static void MakeOutRule(string text)
{
if (text.StartsWith("http://"))
{
text = text.Replace("http://", "");
}
if (text.StartsWith("https://"))
{
text = text.Replace("https://", "");
}
IPAddress addr = null;
if (!IPAddress.TryParse(text, out addr))
{
return;
}
FwOutRule rule = new FwOutRule(addr);
if (CheckRule(rule))
{
if (!MakeSubNetRules(rule))
{
log.WI("Adding new rule for IP [" + rule.RemoteAddresses + "]");
AddFwRule(rule);
outRules.Add(rule);
}
}
else
{
log.WI("Rule for IP [" + rule.RemoteAddresses + "] or subnet already exists. Skipped");
}
}
static void LoadOutRules()
{
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
List <INetFwRule> rules = new List <INetFwRule>();
foreach (var ruleObj in firewallPolicy.Rules)
{
if (ruleObj is INetFwRule)
{
rules.Add(ruleObj as INetFwRule);
}
}
foreach (var fwRule in rules)
{
if (fwRule.Direction == NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT &&
fwRule.Name.StartsWith(AppName))
{
var rule = new FwOutRule(fwRule);
if (CheckRule(rule))
{
outRules.Add(rule);
}
else
{
firewallPolicy.Rules.Remove(fwRule.Name);
log.WI("Removed duplicate rule for IP [" + rule.RemoteAddresses + "]");
}
}
}
}
public FwOutRule(FwOutRule rule)
: this(rule.Text)
{
ApplicationName = rule.ApplicationName;
Name = rule.Name;
Description = rule.Description;
_remoteAddresses = rule.RemoteAddresses;
_mask = rule._mask;
}
public FwOutRule(FwOutRule rule)
: this()
{
Action = rule.Action;
ApplicationName = rule.ApplicationName;
Description = rule.Description;
Enabled = rule.Enabled;
Name = rule.Name;
RemoteAddresses = rule.RemoteAddresses;
Enabled = true;
}
static bool CheckRule(FwOutRule rule)
{
if (outRules.Exists(r => r.RemoteAddresses.StartsWith(rule.RemoteAddresses)))
{
return(false);
}
if (outRules.Exists(r => !r.IsIPRule && r.SubNet == rule.SubNet))
{
return(false);
}
return(true);
}
static void AddFwRule(FwOutRule rule)
{
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = rule.Action;
firewallRule.Description = rule.Description;
firewallRule.Direction = rule.Direction;
firewallRule.Enabled = rule.Enabled;
firewallRule.InterfaceTypes = "All";
firewallRule.Name = rule.Name;
firewallRule.RemoteAddresses = rule.RemoteAddresses;
if (!string.IsNullOrEmpty(rule.ApplicationName))
{
firewallRule.ApplicationName = rule.ApplicationName;
}
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);
}
static bool MakeSubNetRules(FwOutRule rule)
{
if (rule.IsIPRule && !outRules.Exists(r => !r.IsIPRule && r.SubNet == rule.SubNet))
{
var cnt = outRules.Count(r => r.Name != rule.Name && r.SubNet == rule.SubNet);
if (cnt > 0)
{
var sRule = new FwOutRule(rule);
sRule.RemoteAddresses = rule.SubNet + "0/255.255.255.0";
sRule.Name = string.Format("{0} Used to block an SubNet [{1}]",
AppName, sRule.RemoteAddresses);
log.WI("Adding new rule for SubNet [" + sRule.RemoteAddresses + "]");
AddFwRule(sRule);
outRules.Add(sRule);
return(true);
}
}
return(false);
}
static bool IsWhiteRule(FwOutRule rule)
{
if (rule.RemoteAddresses.StartsWith("0.0."))
{
return true;
}
if ((string.IsNullOrEmpty(rule.ApplicationName) || rule.ApplicationName == "*")
&& outWhiteIPRules.Exists(r => r.IsInclude(rule)))
{
return true;
}
return false;
}
static void AddWhiteListRule(FwOutRule rule)
{
if (!outWhiteIPs.Contains(rule.IPStr))
{
log.WI("Rule for [" + rule.RemoteAddresses + "] added to White List");
outWhiteIPs.Add(rule.IPStr);
}
outWhiteIPRules.Add(rule);
var restartDNS = false;
IPHostEntry entry = GetDomain(rule);
if (entry != null && !outWhiteDomains.Contains(entry.HostName))
{
if (CheckDomain(entry.HostName))
{
log.WI("Rule for Domain [" + entry.HostName + "] added to White List");
outWhiteDomains.Add(entry.HostName);
restartDNS = true;
}
}
SaveWhiteLists();
if (restartDNS)
{
// insure that BIND does not block this domain anymore
LoadBindAssHoles();
}
}
static void AddFwRule(FwOutRule rule)
{
INetFwRule firewallRule = (INetFwRule)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FWRule"));
firewallRule.Action = rule.Action;
firewallRule.Description = rule.Description;
firewallRule.Direction = rule.Direction;
firewallRule.Enabled = rule.Enabled;
firewallRule.InterfaceTypes = "All";
firewallRule.Name = rule.Name;
firewallRule.RemoteAddresses = rule.RemoteAddresses;
if (!string.IsNullOrEmpty(rule.ApplicationName))
{
firewallRule.ApplicationName = rule.ApplicationName;
}
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Add(firewallRule);
}
public static void SplitRule(FwOutRule sr, FwOutRule ir)
{
if (!sr.IsIPRule)
{
var newRules = new List<FwOutRule>();
if (!SplitSubnetRule(sr, ir, ref newRules))
{
throw new Exception("Cannot split SubNet rule!");
}
outRules.Remove(sr);
foreach (var nr in newRules)
{
if (CheckRule(nr))
{
AddFwRule(nr);
outRules.Add(nr);
log.WI("Added new rule for [" + nr.RemoteAddresses + "]");
}
}
}
RemoveFwRule(sr);
}
public static void LoadOutRulesFile(string fileName, bool withDomains = false)
{
var remoteAddrs = LoadFiles(fileName);
foreach (var ra in remoteAddrs)
{
FwOutRule rule = new FwOutRule(new FwRuleText(ra), ra);
if (CheckRule(rule))
{
AddFwRule(rule);
outRules.Add(rule);
}
if (IsWhiteRule(rule) && IsRuleExists(rule))
{
RemoveFwRule(rule);
}
}
if (withDomains)
{
throw new NotImplementedException();
}
}
static void MakeOutRule(string text, bool clear, bool addToWhiteList)
{
if (text.StartsWith("http://")) text = text.Replace("http://", "");
if (text.StartsWith("https://")) text = text.Replace("https://", "");
if (text.StartsWith("www.")) text = text.Replace("www.", "");
bool isIPRange = false;
IPAddress[] addrs = null;
IList<uint[]> rangeAddrs = null;
if (IsIPRange(text))
{
isIPRange = true;
rangeAddrs = GetIPRangeAddress(text);
addrs = rangeAddrs.Select(ra => new IPAddress(ra[0])).ToArray();
}
else
{
try
{
addrs = Dns.GetHostAddresses(text);
}
catch (Exception) { }
}
if (addrs != null)
{
for (int i = 0; i < addrs.Length; i++)
{
var addr = addrs[i];
if (addr.AddressFamily == AddressFamily.InterNetworkV6)
{
continue;
}
FwOutRule rule = null;
if (isIPRange)
{
rule = new FwOutRule(new FwRuleText(text), (uint)addr.Address, rangeAddrs[i][1]);
}
else
{
rule = new FwOutRule(new FwRuleText(text), addr);
}
var exists = IsRuleExists(rule);
var isWhite = IsWhiteRule(rule);
if (exists && isWhite)
{
log.WI("White List rule bloked!!! [" + rule.RemoteAddresses + "].");
var sameRules = outRules.Where(r => r.IsInclude(rule)).ToList();
foreach (var sr in sameRules)
{
if (IsRuleExists(sr))
{
SplitRule(sr, rule);
}
}
}
if (clear)
{
if (exists)
{
var sameRules = outRules.Where(r => r.IsInclude(rule)).ToList();
foreach (var sr in sameRules)
{
if (IsRuleExists(sr))
{
SplitRule(sr, rule);
}
}
}
if (!isWhite && addToWhiteList)
{
AddWhiteListRule(rule);
}
}
else
{
if (!exists && !isWhite)
{
if (checkWhoIs && !isIPRange)
{
if (!checkWhoIsDlg(rule.IPStr))
{
continue;
}
}
if (!MakeSubNetRules(rule))
{
log.WI(string.Format("Adding new rule for [{0}].", rule.RemoteAddresses));
AddFwRule(rule);
outRules.Add(rule);
}
if (!isIPRange)
{
var entry = GetDomain(rule);
if (entry != null)
{
DisableDNS(entry.HostName);
}
}
continue;
}
if (isWhite)
{
log.WI("Rule for [" + rule.RemoteAddresses + "] is already in White List. Skipped");
continue;
}
if (exists)
{
log.WI("Rule for [" + rule.RemoteAddresses + "] is already exists. Skipped");
continue;
}
}
}
if (!isIPRange)
{
DisableDNS(text);
}
}
}
public bool IsInclude(FwOutRule rule)
{
if (rule.IP == IP)
{
return true;
}
var wildCard = ~_mask;
if ((IP | wildCard) == (rule.IP | wildCard))
{
return true;
}
//var ruleWildCard = ~rule._mask;
//if ((IP | ruleWildCard) == (rule.IP | ruleWildCard))
//{
// return true;
//}
return false;
}
static bool SplitSubnetRule(FwOutRule sr, FwOutRule ir, ref List<FwOutRule> rules)
{
if (sr == null && sr.IsIPRule)
{
throw new ArgumentException(nameof(sr));
}
if (ir.ReversedEndIP < sr.ReversedStartIP || ir.ReversedStartIP > sr.ReversedEndIP)
{
return false;
}
rules.Clear();
var fsRIP = sr.ReversedStartIP;
var feRIP = ir.ReversedStartIP - 1;
var lsRIP = ir.ReversedEndIP + 1;
var leRIP = sr.ReversedEndIP;
if (fsRIP <= feRIP)
{
var fRange = new List<uint[]>();
FwOutRule.GetMaskedIPRange(FwOutRule.ReverseIP(fsRIP),
FwOutRule.ReverseIP(feRIP), out fRange);
if (fRange.Count > 0)
{
rules.AddRange(fRange.Select(im => new FwOutRule(FwRuleText.Empty, im[0], im[1])));
}
}
if (lsRIP <= leRIP)
{
var lRange = new List<uint[]>();
FwOutRule.GetMaskedIPRange(FwOutRule.ReverseIP(lsRIP),
FwOutRule.ReverseIP(leRIP), out lRange);
if (lRange.Count > 0)
{
rules.AddRange(lRange.Select(im => new FwOutRule(FwRuleText.Empty, im[0], im[1])));
}
}
return rules.Count > 0;
}
static void RemoveFwRule(FwOutRule rule)
{
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
firewallPolicy.Rules.Remove(rule.Name);
firewallPolicy.Rules.Remove(rule.OldName1);
firewallPolicy.Rules.Remove(rule.OldName2);
firewallPolicy.Rules.Remove(rule.OldName3);
log.WI("Removed rule for [" + rule.RemoteAddresses + "]", false);
}
private static bool MergeSubNetRulesImpl(IList<FwOutRule> rules, IList<FwOutRule> outr, bool listOnly = false)
{
var res = true;
var rangeList = new List<FwOutRule>();
for (int i = 0; i < rules.Count - 1; i++)
{
var curr = rules[i];
var next = rules[i + 1];
if (curr.ReversedEndIP + 1 == next.ReversedStartIP)
{
if (rangeList.Count == 0)
{
rangeList.Add(curr);
}
rangeList.Add(next);
}
else
{
if (rangeList.Count != 0)
{
var firstRule = rangeList.First();
var startIP = firstRule.StartIP;
var endIP = rangeList.Last().EndIP;
var maskedRange = new List<uint[]>();
if (!FwOutRule.GetMaskedIPRange(startIP, endIP, out maskedRange))
{
throw new Exception("GetMaskedIPRange failed");
}
if (maskedRange.Count == 0 || maskedRange.Count >= rangeList.Count)
{
// nothing to optimize
rangeList.Clear();
continue;
}
try
{
foreach (var im in maskedRange)
{
var unionRule = new FwOutRule(new FwRuleText(firstRule.IPAddr), im[0], im[1]);
if (!listOnly)
{
log.WI(string.Format("Adding new union rule for [{0}].", unionRule.RemoteAddresses));
AddFwRule(unionRule);
}
outr.Add(unionRule);
}
foreach (var or in rangeList)
{
if (!listOnly) RemoveFwRule(or);
outr.Remove(or);
}
res = false;
}
catch (Exception ex)
{
log.WI("Failed to create union rule, error: " + ex.Message, false);
}
rangeList.Clear();
}
}
}
return res;
}
static bool MakeSubNetRules(FwOutRule rule)
{
if (rule.IsIPRule && !outRules.Exists(r => !r.IsIPRule && r.IsInclude(rule)))
{
var subnetMask = (uint)0xFFFFFF;
if (outRules.Count(r => r.IsIPRule
&& r.IP != rule.IP
&& (r.IP & subnetMask) == (rule.IP & subnetMask)) > 0)
{
var sRule = new FwOutRule(rule);
var ipBytes = rule.IPAddr.GetAddressBytes();
sRule.UpdateRemoteAddresses(sRule.IP & subnetMask, subnetMask);
log.WI("Adding new rule for [" + sRule.RemoteAddresses + "]");
AddFwRule(sRule);
outRules.Add(sRule);
return true;
}
}
return false;
}
static bool IsRuleExists(FwOutRule rule)
{
if (outRules.Exists(r => r.IsInclude(rule)))
{
return true;
}
return false;
}
static void LoadOutRules()
{
INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(
Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));
List<INetFwRule> rules = new List<INetFwRule>();
foreach (var ruleObj in firewallPolicy.Rules)
{
if (ruleObj is INetFwRule)
{
rules.Add(ruleObj as INetFwRule);
}
}
foreach (var fwRule in rules)
{
if (fwRule.Direction == NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT
&& fwRule.Name.StartsWith(AppName))
{
var rule = new FwOutRule(fwRule);
if (CheckRule(rule))
{
outRules.Add(rule);
}
else
{
RemoveFwRule(rule);
}
}
}
}
public static IPHostEntry GetDomain(FwOutRule rule)
{
IPHostEntry entry = null;
try
{
entry = Dns.GetHostEntry(rule.IPAddr);
}
catch (Exception ex)
{
log.WI(ex.Message + "[" + rule.IPStr + "]");
}
if (entry == null && !rule.Text.IsIPText)
{
try
{
var text = rule.Text.Str;
if (!text.Contains(Uri.SchemeDelimiter))
{
text = string.Concat(Uri.UriSchemeHttp, Uri.SchemeDelimiter, text);
}
Uri uri = new Uri(text);
var domain = uri.DnsSafeHost;
if (!string.IsNullOrEmpty(domain))
{
entry = new IPHostEntry()
{
HostName = domain,
AddressList = new IPAddress[] { rule.IPAddr }
};
}
}
catch (Exception ex)
{
log.WI(ex.Message);
}
}
return entry;
}
static bool CheckRule(FwOutRule rule)
{
return !IsRuleExists(rule) && !IsWhiteRule(rule);
}
