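#!/bin/sh
#############################################################
# This script transforms the pfBlockerNG DNS Blacklist      #
# to a custom named config, that can be included            #
#############################################################
# Documentation can be found here:                          #
# https://github.com/gewuerzgurke84/pfSense-blockerNG2named #
#############################################################
#
# Source Directory: glob matching the pfBlockerNG feed files
# (each line has the form: local-data: "<fqdn> IN a <virtual dnsbl ip>")
#
sourceFilePattern="/var/db/pfblockerng/dnsbl/*.txt"
#
# Whitelist File: one extended regular expression (grep -E) per line.
# Any collected entry matching a line is never pointed to the blocklist.
# Blank lines are ignored.
#
whitelistFile="/root/createBlockingRPZoneWhitelist.txt"
#
# Destination Directories: Destination bind/named zone file
#
destZoneFilenameInChroot="/cf/named/etc/namedb/fuck.ads.zone"
#
# Destination Virtual IP (please use the same Virtual IP as configured in pfBlockerNG)
# NOTE: the address written into each record is the one found in the
# pfBlockerNG feed lines; this variable is kept for configuration
# compatibility and is not referenced below.
#
destVIP=10.10.10.1
#
# Restart named (Y/N)
#
restartNamed="N"

#
# Print a message to stderr and exit non-zero.
# Scratch files are removed by the EXIT trap installed below.
#
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#
# Scratch files. mktemp gives unpredictable names (mode 0600) instead of the
# fixed /tmp/.pfBlockerToBind.* names, so another local process cannot
# pre-create or swap them and thereby inject records into the zone file.
#
tmpDir=${TMPDIR:-/tmp}
workFile=$(mktemp "$tmpDir/pfBlockerToBind.XXXXXXXX") || die "mktemp failed"
filteredFile=$(mktemp "$tmpDir/pfBlockerToBind.XXXXXXXX") || die "mktemp failed"
zoneFile=$(mktemp "$tmpDir/pfBlockerToBind.XXXXXXXX") || die "mktemp failed"
trap 'rm -f -- "$workFile" "$filteredFile" "$zoneFile"' EXIT

#
# Write zone header (into a scratch file; the real zone file is replaced in
# one step at the end so named never loads a half-written zone).
# The SOA serial is derived from the current time (YYYYMMDDHH) so that it
# increases on every run and secondaries notice the change; it is larger
# than the former fixed serial 2015082801.
#
echo "# Creating zone file ($destZoneFilenameInChroot)"
serial=$(date +%Y%m%d%H) || die "date failed"
cat > "$zoneFile" <<EOF
\$TTL 60
@ IN SOA localhost. root.localhost. (
$serial ; serial number YYYYMMDDHH
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS localhost.
localhost A 127.0.0.1
EOF

#
# Collect fqdns and ensure named compatibility
#
echo "# Collecting configured pfBlockerNG DNS Blacklist Files ($sourceFilePattern)"
# $sourceFilePattern is deliberately unquoted: it is a glob.
for blockFile in $sourceFilePattern
do
  # An unmatched glob expands to the literal pattern; do not feed that to awk.
  if [ ! -f "$blockFile" ]; then
    echo "## Skipping $blockFile (not a regular file)"
    continue
  fi
  echo "## Processing $blockFile"
  # Format of file is "local-data: "<fqdn> IN a <virtual dnsblip>""
  # We filter out names that make named complain by violating the grammar
  # and length restrictions of RFC1035. This awk script is an incremental
  # improvement on the original grep filtering, but it really needs to be
  # a proper regex match describing the RFC1035 grammar rather than a
  # filter that looks for specific bad patterns from the blacklist names.
  awk 'BEGIN { FS = ": " } length($2) < 256 && ! ( /[@_]/ || /\"-/ || /\.-/ || /-\./) { gsub("\"","",$2); print $2;}' "$blockFile" >> "$workFile" \
    || die "awk failed on $blockFile"
done

#
# Remove entries from whitelist (regexp)
#
if [ -f "$whitelistFile" ]; then
  echo "# Apply whitelist ($whitelistFile)"
  # The "|| [ -n ... ]" also processes a last line lacking a trailing newline.
  while read -r line || [ -n "$line" ]
  do
    # An empty pattern would match, and therefore remove, every entry.
    [ -n "$line" ] || continue
    # -e protects patterns that begin with '-'. grep -v exits 1 when no line
    # is left, which is a legitimate outcome here, so only status > 1 is fatal.
    grep -E -v -e "$line" "$workFile" > "$filteredFile"
    [ $? -le 1 ] || die "grep failed on whitelist pattern: $line"
    # Overwrite in place rather than mv, so no scratch path is ever recreated.
    cat "$filteredFile" > "$workFile" || die "cannot update work file"
  done < "$whitelistFile"
else
  echo "# Whitelist not found ($whitelistFile)"
fi

#
# Build resulting RP zone file
#
echo "# Build RP Zone File"
cat "$workFile" >> "$zoneFile" || die "cannot append entries to zone"
cat "$zoneFile" > "$destZoneFilenameInChroot" || die "cannot write $destZoneFilenameInChroot"

#
# Cleanup is handled by the EXIT trap.
#

#
# Restart named
#
if [ "$restartNamed" = "Y" ]; then
  echo "# Restarting named"
  service named.sh restart || die "named restart failed"
fi
echo "# Finished"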