wok-current view squidguard/stuff/squidGuard-1.4-dnsbl.patch @ rev 18326
docbook-xsl: missing file
author | Xander Ziiryanoff <psychomaniak@xakep.ru> |
date | Tue Sep 08 13:06:01 2015 +0200 (2015-09-08) |
1 diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
2 --- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100
3 +++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100
4 @@ -1630,6 +1630,15 @@
5 "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>".
6 </DD>
7 <DT>
8 + <B>dnsbl</B>
9 + </DT>
10 + <DD>
11 + <B>!dnsbl</B> can be used to dynamically check domain names against
12 + DNS-based blacklists, such as black.uribl.com, which is the default.
13 + The DNS blacklist can be set to another domain by setting
14 + !dnsbl:your.blacklist.domain.com
15 + </DD>
16 + <DT>
17 <B>any</B>
18 </DT>
19 <DD>
20 @@ -2419,6 +2428,9 @@
21 even if they would match a blocking regex:
22 <BR>
23 <TT><B>+</B></TT> limiting the usage of IP-address URLs:
24 + <BR>
25 + <TT><B>+</B></TT> blocking sites known to be part of the
26 + black.uribl.com DNS blacklist.
27 </P>
29 <TT>
30 @@ -2442,7 +2454,7 @@
32 acl {
33 default {
34 - pass local good !in-addr !porn all
35 + pass local good !in-addr !porn !dnsbl:black.uribl.com all
36 redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
37 }
38 }
39 diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
40 --- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100
41 +++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100
42 @@ -637,6 +637,12 @@
43 "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
44 ]\{1,3\}($|[:/])".
46 + dnsbl
47 + !dnsbl can be used to dynamically check domain names against
48 + DNS-based blacklists, such as black.uribl.com, which is the default.
49 + The DNS blacklist can be set to another domain by setting
50 + !dnsbl:your.blacklist.domain.com
51 +
52 any
53 matches any URL and is a fast equivalent to the
54 expression ".*".
55 @@ -1052,6 +1058,7 @@
56 + ensuring local and good sites are passed even if they would match a
57 blocking regex:
58 + limiting the usage of IP-address URLs:
59 + + blocking sites known to be part of the black.uribl.com DNS blacklist:
60 logdir /usr/local/squidGuard/log
61 dbhome /usr/local/squidGuard/db
63 @@ -1071,7 +1078,7 @@
65 acl {
66 default {
67 - pass local good !in-addr !porn all
68 + pass local good !in-addr !porn !dnsbl:black.uribl.com all
69 redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
70 clientuser=%i&clientgroup=%s&url=%u
71 }
72 diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
73 --- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100
74 +++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100
75 @@ -168,6 +168,34 @@
76 </pre>
77 </td></tr></table>
78 <br><br>
79 +
80 +<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
81 +Several DNS based databases can be used to block domain names referrenced in
82 +blacklists. First choose which database you would like to trust (some well known
83 +are : http://www.uribl.com/, or http://www.surbl.org/).
84 +Be aware that this will raise several DNS requests every time squidGuard
85 +receives a request to filter. SquidGuard will not cache any DNS result, so make
86 +sure your DNS server does, and mesure the performance impact before using on
87 +production.
88 +To get squidGuard to request DNS dynamically and block listed domain names, just use :
89 +<br><br>
90 +<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
91 +<tr>
92 +<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
93 +</td></tr>
94 +<tr>
95 +<td>
96 +<pre> acl {
97 + default {
98 + pass !dnsbl:black.uribl.com all
99 + redirect http://localhost/block.html
100 + }
101 + }
102 +</pre>
103 +</td></tr>
104 +</table>
105 +<br><br>
106 +
107 <li><a name=blocklog><b>Logging blocked access tries</b></a>
108 <br><br>
109 It may be of interest who is accessing blocked sites. To track that
110 diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
111 --- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100
112 +++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100
113 @@ -100,6 +100,29 @@
114 172.16.12.0/255.255.255.0
115 10.5.3.1/28
117 + Using online DNS blacklists
118 + Several DNS based databases can be used to block domain names referrenced in
119 + blacklists. First choose which database you would like to trust (some well known
120 + are : http://www.uribl.com/, or http://www.surbl.org/).
121 + Be aware that this will raise several DNS requests every time squidGuard
122 + receives a request to filter. SquidGuard will not cache any DNS result, so make
123 + sure your DNS server does, and mesure the performance impact before using on
124 + production.
125 + To get squidGuard to request DNS dynamically and block listed domain names, just use :
126 +acl {
127 + default {
128 + pass !dnsbl:black.uribl.com all
129 + redirect http://localhost/block.html
130 + }
131 +}
132 +
133 +
134 +
135 +
136 +
137 +
138 +
139 +
140 Logging blocked access tries
141 It may be of interest who is accessing blocked sites. To track that
142 down you can add a log directive to your src or dest definitions in
143 diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
144 --- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100
145 +++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100
146 @@ -68,6 +68,7 @@
147 #define ACL_TYPE_DEFAULT 1
148 #define ACL_TYPE_TERMINATOR 2
149 #define ACL_TYPE_INADDR 3
150 +#define ACL_TYPE_DNSBL 4
152 #define REQUEST_TYPE_REWRITE 1
153 #define REQUEST_TYPE_REDIRECT 2
154 @@ -301,6 +302,7 @@
156 struct AclDest {
157 char *name;
158 + char *dns_suffix;
159 struct Destination *dest;
160 int access;
161 int type;
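Review bot: The new `dns_suffix` member is undocumented, and nothing in this hunk says when it is valid or who owns the storage. Suggest a trailing comment on the added line: `char *dns_suffix; /* ACL_TYPE_DNSBL only: leading-dot DNSBL zone appended to the looked-up name; allocated by the ACL parser */`. It is presumably left unset for every other `type`, so readers must test `type` before dereferencing it — confirm that AclDest is zero-initialised where it is allocated. The struct definition continues past the end of this hunk.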
162 diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
163 --- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200
164 +++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100
165 @@ -2253,6 +2274,7 @@
166 int allowed;
167 #endif
168 {
169 + char *subval = NULL;
170 struct Destination *dest = NULL;
171 struct sgRewrite *rewrite = NULL;
172 struct AclDest *acldest;
173 @@ -2264,6 +2286,9 @@
174 allowed=0;
175 else if(!strcmp(value,"in-addr")){
176 type = ACL_TYPE_INADDR;
177 + } else if (!strncmp(value,"dnsbl",5)) {
178 + subval = strstr(value,":");
179 + type = ACL_TYPE_DNSBL;
180 } else {
181 if((dest = sgDestFindName(value)) == NULL){
182 sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
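Review bot: `!strncmp(value,"dnsbl",5)` is a prefix test, so any user-defined destination whose name merely starts with `dnsbl` (say `dnsblocal`) is silently routed into the DNSBL branch instead of being resolved with sgDestFindName, and a configuration error becomes a surprising lookup against the default blacklist. Match the keyword exactly or followed by its separator: `} else if (!strcmp(value,"dnsbl") || !strncmp(value,"dnsbl:",6)) {`. With that in place `subval = strstr(value,":")` can become `strchr(value, ':')`, the idiom for a single-character search. The enclosing function begins before this hunk.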
183 @@ -2278,6 +2303,25 @@
184 acldest->dest = dest;
185 acldest->access = allowed;
186 acldest->type = type;
187 + if (type == ACL_TYPE_DNSBL)
188 + {
189 + if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
190 + {
191 + acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
192 + strcpy(acldest->dns_suffix, ".black.uribl.com");
193 + }else{
194 + subval=subval+1;
195 + if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
196 + strlen(subval) )
197 + {
198 + sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
199 + progname,subval);
200 + }
201 + acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
202 + strcpy(acldest->dns_suffix, ".");
203 + strcat(acldest->dns_suffix,subval);
204 + }
205 + }
206 acldest->next = NULL;
207 if(lastAcl->pass == NULL){
208 lastAcl->pass = acldest;
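Review bot: The allocation in the `else` branch is one byte short: `sgCalloc(1,strlen(subval)+1)` leaves room for subval and its terminator, but the following `strcpy(acldest->dns_suffix, ".")` plus `strcat(acldest->dns_suffix,subval)` writes strlen(subval)+2 bytes, so the terminating NUL lands one past the end of the buffer — a heap overflow driven by the configuration file. Change the size to `acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+2);`, or build the string in one call with `snprintf(acldest->dns_suffix, strlen(subval)+2, ".%s", subval)`. The default branch sizes its buffer correctly, and the `strspn` alphabet is lowercase-only, so an uppercase zone name in the config is a fatal error rather than a lookup of the wrong name — worth a one-line comment on the check.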
209 @@ -2365,6 +2409,56 @@
210 return acl;
211 }
213 +char *strip_fqdn(char *domain)
214 +{
215 + char *result;
216 + result=strstr(domain,".");
217 + if (result == NULL)
218 + return NULL;
219 + return (result+1);
220 +}
221 +
222 +int is_blacklisted(char *domain, char *suffix)
223 +{
224 + char target[MAX_BUF];
225 + struct addrinfo *res;
226 + int result;
227 + //Copying domain to target
228 + if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
229 + {
230 + //Buffer overflow risk - just return and accept
231 +@NOLOG1@
232 + if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
233 +@NOLOG2@
234 + return(0);
235 + }
236 + strncpy(target,domain,strlen(domain)+1);
237 + strcat(target,suffix);
238 +
239 + result = getaddrinfo(target,NULL,NULL,&res);
240 + if (result == 0) //Result is defined
241 + {
242 + freeaddrinfo(res);
243 + return 1;
244 + }
245 + //If anything fails (DNS server not reachable, any problem in the resolution,
246 + //let's not block anything.
247 + return 0;
248 +}
249 +
250 +int blocked_by_dnsbl(char *domain, char *suffix)
251 +{
252 + char *dn=domain;
253 + while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
254 + {
255 + if (is_blacklisted(dn,suffix))
256 + return(1);
257 + dn=strip_fqdn(dn);
258 + }
259 + return 0;
260 +}
261 +
262 +
263 #if __STDC__
264 char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
265 #else
266 @@ -2397,6 +2491,16 @@
267 }
268 continue;
269 }
270 + // http://www.yahoo.fr/ 172.16.2.32 - GET
271 + if(aclpass->type == ACL_TYPE_DNSBL){
272 + if (req->dot)
273 + continue;
274 + if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
275 + access=0;
276 + break;
277 + }
278 + continue;
279 + }
280 if(aclpass->dest->domainlistDb != NULL){
281 result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
282 if(result != DB_NOTFOUND) {
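Review bot: The DNSBL branch sets `access=0` unconditionally instead of using the flag the parser stored in `acldest->access`, so if `allowed` is derived from the `!` prefix as it is for ordinary destinations, `pass dnsbl:zone` and `pass !dnsbl:zone` behave identically and both block listed names; `access = aclpass->access;` would honour the ACL syntax. The comment `// http://www.yahoo.fr/ 172.16.2.32 - GET` reads as a debugging remnant and should say what the branch does, e.g. `/* ACL_TYPE_DNSBL: hostnames are checked against the DNS blacklist; dotted-quad requests (req->dot) are left to the in-addr rule */`, with the meaning of `req->dot` confirmed against its definition. Note also that `aclpass->dest` is never set for this type, which is safe here only because the branch continues before the `aclpass->dest->domainlistDb` dereference; any other loop over `acl->pass` that touches `dest` needs the same type check, which cannot be verified from this hunk. sgAclAccess starts before the hunk and continues after it.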