wok-current diff squidguard/stuff/squidGuard-1.4-dnsbl.patch @ rev 16939
Up geeqie (1.2)
author | Xander Ziiryanoff <psychomaniak@xakep.ru> |
---|---|
date | Wed Jul 23 13:55:35 2014 +0200 (2014-07-23) |
parents | |
children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/squidguard/stuff/squidGuard-1.4-dnsbl.patch Wed Jul 23 13:55:35 2014 +0200 1.3 @@ -0,0 +1,282 @@ 1.4 +diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html 1.5 +--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100 1.6 ++++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100 1.7 +@@ -1630,6 +1630,15 @@ 1.8 + "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>". 1.9 + </DD> 1.10 + <DT> 1.11 ++ <B>dnsbl</B> 1.12 ++ </DT> 1.13 ++ <DD> 1.14 ++ <B>!dnsbl</B> can be used to dynamically check domain names against 1.15 ++ DNS-based blacklists, such as black.uribl.com, which is the default. 1.16 ++ The DNS blacklist can be set to another domain by setting 1.17 ++ !dnsbl:your.blacklist.domain.com 1.18 ++ </DD> 1.19 ++ <DT> 1.20 + <B>any</B> 1.21 + </DT> 1.22 + <DD> 1.23 +@@ -2419,6 +2428,9 @@ 1.24 + even if they would match a blocking regex: 1.25 + <BR> 1.26 + <TT><B>+</B></TT> limiting the usage of IP-address URLs: 1.27 ++ <BR> 1.28 ++ <TT><B>+</B></TT> blocking sites known to be part of the 1.29 ++ black.uribl.com DNS blacklist. 1.30 + </P> 1.31 + 1.32 + <TT> 1.33 +@@ -2442,7 +2454,7 @@ 1.34 + 1.35 + acl { 1.36 + default { 1.37 +- pass local good !in-addr !porn all 1.38 ++ pass local good !in-addr !porn !dnsbl:black.uribl.com all 1.39 + redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u 1.40 + } 1.41 + } 1.42 +diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt 1.43 +--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100 1.44 ++++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100 1.45 +@@ -637,6 +637,12 @@ 1.46 + "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9 1.47 + ]\{1,3\}($|[:/])". 1.48 + 1.49 ++ dnsbl 1.50 ++ !dnsbl can be used to dynamically check domain names against 1.51 ++ DNS-based blacklists, such as black.uribl.com, which is the default. 1.52 ++ The DNS blacklist can be set to another domain by setting 1.53 ++ !dnsbl:your.blacklist.domain.com 1.54 ++ 1.55 + any 1.56 + matches any URL and is a fast equivalent to the 1.57 + expression ".*". 1.58 +@@ -1052,6 +1058,7 @@ 1.59 + + ensuring local and good sites are passed even if they would match a 1.60 + blocking regex: 1.61 + + limiting the usage of IP-address URLs: 1.62 ++ + blocking sites known to be part of the black.uribl.com DNS blacklist: 1.63 + logdir /usr/local/squidGuard/log 1.64 + dbhome /usr/local/squidGuard/db 1.65 + 1.66 +@@ -1071,7 +1078,7 @@ 1.67 + 1.68 + acl { 1.69 + default { 1.70 +- pass local good !in-addr !porn all 1.71 ++ pass local good !in-addr !porn !dnsbl:black.uribl.com all 1.72 + redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n& 1.73 + clientuser=%i&clientgroup=%s&url=%u 1.74 + } 1.75 +diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html 1.76 +--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100 1.77 ++++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100 1.78 +@@ -168,6 +168,34 @@ 1.79 + </pre> 1.80 + </td></tr></table> 1.81 + <br><br> 1.82 ++ 1.83 ++<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br> 1.84 ++Several DNS based databases can be used to block domain names referrenced in 1.85 ++blacklists. First choose which database you would like to trust (some well known 1.86 ++are : http://www.uribl.com/, or http://www.surbl.org/). 1.87 ++Be aware that this will raise several DNS requests every time squidGuard 1.88 ++receives a request to filter. SquidGuard will not cache any DNS result, so make 1.89 ++sure your DNS server does, and mesure the performance impact before using on 1.90 ++production. 1.91 ++To get squidGuard to request DNS dynamically and block listed domain names, just use : 1.92 ++<br><br> 1.93 ++<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;"> 1.94 ++<tr> 1.95 ++<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font> 1.96 ++</td></tr> 1.97 ++<tr> 1.98 ++<td> 1.99 ++<pre> acl { 1.100 ++ default { 1.101 ++ pass !dnsbl:black.uribl.com all 1.102 ++ redirect http://localhost/block.html 1.103 ++ } 1.104 ++ } 1.105 ++</pre> 1.106 ++</td></tr> 1.107 ++</table> 1.108 ++<br><br> 1.109 ++ 1.110 + <li><a name=blocklog><b>Logging blocked access tries</b></a> 1.111 + <br><br> 1.112 + It may be of interest who is accessing blocked sites. To track that 1.113 +diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt 1.114 +--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100 1.115 ++++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100 1.116 +@@ -100,6 +100,29 @@ 1.117 + 172.16.12.0/255.255.255.0 1.118 + 10.5.3.1/28 1.119 + 1.120 ++ Using online DNS blacklists 1.121 ++ Several DNS based databases can be used to block domain names referrenced in 1.122 ++ blacklists. First choose which database you would like to trust (some well known 1.123 ++ are : http://www.uribl.com/, or http://www.surbl.org/). 1.124 ++ Be aware that this will raise several DNS requests every time squidGuard 1.125 ++ receives a request to filter. SquidGuard will not cache any DNS result, so make 1.126 ++ sure your DNS server does, and mesure the performance impact before using on 1.127 ++ production. 1.128 ++ To get squidGuard to request DNS dynamically and block listed domain names, just use : 1.129 ++acl { 1.130 ++ default { 1.131 ++ pass !dnsbl:black.uribl.com all 1.132 ++ redirect http://localhost/block.html 1.133 ++ } 1.134 ++} 1.135 ++ 1.136 ++ 1.137 ++ 1.138 ++ 1.139 ++ 1.140 ++ 1.141 ++ 1.142 ++ 1.143 + Logging blocked access tries 1.144 + It may be of interest who is accessing blocked sites. To track that 1.145 + down you can add a log directive to your src or dest definitions in 1.146 +diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in 1.147 +--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100 1.148 ++++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100 1.149 +@@ -68,6 +68,7 @@ 1.150 + #define ACL_TYPE_DEFAULT 1 1.151 + #define ACL_TYPE_TERMINATOR 2 1.152 + #define ACL_TYPE_INADDR 3 1.153 ++#define ACL_TYPE_DNSBL 4 1.154 + 1.155 + #define REQUEST_TYPE_REWRITE 1 1.156 + #define REQUEST_TYPE_REDIRECT 2 1.157 +@@ -301,6 +302,7 @@ 1.158 + 1.159 + struct AclDest { 1.160 + char *name; 1.161 ++ char *dns_suffix; 1.162 + struct Destination *dest; 1.163 + int access; 1.164 + int type; 1.165 +diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in 1.166 +--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200 1.167 ++++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100 1.168 +@@ -2253,6 +2274,7 @@ 1.169 + int allowed; 1.170 + #endif 1.171 + { 1.172 ++ char *subval = NULL; 1.173 + struct Destination *dest = NULL; 1.174 + struct sgRewrite *rewrite = NULL; 1.175 + struct AclDest *acldest; 1.176 +@@ -2264,6 +2286,9 @@ 1.177 + allowed=0; 1.178 + else if(!strcmp(value,"in-addr")){ 1.179 + type = ACL_TYPE_INADDR; 1.180 ++ } else if (!strncmp(value,"dnsbl",5)) { 1.181 ++ subval = strstr(value,":"); 1.182 ++ type = ACL_TYPE_DNSBL; 1.183 + } else { 1.184 + if((dest = sgDestFindName(value)) == NULL){ 1.185 + sgLogFatalError("%s: ACL destination %s is not defined in configfile %s", 1.186 +@@ -2278,6 +2303,25 @@ 1.187 + acldest->dest = dest; 1.188 + acldest->access = allowed; 1.189 + acldest->type = type; 1.190 ++ if (type == ACL_TYPE_DNSBL) 1.191 ++ { 1.192 ++ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use 1.193 ++ { 1.194 ++ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1); 1.195 ++ strcpy(acldest->dns_suffix, ".black.uribl.com"); 1.196 ++ }else{ 1.197 ++ subval=subval+1; 1.198 ++ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") != 1.199 ++ strlen(subval) ) 1.200 ++ { 1.201 ++ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix", 1.202 ++ progname,subval); 1.203 ++ } 1.204 ++ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1); 1.205 ++ strcpy(acldest->dns_suffix, "."); 1.206 ++ strcat(acldest->dns_suffix,subval); 1.207 ++ } 1.208 ++ } 1.209 + acldest->next = NULL; 1.210 + if(lastAcl->pass == NULL){ 1.211 + lastAcl->pass = acldest; 1.212 +@@ -2365,6 +2409,56 @@ 1.213 + return acl; 1.214 + } 1.215 + 1.216 ++char *strip_fqdn(char *domain) 1.217 ++{ 1.218 ++ char *result; 1.219 ++ result=strstr(domain,"."); 1.220 ++ if (result == NULL) 1.221 ++ return NULL; 1.222 ++ return (result+1); 1.223 ++} 1.224 ++ 1.225 ++int is_blacklisted(char *domain, char *suffix) 1.226 ++{ 1.227 ++ char target[MAX_BUF]; 1.228 ++ struct addrinfo *res; 1.229 ++ int result; 1.230 ++ //Copying domain to target 1.231 ++ if (strlen(domain)+strlen(suffix)+1>MAX_BUF) 1.232 ++ { 1.233 ++ //Buffer overflow risk - just return and accept 1.234 ++@NOLOG1@ 1.235 ++ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); } 1.236 ++@NOLOG2@ 1.237 ++ return(0); 1.238 ++ } 1.239 ++ strncpy(target,domain,strlen(domain)+1); 1.240 ++ strcat(target,suffix); 1.241 ++ 1.242 ++ result = getaddrinfo(target,NULL,NULL,&res); 1.243 ++ if (result == 0) //Result is defined 1.244 ++ { 1.245 ++ freeaddrinfo(res); 1.246 ++ return 1; 1.247 ++ } 1.248 ++ //If anything fails (DNS server not reachable, any problem in the resolution, 1.249 ++ //let's not block anything. 1.250 ++ return 0; 1.251 ++} 1.252 ++ 1.253 ++int blocked_by_dnsbl(char *domain, char *suffix) 1.254 ++{ 1.255 ++ char *dn=domain; 1.256 ++ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com" 1.257 ++ { 1.258 ++ if (is_blacklisted(dn,suffix)) 1.259 ++ return(1); 1.260 ++ dn=strip_fqdn(dn); 1.261 ++ } 1.262 ++ return 0; 1.263 ++} 1.264 ++ 1.265 ++ 1.266 + #if __STDC__ 1.267 + char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req) 1.268 + #else 1.269 +@@ -2397,6 +2491,16 @@ 1.270 + } 1.271 + continue; 1.272 + } 1.273 ++ // http://www.yahoo.fr/ 172.16.2.32 - GET 1.274 ++ if(aclpass->type == ACL_TYPE_DNSBL){ 1.275 ++ if (req->dot) 1.276 ++ continue; 1.277 ++ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){ 1.278 ++ access=0; 1.279 ++ break; 1.280 ++ } 1.281 ++ continue; 1.282 ++ } 1.283 + if(aclpass->dest->domainlistDb != NULL){ 1.284 + result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata); 1.285 + if(result != DB_NOTFOUND) {