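        /// <summary>
        /// Builds the Network Lock rule set for the WFP backend from the
        /// "netlock.*" options and hands every rule to <c>AddRule</c>.
        /// Each rule is an <c>&lt;rule name layer action&gt;</c> element with
        /// zero or more <c>&lt;if&gt;</c> conditions; precedence between the
        /// block and permit rules is not decided by statement order here but by
        /// whatever <c>AddRule</c>/<c>Wfp</c> do with the layer (not visible in this file).
        /// </summary>
        /// <remarks>
        /// Fail-closed: the "Block All" rules are installed unless the option is
        /// explicitly "allow". Previously they were installed only when the option
        /// was exactly "block", so any other value left traffic unfiltered; the
        /// netsh backend already treats anything other than "allow" as block, so
        /// the two backends now agree.
        /// </remarks>
        public override void Activation()
        {
            base.Activation();

            // Block All (default deny). Only an explicit "allow" skips the rule.
            if (Engine.Instance.Storage.Get("netlock.incoming") != "allow")
            {
                AddRule("netlock_in_block_all", CreateNetLockRule("NetLock - In - Block All", "all-in", "block"));
            }
            if (Engine.Instance.Storage.Get("netlock.outgoing") != "allow")
            {
                AddRule("netlock_out_block_all", CreateNetLockRule("NetLock - Out - Block All", "all-out", "block"));
            }

            // Allow Eddie itself, by executable path as reported by the platform layer.
            AddRule("netlock_allow_eddie", Wfp.CreateItemAllowProgram("NetLock - Allow Eddie", Platform.Instance.GetExecutablePath()));

            // Allow the Tor binary only when Tor is the configured proxy and its path is known.
            if (Engine.Instance.Storage.GetLower("proxy.mode") == "tor")
            {
                string torPath = TorControl.GetTorExecutablePath();
                if (torPath != "")
                {
                    AddRule("netlock_allow_tor", Wfp.CreateItemAllowProgram("NetLock - Allow Tor", torPath));
                }
            }

            // Allow loopback in both directions so local IPC keeps working under the lock.
            {
                XmlElement loopbackRule = CreateNetLockRule("NetLock - Allow loopback", "all", "permit");
                AddNetLockCondition(loopbackRule, "ip_local_interface", "interface", "loopback");
                AddRule("netlock_allow_loopback", loopbackRule);
            }

            if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
            {
                // Allow ICMP: any ICMP type, any remote address, both directions.
                // NOTE(review): opt-in, but while enabled this is a deliberate hole in the
                // lock — any process may reach any host over ICMP outside the tunnel.
                XmlElement icmpRule = CreateNetLockRule("NetLock - Allow ICMP", "all", "permit");
                AddNetLockCondition(icmpRule, "ip_protocol", "protocol", "icmp");
                AddRule("netlock_allow_icmp", icmpRule);
            }

            if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
            {
                // Opt-in LAN access: the three RFC 1918 ranges, the 224.0.0.0/24 local-control
                // multicast block, and the SSDP / SLP discovery addresses. These are address-only
                // rules (no interface or program constraint), so traffic to these ranges bypasses
                // the tunnel on any adapter while the option is on.
                AddRule("netlock_allow_ipv4_local1", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 1 - IPv4", new IpAddress("192.168.0.0/255.255.0.0")));
                AddRule("netlock_allow_ipv4_local2", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 2 - IPv4", new IpAddress("172.16.0.0/255.240.0.0")));
                AddRule("netlock_allow_ipv4_local3", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 3 - IPv4", new IpAddress("10.0.0.0/255.0.0.0")));
                AddRule("netlock_allow_ipv4_multicast", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Multicast - IPv4", new IpAddress("224.0.0.0/255.255.255.0")));
                AddRule("netlock_allow_ipv4_ssdp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Simple Service Discovery Protocol address", new IpAddress("239.255.255.250/255.255.255.255")));
                AddRule("netlock_allow_ipv4_slp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Service Location Protocol", new IpAddress("239.255.255.253/255.255.255.255")));
            }

            // Without this, Windows stays in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'. // Note 2018: doesn't seem to occur on Win10?
            if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
            {
                // Allow DHCP: UDP, local port 68, remote port 67, both directions.
                // NOTE(review): unlike the netsh backend's DHCP rule, this one is not bound to
                // the DHCP client (svchost/dhcp) nor to a remote address, so any process that
                // binds UDP/68 can talk to UDP/67 on any host while the lock is active. Worth
                // tightening if the WFP rule schema supports a program/app-id condition.
                XmlElement dhcpRule = CreateNetLockRule("NetLock - Allow DHCP", "all", "permit");
                AddNetLockCondition(dhcpRule, "ip_protocol", "protocol", "udp");
                AddNetLockCondition(dhcpRule, "ip_local_port", "port", "68");
                AddNetLockCondition(dhcpRule, "ip_remote_port", "port", "67");
                AddRule("netlock_allow_dhcp", dhcpRule);
            }

            OnUpdateIps();
        }

        /// <summary>
        /// Creates a new <c>&lt;rule&gt;</c> element in its own <see cref="XmlDocument"/>
        /// carrying the <c>name</c>, <c>layer</c> and <c>action</c> attributes — the
        /// exact shape the inline XML construction in this method used to build.
        /// </summary>
        /// <param name="name">Human-readable rule name (the <c>name</c> attribute).</param>
        /// <param name="layer">Rule layer, e.g. "all", "all-in", "all-out".</param>
        /// <param name="action">"block" or "permit".</param>
        /// <returns>The detached <c>&lt;rule&gt;</c> element.</returns>
        private static XmlElement CreateNetLockRule(string name, string layer, string action)
        {
            XmlDocument doc = new XmlDocument();
            XmlElement rule = doc.CreateElement("rule");
            rule.SetAttribute("name", name);
            rule.SetAttribute("layer", layer);
            rule.SetAttribute("action", action);
            return rule;
        }

        /// <summary>
        /// Appends an <c>&lt;if field="..." match="equal" ...&gt;</c> condition to
        /// <paramref name="rule"/>. The element is created from the rule's own document
        /// and appended before its attributes are set, as the original inline code did.
        /// </summary>
        /// <param name="rule">Rule element to extend.</param>
        /// <param name="field">WFP field name, e.g. "ip_protocol", "ip_local_port".</param>
        /// <param name="valueAttribute">Attribute holding the compared value ("interface", "protocol" or "port").</param>
        /// <param name="value">The value to compare against.</param>
        private static void AddNetLockCondition(XmlElement rule, string field, string valueAttribute, string value)
        {
            XmlElement condition = rule.OwnerDocument.CreateElement("if");
            rule.AppendChild(condition);
            condition.SetAttribute("field", field);
            condition.SetAttribute("match", "equal");
            condition.SetAttribute(valueAttribute, value);
        }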
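        /// <summary>
        /// Activates Network Lock through the legacy Windows Firewall backend
        /// (<c>netsh advfirewall</c>): ensures the MpsSvc service is running, exports the
        /// current rule set as a backup, deletes every existing rule, installs Eddie's own
        /// allow rules and finally sets the per-profile default policy. Any failure rolls
        /// back through <c>Deactivation()</c> and is re-thrown.
        /// </summary>
        /// <exception cref="Exception">
        /// Thrown when the firewall service cannot be started, when the session backup
        /// was not written, or when any later step fails. The message is the original
        /// one; the original exception is kept as <c>InnerException</c> for diagnostics.
        /// </exception>
        public override void Activation()
        {
            base.Activation();

            try
            {
                // The Windows Firewall service (MpsSvc) must be running for netsh advfirewall to work.
                // m_serviceStatus records whether it was already running before we touched it.
                {
                    ServiceController service = null;
                    try
                    {
                        service         = new ServiceController("MpsSvc");
                        m_serviceStatus = (service.Status == ServiceControllerStatus.Running);
                        if (m_serviceStatus == false)
                        {
                            TimeSpan timeout = TimeSpan.FromMilliseconds(10000);
                            service.Start();
                            service.WaitForStatus(ServiceControllerStatus.Running, timeout);
                        }
                    }
                    catch (Exception e)
                    {
                        // NOTE(review): matching on the message text is fragile (locale-dependent),
                        // but it is the only signal here that the service is missing or unstartable.
                        if (e.Message.Contains("MpsSvc"))
                        {
                            throw new Exception(LanguageManager.GetText("NetworkLockWindowsFirewallUnableToStartService"), e);
                        }
                        // 'throw;' preserves the original stack trace; 'throw e;' would reset it.
                        throw;
                    }
                    finally
                    {
                        if (service != null)
                        {
                            service.Dispose();
                        }
                    }
                }

                // First-time backup ('winfirewall_rules_original.wfw'): taken once and kept in the
                // data directory so it survives later sessions. It is only written if missing and is
                // not verified here — the per-session backup below is the one that must succeed.
                string rulesBackupFirstTime = Engine.Instance.GetPathInData("winfirewall_rules_original.wfw");
                if (Platform.Instance.FileExists(rulesBackupFirstTime) == false)
                {
                    NetShAdvFirewall("export \"" + SystemShell.EscapePath(rulesBackupFirstTime) + "\"");
                }

                // Per-session backup of the user's current rules. Everything after this point is
                // destructive ("delete rule name=all"), so refuse to continue if the export did not land.
                string rulesBackupSession = Engine.Instance.GetPathInData("winfirewall_rules_backup.wfw");
                if (Platform.Instance.FileExists(rulesBackupSession))
                {
                    Platform.Instance.FileDelete(rulesBackupSession);
                }
                NetShAdvFirewall("export \"" + SystemShell.EscapePath(rulesBackupSession) + "\"");
                if (Platform.Instance.FileExists(rulesBackupSession) == false)
                {
                    throw new Exception(LanguageManager.GetText("NetworkLockWindowsFirewallBackupFailed"));
                }

                // Refresh profile state, then switch on every profile that is off: the lock relies
                // on the per-profile default policy set at the end of this method.
                foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
                {
                    profile.Fetch();
                }

                foreach (NetworkLockWindowsFirewallProfile profile in Profiles)
                {
                    if (profile.State == false)
                    {
                        profile.StateOn();
                    }

                    // Per-profile NotifyOff() was commented out in the original; the global
                    // netsh setting below presumably covers it.
                }

                // Disable "blocked program" pop-ups for all profiles.
                NetShAdvFirewall("set allprofiles settings inboundusernotification disable");

                // Wipe every existing rule; only Eddie's allow rules plus the default policy remain
                // until Deactivation restores the backup.
                NetShAdvFirewall("firewall delete rule name=all");

                // Windows Firewall doesn't match program rules on a logical path (one containing a hardlink), hence the physical path.
                NetShAdvFirewall("firewall add rule name=\"Eddie - Out - Program Eddie\" dir=out action=allow program=\"" + SystemShell.EscapePath(Platform.Instance.FileGetPhysicalPath(Platform.Instance.GetExecutablePath())) + "\" enable=yes");

                // Allow the Tor binary only when Tor is the configured proxy and its path is known.
                if (Engine.Instance.Storage.GetLower("proxy.mode") == "tor")
                {
                    string path = TorControl.GetTorExecutablePath();
                    if (path != "")
                    {
                        NetShAdvFirewall("firewall add rule name=\"Eddie - Out - Program Tor\" dir=out action=allow program=\"" + SystemShell.EscapePath(Platform.Instance.FileGetPhysicalPath(path)) + "\" enable=yes");
                    }
                }

                // Adding rules is slow, so the curl rule is added only when the internal URL fetcher is unavailable.
                if (Platform.Instance.FetchUrlInternal() == false)
                {
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - Program curl\" dir=out action=allow program=\"" + SystemShell.EscapePath(Platform.Instance.FileGetPhysicalPath(Software.GetTool("curl").Path)) + "\" enable=yes");
                }

                if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
                {
                    // ICMP echo request (type 8) in and out, IPv4 and IPv6, for any program and any remote address.
                    NetShAdvFirewall("firewall add rule name=\"Eddie - In - ICMP IPv4\" dir=in action=allow protocol=icmpv4:8,any");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - In - ICMP IPv6\" dir=in action=allow protocol=icmpv6:8,any");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - ICMP IPv4\" dir=out action=allow protocol=icmpv4:8,any");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - ICMP IPv6\" dir=out action=allow protocol=icmpv6:8,any");
                }

                // Exec("netsh advfirewall firewall add rule name=\"Eddie - IPv6 Block - Low\" dir=out remoteip=0000::/1 action=allow");
                // Exec("netsh advfirewall firewall add rule name=\"Eddie - IPv6 Block - High\" dir=out remoteip=8000::/1 action=allow");

                if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
                {
                    // Opt-in LAN access via the LocalSubnet keyword (both directions), plus outbound to the
                    // 224.0.0.0/24 local-control multicast block and the SSDP / SLP discovery addresses.
                    NetShAdvFirewall("firewall add rule name=\"Eddie - In - AllowLocal\" dir=in action=allow remoteip=LocalSubnet");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - AllowLocal\" dir=out action=allow remoteip=LocalSubnet");

                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - AllowMulticast\" dir=out action=allow remoteip=224.0.0.0/24");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - AllowSimpleServiceDiscoveryProtocol\" dir=out action=allow remoteip=239.255.255.250/32");
                    NetShAdvFirewall("firewall add rule name=\"Eddie - Out - ServiceLocationProtocol\" dir=out action=allow remoteip=239.255.255.253/32");
                }

                // VPN traffic is matched by local address only: anything with a 10.x.x.x local IP is allowed
                // in both directions. This is not optimal — it may also allow LAN traffic (and if the LAN itself
                // uses 10/8, the lock is effectively bypassed on that adapter) — but interfacetype=ras doesn't
                // work and this WinFirewall backend is slated for deprecation.
                NetShAdvFirewall("firewall add rule name=\"Eddie - In - AllowVPN\" dir=in action=allow localip=10.0.0.0/8");
                NetShAdvFirewall("firewall add rule name=\"Eddie - Out - AllowVPN\" dir=out action=allow localip=10.0.0.0/8");

                // Without this, Windows stays in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'.
                // Scoped to the DHCP client service inside svchost, UDP 68 -> 67, outbound only.
                NetShAdvFirewall("firewall add rule name=\"Eddie - Out - DHCP\" dir=out action=allow protocol=UDP localport=68 remoteport=67 program=\"%SystemRoot%\\system32\\svchost.exe\" service=\"dhcp\"");

                // Default policy for all profiles. Fail-closed: anything other than an explicit
                // "allow" in the option is treated as block.
                string cmd = "set allprofiles firewallpolicy ";
                cmd += (Engine.Instance.Storage.Get("netlock.incoming") == "allow") ? "allowinbound" : "blockinbound";
                cmd += ",";
                cmd += (Engine.Instance.Storage.Get("netlock.outgoing") == "allow") ? "allowoutbound" : "blockoutbound";
                NetShAdvFirewall(cmd);

                m_activated = true;                 // To avoid OnUpdateIps before this moment

                OnUpdateIps();
            }
            catch (Exception ex)
            {
                // Roll back whatever was applied, then surface the same message to the caller,
                // keeping the original exception as InnerException for diagnostics.
                Deactivation();
                throw new Exception(ex.Message, ex);
            }
        }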