public override void OnDeInit()
{
base.OnDeInit();
if (IsVistaOrNewer())
{
Wfp.Stop();
}
}
public void RemoveAllRules()
{
lock (m_rules)
{
foreach (WfpItem item in m_rules.Values)
{
Wfp.RemoveItem(item);
}
m_rules.Clear();
}
}
/*
* public override void OnRecoveryLoad(XmlElement root)
* {
* base.OnRecoveryLoad(root);
*
* if (root.HasAttribute("ids"))
* {
* string list = root.GetAttribute("ids");
* string[] ids = list.Split(';');
* foreach(string id in ids)
* {
* ulong nid;
* if(ulong.TryParse(id, out nid))
* Wfp.RemoveItemId(nid);
* }
* }
* }
*
* public override void OnRecoverySave(XmlElement root)
* {
* base.OnRecoverySave(root);
*
* lock (m_rules)
* {
* string list = "";
* foreach (WfpItem item in m_rules.Values)
* {
* foreach (ulong id in item.FirewallIds)
* list += id.ToString() + ";";
* }
* root.SetAttributeNode("ids", list);
* }
* }
*/
public void AddRule(string code, XmlElement xmlRule)
{
lock (m_rules)
{
if (m_rules.ContainsKey(code))
{
throw new Exception("Unexpected: NetLock WFP rule '" + code + "' already exists");
}
WfpItem item = Wfp.AddItem(code, xmlRule);
m_rules[code] = item;
}
}
public override void OnRecovery()
{
base.OnRecovery();
if (IsVistaOrNewer())
{
if (Wfp.ClearPendingRules())
{
Engine.Instance.Logs.Log(LogType.Warning, Messages.WfpRecovery);
}
}
}
public override void AllowInterface(string id)
{
base.AllowInterface(id);
AddRule("netlock_allow_interface_" + id + "_ipv4", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv4", id, "ipv4"));
/*
* // TOFIX: Must be enabled in future when IPv6 support is well tested.
* // Remember: May fail at WFP side with a "Unknown interface" because network interface with IPv6 disabled have Ipv6IfIndex == 0.
* if (Engine.Instance.Storage.GetLower("ipv6.mode") != "disable")
* AddRule("netlock_allow_interface_" + id + "_ipv6", Wfp.CreateItemAllowInterface("NetLock - Interface - Allow " + id + " - IPv6", id, "ipv6"));
*/
}
public override bool OnIpV6Do()
{
if (Engine.Instance.Storage.GetLower("ipv6.mode") == "disable")
{
if ((IsVistaOrNewer()) && (Engine.Instance.Storage.GetBool("windows.wfp")))
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "IPv6 - Block");
xmlRule.SetAttribute("layer", "ipv6");
xmlRule.SetAttribute("action", "block");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_local_interface");
XmlIf1.SetAttribute("match", "not_equal");
XmlIf1.SetAttribute("interface", "loopback");
Wfp.AddItem("ipv6_block_all", xmlRule);
Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6DisabledWpf);
}
if (Engine.Instance.Storage.GetBool("windows.ipv6.os_disable"))
{
// http://support.microsoft.com/kb/929852
m_oldIpV6 = Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", "");
if (Conversions.ToUInt32(m_oldIpV6, 0) == 0) // 0 is the Windows default if the key doesn't exist.
{
m_oldIpV6 = 0;
}
if (Conversions.ToUInt32(m_oldIpV6, 0) == 17) // Nothing to do
{
m_oldIpV6 = null;
}
else
{
UInt32 newValue = 17;
Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", newValue, RegistryValueKind.DWord);
Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6DisabledOs);
Recovery.Save();
}
}
base.OnIpV6Do();
}
return(true);
}
public void RemoveRule(string code)
{
lock (m_rules)
{
if (m_rules.ContainsKey(code) == false)
{
return;
}
//throw new Exception("Unexpected: NetLock WFP rule '" + code + "' doesn't exists");
WfpItem item = m_rules[code];
m_rules.Remove(code);
Wfp.RemoveItem(item);
}
}
public override bool OnDnsSwitchRestore()
{
DnsForceRestore();
bool DnsPermitExists = false;
DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_permit_openvpn");
DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_permit_tap");
DnsPermitExists = DnsPermitExists | Wfp.RemoveItem("dns_block_all");
if (DnsPermitExists)
{
Engine.Instance.Logs.Log(LogType.Verbose, Messages.DnsLockDeactivatedWpf);
}
base.OnDnsSwitchRestore();
return(true);
}
public override bool OnIpV6Restore()
{
if (m_oldIpV6 != null)
{
Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TCPIP6\\Parameters", "DisabledComponents", m_oldIpV6, RegistryValueKind.DWord);
m_oldIpV6 = null;
Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6RestoredOs);
}
if (Wfp.RemoveItem("ipv6_block_all"))
{
Engine.Instance.Logs.Log(LogType.Verbose, Messages.IpV6RestoredWpf);
}
base.OnIpV6Restore();
return(true);
}
public override void Activation()
{
base.Activation();
// Block All
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Block All");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "block");
AddRule("netlock_block_all", xmlRule);
}
// Allow Eddie / OpenVPN / Stunnel / Plink
AddRule("netlock_allow_eddie", Wfp.CreateItemAllowProgram("NetLock - Private - Allow Eddie", Platform.Instance.GetExecutablePath()));
// Allow loopback
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow loopback");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_local_interface");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("interface", "loopback");
AddRule("netlock_allow_loopback", xmlRule);
}
if (Engine.Instance.Storage.GetBool("netlock.allow_ping") == true)
{
// Allow ICMP
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow ICMP");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_protocol");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("protocol", "icmp");
AddRule("netlock_allow_icmp", xmlRule);
}
}
if (Engine.Instance.Storage.GetBool("netlock.allow_private") == true)
{
AddRule("netlock_allow_ipv4_local1", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 1 - IPv4", new IpAddressRange("192.168.0.0/255.255.0.0")));
AddRule("netlock_allow_ipv4_local2", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 2 - IPv4", new IpAddressRange("172.16.0.0/255.240.0.0")));
AddRule("netlock_allow_ipv4_local3", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Local Subnet 3 - IPv4", new IpAddressRange("10.0.0.0/255.0.0.0")));
AddRule("netlock_allow_ipv4_multicast", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Multicast - IPv4", new IpAddressRange("224.0.0.0/255.255.255.0")));
AddRule("netlock_allow_ipv4_ssdp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Simple Service Discovery Protocol address", new IpAddressRange("239.255.255.250/255.255.255.255")));
AddRule("netlock_allow_ipv4_slp", Wfp.CreateItemAllowAddress("NetLock - Private - Allow Service Location Protocol", new IpAddressRange("239.255.255.253/255.255.255.255")));
}
// Without this, Windows stay in 'Identifying network...' and OpenVPN in 'Waiting TUN to come up'.
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "NetLock - Allow ICMP");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_protocol");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("protocol", "udp");
XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf2);
XmlIf2.SetAttribute("field", "ip_local_port");
XmlIf2.SetAttribute("match", "equal");
XmlIf2.SetAttribute("port", "68");
XmlElement XmlIf3 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf3);
XmlIf3.SetAttribute("field", "ip_remote_port");
XmlIf3.SetAttribute("match", "equal");
XmlIf3.SetAttribute("port", "67");
AddRule("netlock_allow_dhcp", xmlRule);
}
OnUpdateIps();
}
public override void AllowProgram(string path, string name, string guid)
{
base.AllowProgram(path, name, guid);
AddRule("netlock_allow_program_" + guid, Wfp.CreateItemAllowProgram("NetLock - Program - Allow " + name, path));
}
public override bool OnDnsSwitchDo(string dns)
{
string[] dnsArray = dns.Split(',');
if ((Engine.Instance.Storage.GetBool("windows.dns.lock")) && (IsVistaOrNewer()) && (Engine.Instance.Storage.GetBool("windows.wfp")))
{
// This is not required yet, but will be required in Eddie 3.
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "Dns - Allow port 53 of OpenVPN");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_remote_port");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("port", "53");
XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf2);
XmlIf2.SetAttribute("field", "ale_app_id");
XmlIf2.SetAttribute("match", "equal");
XmlIf2.SetAttribute("path", Software.OpenVpnPath);
Wfp.AddItem("dns_permit_openvpn", xmlRule);
}
{
// TOFIX: Missing IPv6 equivalent. Must be done in future when IPv6 support is well tested.
// Remember: May fail at WFP side with a "Unknown interface" because network interface with IPv6 disabled have Ipv6IfIndex == 0.
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "Dns - Allow port 53 on TAP - IPv4");
xmlRule.SetAttribute("layer", "ipv4");
xmlRule.SetAttribute("action", "permit");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_remote_port");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("port", "53");
XmlElement XmlIf2 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf2);
XmlIf2.SetAttribute("field", "ip_local_interface");
XmlIf2.SetAttribute("match", "equal");
XmlIf2.SetAttribute("interface", Engine.Instance.ConnectedVpnInterfaceId);
Wfp.AddItem("dns_permit_tap", xmlRule);
}
{
XmlDocument xmlDocRule = new XmlDocument();
XmlElement xmlRule = xmlDocRule.CreateElement("rule");
xmlRule.SetAttribute("name", "Dns - Block port 53");
xmlRule.SetAttribute("layer", "all");
xmlRule.SetAttribute("action", "block");
XmlElement XmlIf1 = xmlDocRule.CreateElement("if");
xmlRule.AppendChild(XmlIf1);
XmlIf1.SetAttribute("field", "ip_remote_port");
XmlIf1.SetAttribute("match", "equal");
XmlIf1.SetAttribute("port", "53");
Wfp.AddItem("dns_block_all", xmlRule);
}
Engine.Instance.Logs.Log(LogType.Verbose, Messages.DnsLockActivatedWpf);
}
string mode = Engine.Instance.Storage.GetLower("dns.mode");
if (mode == "auto")
{
try
{
ManagementClass objMC = new ManagementClass("Win32_NetworkAdapterConfiguration");
ManagementObjectCollection objMOC = objMC.GetInstances();
foreach (ManagementObject objMO in objMOC)
{
/*
* if (!((bool)objMO["IPEnabled"]))
* continue;
*/
string guid = objMO["SettingID"] as string;
bool skip = true;
if ((Engine.Instance.Storage.GetBool("windows.dns.lock")) && (Engine.Instance.Storage.GetBool("windows.dns.force_all_interfaces")))
{
skip = false;
}
if (guid == Engine.Instance.ConnectedVpnInterfaceId)
{
skip = false;
}
if (skip == false)
{
bool ipEnabled = (bool)objMO["IPEnabled"];
NetworkManagerDnsEntry entry = new NetworkManagerDnsEntry();
entry.Guid = guid;
entry.Description = objMO["Description"] as string;
entry.Dns = objMO["DNSServerSearchOrder"] as string[];
entry.AutoDns = ((Registry.GetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" + entry.Guid, "NameServer", "") as string) == "");
if (entry.Dns == null)
{
continue;
}
if (entry.AutoDns == false) // Added 2.11
{
if (String.Join(",", entry.Dns) == dns)
{
continue;
}
}
//string descFrom = (entry.AutoDns ? "Automatic" : String.Join(",", detectedDns));
string descFrom = (entry.AutoDns ? "automatic":"manual") + " (" + String.Join(",", entry.Dns) + ")";
Engine.Instance.Logs.Log(LogType.Verbose, Messages.Format(Messages.NetworkAdapterDnsDone, entry.Description, descFrom, dns));
ManagementBaseObject objSetDNSServerSearchOrder = objMO.GetMethodParameters("SetDNSServerSearchOrder");
objSetDNSServerSearchOrder["DNSServerSearchOrder"] = dnsArray;
objMO.InvokeMethod("SetDNSServerSearchOrder", objSetDNSServerSearchOrder, null);
m_listOldDns.Add(entry);
}
}
}
catch (Exception e)
{
Engine.Instance.Logs.Log(e);
}
Recovery.Save();
}
base.OnDnsSwitchDo(dns);
return(true);
}