Beispiel #1
0
        public override void OnDeInit()
        {
            base.OnDeInit();

            if (IsVistaOrNewer())
            {
                Wfp.Stop();
            }
        }
Beispiel #2
0
 public void RemoveAllRules()
 {
     lock (m_rules)
     {
         foreach (WfpItem item in m_rules.Values)
         {
             Wfp.RemoveItem(item);
         }
         m_rules.Clear();
     }
 }
Beispiel #3
0
        /*
         *      public override void OnRecoveryLoad(XmlElement root)
         *      {
         *              base.OnRecoveryLoad(root);
         *
         *  if (root.HasAttribute("ids"))
         *  {
         *      string list = root.GetAttribute("ids");
         *      string[] ids = list.Split(';');
         *      foreach(string id in ids)
         *      {
         *          ulong nid;
         *          if(ulong.TryParse(id, out nid))
         *              Wfp.RemoveItemId(nid);
         *      }
         *  }
         *      }
         *
         *      public override void OnRecoverySave(XmlElement root)
         *      {
         *              base.OnRecoverySave(root);
         *
         *  lock (m_rules)
         *  {
         *      string list = "";
         *      foreach (WfpItem item in m_rules.Values)
         *      {
         *          foreach (ulong id in item.FirewallIds)
         *              list += id.ToString() + ";";
         *      }
         *      root.SetAttributeNode("ids", list);
         *  }
         * }
         */

        public void AddRule(string code, XmlElement xmlRule)
        {
            lock (m_rules)
            {
                if (m_rules.ContainsKey(code))
                {
                    throw new Exception("Unexpected: NetLock WFP rule '" + code + "' already exists");
                }
                WfpItem item = Wfp.AddItem(code, xmlRule);
                m_rules[code] = item;
            }
        }
Beispiel #4
0
        public override void OnRecovery()
        {
            base.OnRecovery();

            if (IsVistaOrNewer())
            {
                if (Wfp.ClearPendingRules())
                {
                    Engine.Instance.Logs.Log(LogType.Warning, Messages.WfpRecovery);
                }
            }
        }
Beispiel #5
0
        public override void AllowInterface(string id)
        {
            base.AllowInterface(id);

            AddRule("netlock_allow_interface_" + id + "_ipv4", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv4", id, "ipv4"));

            /*
             * // TOFIX: Must be enabled in future when IPv6 support is well tested.
             * // Remember: May fail at WFP side with a "Unknown interface" because network interface with IPv6 disabled have Ipv6IfIndex == 0.
             * if (Engine.Instance.Storage.GetLower("ipv6.mode") != "disable")
             *  AddRule("netlock_allow_interface_" + id + "_ipv6", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv6", id, "ipv6"));
             */
        }
Beispiel #6
0
        public override bool OnIpV6Do()
        {
            if (Engine.Instance.Storage.GetLower("ipv6.mode") == "disable")
            {
                if ((IsVistaOrNewer()) && (Engine.Instance.Storage.GetBool("windows.wfp")))
                {
                    XmlDocument xmlDocRule = new XmlDocument();
                    XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                    xmlRule.SetAttribute("name", "IPv6 - Block");
                    xmlRule.SetAttribute("layer", "ipv6");
                    xmlRule.SetAttribute("action", "block");
                    XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf1);
                    XmlIf1.SetAttribute("field", "ip_local_interface");
                    XmlIf1.SetAttribute("match", "not_equal");
                    XmlIf1.SetAttribute("interface", "loopback");
                    Wfp.AddItem("ipv6_block_all", xmlRule);

                    Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6DisabledWpf);
                }

                if (Engine.Instance.Storage.GetBool("windows.ipv6.os_disable"))
                {
                    // http://support.microsoft.com/kb/929852

                    m_oldIpV6 = Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", "");
                    if (Conversions.ToUInt32(m_oldIpV6, 0) == 0) // 0 is the Windows default if the key doesn't exist.
                    {
                        m_oldIpV6 = 0;
                    }

                    if (Conversions.ToUInt32(m_oldIpV6, 0) == 17) // Nothing to do
                    {
                        m_oldIpV6 = null;
                    }
                    else
                    {
                        UInt32 newValue = 17;
                        Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", newValue, RegistryValueKind.DWord);

                        Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6DisabledOs);

                        Recovery.Save();
                    }
                }

                base.OnIpV6Do();
            }

            return(true);
        }
Beispiel #7
0
 public void RemoveRule(string code)
 {
     lock (m_rules)
     {
         if (m_rules.ContainsKey(code) == false)
         {
             return;
         }
         //throw new Exception("Unexpected: NetLock WFP rule '" + code + "' doesn't exists");
         WfpItem item = m_rules[code];
         m_rules.Remove(code);
         Wfp.RemoveItem(item);
     }
 }
Beispiel #8
0
        public override bool OnDnsSwitchRestore()
        {
            DnsForceRestore();

            bool DnsPermitExists = false;

            DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_permit_openvpn");
            DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_permit_tap");
            DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_block_all");
            if (DnsPermitExists)
            {
                Engine.Instance.Logs.Log(LogType.Verbose, Messages.DnsLockDeactivatedWpf);
            }

            base.OnDnsSwitchRestore();

            return(true);
        }
Beispiel #9
0
        public override bool OnIpV6Restore()
        {
            if (m_oldIpV6 != null)
            {
                Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", m_oldIpV6, RegistryValueKind.DWord);
                m_oldIpV6 = null;

                Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6RestoredOs);
            }

            if (Wfp.RemoveItem("ipv6_block_all"))
            {
                Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6RestoredWpf);
            }

            base.OnIpV6Restore();

            return(true);
        }
Beispiel #10
0
        public override void Activation()
        {
            base.Activation();

            // Block All
            {
                XmlDocument xmlDocRule = new XmlDocument();
                XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                xmlRule.SetAttribute("name", "NetLock - Block All");
                xmlRule.SetAttribute("layer", "all");
                xmlRule.SetAttribute("action", "block");
                AddRule("netlock_block_all", xmlRule);
            }

            // Allow Eddie / OpenVPN / Stunnel / Plink
            AddRule("netlock_allow_eddie", Wfp.CreateItemAllowProgram("NetLock - Private - Allow Eddie", Platform.Instance.GetExecutablePath()));

            // Allow loopback
            {
                XmlDocument xmlDocRule = new XmlDocument();
                XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                xmlRule.SetAttribute("name", "NetLock - Allow loopback");
                xmlRule.SetAttribute("layer", "all");
                xmlRule.SetAttribute("action", "permit");
                XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                xmlRule.AppendChild(XmlIf1);
                XmlIf1.SetAttribute("field", "ip_local_interface");
                XmlIf1.SetAttribute("match", "equal");
                XmlIf1.SetAttribute("interface", "loopback");
                AddRule("netlock_allow_loopback", xmlRule);
            }

            if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
            {
                // Allow ICMP
                {
                    XmlDocument xmlDocRule = new XmlDocument();
                    XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                    xmlRule.SetAttribute("name", "NetLock - Allow ICMP");
                    xmlRule.SetAttribute("layer", "all");
                    xmlRule.SetAttribute("action", "permit");
                    XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf1);
                    XmlIf1.SetAttribute("field", "ip_protocol");
                    XmlIf1.SetAttribute("match", "equal");
                    XmlIf1.SetAttribute("protocol", "icmp");
                    AddRule("netlock_allow_icmp", xmlRule);
                }
            }

            if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
            {
                AddRule("netlock_allow_ipv4_local1", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 1 - IPv4", new IpAddressRange("192.168.0.0/255.255.0.0")));
                AddRule("netlock_allow_ipv4_local2", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 2 - IPv4", new IpAddressRange("172.16.0.0/255.240.0.0")));
                AddRule("netlock_allow_ipv4_local3", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 3 - IPv4", new IpAddressRange("10.0.0.0/255.0.0.0")));
                AddRule("netlock_allow_ipv4_multicast", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Multicast - IPv4", new IpAddressRange("224.0.0.0/255.255.255.0")));
                AddRule("netlock_allow_ipv4_ssdp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Simple Service Discovery Protocol address", new IpAddressRange("239.255.255.250/255.255.255.255")));
                AddRule("netlock_allow_ipv4_slp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Service Location Protocol", new IpAddressRange("239.255.255.253/255.255.255.255")));
            }

            // Without this, Windows stay in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'.
            {
                XmlDocument xmlDocRule = new XmlDocument();
                XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                xmlRule.SetAttribute("name", "NetLock - Allow ICMP");
                xmlRule.SetAttribute("layer", "all");
                xmlRule.SetAttribute("action", "permit");

                XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                xmlRule.AppendChild(XmlIf1);
                XmlIf1.SetAttribute("field", "ip_protocol");
                XmlIf1.SetAttribute("match", "equal");
                XmlIf1.SetAttribute("protocol", "udp");

                XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
                xmlRule.AppendChild(XmlIf2);
                XmlIf2.SetAttribute("field", "ip_local_port");
                XmlIf2.SetAttribute("match", "equal");
                XmlIf2.SetAttribute("port", "68");

                XmlElement XmlIf3 = xmlDocRule.CreateElement("if");
                xmlRule.AppendChild(XmlIf3);
                XmlIf3.SetAttribute("field", "ip_remote_port");
                XmlIf3.SetAttribute("match", "equal");
                XmlIf3.SetAttribute("port", "67");

                AddRule("netlock_allow_dhcp", xmlRule);
            }

            OnUpdateIps();
        }
Beispiel #11
0
        public override void AllowProgram(string path, string name, string guid)
        {
            base.AllowProgram(path, name, guid);

            AddRule("netlock_allow_program_" + guid, Wfp.CreateItemAllowProgram("NetLock - Program - Allow " + name, path));
        }
Beispiel #12
0
        public override bool OnDnsSwitchDo(string dns)
        {
            string[] dnsArray = dns.Split(',');

            if ((Engine.Instance.Storage.GetBool("windows.dns.lock")) && (IsVistaOrNewer()) && (Engine.Instance.Storage.GetBool("windows.wfp")))
            {
                // This is not required yet, but will be required in Eddie 3.
                {
                    XmlDocument xmlDocRule = new XmlDocument();
                    XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                    xmlRule.SetAttribute("name", "Dns - Allow port 53 of OpenVPN");
                    xmlRule.SetAttribute("layer", "all");
                    xmlRule.SetAttribute("action", "permit");
                    XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf1);
                    XmlIf1.SetAttribute("field", "ip_remote_port");
                    XmlIf1.SetAttribute("match", "equal");
                    XmlIf1.SetAttribute("port", "53");
                    XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf2);
                    XmlIf2.SetAttribute("field", "ale_app_id");
                    XmlIf2.SetAttribute("match", "equal");
                    XmlIf2.SetAttribute("path", Software.OpenVpnPath);
                    Wfp.AddItem("dns_permit_openvpn", xmlRule);
                }

                {
                    // TOFIX: Missing IPv6 equivalent. Must be done in future when IPv6 support is well tested.
                    // Remember: May fail at WFP side with a "Unknown interface" because network interface with IPv6 disabled have Ipv6IfIndex == 0.
                    XmlDocument xmlDocRule = new XmlDocument();
                    XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                    xmlRule.SetAttribute("name", "Dns - Allow port 53 on TAP - IPv4");
                    xmlRule.SetAttribute("layer", "ipv4");
                    xmlRule.SetAttribute("action", "permit");
                    XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf1);
                    XmlIf1.SetAttribute("field", "ip_remote_port");
                    XmlIf1.SetAttribute("match", "equal");
                    XmlIf1.SetAttribute("port", "53");
                    XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf2);
                    XmlIf2.SetAttribute("field", "ip_local_interface");
                    XmlIf2.SetAttribute("match", "equal");
                    XmlIf2.SetAttribute("interface", Engine.Instance.ConnectedVpnInterfaceId);
                    Wfp.AddItem("dns_permit_tap", xmlRule);
                }
                {
                    XmlDocument xmlDocRule = new XmlDocument();
                    XmlElement  xmlRule    = xmlDocRule.CreateElement("rule");
                    xmlRule.SetAttribute("name", "Dns - Block port 53");
                    xmlRule.SetAttribute("layer", "all");
                    xmlRule.SetAttribute("action", "block");
                    XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
                    xmlRule.AppendChild(XmlIf1);
                    XmlIf1.SetAttribute("field", "ip_remote_port");
                    XmlIf1.SetAttribute("match", "equal");
                    XmlIf1.SetAttribute("port", "53");
                    Wfp.AddItem("dns_block_all", xmlRule);
                }

                Engine.Instance.Logs.Log(LogType.Verbose, Messages.DnsLockActivatedWpf);
            }

            string mode = Engine.Instance.Storage.GetLower("dns.mode");

            if (mode == "auto")
            {
                try
                {
                    ManagementClass            objMC  = new ManagementClass("Win32_NetworkAdapterConfiguration");
                    ManagementObjectCollection objMOC = objMC.GetInstances();

                    foreach (ManagementObject objMO in objMOC)
                    {
                        /*
                         *                      if (!((bool)objMO["IPEnabled"]))
                         *                              continue;
                         */
                        string guid = objMO["SettingID"] as string;

                        bool skip = true;

                        if ((Engine.Instance.Storage.GetBool("windows.dns.lock")) && (Engine.Instance.Storage.GetBool("windows.dns.force_all_interfaces")))
                        {
                            skip = false;
                        }
                        if (guid == Engine.Instance.ConnectedVpnInterfaceId)
                        {
                            skip = false;
                        }

                        if (skip == false)
                        {
                            bool ipEnabled = (bool)objMO["IPEnabled"];

                            NetworkManagerDnsEntry entry = new NetworkManagerDnsEntry();

                            entry.Guid        = guid;
                            entry.Description = objMO["Description"] as string;
                            entry.Dns         = objMO["DNSServerSearchOrder"] as string[];

                            entry.AutoDns = ((Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" + entry.Guid, "NameServer", "") as string) == "");

                            if (entry.Dns == null)
                            {
                                continue;
                            }

                            if (entry.AutoDns == false) // Added 2.11
                            {
                                if (String.Join(",", entry.Dns) == dns)
                                {
                                    continue;
                                }
                            }

                            //string descFrom = (entry.AutoDns ? "Automatic" : String.Join(",", detectedDns));
                            string descFrom = (entry.AutoDns ? "automatic":"manual") + " (" + String.Join(",", entry.Dns) + ")";
                            Engine.Instance.Logs.Log(LogType.Verbose, Messages.Format(Messages.NetworkAdapterDnsDone, entry.Description, descFrom, dns));

                            ManagementBaseObject objSetDNSServerSearchOrder = objMO.GetMethodParameters("SetDNSServerSearchOrder");
                            objSetDNSServerSearchOrder["DNSServerSearchOrder"] = dnsArray;
                            objMO.InvokeMethod("SetDNSServerSearchOrder", objSetDNSServerSearchOrder, null);

                            m_listOldDns.Add(entry);
                        }
                    }
                }
                catch (Exception e)
                {
                    Engine.Instance.Logs.Log(e);
                }

                Recovery.Save();
            }

            base.OnDnsSwitchDo(dns);

            return(true);
        }