil Davis
|
|
116 |
92276df6
|
bcyrill
|
if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
|
117 |
45bc16b9
|
bcyrill
|
ENTRIES_MAX=`pfctl -s memory | awk '/table-entries/ { print $4 }'`
|
118 |
e173dd74
|
Phil Davis
|
|
119 |
3cde94cf
|
bcyrill
|
if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ]; then
|
120 |
45bc16b9
|
bcyrill
|
ENTRIES_TOT=`pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}'`
|
121 |
|
|
ENTRIES_V4=`pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}'`
|
122 |
|
|
LINES_V4=`wc -l /tmp/bogons | awk '{ print $1 }'`
|
123 |
|
|
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
|
124 |
|
|
egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
|
125 |
|
|
RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1`
|
126 |
|
|
echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
|
127 |
|
|
else
|
128 |
|
|
echo "Not updating IPv4 bogons (increase table-entries limit)" | logger
|
129 |
|
|
fi
|
130 |
3cde94cf
|
bcyrill
|
rm /tmp/bogons
|
131 |
|
|
else
|
132 |
|
|
echo "Could not download ${v4url} (checksum mismatch)" | logger
|
133 |
|
|
checksum_error="true"
|
134 |
|
|
fi
|
135 |
342a2f18
|
Phil Davis
|
|
136 |
3cde94cf
|
bcyrill
|
if [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
|
137 |
8550a21c
|
phildd
|
BOGONS_V6_TABLE_COUNT=`pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'`
|
138 |
45bc16b9
|
bcyrill
|
ENTRIES_TOT=`pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}'`
|
139 |
|
|
LINES_V6=`wc -l /tmp/bogonsv6 | awk '{ print $1 }'`
|
140 |
8550a21c
|
phildd
|
if [ $BOGONS_V6_TABLE_COUNT -gt 0 ]; then
|
141 |
c858c609
|
phildd
|
ENTRIES_V6=`pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}'`
|
142 |
|
|
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then
|
143 |
9b0adf13
|
N0YB
|
egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
|
144 |
c858c609
|
phildd
|
RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
|
145 |
|
|
echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
|
146 |
|
|
else
|
147 |
|
|
echo "Not saving or updating IPv6 bogons (increase table-entries limit)" | logger
|
148 |
|
|
fi
|
149 |
45bc16b9
|
bcyrill
|
else
|
150 |
c858c609
|
phildd
|
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then
|
151 |
9b0adf13
|
N0YB
|
egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
|
152 |
06ac4c7f
|
Chris Buechler
|
echo "Bogons V6 file downloaded but not updating IPv6 bogons table because it is not in use." | logger
|
153 |
c858c609
|
phildd
|
else
|
154 |
|
|
echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
|
155 |
|
|
fi
|
156 |
3cde94cf
|
bcyrill
|
fi
|
157 |
|
|
rm /tmp/bogonsv6
|
158 |
|
|
else
|
159 |
|
|
echo "Could not download ${v6url} (checksum mismatch)" | logger
|
160 |
|
|
checksum_error="true"
|
161 |
|
|
fi
|
162 |
342a2f18
|
Phil Davis
|
fi
|
163 |
|
|
|
164 |
7c05f800
|
bcyrill
|
if [ "$checksum_error" != "" ]; then
|
165 |
7de4359a
|
Seth Mos
|
# Relaunch and sleep
|
166 |
e173dd74
|
Phil Davis
|
sh /etc/rc.update_bogons.sh &
|
167 |
342a2f18
|
Phil Davis
|
exit
|
168 |
7de4359a
|
Seth Mos
|
fi
|
169 |
|
|
|
170 |
48e29ac9
|
sullrich
|
echo "rc.update_bogons.sh is ending the update cycle." | logger
|