I want to add a cron job to update my hosts file with a bad-actor hosts file (basically malicious ads and bad websites) to black hole them. Rather than updating the local hosts files of each computer, I wanted to do it on the router. I found a script that would work to do this, but it was held up because wget isn’t installed on the version of BSD that is installed with pfSense.
I tried installing it via pkg_get, but apparently that’s been deprecated, so I tried using pkg install, but it wasn’t able to find it; then when I tried searching for it nothing came back. So finally I tried: pkg add http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/gwget-1.0.4_11.txz
and got this error:
pkg: wrong architecture: FreeBSD:10:amd64 instead of FreeBSD:11:amd64
When I do some searching for that error I’m getting solutions saying I should recompile the kernel. I feel like that may be a bit too far too soon. If anyone else has had this problem, or knows if indeed the solution is recompiling the kernel (I’d just re-install pfSense), please let me know.
As a follow up, curl isn’t installed by default either. Here’s a copy of the bash script I’m trying to run.
```sh
#!/bin/sh
## blackhole.sh
## Adapted for pfSense from Tomato WAN Up script v3.3 by haarp
TMPFILE="/tmp/dnsmasq.work" ## dnsmasq temporary file
GENFILE="/usr/local/etc/dnsmasq.d/dnsmasq.custom" ## dnsmasq custom config

## elog is a Tomato helper that does not exist on pfSense; define an
## equivalent here (echo to stdout and to syslog) so the pipeline below
## does not fail with "elog: not found" when a download fails
elog() {
    echo "$@"
    logger -t blackhole "$@"
}

SOURCES=""
SOURCES="$SOURCES http://winhelp2002.mvps.org/hosts.txt"
SOURCES="$SOURCES http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext"
#SOURCES="$SOURCES http://hosts-file.net/ad_servers.asp"
SOURCES="$SOURCES http://hosts-file.net/.%5Cad_servers.txt"
##SOURCES="$SOURCES http://hostsfile.mine.nu/Hosts"
##SOURCES="$SOURCES http://sysctl.org/cameleon/hosts"
SOURCES="$SOURCES http://adaway.org/hosts.txt"
##SOURCES="$SOURCES http://hosts-file.net/download/hosts.txt"
#SOURCES="$SOURCES http://hosts-file.net/hphosts-partial.asp"
SOURCES="$SOURCES http://www.malwaredomainlist.com/hostslist/hosts.txt"
## Blacklist additional sites (add inside quotes, space-separated)
##BLACKLIST="google-analytics.com"
BLACKLIST=""
## Whitelist sites from blocking (add inside quotes, space-separated)
WHITELIST=""

echo "Download starting"
until ping -q -c1 google.com >/dev/null; do
    echo "Waiting for internet"
    sleep 5
done

echo -n "" > "$TMPFILE"
## Fetch every source in parallel; each one is normalised to one hostname
## per line: strip CRs, keep only lines starting with an address, take the
## hostname field, drop the "localhost" entry
for s in $SOURCES; do
    { (wget "$s" -O - || elog "Failed: $s") | \
        tr -d "\r" | \
        sed -e '/^[[:alnum:]:]/!d' | \
        awk '{print $2}' | \
        sed -e '/^localhost$/d' >> "$TMPFILE"
    } &
done
wait

if [ -s "$TMPFILE" ]; then
    echo "Download finished"
else
    echo "Failed: Download unsuccessful, aborting"
    rm "$TMPFILE"
    exit 1
fi

echo "Generating $TMPFILE"
for b in $BLACKLIST; do
    echo "$b" >> "$TMPFILE"
done
## BSD sed (as on pfSense) needs an explicit, possibly empty, backup suffix
## after -i; GNU sed's bare "-i" would treat "-e" as the suffix
for w in $WHITELIST; do
    sed -i '' -e "/$w/d" "$TMPFILE"
done

sort -u "$TMPFILE" -o "$TMPFILE" ## Sort and remove duplicates
awk '{print "address=/"$0"/127.0.0.1/"}' "$TMPFILE" > "$GENFILE" ## format file for dnsmasq ... address=/domain-name/127.0.0.1
echo "Config generated, $(wc -l < "$GENFILE") unique hosts to block"
echo "Restarting dnsmasq"
service dnsmasq restart
echo "Deleting $TMPFILE to free memory"
rm "$TMPFILE"
```
I was hoping that Suricata would serve the same purpose, but it doesn’t really block content: goatse, two girls one cup, that sort of stuff. I’m not interested in censoring the network per se, but stuff like that and shady ad networks are all over the place, and I wanted to block those at least. All of the sources are routing to 0.0.0.0, so it should prevent any browsing of the sites, which in turn should prevent any application vulnerabilities.
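The script above feeds whatever the third-party lists return straight into the dnsmasq config. As an added example (not part of the original script or of pfSense), here is the same normalisation pipeline run over a constructed hosts-file sample, with one extra step: only entries that look like real hostnames are kept, so a malformed or hostile line in a downloaded list cannot end up as a dnsmasq directive. The `SAMPLE_HOSTS` content, the `hosts_to_dnsmasq`, `apply_whitelist` and `generate_config` function names, and the example.com/example.net/example.org hosts are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample of a downloaded hosts file: CRLF line endings, a comment,
# IPv4 and IPv6 localhost entries, a duplicate, a tab separator with an inline
# comment, a localhost alias, a malformed entry, and one host we will whitelist.
SAMPLE_HOSTS=$(printf '%s\r\n' \
  '# constructed sample of a downloaded hosts file' \
  '127.0.0.1 localhost' \
  '::1 localhost' \
  '0.0.0.0 ads.example.com' \
  '0.0.0.0 ads.example.com' \
  "0.0.0.0$(printf '\t')tracker.example.net # inline comment" \
  '127.0.0.1 localhost.localdomain' \
  '0.0.0.0 bad$(id).example.org' \
  '0.0.0.0 good.example.org')

WHITELIST="good.example.org"   # space-separated, same convention as the script

# hosts_to_dnsmasq: stdin = hosts-format text, stdout = sorted, unique
# "address=/host/0.0.0.0" lines (the form dnsmasq documents).
hosts_to_dnsmasq() {
  tr -d '\r' |
  sed -e 's/#.*$//' -e '/^[[:alnum:]:]/!d' |   # strip comments, keep entry lines
  awk '{print $2}' |                            # second field is the hostname
  grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' |
  grep -Ev '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-localhost|ip6-loopback)$' |
  sort -u |
  awk '{print "address=/" $0 "/0.0.0.0"}'
}
# The first grep accepts only DNS labels (alphanumerics and inner hyphens,
# dot-separated), which rejects "$(id)" and anything containing "/".

# apply_whitelist: $1 = space-separated hostnames; removes their address= lines.
# One anchored pattern per name, dots escaped; grep -E takes newline-separated patterns.
apply_whitelist() {
  [ -n "$1" ] || { cat; return; }
  _pat=$(printf '%s\n' $1 | sed -e 's/[.]/\\./g' -e 's|^|^address=/|' -e 's|$|/|')
  grep -Ev "$_pat"
}

# generate_config: run the constructed sample through the whole pipeline.
generate_config() {
  printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq | apply_whitelist "$WHITELIST"
}

generate_config
```

On the sample this yields exactly two directives, for ads.example.com and tracker.example.net; the localhost entries, the duplicate, the malformed line and the whitelisted host are all dropped.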
I’m going to try downloading the package and rehashing it,
i.e. pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/wget-1.19.5.txz ; rehash
I’m guessing that re-compiles it for 11 instead of 10?
That seemed to have worked, I’m not getting the wget error anymore. I’m getting a bunch more errors with the script, but at least I’m not missing the command I needed >.<