wok annotate squidguard/stuff/squidGuard-1.4-dnsbl.patch @ rev 22036

updated tiptop (2.2 -> 2.3.1)
author Hans-G?nter Theisgen
date Mon Oct 21 15:30:09 2019 +0100 (2019-10-21)
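--- a/squidGuard-1.4/doc/configuration.html
+++ b/squidGuard-1.4-dnsbl/doc/configuration.html
@@ -1630,6 +1630,15 @@
 "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>".
 </DD>
 <DT>
+ <B>dnsbl</B>
+ </DT>
+ <DD>
+ <B>!dnsbl</B> can be used to dynamically check domain names against
+ DNS-based blacklists, such as black.uribl.com, which is the default.
+ The DNS blacklist can be set to another domain by setting
+ !dnsbl:your.blacklist.domain.com
+ </DD>
+ <DT>
 <B>any</B>
 </DT>
 <DD>
@@ -2419,6 +2428,9 @@
 even if they would match a blocking regex:
 <BR>
 &nbsp;<TT><B>+</B></TT> limiting the usage of IP-address URLs:
+ <BR>
+ &nbsp;<TT><B>+</B></TT> blocking sites known to be part of the
+ black.uribl.com DNS blacklist.
 </P>
 
 <TT>
@@ -2442,7 +2454,7 @@
 
 acl {
 default {
- pass local good !in-addr !porn all
+ pass local good !in-addr !porn !dnsbl:black.uribl.com all
 redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
 }
 }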
erjo@16710 39 diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
erjo@16710 40 --- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100
erjo@16710 41 +++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100
erjo@16710 42 @@ -637,6 +637,12 @@
erjo@16710 43 "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
erjo@16710 44 ]\{1,3\}($|[:/])".
erjo@16710 45
erjo@16710 46 + dnsbl
erjo@16710 47 + !dnsbl can be used to dynamically check domain names against
erjo@16710 48 + DNS-based blacklists, such as black.uribl.com, which is the default.
erjo@16710 49 + The DNS blacklist can be set to another domain by setting
erjo@16710 50 + !dnsbl:your.blacklist.domain.com
erjo@16710 51 +
erjo@16710 52 any
erjo@16710 53 matches any URL and is a fast equivalent to the
erjo@16710 54 expression ".*".
erjo@16710 55 @@ -1052,6 +1058,7 @@
erjo@16710 56 + ensuring local and good sites are passed even if they would match a
erjo@16710 57 blocking regex:
erjo@16710 58 + limiting the usage of IP-address URLs:
erjo@16710 59 + + blocking sites known to be part of the black.uribl.com DNS blacklist:
erjo@16710 60 logdir /usr/local/squidGuard/log
erjo@16710 61 dbhome /usr/local/squidGuard/db
erjo@16710 62
erjo@16710 63 @@ -1071,7 +1078,7 @@
erjo@16710 64
erjo@16710 65 acl {
erjo@16710 66 default {
erjo@16710 67 - pass local good !in-addr !porn all
erjo@16710 68 + pass local good !in-addr !porn !dnsbl:black.uribl.com all
erjo@16710 69 redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
erjo@16710 70 clientuser=%i&clientgroup=%s&url=%u
erjo@16710 71 }
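--- a/squidGuard-1.4/doc/extended.html
+++ b/squidGuard-1.4-dnsbl/doc/extended.html
@@ -168,6 +168,34 @@
 </pre>
 </td></tr></table>
 <br><br>
+
+<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
+Several DNS based databases can be used to block domain names referrenced in
+blacklists. First choose which database you would like to trust (some well known
+are : http://www.uribl.com/, or http://www.surbl.org/).
+Be aware that this will raise several DNS requests every time squidGuard
+receives a request to filter. SquidGuard will not cache any DNS result, so make
+sure your DNS server does, and mesure the performance impact before using on
+production.
+To get squidGuard to request DNS dynamically and block listed domain names, just use :
+<br><br>
+<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
+<tr>
+<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
+</td></tr>
+<tr>
+<td>
+<pre> acl {
+ default {
+ pass !dnsbl:black.uribl.com all
+ redirect http://localhost/block.html
+ }
+ }
+</pre>
+</td></tr>
+</table>
+<br><br>
+
 <li><a name=blocklog><b>Logging blocked access tries</b></a>
 <br><br>
 It may be of interest who is accessing blocked sites. To track that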
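--- a/squidGuard-1.4/doc/extended.txt
+++ b/squidGuard-1.4-dnsbl/doc/extended.txt
@@ -100,6 +100,29 @@
 172.16.12.0/255.255.255.0
 10.5.3.1/28
 
+ Using online DNS blacklists
+ Several DNS based databases can be used to block domain names referrenced in
+ blacklists. First choose which database you would like to trust (some well known
+ are : http://www.uribl.com/, or http://www.surbl.org/).
+ Be aware that this will raise several DNS requests every time squidGuard
+ receives a request to filter. SquidGuard will not cache any DNS result, so make
+ sure your DNS server does, and mesure the performance impact before using on
+ production.
+ To get squidGuard to request DNS dynamically and block listed domain names, just use :
+acl {
+ default {
+ pass !dnsbl:black.uribl.com all
+ redirect http://localhost/block.html
+ }
+}
+
+
+
+
+
+
+
+
 Logging blocked access tries
 It may be of interest who is accessing blocked sites. To track that
 down you can add a log directive to your src or dest definitions in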
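--- a/squidGuard-1.4/src/sg.h.in
+++ b/squidGuard-1.4-dnsbl/src/sg.h.in
@@ -68,6 +68,7 @@
 #define ACL_TYPE_DEFAULT 1
 #define ACL_TYPE_TERMINATOR 2
 #define ACL_TYPE_INADDR 3
+#define ACL_TYPE_DNSBL 4
 
 #define REQUEST_TYPE_REWRITE 1
 #define REQUEST_TYPE_REDIRECT 2
@@ -301,6 +302,7 @@
 
 struct AclDest {
 char *name;
+ char *dns_suffix;
 struct Destination *dest;
 int access;
 int type;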
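Review bot: The new `dns_suffix` member of struct AclDest carries no comment saying when it is valid or what it holds. From the sg.y.in part of this patch it is assigned only for ACL_TYPE_DNSBL entries and always begins with a leading dot (".black.uribl.com" or "." plus the configured zone); for every other ACL type its value depends on how the AclDest is allocated, which this patch does not show, so it is zero only if that allocation is calloc-style. Suggest `char *dns_suffix; /* ACL_TYPE_DNSBL only: ".zone" appended to the name being looked up; not set for other types */` so the consumer in sgAclAccess cannot be reused for other types by mistake.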
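--- a/squidGuard-1.4/src/sg.y.in
+++ b/squidGuard-1.4-dnsbl/src/sg.y.in
@@ -2253,6 +2274,7 @@
 int allowed;
 #endif
 {
+ char *subval = NULL;
 struct Destination *dest = NULL;
 struct sgRewrite *rewrite = NULL;
 struct AclDest *acldest;
@@ -2264,6 +2286,9 @@
 allowed=0;
 else if(!strcmp(value,"in-addr")){
 type = ACL_TYPE_INADDR;
+ } else if (!strncmp(value,"dnsbl",5)) {
+ subval = strstr(value,":");
+ type = ACL_TYPE_DNSBL;
 } else {
 if((dest = sgDestFindName(value)) == NULL){
 sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
@@ -2278,6 +2303,25 @@
 acldest->dest = dest;
 acldest->access = allowed;
 acldest->type = type;
+ if (type == ACL_TYPE_DNSBL)
+ {
+ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
+ {
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
+ strcpy(acldest->dns_suffix, ".black.uribl.com");
+ }else{
+ subval=subval+1;
+ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
+ strlen(subval) )
+ {
+ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
+ progname,subval);
+ }
+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
+ strcpy(acldest->dns_suffix, ".");
+ strcat(acldest->dns_suffix,subval);
+ }
+ }
 acldest->next = NULL;
 if(lastAcl->pass == NULL){
 lastAcl->pass = acldest;
@@ -2365,6 +2409,56 @@
 return acl;
 }
 
+char *strip_fqdn(char *domain)
+{
+ char *result;
+ result=strstr(domain,".");
+ if (result == NULL)
+ return NULL;
+ return (result+1);
+}
+
+int is_blacklisted(char *domain, char *suffix)
+{
+ char target[MAX_BUF];
+ struct addrinfo *res;
+ int result;
+ //Copying domain to target
+ if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
+ {
+ //Buffer overflow risk - just return and accept
+@NOLOG1@
+ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
+@NOLOG2@
+ return(0);
+ }
+ strncpy(target,domain,strlen(domain)+1);
+ strcat(target,suffix);
+
+ result = getaddrinfo(target,NULL,NULL,&res);
+ if (result == 0) //Result is defined
+ {
+ freeaddrinfo(res);
+ return 1;
+ }
+ //If anything fails (DNS server not reachable, any problem in the resolution,
+ //let's not block anything.
+ return 0;
+}
+
+int blocked_by_dnsbl(char *domain, char *suffix)
+{
+ char *dn=domain;
+ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
+ {
+ if (is_blacklisted(dn,suffix))
+ return(1);
+ dn=strip_fqdn(dn);
+ }
+ return 0;
+}
+
+
 #if __STDC__
 char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
 #else
@@ -2397,6 +2491,16 @@
 }
 continue;
 }
+ // http://www.yahoo.fr/ 172.16.2.32 - GET
+ if(aclpass->type == ACL_TYPE_DNSBL){
+ if (req->dot)
+ continue;
+ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
+ access=0;
+ break;
+ }
+ continue;
+ }
 if(aclpass->dest->domainlistDb != NULL){
 result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
 if(result != DB_NOTFOUND) {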