public FirewallRule Clone()
{
FirewallRule rule = new FirewallRule(mID);
rule.Name = Name;
rule.Grouping = Grouping;
rule.Description = Description;
rule.Enabled = Enabled;
rule.Action = Action;
rule.Direction = Direction;
rule.Profile = Profile;
rule.Protocol = Protocol;
rule.Interface = Interface;
rule.LocalPorts = LocalPorts;
rule.LocalAddresses = LocalAddresses;
rule.RemoteAddresses = RemoteAddresses;
rule.RemotePorts = RemotePorts;
rule.IcmpTypesAndCodes = IcmpTypesAndCodes;
rule.EdgeTraversal = EdgeTraversal;
rule.Expiration = Expiration;
return(rule);
}
public bool RemoveRule(FirewallRule rule)
{
NetFwRule FwRule;
if (!Rules.TryGetValue(rule.guid, out FwRule))
{
return(true); // tne rule is already gone
}
try
{
// Note: if this is not set to null renam may fail as well as other sets :/
FwRule.Entry.EdgeTraversalOptions = (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY;
// Note: the removal is done byname, howeever multiple rules may have the same name, WTF, so we set a temporary unique name
FwRule.Entry.Name = "***_to_be_deleted_***"; // todo add rand string
NetFwPolicy.Rules.Remove(FwRule.Entry.Name);
Rules.Remove(rule.guid);
}
catch (Exception err)
{
Priv10Logger.LogError("Failed to Remove rule: " + err.Message);
return(false);
}
return(true);
}
public FirewallRule Duplicate()
{
FirewallRule rule = new FirewallRule();
rule.Assign(this);
return(rule);
}
public List <FirewallRule> LoadRules()
{
RuleCounter = 0;
Rules.Clear();
List <FirewallRule> rules = new List <FirewallRule>();
try
{
int Count = NetFwPolicy.Rules.Count;
foreach (INetFwRule2 entry in NetFwPolicy.Rules)
{
FirewallRule rule = new FirewallRule();
if (LoadRule(rule, entry))
{
rule.Index = Count - ++RuleCounter;
rule.guid = Guid.NewGuid().ToString("B");
Rules.Add(rule.guid, new NetFwRule()
{
Entry = entry, Rule = rule
});
rules.Add(rule);
}
}
}
catch // firewall service is deisabled :/
{
return(null);
}
return(rules);
}
public void Assign(FirewallRule rule)
{
this.guid = rule.guid;
this.Index = rule.Index;
this.BinaryPath = rule.BinaryPath;
this.ServiceTag = rule.ServiceTag;
this.AppSID = rule.AppSID;
this.ProgID = rule.ProgID;
this.Name = rule.Name;
this.Grouping = rule.Grouping;
this.Description = rule.Description;
this.Enabled = rule.Enabled;
this.Action = rule.Action;
this.Direction = rule.Direction;
this.Profile = rule.Profile;
this.Protocol = rule.Protocol;
this.Interface = rule.Interface;
this.LocalPorts = rule.LocalPorts;
this.LocalAddresses = rule.LocalAddresses;
this.RemoteAddresses = rule.RemoteAddresses;
this.RemotePorts = rule.RemotePorts;
this.IcmpTypesAndCodes = rule.IcmpTypesAndCodes;
this.EdgeTraversal = rule.EdgeTraversal;
// todo: xxx
}
public bool RemoveRule(FirewallRule rule, bool silent = false)
{
INetFwRule2 entry;
if (!mAllRules.TryGetValue(rule.guid, out entry))
{
return(true); // tne rule is already gone
}
if (!RemoveRule(entry))
{
return(false);
}
var prog = App.engine.programs.GetProgram(rule.mID);
if (prog != null)
{
prog.Rules.Remove(rule.guid);
if (!silent)
{
App.engine.NotifyChange(prog);
}
}
return(true);
}
public FirewallRule.Actions LookupRuleAction(FirewallEvent FwEvent, NetworkMonitor.AdapterInfo NicInfo)
{
int BlockRules = 0;
int AllowRules = 0;
foreach (FirewallRule rule in Rules.Values)
{
if (!rule.Enabled)
{
continue;
}
if (rule.Direction != FwEvent.Direction)
{
continue;
}
if (rule.Protocol != (int)NetFunc.KnownProtocols.Any && FwEvent.Protocol != rule.Protocol)
{
continue;
}
if (((int)NicInfo.Profile & rule.Profile) == 0)
{
continue;
}
if (rule.Interface != (int)FirewallRule.Interfaces.All && (int)NicInfo.Type != rule.Interface)
{
continue;
}
if (!FirewallRule.MatchEndpoint(rule.RemoteAddresses, rule.RemotePorts, FwEvent.RemoteAddress, FwEvent.RemotePort, NicInfo))
{
continue;
}
if (!FirewallRule.MatchEndpoint(rule.LocalAddresses, rule.LocalPorts, FwEvent.RemoteAddress, FwEvent.RemotePort, NicInfo))
{
continue;
}
if (rule.Action == FirewallRule.Actions.Allow)
{
AllowRules++;
}
else if (rule.Action == FirewallRule.Actions.Block)
{
BlockRules++;
}
}
// Note: block rules take precedence
if (BlockRules > 0)
{
return(FirewallRule.Actions.Block);
}
if (AllowRules > 0)
{
return(FirewallRule.Actions.Allow);
}
return(FirewallRule.Actions.Undefined);
}
public bool UpdateRule(FirewallRule rule, UInt64 expiration = 0)
{
List <byte[]> args = new List <byte[]>();
args.Add(PutRule(rule));
args.Add(PutUInt64(expiration));
List <byte[]> ret = RemoteExec("UpdateRule", args);
return(ret != null?GetBool(ret[0]) : false);
}
public bool RemoveRule(FirewallRule rule)
{
List <byte[]> args = new List <byte[]>();
args.Add(PutStr(rule.guid));
args.Add(PutProgID(rule.ProgID)); // we tell the progid so that we dont need to check all programs
List <byte[]> ret = RemoteExec("RemoveRule", args);
return(ret != null?GetBool(ret[0]) : false);
}
public bool LoadRules(bool CleanUp = false)
{
if (App.engine.appMgr != null)
{
App.engine.appMgr.LoadApps();
}
foreach (Program prog in App.engine.programs.Progs.Values)
{
prog.Rules.Clear();
}
mAllRules.Clear();
List <INetFwRule2> entries = new List <INetFwRule2>();
try
{
foreach (INetFwRule2 entry in mFirewallPolicy.Rules)
{
entries.Add(entry);
}
}
catch // firewall service is deisabled :/
{
return(false);
}
foreach (INetFwRule2 entry in entries)
{
if (CleanUp && entry.Name.Contains(FirewallRule.TempRulePrefix))
{
AppLog.Line("Cleaning Up temporary rule: {0}", entry.Name);
RemoveRule(entry);
continue;
}
FirewallRule rule = new FirewallRule();
if (FirewallRule.LoadRule(rule, entry))
{
mAllRules.Add(rule.guid, entry);
Program process = App.engine.programs.GetProgram(rule.mID, true);
process.Rules.Add(rule.guid, rule);
}
}
foreach (Program prog in App.engine.programs.Progs.Values)
{
EvaluateRules(prog, false);
}
App.engine.NotifyChange(null);
return(true);
}
public int SetRuleApproval(Priv10Engine.ApprovalMode Mode, FirewallRule rule)
{
List <byte[]> args = new List <byte[]>();
args.Add(PutStr(Mode));
args.Add(PutStr(rule != null ? rule.guid : null)); // null means all rules
args.Add(PutProgID(rule != null ? rule.ProgID : null)); // we tell the progid so that we dont need to check all programs
List <byte[]> ret = RemoteExec("SetRuleApproval", args);
return(ret != null?GetInt(ret[0]) : 0);
}
public static bool MatchEndpoint(string Addresses, string Ports, IPAddress Address, UInt16 Port, NetworkMonitor.AdapterInfo NicInfo = null)
{
if (!FirewallRule.IsEmptyOrStar(Ports) && !MatchPort(Port, Ports))
{
return(false);
}
if (Address != null && !FirewallRule.IsEmptyOrStar(Addresses) && !MatchAddress(Address, Addresses, NicInfo))
{
return(false);
}
return(true);
}
public static FirewallRule MakeBlockRule(ProgramList.ID id, Firewall.Directions direction, long expiration = 0)
{
FirewallRule rule = new FirewallRule(id);
rule.Name = MakeRuleName(BlockAllName, expiration != 0);
rule.Grouping = RuleGroup;
rule.Action = Firewall.Actions.Block;
rule.Direction = direction;
rule.Enabled = true;
rule.Expiration = expiration;
return(rule);
}
public static FirewallRule MakeBlockInetRule(ProgramList.ID id, Firewall.Directions direction, long expiration = 0)
{
FirewallRule rule = new FirewallRule(id);
rule.Name = MakeRuleName(BlockInet, expiration != 0);
rule.Grouping = RuleGroup;
rule.Action = Firewall.Actions.Block;
rule.Direction = direction;
rule.Enabled = true;
rule.RemoteAddresses = NetFunc.GetNonLocalNet();
rule.Expiration = expiration;
return(rule);
}
public static FirewallRule MakeAllowLanRule(ProgramList.ID id, Firewall.Directions direction, long expiration = 0)
{
FirewallRule rule = new FirewallRule(id);
rule.Name = MakeRuleName(AllowLan, expiration != 0);
rule.Grouping = RuleGroup;
rule.Action = Firewall.Actions.Allow;
rule.Direction = direction;
rule.Enabled = true;
rule.RemoteAddresses = "LocalSubnet";
rule.Expiration = expiration;
return(rule);
}
public FirewallRuleEx(FirewallRuleEx other, FirewallRule rule)
{
this.State = other.State;
//this.Changed = other.Changed;
this.LastChangedTime = other.LastChangedTime;
this.ChangedCount = other.ChangedCount;
this.Expiration = other.Expiration;
this.Backup = other.Backup;
this.Assign(rule);
}
public bool UpdateRule(FirewallRule rule, bool silent = false)
{
bool bAdd = (rule.guid == Guid.Empty);
try
{
INetFwRule2 entry;
if (bAdd)
{
entry = (INetFwRule2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule"));
}
else if (!mAllRules.TryGetValue(rule.guid, out entry))
{
AppLog.Line("Failed Updating rule: ruls is not longer present");
return(false);
}
if (!FirewallRule.SaveRule(rule, entry))
{
return(false);
}
Program prog = App.engine.programs.GetProgram(rule.mID, true);
if (bAdd)
{
mFirewallPolicy.Rules.Add(entry);
rule.guid = Guid.NewGuid();
mAllRules.Add(rule.guid, entry);
}
else
{
prog.Rules.Remove(rule.guid);
}
prog.Rules.Add(rule.guid, rule);
if (!silent)
{
App.engine.NotifyChange(prog);
}
}
catch (Exception err)
{
AppLog.Line("Failed to Write rule: " + err.Message);
return(false);
}
return(true);
}
public bool BlockInternet(bool bBlock)
{
bool ret = true;
Program prog = App.engine.programs.GetProgram(new ProgramList.ID(ProgramList.Types.Global), true);
if (bBlock)
{
ret &= UpdateRule(FirewallRule.MakeBlockRule(prog.GetMainID(), Directions.Inbound), true);
ret &= UpdateRule(FirewallRule.MakeBlockRule(prog.GetMainID(), Directions.Outboun), true);
}
else
{
ClearRules(prog, false);
}
return(ret);
}
public bool UpdateRule(FirewallRule rule)
{
bool bAdd = (rule.guid == null);
try
{
NetFwRule FwRule;
if (bAdd)
{
FwRule = new NetFwRule()
{
Entry = (INetFwRule2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule")), Rule = rule
}
}
;
else if (!Rules.TryGetValue(rule.guid, out FwRule))
{
Priv10Logger.LogError("Failed Updating rule: ruls is not longer present");
return(false);
}
else
{
FwRule.Rule = rule;
}
if (!SaveRule(rule, FwRule.Entry))
{
return(false);
}
if (bAdd)
{
NetFwPolicy.Rules.Add(FwRule.Entry);
rule.Index = RuleCounter++;
rule.guid = Guid.NewGuid().ToString("B");
Rules.Add(rule.guid, FwRule);
}
}
catch (Exception err)
{
Priv10Logger.LogError("Failed to Write rule: " + err.Message);
return(false);
}
return(true);
}
public override bool Load(XmlNode entryNode)
{
if (!base.Load(entryNode))
{
return(false);
}
foreach (XmlNode node in entryNode.ChildNodes)
{
if (node.Name == "State")
{
Enum.TryParse <States>(node.InnerText, out State);
}
//else if (node.Name == "Changed")
// bool.TryParse(node.InnerText, out Changed);
else if (node.Name == "LastChangedTime")
{
DateTime.TryParse(node.InnerText, out LastChangedTime);
}
else if (node.Name == "ChangedCount")
{
int.TryParse(node.InnerText, out ChangedCount);
}
else if (node.Name == "Expiration")
{
UInt64.TryParse(node.InnerText, out Expiration);
}
else if (node.Name == "Backup")
{
Backup = new FirewallRule(ProgID);
if (!Backup.Load(node))
{
Backup = null;
}
}
}
return(true);
}
public bool UpdateRule(FirewallRule rule)
{
return(mDispatcher.Invoke(new Func <bool>(() => {
if (rule.guid == Guid.Empty)
{
if (rule.Direction == Firewall.Directions.Bidirectiona)
{
FirewallRule copy = rule.Clone();
copy.Direction = Firewall.Directions.Inbound;
if (!firewall.UpdateRule(copy))
{
return false;
}
rule.Direction = Firewall.Directions.Outboun;
}
}
return firewall.UpdateRule(rule);
})));
}
public bool ApplyRule(Program prog, FirewallRule rule, UInt64 expiration = 0)
{
if (!UpdateRule(rule)) // if the rule is new i.e. guid == null this call will set a new unique guid and add the rule to the global list
{
return(false);
}
FirewallRuleEx ruleEx;
if (!prog.Rules.TryGetValue(rule.guid, out ruleEx))
{
ruleEx = new FirewallRuleEx();
ruleEx.ProgID = FirewallRuleEx.GetIdFromRule(rule);
prog.Rules.Add(rule.guid, ruleEx);
}
ruleEx.Expiration = expiration;
ruleEx.SetApplied();
ruleEx.Assign(rule);
return(true);
}
public bool UpdateRule(FirewallRule rule, UInt64 expiration = 0)
{
return(RemoteExec("UpdateRule", new object[2] {
rule, expiration
}, false));
}
public bool RemoveRule(FirewallRule rule)
{
return(RemoteExec("RemoveRule", rule, false));
}
public void EvaluateRules(Program prog, bool apply)
{
String InetRanges = NetFunc.GetNonLocalNet();
prog.config.CurAccess = Program.Config.AccessLevels.Unconfigured;
bool StrictTest = false;
if (prog.Rules.Count > 0)
{
SortedDictionary <ProgramList.ID, RuleStat> RuleStats = new SortedDictionary <ProgramList.ID, RuleStat>();
int enabledCound = 0;
foreach (FirewallRule rule in prog.Rules.Values.ToList())
{
RuleStat Stat;
if (!RuleStats.TryGetValue(rule.mID, out Stat))
{
Stat = new RuleStat();
RuleStats.Add(rule.mID, Stat);
}
if (!rule.Enabled)
{
continue;
}
enabledCound++;
if (!IsEmptyOrStar(rule.LocalAddresses))
{
continue;
}
if (!IsEmptyOrStar(rule.LocalPorts) || !IsEmptyOrStar(rule.RemotePorts))
{
continue;
}
if (!IsEmptyOrStar(rule.IcmpTypesAndCodes))
{
continue;
}
bool AllProts = (rule.Protocol == (int)NetFunc.KnownProtocols.Any);
bool InetProts = AllProts || (rule.Protocol == (int)FirewallRule.KnownProtocols.TCP) || (rule.Protocol == (int)FirewallRule.KnownProtocols.UDP);
if (!InetProts)
{
continue;
}
if (rule.Profile != (int)Profiles.All && (rule.Profile != ((int)Profiles.Public | (int)Profiles.Private | (int)Profiles.Domain)))
{
continue;
}
if (rule.Interface != (int)Interfaces.All)
{
continue;
}
if (IsEmptyOrStar(rule.RemoteAddresses))
{
if (rule.Action == Actions.Allow && InetProts)
{
Stat.AllowAll |= ((int)rule.Direction);
}
else if (rule.Action == Actions.Block && AllProts)
{
Stat.BlockAll |= ((int)rule.Direction);
}
}
else if (rule.RemoteAddresses == InetRanges)
{
if (rule.Action == Actions.Block && AllProts)
{
Stat.BlockInet |= ((int)rule.Direction);
}
}
else if (rule.RemoteAddresses == "LocalSubnet")
{
if (rule.Action == Actions.Allow && InetProts)
{
Stat.AllowLan |= ((int)rule.Direction);
}
}
RuleStats[rule.mID] = Stat;
}
RuleStat MergedStat = RuleStats.Values.ElementAt(0);
for (int i = 1; i < RuleStats.Count; i++)
{
RuleStat Stat = RuleStats.Values.ElementAt(i);
MergedStat.AllowAll &= Stat.AllowAll;
MergedStat.BlockAll &= Stat.BlockAll;
MergedStat.AllowLan &= Stat.AllowLan;
MergedStat.BlockInet &= Stat.BlockInet;
}
if ((MergedStat.BlockAll & (int)Directions.Outboun) != 0 && (!StrictTest || (MergedStat.BlockAll & (int)Directions.Inbound) != 0))
{
prog.config.CurAccess = Program.Config.AccessLevels.BlockAccess;
}
else if ((MergedStat.AllowAll & (int)Directions.Outboun) != 0 && (!StrictTest || (MergedStat.AllowAll & (int)Directions.Inbound) != 0))
{
prog.config.CurAccess = Program.Config.AccessLevels.FullAccess;
}
else if ((MergedStat.AllowLan & (int)Directions.Outboun) != 0 && (!StrictTest || ((MergedStat.AllowLan & (int)Directions.Inbound) != 0 && (MergedStat.AllowLan & (int)Directions.Inbound) != 0)))
{
prog.config.CurAccess = Program.Config.AccessLevels.LocalOnly;
}
else if (enabledCound > 0)
{
prog.config.CurAccess = Program.Config.AccessLevels.CustomConfig;
}
}
if (!apply || prog.config.NetAccess == Program.Config.AccessLevels.Unconfigured || prog.config.NetAccess == Program.Config.AccessLevels.CustomConfig)
{
return;
}
if (prog.config.NetAccess == prog.config.CurAccess)
{
return;
}
if (prog.config.NetAccess != Program.Config.AccessLevels.CustomConfig)
{
DisableUserRules(prog);
}
ClearPrivRules(prog);
foreach (ProgramList.ID id in prog.IDs)
{
for (int i = 1; i <= 2; i++)
{
Directions direction = (Directions)i;
switch (prog.config.NetAccess)
{
case Program.Config.AccessLevels.FullAccess:
// add and enable allow all rule
UpdateRule(FirewallRule.MakeAllowRule(id, direction), true);
break;
case Program.Config.AccessLevels.LocalOnly:
// create block rule only of we operate in blacklist mode
//if (GetFilteringMode() == FilteringModes.BlackList)
//{
//add and enable block rules for the internet
UpdateRule(FirewallRule.MakeBlockInetRule(id, direction), true);
//}
//add and enable allow rules for the lan
UpdateRule(FirewallRule.MakeAllowLanRule(id, direction), true);
break;
case Program.Config.AccessLevels.BlockAccess:
// add and enable broad block rules
UpdateRule(FirewallRule.MakeBlockRule(id, direction), true);
break;
}
}
}
prog.config.CurAccess = prog.config.NetAccess;
App.engine.NotifyChange(prog);
}
public static bool SaveRule(FirewallRule rule, INetFwRule2 entry)
{
try
{
entry.EdgeTraversalOptions = (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY;
INetFwRule3 entry3 = entry as INetFwRule3;
entry.ApplicationName = rule.BinaryPath;
entry.serviceName = rule.ServiceTag;
if (entry3 != null)
{
entry3.LocalAppPackageId = rule.AppSID;
}
/*
* switch (rule.ProgID.Type)
* {
* case ProgramID.Types.Global:
* entry.ApplicationName = null;
* break;
* case ProgramID.Types.System:
* entry.ApplicationName = "System";
* break;
* default:
* if (rule.ProgID.Path != null && rule.ProgID.Path.Length > 0)
* entry.ApplicationName = rule.ProgID.Path;
* break;
* }
*
* if (rule.ProgID.Type == ProgramID.Types.App)
* entry3.LocalAppPackageId = rule.ProgID.GetPackageSID();
* else
* entry3.LocalAppPackageId = null;
*
* if (rule.ProgID.Type == ProgramID.Types.Service)
* entry.serviceName = rule.ProgID.GetServiceId();
* else
* entry.serviceName = null;
*/
entry.Name = rule.Name;
entry.Grouping = rule.Grouping;
entry.Description = rule.Description;
entry.Enabled = rule.Enabled;
switch (rule.Direction)
{
case FirewallRule.Directions.Inbound: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN; break;
case FirewallRule.Directions.Outboun: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT; break;
}
switch (rule.Action)
{
case FirewallRule.Actions.Allow: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW; break;
case FirewallRule.Actions.Block: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK; break;
}
entry.Profiles = rule.Profile;
if (rule.Interface == (int)FirewallRule.Interfaces.All)
{
entry.InterfaceTypes = "All";
}
else
{
List <string> interfaces = new List <string>();
if ((rule.Interface & (int)FirewallRule.Interfaces.Lan) != 0)
{
interfaces.Add("Lan");
}
if ((rule.Interface & (int)FirewallRule.Interfaces.Wireless) != 0)
{
interfaces.Add("Wireless");
}
if ((rule.Interface & (int)FirewallRule.Interfaces.RemoteAccess) != 0)
{
interfaces.Add("RemoteAccess");
}
entry.InterfaceTypes = string.Join(",", interfaces.ToArray().Reverse());
}
// Note: if this is not cleared protocol change may trigger an exception
if (entry.LocalPorts != null)
{
entry.LocalPorts = null;
}
if (entry.RemotePorts != null)
{
entry.RemotePorts = null;
}
if (entry.IcmpTypesAndCodes != null)
{
entry.IcmpTypesAndCodes = null;
}
// Note: protocol must be set early enough or other sets will cause errors!
entry.Protocol = rule.Protocol;
switch (rule.Protocol)
{
case (int)FirewallRule.KnownProtocols.ICMP:
case (int)FirewallRule.KnownProtocols.ICMPv6:
entry.IcmpTypesAndCodes = rule.GetIcmpTypesAndCodes();
break;
case (int)FirewallRule.KnownProtocols.TCP:
case (int)FirewallRule.KnownProtocols.UDP:
entry.LocalPorts = rule.LocalPorts;
entry.RemotePorts = rule.RemotePorts;
break;
}
if (rule.EdgeTraversal != (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DEFER_TO_USER)
{
entry.LocalAddresses = rule.LocalAddresses;
entry.RemoteAddresses = rule.RemoteAddresses;
}
entry.EdgeTraversalOptions = rule.EdgeTraversal;
if (entry3 != null)
{
/*
* string s0 = entry3.LocalAppPackageId // 8
* string s1 = entry3.RemoteUserAuthorizedList; // 7
* string s2 = entry3.RemoteMachineAuthorizedList; // 7
* string s3 = entry3.LocalUserAuthorizedList; // 8
* string s4 = entry3.LocalUserOwner; // 8
* int i1 = entry3.SecureFlags; // ??
*/
}
}
catch (Exception err)
{
Priv10Logger.LogError("Firewall Rule Commit failed {0}", err.ToString());
return(false);
}
return(true);
}
public void ApplyRules(ProgramSet progSet, UInt64 expiration = 0)
{
EvaluateRules(progSet, true);
if (progSet.config.NetAccess == ProgramConfig.AccessLevels.Unconfigured)
{
return;
}
if (progSet.config.NetAccess == progSet.config.CurAccess)
{
return;
}
foreach (Program prog in progSet.Programs.Values)
{
ClearRules(prog, progSet.config.NetAccess != ProgramConfig.AccessLevels.CustomConfig);
if (progSet.config.NetAccess == ProgramConfig.AccessLevels.CustomConfig)
{
continue; // dont create any rules
}
for (int i = 1; i <= 2; i++)
{
FirewallRule.Directions direction = (FirewallRule.Directions)i;
if ((progSet.config.NetAccess == ProgramConfig.AccessLevels.InBoundAccess && direction != FirewallRule.Directions.Inbound) ||
(progSet.config.NetAccess == ProgramConfig.AccessLevels.OutBoundAccess && direction != FirewallRule.Directions.Outbound))
{
continue;
}
switch (progSet.config.NetAccess)
{
case ProgramConfig.AccessLevels.FullAccess:
case ProgramConfig.AccessLevels.InBoundAccess:
case ProgramConfig.AccessLevels.OutBoundAccess:
{
// add and enable allow all rule
FirewallRule rule = new FirewallRule();
FirewallRuleEx.SetProgID(rule, prog.ID);
rule.Name = MakeRuleName(AllowAllName, expiration != 0, prog.Description);
rule.Grouping = RuleGroup;
rule.Action = FirewallRule.Actions.Allow;
rule.Direction = direction;
rule.Enabled = true;
ApplyRule(prog, rule, expiration);
break;
}
case ProgramConfig.AccessLevels.LocalOnly:
{
// create block rule only of we operate in blacklist mode
//if (GetFilteringMode() == FilteringModes.BlackList)
//{
//add and enable block rules for the internet
FirewallRule rule1 = new FirewallRule();
FirewallRuleEx.SetProgID(rule1, prog.ID);
rule1.Name = MakeRuleName(BlockInet, expiration != 0, prog.Description);
rule1.Grouping = RuleGroup;
rule1.Action = FirewallRule.Actions.Block;
rule1.Direction = direction;
rule1.Enabled = true;
if (UwpFunc.IsWindows7OrLower)
{
rule1.RemoteAddresses = GetSpecialNet(FirewallRule.AddrKeywordIntErnet);
}
else
{
rule1.RemoteAddresses = FirewallRule.AddrKeywordIntErnet;
}
ApplyRule(prog, rule1, expiration);
//}
//add and enable allow rules for the lan
FirewallRule rule2 = new FirewallRule();
FirewallRuleEx.SetProgID(rule2, prog.ID);
rule2.Name = MakeRuleName(AllowLan, expiration != 0, prog.Description);
rule2.Grouping = RuleGroup;
rule2.Action = FirewallRule.Actions.Allow;
rule2.Direction = direction;
rule2.Enabled = true;
//rule.RemoteAddresses = FirewallRule.GetSpecialNet(FirewallRule.AddrKeywordLocalSubnet);
rule2.RemoteAddresses = FirewallRule.AddrKeywordLocalSubnet;
ApplyRule(prog, rule2, expiration);
break;
}
case ProgramConfig.AccessLevels.BlockAccess:
{
// add and enable broad block rules
FirewallRule rule = new FirewallRule();
FirewallRuleEx.SetProgID(rule, prog.ID);
rule.Name = MakeRuleName(BlockAllName, expiration != 0, prog.Description);
rule.Grouping = RuleGroup;
rule.Action = FirewallRule.Actions.Block;
rule.Direction = direction;
rule.Enabled = true;
ApplyRule(prog, rule, expiration);
break;
}
}
}
}
progSet.config.CurAccess = progSet.config.NetAccess;
App.engine.OnRulesUpdated(progSet);
}
public void EvaluateRules(ProgramSet progSet, bool StrictTest = false)
{
String InetRanges = FirewallRule.AddrKeywordIntErnet;
if (UwpFunc.IsWindows7OrLower)
{
InetRanges = GetSpecialNet(InetRanges);
}
progSet.config.CurAccess = ProgramConfig.AccessLevels.Unconfigured;
SortedDictionary <ProgramID, RuleStat> RuleStats = new SortedDictionary <ProgramID, RuleStat>();
int enabledCound = 0;
foreach (Program prog in progSet.Programs.Values)
{
RuleStat Stat = new RuleStat();
foreach (FirewallRule rule in prog.Rules.Values)
{
if (!rule.Enabled)
{
continue;
}
enabledCound++;
if (!FirewallRule.IsEmptyOrStar(rule.LocalAddresses))
{
continue;
}
if (!FirewallRule.IsEmptyOrStar(rule.LocalPorts) || !FirewallRule.IsEmptyOrStar(rule.RemotePorts))
{
continue;
}
if (rule.IcmpTypesAndCodes != null && rule.IcmpTypesAndCodes.Length > 0)
{
continue;
}
bool AllProts = (rule.Protocol == (int)NetFunc.KnownProtocols.Any);
bool InetProts = AllProts || (rule.Protocol == (int)FirewallRule.KnownProtocols.TCP) || (rule.Protocol == (int)FirewallRule.KnownProtocols.UDP);
if (!InetProts)
{
continue;
}
//if (rule.Profile != (int)FirewallRule.Profiles.All && (rule.Profile != ((int)FirewallRule.Profiles.Public | (int)FirewallRule.Profiles.Private | (int)FirewallRule.Profiles.Domain)))
// continue;
if (rule.Interface != (int)FirewallRule.Interfaces.All)
{
continue;
}
if (FirewallRule.IsEmptyOrStar(rule.RemoteAddresses))
{
if (rule.Action == FirewallRule.Actions.Allow && InetProts)
{
Stat.AllowAll.Add(rule.Profile, rule.Direction);
}
else if (rule.Action == FirewallRule.Actions.Block && AllProts)
{
Stat.BlockAll.Add(rule.Profile, rule.Direction);
}
}
else if (rule.RemoteAddresses == InetRanges)
{
if (rule.Action == FirewallRule.Actions.Block && AllProts)
{
Stat.BlockInet.Add(rule.Profile, rule.Direction);
}
}
else if (rule.RemoteAddresses == FirewallRule.AddrKeywordLocalSubnet)
{
if (rule.Action == FirewallRule.Actions.Allow && InetProts)
{
Stat.AllowLan.Add(rule.Profile, rule.Direction);
}
}
}
RuleStats.Add(prog.ID, Stat);
}
if (RuleStats.Count == 0 || enabledCound == 0)
{
return;
}
RuleStat MergedStat = RuleStats.Values.First();
for (int i = 1; i < RuleStats.Count; i++)
{
RuleStat Stat = RuleStats.Values.ElementAt(i);
MergedStat.AllowAll.Merge(Stat.AllowAll);
MergedStat.BlockAll.Merge(Stat.BlockAll);
MergedStat.AllowLan.Merge(Stat.AllowLan);
MergedStat.BlockInet.Merge(Stat.BlockInet);
}
if (MergedStat.BlockAll.IsOutbound(IgnoreDomain) && (!StrictTest || MergedStat.BlockAll.IsInbound(IgnoreDomain)))
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.BlockAccess;
}
//else if (MergedStat.AllowAll.IsOutbound(SkipDomain) && (!StrictTest || MergedStat.AllowAll.IsInbound(SkipDomain)))
else if (MergedStat.AllowAll.IsOutbound(IgnoreDomain) && MergedStat.AllowAll.IsInbound(IgnoreDomain))
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.FullAccess;
}
else if (MergedStat.AllowLan.IsOutbound(IgnoreDomain) && (!StrictTest || (MergedStat.AllowLan.IsInbound(IgnoreDomain) && MergedStat.AllowLan.IsInbound(IgnoreDomain))))
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.LocalOnly;
}
else if (MergedStat.AllowAll.IsOutbound(IgnoreDomain))
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.OutBoundAccess;
}
else if (MergedStat.AllowAll.IsInbound(IgnoreDomain))
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.InBoundAccess;
}
else if (enabledCound > 0)
{
progSet.config.CurAccess = ProgramConfig.AccessLevels.CustomConfig;
}
}
public int SetRuleApproval(Priv10Engine.ApprovalMode Mode, FirewallRule rule)
{
return(RemoteExec("SetRuleApproval", new object[2] {
Mode, rule
}, 0));
}
public static bool LoadRule(FirewallRule rule, INetFwRule2 entry)
{
try
{
INetFwRule3 entry3 = entry as INetFwRule3;
rule.BinaryPath = entry.ApplicationName;
rule.ServiceTag = entry.serviceName;
if (entry3 != null)
{
rule.AppSID = entry3.LocalAppPackageId;
}
// Note: while LocalAppPackageId and serviceName can be set at the same timea universall App can not be started as a service
ProgramID progID;
if (entry.ApplicationName != null && entry.ApplicationName.Equals("System", StringComparison.OrdinalIgnoreCase))
{
progID = ProgramID.NewID(ProgramID.Types.System);
}
// Win10
else if (entry3 != null && entry3.LocalAppPackageId != null)
{
if (entry.serviceName != null)
{
throw new ArgumentException("Firewall paremeter conflict");
}
progID = ProgramID.NewAppID(entry3.LocalAppPackageId, entry.ApplicationName);
}
//
else if (entry.serviceName != null)
{
progID = ProgramID.NewSvcID(entry.serviceName, entry.ApplicationName);
}
else if (entry.ApplicationName != null)
{
progID = ProgramID.NewProgID(entry.ApplicationName);
}
else // if nothing is configured than its a global roule
{
progID = ProgramID.NewID(ProgramID.Types.Global);
}
rule.ProgID = Priv10Engine.AdjustProgID(progID);
// https://docs.microsoft.com/en-us/windows/desktop/api/netfw/nn-netfw-inetfwrule
rule.Name = entry.Name;
rule.Grouping = entry.Grouping;
rule.Description = entry.Description;
//rule.ProgramPath = entry.ApplicationName;
//rule.ServiceName = entry.serviceName;
rule.Enabled = entry.Enabled;
switch (entry.Direction)
{
case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN: rule.Direction = FirewallRule.Directions.Inbound; break;
case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT: rule.Direction = FirewallRule.Directions.Outboun; break;
}
switch (entry.Action)
{
case NET_FW_ACTION_.NET_FW_ACTION_ALLOW: rule.Action = FirewallRule.Actions.Allow; break;
case NET_FW_ACTION_.NET_FW_ACTION_BLOCK: rule.Action = FirewallRule.Actions.Block; break;
}
rule.Profile = entry.Profiles;
if (entry.InterfaceTypes.Equals("All", StringComparison.OrdinalIgnoreCase))
{
rule.Interface = (int)FirewallRule.Interfaces.All;
}
else
{
rule.Interface = 0;
if (entry.InterfaceTypes.IndexOf("Lan", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)FirewallRule.Interfaces.Lan;
}
if (entry.InterfaceTypes.IndexOf("Wireless", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)FirewallRule.Interfaces.Wireless;
}
if (entry.InterfaceTypes.IndexOf("RemoteAccess", StringComparison.OrdinalIgnoreCase) != -1)
{
rule.Interface |= (int)FirewallRule.Interfaces.RemoteAccess;
}
}
rule.Protocol = entry.Protocol;
/*The localAddrs parameter consists of one or more comma-delimited tokens specifying the local addresses from which the application can listen for traffic. "*" is the default value. Valid tokens include:
*
* "*" indicates any local address. If present, this must be the only token included.
* "Defaultgateway"
* "DHCP"
* "WINS"
* "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
* A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
* A valid IPv6 address.
* An IPv4 address range in the format of "start address - end address" with no spaces included.
* An IPv6 address range in the format of "start address - end address" with no spaces included.*/
switch (rule.Protocol)
{
case (int)FirewallRule.KnownProtocols.ICMP:
case (int)FirewallRule.KnownProtocols.ICMPv6:
rule.SetIcmpTypesAndCodes(entry.IcmpTypesAndCodes);
break;
case (int)FirewallRule.KnownProtocols.TCP:
case (int)FirewallRule.KnownProtocols.UDP:
// , separated number or range 123-456
rule.LocalPorts = entry.LocalPorts;
rule.RemotePorts = entry.RemotePorts;
break;
}
rule.LocalAddresses = entry.LocalAddresses;
rule.RemoteAddresses = entry.RemoteAddresses;
// https://docs.microsoft.com/de-de/windows/desktop/api/icftypes/ne-icftypes-net_fw_edge_traversal_type_
//EdgeTraversal = (int)(Entry.EdgeTraversal ? NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_ALLOW : NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY);
rule.EdgeTraversal = entry.EdgeTraversalOptions;
if (entry3 != null)
{
/*
* string s0 = entry3.LocalAppPackageId // 8
* string s1 = entry3.RemoteUserAuthorizedList; // 7
* string s2 = entry3.RemoteMachineAuthorizedList; // 7
* string s3 = entry3.LocalUserAuthorizedList; // 8
* string s4 = entry3.LocalUserOwner; // 8
* int i1 = entry3.SecureFlags; // ??
*/
}
}
catch (Exception err)
{
Priv10Logger.LogError("Reading Firewall Rule failed {0}", err.ToString());
return(false);
}
return(true);
}
