public void TestSingle()
{
using (var ctx = new Context())
{
int localPort = 80;
IPAddress remoteAddress = IPAddress.Parse("192.168.1.1");
int remotePort = 128;
int protocol = 6;
string record = $"X\tYes\tAllow\t{localPort}\t{remoteAddress}\t{remotePort}\t{protocol}";
WindowsFirewallRule rule = WindowsFirewallRuleParser.ParseRecord(
WindowsFirewallRuleParserTest.HeaderIndex,
record,
'\t');
var packetVars = new WindowsFirewallPacketVariables(ctx);
Solver s = ctx.MkSolver();
s.Assert(rule.Matches(ctx, packetVars));
Status result = s.Check();
Assert.AreEqual(Status.SATISFIABLE, result);
var packet = new WindowsFirewallPacket(s.Model);
Assert.AreEqual(remoteAddress, packet.SourceAddress);
Assert.AreEqual(remotePort, packet.SourcePort);
Assert.AreEqual(localPort, packet.DestinationPort);
Assert.AreEqual(protocol, packet.Protocol);
}
}
public override IEnumerable <CommandDTOBase?> Execute(string[] args)
{
// lists local firewall policies and rules
// by default, only "deny" result are output unless "-full" is passed
var directionArgs = new List <string>();
var protocolsArgs = new List <string>();
var actionArgs = new List <string>();
var profileArgs = new List <string>();
foreach (var arg in args)
{
if (arg.ToLower().Equals("allow"))
{
actionArgs.Add("Allow");
}
else if (arg.ToLower().Equals("deny") || arg.ToLower().Equals("block"))
{
actionArgs.Add("Block");
}
else if (arg.ToLower().Equals("tcp"))
{
protocolsArgs.Add("TCP");
}
else if (arg.ToLower().Equals("udp"))
{
protocolsArgs.Add("UDP");
}
else if (arg.ToLower().Equals("in"))
{
directionArgs.Add("In");
}
else if (arg.ToLower().Equals("out"))
{
directionArgs.Add("Out");
}
else if (arg.ToLower().Equals("domain"))
{
profileArgs.Add("Domain");
}
else if (arg.ToLower().Equals("private"))
{
profileArgs.Add("Private");
}
else if (arg.ToLower().Equals("public"))
{
profileArgs.Add("Public");
}
}
WriteHost(Runtime.FilterResults ? "Collecting Windows Firewall Non-standard Rules\n\n" : "Collecting all Windows Firewall Rules\n\n");
// Translates Windows protocol numbers to strings
var protocols = new Dictionary <string, string>()
{
{ "0", "HOPOPT" }, { "1", "ICMP" }, { "2", "IGMP" }, { "3", "GGP" }, { "4", "IPv4" }, { "5", "ST" }, { "6", "TCP" }, { "7", "CBT" }, { "8", "EGP" }, { "9", "IGP" }, { "10", "BBN-RCC-MON" }, { "11", "NVP-II" }, { "12", "PUP" }, { "13", "ARGUS" }, { "14", "EMCON" }, { "15", "XNET" }, { "16", "CHAOS" }, { "17", "UDP" }, { "18", "MUX" }, { "19", "DCN-MEAS" }, { "20", "HMP" }, { "21", "PRM" }, { "22", "XNS-IDP" }, { "23", "TRUNK-1" }, { "24", "TRUNK-2" }, { "25", "LEAF-1" }, { "26", "LEAF-2" }, { "27", "RDP" }, { "28", "IRTP" }, { "29", "ISO-TP4" }, { "30", "NETBLT" }, { "31", "MFE-NSP" }, { "32", "MERIT-INP" }, { "33", "DCCP" }, { "34", "3PC" }, { "35", "IDPR" }, { "36", "XTP" }, { "37", "DDP" }, { "38", "IDPR-CMTP" }, { "39", "TP++" }, { "40", "IL" }, { "41", "IPv6" }, { "42", "SDRP" }, { "43", "IPv6-Route" }, { "44", "IPv6-Frag" }, { "45", "IDRP" }, { "46", "RSVP" }, { "47", "GRE" }, { "48", "DSR" }, { "49", "BNA" }, { "50", "ESP" }, { "51", "AH" }, { "52", "I-NLSP" }, { "53", "SWIPE" }, { "54", "NARP" }, { "55", "MOBILE" }, { "56", "TLSP" }, { "57", "SKIP" }, { "58", "IPv6-ICMP" }, { "59", "IPv6-NoNxt" }, { "60", "IPv6-Opts" }, { "61", "any host" }, { "62", "CFTP" }, { "63", "any local" }, { "64", "SAT-EXPAK" }, { "65", "KRYPTOLAN" }, { "66", "RVD" }, { "67", "IPPC" }, { "68", "any distributed file system" }, { "69", "SAT-MON" }, { "70", "VISA" }, { "71", "IPCV" }, { "72", "CPNX" }, { "73", "CPHB" }, { "74", "WSN" }, { "75", "PVP" }, { "76", "BR-SAT-MON" }, { "77", "SUN-ND" }, { "78", "WB-MON" }, { "79", "WB-EXPAK" }, { "80", "ISO-IP" }, { "81", "VMTP" }, { "82", "SECURE-VMTP" }, { "83", "VINES" }, { "84", "TTP" }, { "85", "NSFNET-IGP" }, { "86", "DGP" }, { "87", "TCF" }, { "88", "EIGRP" }, { "89", "OSPFIGP" }, { "90", "Sprite-RPC" }, { "91", "LARP" }, { "92", "MTP" }, { "93", "AX.25" }, { "94", "IPIP" }, { "95", "MICP" }, { "96", "SCC-SP" }, { "97", "ETHERIP" }, { "98", "ENCAP" }, { "99", "any private encryption scheme" }, { "100", "GMTP" }, { "101", "IFMP" }, { "102", "PNNI" }, { "103", "PIM" }, { "104", "ARIS" }, { "105", "SCPS" }, { "106", "QNX" }, { "107", "A/N" }, { "108", "IPComp" }, { "109", "SNP" }, { "110", "Compaq-Peer" }, { "111", "IPX-in-IP" }, { "112", "VRRP" }, { "113", "PGM" }, { "114", "0-hop" }, { "115", "L2TP" }, { "116", "DDX" }, { "117", "IATP" }, { "118", "STP" }, { "119", "SRP" }, { "120", "UTI" }, { "121", "SMP" }, { "122", "SM" }, { "123", "PTP" }, { "124", "ISIS" }, { "125", "FIRE" }, { "126", "CRTP" }, { "127", "CRUDP" }, { "128", "SSCOPMCE" }, { "129", "IPLT" }, { "130", "SPS" }, { "131", "PIPE" }, { "132", "SCTP" }, { "133", "FC" }, { "134", "RSVP-E2E-IGNORE" }, { "135", "Mobility" }, { "136", "UDPLite" }, { "137", "MPLS-in-IP" }, { "138", "manet" }, { "139", "HIP" }, { "140", "Shim6" }, { "141", "WESP" }, { "142", "ROHC" }, { "143", "Unassigned" }, { "253", "Experimentation" }, { "254", "Experimentation" }, { "255", "Reserved" }
};
// base locations to search
// omitted - @"SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
string[] ruleLocations = { @"SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" };
foreach (var ruleLocation in ruleLocations)
{
var FirewallRules = ThisRunTime.GetValues(RegistryHive.LocalMachine, String.Format("{0}\\FirewallRules", ruleLocation));
if (FirewallRules != null)
{
var output = new WindowsFirewallDTO(ruleLocation);
var DomainProfileEnabled = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\DomainProfile", ruleLocation), "EnableFirewall");
if (DomainProfileEnabled != null)
{
output.Domain.Present = true;
var DomainProfileInboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\DomainProfile", ruleLocation), "DefaultInboundAction");
var DomainProfileOutboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\DomainProfile", ruleLocation), "DefaultOutboundAction");
var DomainProfileDisableNotifications = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\DomainProfile", ruleLocation), "DisableNotifications");
output.Domain.Enabled = DomainProfileEnabled == 1;
if (DomainProfileEnabled != null)
{
if (DomainProfileDisableNotifications != null)
{
output.Domain.DisableNotifications = DomainProfileDisableNotifications == 1;
}
if (DomainProfileInboundAction != null)
{
output.Domain.DefaultInboundAction = (FirewallAction)DomainProfileInboundAction;
}
if (DomainProfileOutboundAction != null)
{
output.Domain.DefaultOutboundAction = (FirewallAction)DomainProfileOutboundAction;
}
}
}
var PublicProfileEnabled = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PublicProfile", ruleLocation), "EnableFirewall");
if (PublicProfileEnabled != null)
{
output.Public.Present = true;
var PublicProfileInboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PublicProfile", ruleLocation), "DefaultInboundAction");
var PublicProfileOutboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PublicProfile", ruleLocation), "DefaultOutboundAction");
var PublicProfileDisableNotifications = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PublicProfile", ruleLocation), "DisableNotifications");
output.Public.Enabled = PublicProfileEnabled == 1;
if (PublicProfileDisableNotifications != null)
{
output.Public.DisableNotifications = PublicProfileDisableNotifications == 1;
}
if (PublicProfileInboundAction != null)
{
output.Public.DefaultInboundAction = (FirewallAction)PublicProfileInboundAction;
}
if (PublicProfileOutboundAction != null)
{
output.Public.DefaultOutboundAction = (FirewallAction)PublicProfileOutboundAction;
}
}
var PrivateProfileEnabled = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PrivateProfile", ruleLocation), "EnableFirewall");
if (PrivateProfileEnabled != null)
{
output.Private.Present = true;
var PrivateProfileInboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PrivateProfile", ruleLocation), "DefaultInboundAction");
var PrivateProfileOutboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PrivateProfile", ruleLocation), "DefaultOutboundAction");
var PrivateProfileDisableNotifications = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\PrivateProfile", ruleLocation), "DisableNotifications");
output.Private.Enabled = PrivateProfileEnabled == 1;
if (PrivateProfileDisableNotifications != null)
{
output.Private.DisableNotifications = PrivateProfileDisableNotifications == 1;
}
if (PrivateProfileInboundAction != null)
{
output.Private.DefaultInboundAction = (FirewallAction)PrivateProfileInboundAction;
}
if (PrivateProfileOutboundAction != null)
{
output.Private.DefaultOutboundAction = (FirewallAction)PrivateProfileOutboundAction;
}
}
var StandardProfileEnabled = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\StandardProfile", ruleLocation), "EnableFirewall");
if (StandardProfileEnabled != null)
{
output.Standard.Present = true;
var StandardProfileInboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\StandardProfile", ruleLocation), "DefaultInboundAction");
var StandardProfileOutboundAction = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\StandardProfile", ruleLocation), "DefaultOutboundAction");
var StandardProfileDisableNotifications = ThisRunTime.GetDwordValue(RegistryHive.LocalMachine, String.Format("{0}\\StandardProfile", ruleLocation), "DisableNotifications");
output.Standard.Enabled = StandardProfileEnabled == 1;
if (StandardProfileDisableNotifications != null)
{
output.Standard.DisableNotifications = StandardProfileDisableNotifications == 1;
}
if (StandardProfileInboundAction != null)
{
output.Standard.DefaultInboundAction = (FirewallAction)StandardProfileInboundAction;
}
if (StandardProfileOutboundAction != null)
{
output.Standard.DefaultOutboundAction = (FirewallAction)StandardProfileOutboundAction;
}
}
foreach (var kvp in FirewallRules)
{
var rule = new WindowsFirewallRule();
var props = ((string)kvp.Value).Split('|');
foreach (var prop in props)
{
var onv = prop.Split('=');
// The first argument is the version number, which doesn't have a value. That number should not be parsed
if (onv.Length == 1)
{
continue;
}
string key = onv[0], value = onv[1];
switch (onv[0])
{
case "Action":
rule.Action = value;
break;
case "Active":
break;
case "Dir":
rule.Direction = value;
break;
case "Protocol":
rule.Protocol = protocols[value];
break;
case "Name":
rule.Name = value;
break;
case "Desc":
rule.Description = value;
break;
case "App":
rule.ApplicationName = value;
break;
case "Profile":
rule.Profiles = value;
break;
case "RPort":
rule.RemotePorts = value;
break;
case "LPort":
rule.LocalPorts = value;
break;
case "RA4":
rule.RemoteAddresses = value;
break;
case "LA4":
rule.LocalAddresses = value;
break;
}
}
if (
!Runtime.FilterResults ||
(
(
((actionArgs.Count == 0 && protocolsArgs.Count == 0 && directionArgs.Count == 0 && profileArgs.Count == 0) &&
!rule.Name.StartsWith("@") &&
!rule.Name.Equals("Shell Input Application") &&
rule.Action.Equals("Block"))
) ||
(
(actionArgs.Contains("Allow") && (rule.Action == "Allow")) ||
(actionArgs.Contains("Block") && (rule.Action == "Block")) ||
(protocolsArgs.Contains("TCP") && (rule.Protocol == "TCP")) ||
(protocolsArgs.Contains("UDP") && (rule.Protocol == "UDP")) ||
(directionArgs.Contains("In") && (rule.Direction == "In")) ||
(directionArgs.Contains("Out") && (rule.Direction == "Out")) ||
(profileArgs.Contains("Domain") && (rule.Profiles.Trim() == "Domain")) ||
(profileArgs.Contains("Private") && (rule.Profiles.Trim() == "Private")) ||
(profileArgs.Contains("Public") && (rule.Profiles.Trim() == "Public"))
)
)
)
{
output.Rules.Add(rule);
}
}
yield return(output);
}
}
}
