public async Task Firewall_With_Single_CIDR_And_Request_With_Invalid_IP_Returns_AccessDenied()
{
var isSuccess = false;
var allowedIpAddress = IPAddress.Parse("174.74.115.210");
var cidrNotations = new List <CIDRNotation> {
CIDRNotation.Parse("174.74.115.192/28")
};
var firewall = new FirewallMiddleware(
async(innerCtx) =>
{
isSuccess = true;
await innerCtx.Response.WriteAsync("Success!");
},
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddressRanges(cidrNotations),
logger: null);
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = allowedIpAddress;
await firewall.Invoke(httpContext);
Assert.Equal(StatusCodes.Status403Forbidden, httpContext.Response.StatusCode);
Assert.False(isSuccess);
}
public void Contains_WithValidIp_ReturnsTrue(string cidr, string ip)
{
var cidrNotation = CIDRNotation.Parse(cidr);
var ipAddress = IPAddress.Parse(ip);
Assert.True(cidrNotation.Contains(ipAddress));
}
public void Contains_WithOutOfRangeIp_ReturnsFalse(string cidr, string ip)
{
var cidrNotation = CIDRNotation.Parse(cidr);
var ipAddress = IPAddress.Parse(ip);
Assert.False(cidrNotation.Contains(ipAddress));
}
public static bool TryParse(string ip, out CIDRNotation notation)
{
if (string.IsNullOrEmpty(ip))
{
notation = null; return(false);
}
var parts = ip.Split('/');
if (parts.Length != 2)
{
notation = null; return(false);
}
var isValid = IPAddress.TryParse(parts[0], out var address);
if (!isValid)
{
notation = null; return(false);
}
var maskBits = Convert.ToInt32(parts[1], 10);
var maxMaskBit = address.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
if (maskBits < 0 || maskBits > maxMaskBit)
{
notation = null; return(false);
}
notation = new CIDRNotation(address, maskBits);
return(true);
}
public void SetIpAllowList(List <string> ips)
{
var ipList = new List <IPAddress>();
var ipNotation = new List <CIDRNotation>();
foreach (var ip in ips)
{
if (ip.Contains("/"))
{
if (CIDRNotation.TryParse(ip, out CIDRNotation notation))
{
ipNotation.Add(notation);
}
}
else
{
if (IPAddress.TryParse(ip, out IPAddress address))
{
ipList.Add(address);
}
}
}
_whiteList = ipList;
_whiteNotation = ipNotation;
}
public void Configure(IApplicationBuilder app)
{
var allowedIPs =
new List <IPAddress>
{
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("5.6.7.8")
};
var allowedCIDRs =
new List <CIDRNotation>
{
CIDRNotation.Parse("110.40.88.12/28"),
CIDRNotation.Parse("88.77.99.11/8")
};
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddressRanges(allowedCIDRs)
.ExceptFromIPAddresses(allowedIPs));
app.Run(async(context) =>
{
await context.Response.WriteAsync("Hello World!");
});
}
public void Parse_WithValidString_ParsesCorrectObject(
string value, string expectedIpAddress, int expectedMaskBits)
{
var cidrNotation = CIDRNotation.Parse(value);
Assert.Equal(expectedIpAddress, cidrNotation.Address.ToString());
Assert.Equal(expectedMaskBits, cidrNotation.MaskBits);
Assert.Equal(value, cidrNotation.ToString());
}
static void Main(string[] args)
{
var proxyServer = new FirewallTcpProxyServer(IPEndPoint.Parse("192.168.31.1:80"));
proxyServer.OnConnected += (session) =>
{
Console.WriteLine("New Connection");
};
proxyServer.Start().Wait();
Console.WriteLine($"Port: {proxyServer.ListenPort}");
proxyServer.UpdateAllowCidrList(new CIDRNotation[] { CIDRNotation.Parse("0.0.0.0/0") });
Console.Read();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseForwardedHeaders(
new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor,
ForwardLimit = 1
}
);
// Register Firewall after error handling and forwarded headers,
// but before other middleware:
var allowedIPAddresses =
new List <IPAddress>
{
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("5.6.7.8")
};
var allowedIPAddressRanges =
new List <CIDRNotation>
{
CIDRNotation.Parse("110.40.88.12/28"),
CIDRNotation.Parse("88.77.99.11/8")
};
app.UseFirewall(
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromCountries(new [] { CountryCode.FK })
.ExceptFromIPAddressRanges(allowedIPAddressRanges)
.ExceptFromIPAddresses(allowedIPAddresses)
.ExceptFromCloudflare()
.ExceptFromLocalhost(),
accessDeniedDelegate:
ctx =>
{
ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
return(ctx.Response.WriteAsync("Forbidden"));
});
app.Run(async(context) =>
{
await context.Response.WriteAsync("Hello World!");
});
}
public async Task Firewall_With_Multiple_IPs_And_CIDRs_And_Request_With_Invalid_IP_Returns_AccessDenied(string ip)
{
var isSuccess = false;
var allowedIpAddress = IPAddress.Parse(ip);
var allowedIpAddresses = new List <IPAddress>
{
IPAddress.Parse("1.2.3.4"),
IPAddress.Parse("10.20.30.40"),
IPAddress.Parse("50.6.70.8")
};
var cidrNotations = new List <CIDRNotation>
{
CIDRNotation.Parse("2803:f800::/32"),
CIDRNotation.Parse("2c0f:f248::/32"),
CIDRNotation.Parse("103.21.244.0/22"),
CIDRNotation.Parse("141.101.64.0/18"),
CIDRNotation.Parse("172.64.0.0/13")
};
var firewall = new FirewallMiddleware(
async(innerCtx) =>
{
isSuccess = true;
await innerCtx.Response.WriteAsync("Success!");
},
FirewallRulesEngine
.DenyAllAccess()
.ExceptFromIPAddresses(allowedIpAddresses)
.ExceptFromIPAddressRanges(cidrNotations),
logger: null);
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = allowedIpAddress;
await firewall.Invoke(httpContext);
Assert.Equal(StatusCodes.Status403Forbidden, httpContext.Response.StatusCode);
Assert.False(isSuccess);
}
public void Parse_WithNull_ThrowsException()
{
Assert.Throws <ArgumentException>(() => CIDRNotation.Parse(null));
}
public void Parse_WithInvalidString_ThrowsException(string value)
{
Assert.Throws <ArgumentException>(() => CIDRNotation.Parse(value));
}
public void Parse_WithWhitespaceString_ThrowsException()
{
Assert.Throws <ArgumentException>(() => CIDRNotation.Parse(" "));
}
private async Task <IEnumerable <CIDRNotation> > GetServiceAllowRuleCIDRNotation(int serviceId, int?serviceForwardTargetId = null)
{
var rules = await ListServiceAllowRule(serviceId, serviceForwardTargetId);
List <CIDRNotation> result = new List <CIDRNotation>();
foreach (var rule in rules)
{
try
{
switch (rule.Type)
{
case ServiceAllowRuleTypes.CIDR:
result.Add(CIDRNotation.Parse(rule.Cidr));
break;
case ServiceAllowRuleTypes.CIDR_GROUP:
result.AddRange((await _cidrGroupService.GetCidrGroup(rule.CidrGroupId.Value)).CidrList.Select(CIDRNotation.Parse));
break;
case ServiceAllowRuleTypes.USER:
var ip = await _userService.GetUserIP(rule.UserId.Value);
if (ip == null)
{
break;
}
result.Add(CIDRNotation.Parse(ip.ToString() + "/" + (ip.GetAddressBytes().Length * 8)));
if (IPAddress.IsLoopback(ip))
{
result.Add(CIDRNotation.Parse("::1/128"));
result.Add(CIDRNotation.Parse("127.0.0.1/32"));
}
else
{
if (ip.IsIPv4MappedToIPv6)
{
var ipv4 = ip.MapToIPv4();
result.Add(CIDRNotation.Parse(ipv4.ToString() + "/" + (ipv4.GetAddressBytes().Length * 8)));
}
}
break;
case ServiceAllowRuleTypes.USER_GROUP:
var userlist = await _userGroupService.ListUserGroupMember(rule.UserGroupId.Value);
foreach (var user in userlist)
{
var userIp = await _userService.GetUserIP(user.Id);
if (userIp == null)
{
continue;
}
result.Add(CIDRNotation.Parse(userIp.ToString() + "/" + (userIp.GetAddressBytes().Length * 8)));
if (IPAddress.IsLoopback(userIp))
{
result.Add(CIDRNotation.Parse("::1/128"));
result.Add(CIDRNotation.Parse("127.0.0.1/32"));
}
else
{
if (userIp.IsIPv4MappedToIPv6)
{
var ipv4 = userIp.MapToIPv4();
result.Add(CIDRNotation.Parse(ipv4.ToString() + "/" + (ipv4.GetAddressBytes().Length * 8)));
}
}
}
break;
}
}
catch { }
}
return(result);
}
