wok-current diff squidguard/stuff/squidGuard-1.4-dnsbl.patch @ rev 20663

updated sc-im (0.6.0 -> 0.7.0)
author Hans-G?nter Theisgen
date Tue Jan 15 14:45:17 2019 +0100 (2019-01-15)
parents
children
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/squidguard/stuff/squidGuard-1.4-dnsbl.patch	Tue Jan 15 14:45:17 2019 +0100
     1.3 @@ -0,0 +1,282 @@
     1.4 +diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
     1.5 +--- squidGuard-1.4/doc/configuration.html	2007-11-16 17:58:32.000000000 +0100
     1.6 ++++ squidGuard-1.4-dnsbl/doc/configuration.html	2009-03-04 18:07:15.000000000 +0100
     1.7 +@@ -1630,6 +1630,15 @@
     1.8 +      "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>".
     1.9 +     </DD>
    1.10 +     <DT>
    1.11 ++     <B>dnsbl</B>
    1.12 ++    </DT>
    1.13 ++    <DD>
    1.14 ++     <B>!dnsbl</B> can be used to dynamically check domain names against
    1.15 ++     DNS-based blacklists, such as black.uribl.com, which is the default.
    1.16 ++     The DNS blacklist can be set to another domain by setting
    1.17 ++     !dnsbl:your.blacklist.domain.com
    1.18 ++    </DD>
    1.19 ++    <DT>
    1.20 +      <B>any</B>
    1.21 +     </DT>
    1.22 +     <DD>
    1.23 +@@ -2419,6 +2428,9 @@
    1.24 +    even if they would match a blocking regex:
    1.25 +    <BR>
    1.26 +    &nbsp;<TT><B>+</B></TT> limiting the usage of IP-address URLs:
    1.27 ++   <BR>
    1.28 ++   &nbsp;<TT><B>+</B></TT> blocking sites known to be part of the
    1.29 ++   black.uribl.com DNS blacklist.
    1.30 +   </P>
    1.31 +
    1.32 +   <TT>
    1.33 +@@ -2442,7 +2454,7 @@
    1.34 +
    1.35 +      acl {
    1.36 + 	 default {
    1.37 +-	     pass local good !in-addr !porn all
    1.38 ++	     pass local good !in-addr !porn !dnsbl:black.uribl.com all
    1.39 + 	     redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
    1.40 + 	 }
    1.41 +      }
    1.42 +diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
    1.43 +--- squidGuard-1.4/doc/configuration.txt	2007-11-16 17:58:32.000000000 +0100
    1.44 ++++ squidGuard-1.4-dnsbl/doc/configuration.txt	2009-03-04 18:09:39.000000000 +0100
    1.45 +@@ -637,6 +637,12 @@
    1.46 +                 "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
    1.47 +                 ]\{1,3\}($|[:/])".
    1.48 +
    1.49 ++        dnsbl
    1.50 ++                !dnsbl can be used to dynamically check domain names against
    1.51 ++                DNS-based blacklists, such as black.uribl.com, which is the default.
    1.52 ++                The DNS blacklist can be set to another domain by setting
    1.53 ++                !dnsbl:your.blacklist.domain.com
    1.54 ++
    1.55 +         any
    1.56 +                 matches any URL and is a fast equivalent to the
    1.57 +                 expression ".*".
    1.58 +@@ -1052,6 +1058,7 @@
    1.59 +     + ensuring local and good sites are passed even if they would match a
    1.60 +    blocking regex:
    1.61 +     + limiting the usage of IP-address URLs:
    1.62 ++    + blocking sites known to be part of the black.uribl.com DNS blacklist:
    1.63 +      logdir /usr/local/squidGuard/log
    1.64 +      dbhome /usr/local/squidGuard/db
    1.65 +
    1.66 +@@ -1071,7 +1078,7 @@
    1.67 +
    1.68 +      acl {
    1.69 +          default {
    1.70 +-             pass local good !in-addr !porn all
    1.71 ++             pass local good !in-addr !porn !dnsbl:black.uribl.com all
    1.72 +              redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
    1.73 + clientuser=%i&clientgroup=%s&url=%u
    1.74 +          }
    1.75 +diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
    1.76 +--- squidGuard-1.4/doc/extended.html	2007-11-16 17:58:37.000000000 +0100
    1.77 ++++ squidGuard-1.4-dnsbl/doc/extended.html	2009-03-04 18:15:59.000000000 +0100
    1.78 +@@ -168,6 +168,34 @@
    1.79 + </pre>
    1.80 + </td></tr></table>
    1.81 + <br><br>
    1.82 ++
    1.83 ++<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
    1.84 ++Several DNS based databases can be used to block domain names referrenced in
    1.85 ++blacklists. First choose which database you would like to trust (some well known
    1.86 ++are : http://www.uribl.com/, or http://www.surbl.org/).
    1.87 ++Be aware that this will raise several DNS requests every time squidGuard
    1.88 ++receives a request to filter. SquidGuard will not cache any DNS result, so make
    1.89 ++sure your DNS server does, and mesure the performance impact before using on
    1.90 ++production.
    1.91 ++To get squidGuard to request DNS dynamically and block listed domain names, just use :
    1.92 ++<br><br>
    1.93 ++<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
    1.94 ++<tr>
    1.95 ++<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
    1.96 ++</td></tr>
    1.97 ++<tr>
    1.98 ++<td>
    1.99 ++<pre> acl {
   1.100 ++        default {
   1.101 ++                pass !dnsbl:black.uribl.com all
   1.102 ++                redirect http://localhost/block.html
   1.103 ++        }
   1.104 ++ }
   1.105 ++</pre>
   1.106 ++</td></tr>
   1.107 ++</table>
   1.108 ++<br><br>
   1.109 ++
   1.110 + <li><a name=blocklog><b>Logging blocked access tries</b></a>
   1.111 + <br><br>
   1.112 + It may be of interest who is accessing blocked sites. To track that
   1.113 +diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
   1.114 +--- squidGuard-1.4/doc/extended.txt	2007-11-16 17:58:32.000000000 +0100
   1.115 ++++ squidGuard-1.4-dnsbl/doc/extended.txt	2009-03-04 18:18:01.000000000 +0100
   1.116 +@@ -100,6 +100,29 @@
   1.117 + 172.16.12.0/255.255.255.0
   1.118 + 10.5.3.1/28
   1.119 +
   1.120 ++     Using online DNS blacklists
   1.121 ++   Several DNS based databases can be used to block domain names referrenced in
   1.122 ++   blacklists. First choose which database you would like to trust (some well known
   1.123 ++   are : http://www.uribl.com/, or http://www.surbl.org/).
   1.124 ++   Be aware that this will raise several DNS requests every time squidGuard
   1.125 ++   receives a request to filter. SquidGuard will not cache any DNS result, so make
   1.126 ++   sure your DNS server does, and mesure the performance impact before using on
   1.127 ++   production.
   1.128 ++   To get squidGuard to request DNS dynamically and block listed domain names, just use :
   1.129 ++acl {
   1.130 ++        default {
   1.131 ++                pass !dnsbl:black.uribl.com all
   1.132 ++                redirect http://localhost/block.html
   1.133 ++        }
   1.134 ++}
   1.135 ++
   1.136 ++
   1.137 ++
   1.138 ++
   1.139 ++
   1.140 ++
   1.141 ++
   1.142 ++
   1.143 +      Logging blocked access tries
   1.144 +    It may be of interest who is accessing blocked sites. To track that
   1.145 +    down you can add a log directive to your src or dest definitions in
   1.146 +diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
   1.147 +--- squidGuard-1.4/src/sg.h.in	2007-11-16 17:58:32.000000000 +0100
   1.148 ++++ squidGuard-1.4-dnsbl/src/sg.h.in	2009-03-04 17:38:32.000000000 +0100
   1.149 +@@ -68,6 +68,7 @@
   1.150 + #define ACL_TYPE_DEFAULT    1
   1.151 + #define ACL_TYPE_TERMINATOR 2
   1.152 + #define ACL_TYPE_INADDR     3
   1.153 ++#define ACL_TYPE_DNSBL      4
   1.154 +
   1.155 + #define REQUEST_TYPE_REWRITE    1
   1.156 + #define REQUEST_TYPE_REDIRECT   2
   1.157 +@@ -301,6 +302,7 @@
   1.158 +
   1.159 + struct AclDest {
   1.160 +   char *name;
   1.161 ++  char *dns_suffix;
   1.162 +   struct Destination *dest;
   1.163 +   int    access;
   1.164 +   int    type;
   1.165 +diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
   1.166 +--- squidGuard-1.4/src/sg.y.in	2008-05-17 20:25:18.000000000 +0200
   1.167 ++++ squidGuard-1.4-dnsbl/src/sg.y.in	2009-03-22 21:43:08.000000000 +0100
   1.168 +@@ -2253,6 +2274,7 @@
   1.169 +      int allowed;
   1.170 + #endif
   1.171 + {
   1.172 ++  char *subval = NULL;
   1.173 +   struct Destination *dest = NULL;
   1.174 +   struct sgRewrite *rewrite = NULL;
   1.175 +   struct AclDest *acldest;
   1.176 +@@ -2264,6 +2286,9 @@
   1.177 +       allowed=0;
   1.178 +     else if(!strcmp(value,"in-addr")){
   1.179 +       type = ACL_TYPE_INADDR;
   1.180 ++    } else if (!strncmp(value,"dnsbl",5)) {
   1.181 ++      subval = strstr(value,":");
   1.182 ++      type = ACL_TYPE_DNSBL;
   1.183 +     } else {
   1.184 +       if((dest = sgDestFindName(value)) == NULL){
   1.185 + 	sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
   1.186 +@@ -2278,6 +2303,25 @@
   1.187 +     acldest->dest = dest;
   1.188 +     acldest->access = allowed;
   1.189 +     acldest->type = type;
   1.190 ++    if (type == ACL_TYPE_DNSBL)
   1.191 ++    {
   1.192 ++      if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
   1.193 ++      {
   1.194 ++	acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
   1.195 ++	strcpy(acldest->dns_suffix, ".black.uribl.com");
   1.196 ++      }else{
   1.197 ++	subval=subval+1;
   1.198 ++	if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
   1.199 ++	  					     strlen(subval)  )
   1.200 ++	  {
   1.201 ++	    sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
   1.202 ++	                    progname,subval);
   1.203 ++	  }
   1.204 ++	acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
   1.205 ++	strcpy(acldest->dns_suffix, ".");
   1.206 ++	strcat(acldest->dns_suffix,subval);
   1.207 ++      }
   1.208 ++    }
   1.209 +     acldest->next = NULL;
   1.210 +     if(lastAcl->pass == NULL){
   1.211 +       lastAcl->pass = acldest;
   1.212 +@@ -2365,6 +2409,56 @@
   1.213 +   return acl;
   1.214 + }
   1.215 +
   1.216 ++char *strip_fqdn(char *domain)
   1.217 ++{
   1.218 ++  char *result;
   1.219 ++  result=strstr(domain,".");
   1.220 ++  if (result == NULL)
   1.221 ++    return NULL;
   1.222 ++  return (result+1);
   1.223 ++}
   1.224 ++
   1.225 ++int is_blacklisted(char *domain, char *suffix)
   1.226 ++{
   1.227 ++  char target[MAX_BUF];
   1.228 ++  struct addrinfo *res;
   1.229 ++  int result;
   1.230 ++  //Copying domain to target
   1.231 ++  if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
   1.232 ++  {
   1.233 ++    //Buffer overflow risk - just return and accept
   1.234 ++@NOLOG1@
   1.235 ++    if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
   1.236 ++@NOLOG2@
   1.237 ++    return(0);
   1.238 ++  }
   1.239 ++  strncpy(target,domain,strlen(domain)+1);
   1.240 ++  strcat(target,suffix);
   1.241 ++
   1.242 ++  result = getaddrinfo(target,NULL,NULL,&res);
   1.243 ++  if (result == 0) //Result is defined
   1.244 ++  {
   1.245 ++    freeaddrinfo(res);
   1.246 ++    return 1;
   1.247 ++  }
   1.248 ++  //If anything fails (DNS server not reachable, any problem in the resolution,
   1.249 ++  //let's not block anything.
   1.250 ++  return 0;
   1.251 ++}
   1.252 ++
   1.253 ++int blocked_by_dnsbl(char *domain, char *suffix)
   1.254 ++{
   1.255 ++  char *dn=domain;
   1.256 ++  while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
   1.257 ++  {
   1.258 ++    if (is_blacklisted(dn,suffix))
   1.259 ++      return(1);
   1.260 ++    dn=strip_fqdn(dn);
   1.261 ++  }
   1.262 ++  return 0;
   1.263 ++}
   1.264 ++
   1.265 ++
   1.266 + #if __STDC__
   1.267 + char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
   1.268 + #else
   1.269 +@@ -2397,6 +2491,16 @@
   1.270 + 	}
   1.271 + 	continue;
   1.272 +       }
   1.273 ++      // http://www.yahoo.fr/ 172.16.2.32 - GET
   1.274 ++      if(aclpass->type == ACL_TYPE_DNSBL){
   1.275 ++	if (req->dot)
   1.276 ++	  continue;
   1.277 ++	if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
   1.278 ++	  access=0;
   1.279 ++	  break;
   1.280 ++	}
   1.281 ++	continue;
   1.282 ++      }
   1.283 +       if(aclpass->dest->domainlistDb != NULL){
   1.284 + 	result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
   1.285 +        if(result != DB_NOTFOUND) {
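Review bot: In `is_blacklisted` (patch lines 1.225–1.251) a hostname is treated as listed whenever `getaddrinfo(target,NULL,NULL,&res)` returns 0, i.e. whenever `<domain>.<suffix>` resolves to anything at all, which is not how DNSBLs signal membership — they answer with a code address in 127.0.0.0/8, and other answers (a wildcard under the suffix, a resolver that rewrites NXDOMAIN, or, as far as I know of URIBL, a "query refused" marker returned to unauthorised resolvers) would block every request through the `!dnsbl` ACL. The NULL hints also let the resolver return several entries per address (one per socktype) and non-IPv4 families, so the answer should be restricted with `hints.ai_family = AF_INET` and the returned `sin_addr` checked against 127/8 before concluding "listed"; a sketch is below, assuming the sockaddr/inet headers are already in scope in sg.y.in. The opposite direction stays as the patch has it: any resolver failure (timeout, SERVFAIL) returns 0 and the request passes, which is a deliberate fail-open but means a resolver outage or a hostname that cannot form a valid DNS name (too long, see the `MAX_BUF` bail-out) silently disables the list — worth a one-line comment in the docs hunk next to "SquidGuard will not cache any DNS result". Separately, the parser at 1.180 matches with `strncmp(value,"dnsbl",5)`, so a misspelt destination such as `dnsblx` is silently taken as the DNSBL directive rather than the "not defined in configfile" fatal error; `!strcmp(value,"dnsbl") || !strncmp(value,"dnsbl:",6)` would keep that check strict.
```c
int is_blacklisted(char *domain, char *suffix)
{
  char target[MAX_BUF];
  struct addrinfo hints, *res, *ai;
  int listed = 0;
  /* … unchanged: length check and target = domain + suffix … */
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_INET;       /* DNSBL codes are A records in 127/8 */
  hints.ai_socktype = SOCK_STREAM; /* one entry per address, not per socktype */
  if (getaddrinfo(target, NULL, &hints, &res) != 0)
    return 0;                      /* resolver failure: fail open, as before */
  for (ai = res; ai != NULL; ai = ai->ai_next) {
    struct in_addr a = ((struct sockaddr_in *)ai->ai_addr)->sin_addr;
    if ((ntohl(a.s_addr) & 0xff000000UL) == 0x7f000000UL) {
      listed = 1;
      break;
    }
  }
  freeaddrinfo(res);
  return listed;
}
```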