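 /// <summary>
 /// Asserts the properties every rule created by the tests in this class shares:
 /// an enabled, outbound ALLOW rule whose local-user authorization list equals the
 /// formatted SID of the test account <c>Username</c>.
 /// </summary>
 /// <param name="rule">The native firewall rule to verify; must not be null.</param>
 public void CheckCommonRuleProperties(INetFwRule3 rule)
 {
     Assert.NotNull(rule);
     Assert.Equal(NET_FW_ACTION_.NET_FW_ACTION_ALLOW, rule.Action);
     Assert.Equal(NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT, rule.Direction);
     // Assert.True is the boolean-specific assertion; Assert.Equal(true, ...) is
     // flagged by the xUnit analyzers (xUnit2004) and gives a less useful failure.
     Assert.True(rule.Enabled);
     // The rule must be scoped to the test user only, not to every local principal.
     Assert.Equal(FirewallManager.GetFormattedLocalUserSid(Username), rule.LocalUserAuthorizedList);
 }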
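        /// <summary>
        /// Adds an enabled inbound BLOCK rule to the Windows Firewall that applies only to
        /// the given local Windows user, via the rule's <c>LocalUserAuthorizedList</c> SDDL.
        /// </summary>
        /// <param name="ruleName">Display name of the new firewall rule.</param>
        /// <param name="windowsUserName">Local account whose SID (resolved with
        /// <c>GetLocalUserSid</c>) is placed in the rule's authorized-user list.</param>
        /// <exception cref="ArgumentException">A name is null, empty or whitespace, or no SID
        /// could be resolved for <paramref name="windowsUserName"/>.</exception>
        /// <exception cref="InvalidOperationException">The HNetCfg COM classes are not
        /// registered on this machine (e.g. a non-Windows host).</exception>
        /// <remarks>
        /// NOTE(review): modifying the firewall policy presumably requires an elevated
        /// process — confirm against the caller.
        /// </remarks>
        public static void BlockAllInbound(string ruleName, string windowsUserName)
        {
            if (string.IsNullOrWhiteSpace(ruleName))
            {
                throw new ArgumentException("A firewall rule name is required.", "ruleName");
            }
            if (string.IsNullOrWhiteSpace(windowsUserName))
            {
                throw new ArgumentException("A Windows user name is required.", "windowsUserName");
            }

            // Resolve the SID before touching COM: the SDDL below is built from it, and an
            // empty SID would otherwise yield a malformed DACL string.
            string userSid = GetLocalUserSid(windowsUserName);
            if (string.IsNullOrWhiteSpace(userSid))
            {
                throw new ArgumentException("No SID could be resolved for the given Windows user.", "windowsUserName");
            }

            INetFwPolicy2 firewallPolicy = (INetFwPolicy2)CreateComObjectFromProgId("HNetCfg.FwPolicy2");

            // INetFwRule3 (per-user / per-package rule properties) is not available on older
            // Windows versions; the original note names Windows Server 2012 as the baseline.
            INetFwRule3 rule = (INetFwRule3)CreateComObjectFromProgId("HNetCfg.FwRule");

            rule.Name      = ruleName;
            rule.Action    = NET_FW_ACTION_.NET_FW_ACTION_BLOCK;
            rule.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN;
            rule.Enabled   = true;

            // SDDL with a single ACE naming the user's SID; the firewall applies the rule only
            // to traffic of the principals listed here.
            rule.LocalUserAuthorizedList = String.Format(CultureInfo.InvariantCulture, "D:(A;;CC;;;{0})", userSid);

            firewallPolicy.Rules.Add(rule);
        }

        /// <summary>
        /// Instantiates the COM class registered under <paramref name="progId"/>.
        /// <c>Type.GetTypeFromProgID</c> returns null for an unknown ProgID, which
        /// <c>Activator.CreateInstance</c> would report as an unhelpful
        /// <see cref="ArgumentNullException"/>; this helper raises a descriptive error instead.
        /// </summary>
        /// <param name="progId">COM ProgID, e.g. "HNetCfg.FwPolicy2".</param>
        /// <returns>The runtime-callable wrapper for the new COM object.</returns>
        /// <exception cref="InvalidOperationException">The ProgID is not registered.</exception>
        private static object CreateComObjectFromProgId(string progId)
        {
            Type comType = Type.GetTypeFromProgID(progId);
            if (comType == null)
            {
                throw new InvalidOperationException(String.Format(CultureInfo.InvariantCulture, "COM class '{0}' is not registered on this machine.", progId));
            }
            return Activator.CreateInstance(comType);
        }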
        /// <summary>
        /// Copies a native Windows Firewall rule (<see cref="INetFwRule2"/>, plus its
        /// <see cref="INetFwRule3"/> extension when the object implements it) into the
        /// application's <see cref="FirewallRule"/> model.
        /// </summary>
        /// <param name="rule">Model object whose properties are overwritten from <paramref name="entry"/>.</param>
        /// <param name="entry">Native rule obtained from the firewall policy.</param>
        /// <returns>
        /// <c>true</c> when every property was read; <c>false</c> when reading a native
        /// property or deriving the program id threw (the exception is logged, not rethrown,
        /// and <paramref name="rule"/> is left partially filled).
        /// </returns>
        /// <remarks>
        /// Of the INetFwRule3 members only <c>LocalAppPackageId</c> is read. The authorization
        /// properties (LocalUserAuthorizedList, RemoteUserAuthorizedList,
        /// RemoteMachineAuthorizedList, LocalUserOwner, SecureFlags) are not copied, so a
        /// per-user, per-machine or IPsec restriction on a rule is not visible in the model.
        /// </remarks>
        public static bool LoadRule(FirewallRule rule, INetFwRule2 entry)
        {
            try
            {
                // Null when the native object does not implement the V3 interface.
                INetFwRule3 entry3 = entry as INetFwRule3;

                rule.BinaryPath = entry.ApplicationName;
                rule.ServiceTag = entry.serviceName;
                if (entry3 != null)
                {
                    rule.AppSID = entry3.LocalAppPackageId;
                }

                // Derive the program identity; precedence is System > App > Service > Program > Global.
                // Note: while LocalAppPackageId and serviceName can be set at the same time, a
                // universal App can not be started as a service, so both being set is a conflict.
                ProgramID progID;
                if (entry.ApplicationName != null && entry.ApplicationName.Equals("System", StringComparison.OrdinalIgnoreCase))
                {
                    progID = ProgramID.NewID(ProgramID.Types.System);
                }
                // Win10: packaged app identified by its package SID
                else if (entry3 != null && entry3.LocalAppPackageId != null)
                {
                    if (entry.serviceName != null)
                    {
                        // Lands in the catch below; the rule is reported as unreadable.
                        throw new ArgumentException("Firewall paremeter conflict");
                    }
                    progID = ProgramID.NewAppID(entry3.LocalAppPackageId, entry.ApplicationName);
                }
                // Windows service; ApplicationName, when present, is the hosting binary
                else if (entry.serviceName != null)
                {
                    progID = ProgramID.NewSvcID(entry.serviceName, entry.ApplicationName);
                }
                else if (entry.ApplicationName != null)
                {
                    progID = ProgramID.NewProgID(entry.ApplicationName);
                }
                else // if nothing is configured then it is a global rule
                {
                    progID = ProgramID.NewID(ProgramID.Types.Global);
                }

                // Any normalisation of the id is done by Priv10Engine.AdjustProgID, not here.
                rule.ProgID = Priv10Engine.AdjustProgID(progID);

                // https://docs.microsoft.com/en-us/windows/desktop/api/netfw/nn-netfw-inetfwrule

                rule.Name        = entry.Name;
                rule.Grouping    = entry.Grouping;
                rule.Description = entry.Description;

                //rule.ProgramPath = entry.ApplicationName;
                //rule.ServiceName = entry.serviceName;

                rule.Enabled = entry.Enabled;

                // No default cases: an unmapped native value leaves rule.Direction / rule.Action unchanged.
                switch (entry.Direction)
                {
                case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN: rule.Direction = FirewallRule.Directions.Inbound; break;

                case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT: rule.Direction = FirewallRule.Directions.Outboun; break;
                }

                switch (entry.Action)
                {
                case NET_FW_ACTION_.NET_FW_ACTION_ALLOW: rule.Action = FirewallRule.Actions.Allow; break;

                case NET_FW_ACTION_.NET_FW_ACTION_BLOCK: rule.Action = FirewallRule.Actions.Block; break;
                }

                rule.Profile = entry.Profiles;

                // InterfaceTypes is a comma-separated string. The flags are derived by substring
                // search, so any value containing one of the words sets that flag. A null
                // InterfaceTypes throws here and fails the whole load.
                if (entry.InterfaceTypes.Equals("All", StringComparison.OrdinalIgnoreCase))
                {
                    rule.Interface = (int)FirewallRule.Interfaces.All;
                }
                else
                {
                    rule.Interface = 0;
                    if (entry.InterfaceTypes.IndexOf("Lan", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)FirewallRule.Interfaces.Lan;
                    }
                    if (entry.InterfaceTypes.IndexOf("Wireless", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)FirewallRule.Interfaces.Wireless;
                    }
                    if (entry.InterfaceTypes.IndexOf("RemoteAccess", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)FirewallRule.Interfaces.RemoteAccess;
                    }
                }

                rule.Protocol = entry.Protocol;

                /* Quoted from the INetFwRule documentation:
                 * The localAddrs parameter consists of one or more comma-delimited tokens specifying the local addresses from which the application can listen for traffic. "*" is the default value. Valid tokens include:
                 *
                 * "*" indicates any local address. If present, this must be the only token included.
                 * "Defaultgateway"
                 * "DHCP"
                 * "WINS"
                 * "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
                 * A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                 * A valid IPv6 address.
                 * An IPv4 address range in the format of "start address - end address" with no spaces included.
                 * An IPv6 address range in the format of "start address - end address" with no spaces included.*/

                // Ports and ICMP types are only meaningful for their protocol family; for any
                // other protocol the model's port / ICMP fields are left untouched.
                switch (rule.Protocol)
                {
                case (int)FirewallRule.KnownProtocols.ICMP:
                case (int)FirewallRule.KnownProtocols.ICMPv6:
                    rule.SetIcmpTypesAndCodes(entry.IcmpTypesAndCodes);
                    break;

                case (int)FirewallRule.KnownProtocols.TCP:
                case (int)FirewallRule.KnownProtocols.UDP:
                    // , separated number or range 123-456
                    rule.LocalPorts  = entry.LocalPorts;
                    rule.RemotePorts = entry.RemotePorts;
                    break;
                }

                // Address strings are copied verbatim; no parsing or validation happens here.
                rule.LocalAddresses  = entry.LocalAddresses;
                rule.RemoteAddresses = entry.RemoteAddresses;

                // https://docs.microsoft.com/de-de/windows/desktop/api/icftypes/ne-icftypes-net_fw_edge_traversal_type_
                //EdgeTraversal = (int)(Entry.EdgeTraversal ? NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_ALLOW : NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY);
                rule.EdgeTraversal = entry.EdgeTraversalOptions;

                // NOTE(review): this block is empty — the V3 authorization lists and SecureFlags
                // listed below are not loaded into the model (see the remarks above).
                if (entry3 != null)
                {
                    /*
                     * string s0 = entry3.LocalAppPackageId // 8
                     * string s1 = entry3.RemoteUserAuthorizedList; // 7
                     * string s2 = entry3.RemoteMachineAuthorizedList; // 7
                     * string s3 = entry3.LocalUserAuthorizedList; // 8
                     * string s4 = entry3.LocalUserOwner; // 8
                     * int i1 = entry3.SecureFlags; // ??
                     */
                }
            }
            catch (Exception err)
            {
                // Catch-all: a single unreadable rule is logged (with the full exception text)
                // and reported through the return value instead of propagating.
                Priv10Logger.LogError("Reading Firewall Rule failed {0}", err.ToString());
                return(false);
            }
            return(true);
        }
        /// <summary>
        /// Writes the application's <see cref="FirewallRule"/> model onto a native Windows
        /// Firewall rule object (<see cref="INetFwRule2"/>, plus <see cref="INetFwRule3"/>
        /// when implemented). The order of the property sets is deliberate: the comments in
        /// the body record that the native object rejects some sets depending on the state it
        /// already holds, so ports / ICMP codes are cleared before the protocol changes.
        /// </summary>
        /// <param name="rule">Model supplying the values.</param>
        /// <param name="entry">Native rule to update — an existing policy entry or one freshly created by the caller.</param>
        /// <returns>
        /// <c>true</c> on success; <c>false</c> if any native set threw (logged, not rethrown).
        /// A <c>false</c> result leaves <paramref name="entry"/> partially updated.
        /// </returns>
        /// <remarks>
        /// Only <c>LocalAppPackageId</c> of the V3 interface is written. LocalUserAuthorizedList,
        /// RemoteUserAuthorizedList, RemoteMachineAuthorizedList, LocalUserOwner and SecureFlags
        /// are not touched: an existing entry keeps whatever restrictions it already carries and a
        /// new entry keeps the COM object's defaults. Any such restriction present in the model's
        /// source rule is therefore not carried over by this method.
        /// </remarks>
        public static bool SaveRule(FirewallRule rule, INetFwRule2 entry)
        {
            try
            {
                // Edge traversal is forced to DENY up front and re-applied from the model at the
                // end; the reason is not recorded — presumably to keep the intermediate state
                // valid while other properties change. Confirm before reordering.
                entry.EdgeTraversalOptions = (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY;

                // Null when the native object does not implement the V3 interface.
                INetFwRule3 entry3 = entry as INetFwRule3;

                // Program identity is written from the model's raw fields; the derivation from
                // ProgID that used to live here is kept below as a commented-out reference.
                entry.ApplicationName = rule.BinaryPath;
                entry.serviceName     = rule.ServiceTag;
                if (entry3 != null)
                {
                    entry3.LocalAppPackageId = rule.AppSID;
                }

                /*
                 * switch (rule.ProgID.Type)
                 * {
                 *  case ProgramID.Types.Global:
                 *      entry.ApplicationName = null;
                 *      break;
                 *  case ProgramID.Types.System:
                 *      entry.ApplicationName = "System";
                 *      break;
                 *  default:
                 *      if (rule.ProgID.Path != null && rule.ProgID.Path.Length > 0)
                 *          entry.ApplicationName = rule.ProgID.Path;
                 *      break;
                 * }
                 *
                 * if (rule.ProgID.Type == ProgramID.Types.App)
                 *  entry3.LocalAppPackageId = rule.ProgID.GetPackageSID();
                 * else
                 *  entry3.LocalAppPackageId = null;
                 *
                 * if (rule.ProgID.Type == ProgramID.Types.Service)
                 *  entry.serviceName = rule.ProgID.GetServiceId();
                 * else
                 *  entry.serviceName = null;
                 */

                entry.Name        = rule.Name;
                entry.Grouping    = rule.Grouping;
                entry.Description = rule.Description;

                entry.Enabled = rule.Enabled;

                // No default cases: an unmapped model value leaves entry.Direction / entry.Action unchanged.
                switch (rule.Direction)
                {
                case FirewallRule.Directions.Inbound: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN; break;

                case FirewallRule.Directions.Outboun: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT; break;
                }

                switch (rule.Action)
                {
                case FirewallRule.Actions.Allow: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW; break;

                case FirewallRule.Actions.Block: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK; break;
                }

                entry.Profiles = rule.Profile;

                // Interface flags become a comma-separated token list. Note the list is emitted in
                // reverse collection order; the reason is not recorded — confirm before changing.
                if (rule.Interface == (int)FirewallRule.Interfaces.All)
                {
                    entry.InterfaceTypes = "All";
                }
                else
                {
                    List <string> interfaces = new List <string>();
                    if ((rule.Interface & (int)FirewallRule.Interfaces.Lan) != 0)
                    {
                        interfaces.Add("Lan");
                    }
                    if ((rule.Interface & (int)FirewallRule.Interfaces.Wireless) != 0)
                    {
                        interfaces.Add("Wireless");
                    }
                    if ((rule.Interface & (int)FirewallRule.Interfaces.RemoteAccess) != 0)
                    {
                        interfaces.Add("RemoteAccess");
                    }
                    entry.InterfaceTypes = string.Join(",", interfaces.ToArray().Reverse());
                }

                // Note: if this is not cleared protocol change may trigger an exception
                if (entry.LocalPorts != null)
                {
                    entry.LocalPorts = null;
                }
                if (entry.RemotePorts != null)
                {
                    entry.RemotePorts = null;
                }
                if (entry.IcmpTypesAndCodes != null)
                {
                    entry.IcmpTypesAndCodes = null;
                }

                // Note: protocol must be set early enough or other sets will cause errors!
                entry.Protocol = rule.Protocol;

                // Ports / ICMP codes are written only for their protocol family; for any other
                // protocol they stay cleared (see above).
                switch (rule.Protocol)
                {
                case (int)FirewallRule.KnownProtocols.ICMP:
                case (int)FirewallRule.KnownProtocols.ICMPv6:
                    entry.IcmpTypesAndCodes = rule.GetIcmpTypesAndCodes();
                    break;

                case (int)FirewallRule.KnownProtocols.TCP:
                case (int)FirewallRule.KnownProtocols.UDP:
                    entry.LocalPorts  = rule.LocalPorts;
                    entry.RemotePorts = rule.RemotePorts;
                    break;
                }

                // Addresses are skipped when edge traversal is deferred to the user; the reason
                // is not recorded here — confirm whether the native object rejects explicit
                // addresses in that mode. The strings are written verbatim, unvalidated.
                if (rule.EdgeTraversal != (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DEFER_TO_USER)
                {
                    entry.LocalAddresses  = rule.LocalAddresses;
                    entry.RemoteAddresses = rule.RemoteAddresses;
                }

                entry.EdgeTraversalOptions = rule.EdgeTraversal;


                // NOTE(review): this block is empty — the V3 authorization lists and SecureFlags
                // listed below are never written (see the remarks above).
                if (entry3 != null)
                {
                    /*
                     * string s0 = entry3.LocalAppPackageId // 8
                     * string s1 = entry3.RemoteUserAuthorizedList; // 7
                     * string s2 = entry3.RemoteMachineAuthorizedList; // 7
                     * string s3 = entry3.LocalUserAuthorizedList; // 8
                     * string s4 = entry3.LocalUserOwner; // 8
                     * int i1 = entry3.SecureFlags; // ??
                     */
                }
            }
            catch (Exception err)
            {
                // Catch-all: the failure is logged with the full exception text and reported
                // through the return value; the entry may be left half-written.
                Priv10Logger.LogError("Firewall Rule Commit failed {0}", err.ToString());
                return(false);
            }
            return(true);
        }
 /// <summary>
 /// Constructs a <c>FirewallWASRuleWin8</c> over a V3 (<see cref="INetFwRule3"/>) native
 /// rule. All initialisation is delegated to the base constructor; the V3 parameter type
 /// only restricts what callers may pass in.
 /// </summary>
 /// <param name="rule">Native rule object handed to the base class.</param>
 // ReSharper disable once SuggestBaseTypeForParameter
 internal FirewallWASRuleWin8(INetFwRule3 rule) : base(rule) { }
 /// <summary>
 /// Constructs a <c>StandardRuleWin8</c> over a V3 (<see cref="INetFwRule3"/>) native rule;
 /// all initialisation is delegated to the base constructor.
 /// </summary>
 /// <param name="rule">Native rule object handed to the base class.</param>
 internal StandardRuleWin8(INetFwRule3 rule) : base(rule) { }
        /// <summary>
        /// Writes the application's <see cref="FirewallRule"/> model onto a native Windows
        /// Firewall rule object (<see cref="INetFwRule2"/>; the <see cref="INetFwRule3"/>
        /// members are only compiled in under the <c>win10</c> symbol). The order of the
        /// property sets is deliberate: the comments in the body record that the native object
        /// rejects some sets depending on the state it already holds.
        /// </summary>
        /// <param name="rule">Model supplying the values; its program identity comes from <c>rule.mID</c>.</param>
        /// <param name="entry">Native rule to update — an existing policy entry or one freshly created by the caller.</param>
        /// <returns>
        /// <c>true</c> on success; <c>false</c> if any native set threw (logged, not rethrown).
        /// A <c>false</c> result leaves <paramref name="entry"/> partially updated.
        /// </returns>
        /// <remarks>
        /// Only <c>LocalAppPackageId</c> of the V3 interface is written (win10 builds). The
        /// authorization lists and SecureFlags are not touched, so an existing entry keeps
        /// whatever restrictions it already carries and a new entry keeps the COM defaults.
        /// </remarks>
        public static bool SaveRule(FirewallRule rule, INetFwRule2 entry)
        {
            try
            {
                // Edge traversal is forced to DENY up front and re-applied from the model at the
                // end; the reason is not recorded — presumably to keep the intermediate state
                // valid while other properties change. Confirm before reordering.
                entry.EdgeTraversalOptions = (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY;

#if win10
                // Null when the native object does not implement the V3 interface.
                INetFwRule3 entry3 = entry as INetFwRule3;
#endif

                // Map the program identity onto ApplicationName. In the default branch an empty
                // Path leaves ApplicationName unchanged, so a previously loaded value is not cleared.
                switch (rule.mID.Type)
                {
                case ProgramList.Types.Global:
                    entry.ApplicationName = null;
                    break;

                case ProgramList.Types.System:
                    entry.ApplicationName = "System";
                    break;

                default:
                    if (rule.mID.Path != null && rule.mID.Path.Length > 0)
                    {
                        entry.ApplicationName = rule.mID.Path;
                    }
                    break;
                }

                if (rule.mID.Type == ProgramList.Types.Service)
                {
                    entry.serviceName = rule.mID.Name;
                }
                else
                {
                    entry.serviceName = null;
                }

#if win10
                // NOTE(review): entry3 is not null-checked here, unlike the block near the end;
                // for a non-V3 entry this throws NullReferenceException, which the catch below
                // turns into a logged failure.
                if (rule.mID.Type == ProgramList.Types.App)
                {
                    entry3.LocalAppPackageId = rule.mID.Name;
                }
                else
                {
                    entry3.LocalAppPackageId = null;
                }
#endif

                entry.Name        = rule.Name;
                entry.Grouping    = rule.Grouping;
                entry.Description = rule.Description;

                //entry.ApplicationName = rule.ProgramPath;
                //entry.serviceName = rule.ServiceName;

                entry.Enabled = rule.Enabled;

                // No default cases: an unmapped model value leaves entry.Direction / entry.Action unchanged.
                switch (rule.Direction)
                {
                case Firewall.Directions.Inbound: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN; break;

                case Firewall.Directions.Outboun: entry.Direction = NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT; break;
                }

                switch (rule.Action)
                {
                case Firewall.Actions.Allow: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_ALLOW; break;

                case Firewall.Actions.Block: entry.Action = NET_FW_ACTION_.NET_FW_ACTION_BLOCK; break;
                }

                entry.Profiles = rule.Profile;

                // Interface flags become a comma-separated token list. Note the list is emitted in
                // reverse collection order; the reason is not recorded — confirm before changing.
                if (rule.Interface == (int)Firewall.Interfaces.All)
                {
                    entry.InterfaceTypes = "All";
                }
                else
                {
                    List <string> interfaces = new List <string>();
                    if ((rule.Interface & (int)Firewall.Interfaces.Lan) != 0)
                    {
                        interfaces.Add("Lan");
                    }
                    if ((rule.Interface & (int)Firewall.Interfaces.Wireless) != 0)
                    {
                        interfaces.Add("Wireless");
                    }
                    if ((rule.Interface & (int)Firewall.Interfaces.RemoteAccess) != 0)
                    {
                        interfaces.Add("RemoteAccess");
                    }
                    entry.InterfaceTypes = string.Join(",", interfaces.ToArray().Reverse());
                }

                // Note: if this is not cleared protocol change may trigger an exception
                if (entry.LocalPorts != null)
                {
                    entry.LocalPorts = null;
                }
                if (entry.RemotePorts != null)
                {
                    entry.RemotePorts = null;
                }
                if (entry.IcmpTypesAndCodes != null)
                {
                    entry.IcmpTypesAndCodes = null;
                }

                // Note: protocol must be set early enough or other sets will cause errors!
                entry.Protocol = rule.Protocol;

                // Ports / ICMP codes are written only for their protocol family; for any other
                // protocol they stay cleared (see above).
                switch (rule.Protocol)
                {
                case (int)FirewallRule.KnownProtocols.ICMP:
                case (int)FirewallRule.KnownProtocols.ICMPv6:
                    entry.IcmpTypesAndCodes = rule.IcmpTypesAndCodes;
                    break;

                case (int)FirewallRule.KnownProtocols.TCP:
                case (int)FirewallRule.KnownProtocols.UDP:
                    entry.LocalPorts  = rule.LocalPorts;
                    entry.RemotePorts = rule.RemotePorts;
                    break;
                }

                // Addresses are skipped when edge traversal is deferred to the user; the reason
                // is not recorded here — confirm whether the native object rejects explicit
                // addresses in that mode. The strings are written verbatim, unvalidated.
                if (rule.EdgeTraversal != (int)NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DEFER_TO_USER)
                {
                    entry.LocalAddresses  = rule.LocalAddresses;
                    entry.RemoteAddresses = rule.RemoteAddresses;
                }

                entry.EdgeTraversalOptions = rule.EdgeTraversal;


#if win10
                // NOTE(review): this block is empty — the V3 authorization lists and SecureFlags
                // listed below are never written (see the remarks above).
                if (entry3 != null)
                {
                    //entry3.LocalAppPackageId = rule.AppID;

                    /*entry3.LocalAppPackageId;
                     * entry3.RemoteMachineAuthorizedList;
                     * entry3.LocalUserAuthorizedList;
                     * entry3.LocalUserOwner;
                     * entry3.SecureFlags;*/
                }
#endif
            }
            catch (Exception err)
            {
                // Catch-all: the failure is logged with the full exception text and reported
                // through the return value; the entry may be left half-written.
                AppLog.Line("Firewall Rule Commit failed {0}", err.ToString());
                return(false);
            }
            return(true);
        }
        /// <summary>
        /// Copies a native Windows Firewall rule (<see cref="INetFwRule2"/>; the
        /// <see cref="INetFwRule3"/> members are only compiled in under the <c>win10</c>
        /// symbol) into the application's <see cref="FirewallRule"/> model.
        /// </summary>
        /// <param name="rule">Model object whose properties are overwritten from <paramref name="entry"/>; its program identity is stored in <c>rule.mID</c>.</param>
        /// <param name="entry">Native rule obtained from the firewall policy.</param>
        /// <returns>
        /// <c>true</c> when every property was read; <c>false</c> when reading a native
        /// property threw (the exception is logged, not rethrown, and <paramref name="rule"/>
        /// is left partially filled).
        /// </returns>
        /// <remarks>
        /// Of the INetFwRule3 members only <c>LocalAppPackageId</c> is read (win10 builds).
        /// The authorization lists, LocalUserOwner and SecureFlags are not copied, so a
        /// per-user, per-machine or IPsec restriction on a rule is not visible in the model.
        /// </remarks>
        public static bool LoadRule(FirewallRule rule, INetFwRule2 entry)
        {
            try
            {
#if win10
                // Null when the native object does not implement the V3 interface.
                INetFwRule3 entry3 = entry as INetFwRule3;
#endif
                // Derive the program identity; precedence is System > Service > App (win10 only)
                // > Program > Global. Only the service / app branches carry a name.
                ProgramList.Types type;
                string            path = entry.ApplicationName;
                string            name = null;
                if (path != null && path.Equals("System", StringComparison.OrdinalIgnoreCase))
                {
                    type = ProgramList.Types.System;
                }
                else if (entry.serviceName != null)
                {
                    type = ProgramList.Types.Service;
                    name = entry.serviceName;
                }
#if win10
                else if (entry3 != null && entry3.LocalAppPackageId != null)
                {
                    type = ProgramList.Types.App;
                    name = entry3.LocalAppPackageId;
                }
#endif
                else if (path != null)
                {
                    type = ProgramList.Types.Program;
                }
                else
                {
                    type = ProgramList.Types.Global;
                }

                rule.mID = new ProgramList.ID(type, path, name);

                // https://docs.microsoft.com/en-us/windows/desktop/api/netfw/nn-netfw-inetfwrule

                rule.Name        = entry.Name;
                rule.Grouping    = entry.Grouping;
                rule.Description = entry.Description;

                //rule.ProgramPath = entry.ApplicationName;
                //rule.ServiceName = entry.serviceName;

                rule.Enabled = entry.Enabled;

                // No default cases: an unmapped native value leaves rule.Direction / rule.Action unchanged.
                switch (entry.Direction)
                {
                case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_IN: rule.Direction = Firewall.Directions.Inbound; break;

                case NET_FW_RULE_DIRECTION_.NET_FW_RULE_DIR_OUT: rule.Direction = Firewall.Directions.Outboun; break;
                }

                switch (entry.Action)
                {
                case NET_FW_ACTION_.NET_FW_ACTION_ALLOW: rule.Action = Firewall.Actions.Allow; break;

                case NET_FW_ACTION_.NET_FW_ACTION_BLOCK: rule.Action = Firewall.Actions.Block; break;
                }

                rule.Profile = entry.Profiles;

                // InterfaceTypes is a comma-separated string. The flags are derived by substring
                // search, so any value containing one of the words sets that flag. A null
                // InterfaceTypes throws here and fails the whole load.
                if (entry.InterfaceTypes.Equals("All", StringComparison.OrdinalIgnoreCase))
                {
                    rule.Interface = (int)Firewall.Interfaces.All;
                }
                else
                {
                    rule.Interface = (int)Firewall.Interfaces.None;
                    if (entry.InterfaceTypes.IndexOf("Lan", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)Firewall.Interfaces.Lan;
                    }
                    if (entry.InterfaceTypes.IndexOf("Wireless", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)Firewall.Interfaces.Wireless;
                    }
                    if (entry.InterfaceTypes.IndexOf("RemoteAccess", StringComparison.OrdinalIgnoreCase) != -1)
                    {
                        rule.Interface |= (int)Firewall.Interfaces.RemoteAccess;
                    }
                }

                rule.Protocol = entry.Protocol;

                /* Quoted from the INetFwRule documentation:
                 * The localAddrs parameter consists of one or more comma-delimited tokens specifying the local addresses from which the application can listen for traffic. "*" is the default value. Valid tokens include:
                 *
                 * "*" indicates any local address. If present, this must be the only token included.
                 * "Defaultgateway"
                 * "DHCP"
                 * "WINS"
                 * "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
                 * A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                 * A valid IPv6 address.
                 * An IPv4 address range in the format of "start address - end address" with no spaces included.
                 * An IPv6 address range in the format of "start address - end address" with no spaces included.*/

                // Ports and ICMP types are only meaningful for their protocol family; for any
                // other protocol the model's port / ICMP fields are left untouched.
                switch (rule.Protocol)
                {
                case (int)FirewallRule.KnownProtocols.ICMP:
                case (int)FirewallRule.KnownProtocols.ICMPv6:
                    //The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.
                    rule.IcmpTypesAndCodes = entry.IcmpTypesAndCodes;
                    break;

                case (int)FirewallRule.KnownProtocols.TCP:
                case (int)FirewallRule.KnownProtocols.UDP:
                    // , separated number or range 123-456
                    rule.LocalPorts  = entry.LocalPorts;
                    rule.RemotePorts = entry.RemotePorts;
                    break;
                }

                // Address strings are copied verbatim; no parsing or validation happens here.
                rule.LocalAddresses  = entry.LocalAddresses;
                rule.RemoteAddresses = entry.RemoteAddresses;

                // https://docs.microsoft.com/de-de/windows/desktop/api/icftypes/ne-icftypes-net_fw_edge_traversal_type_
                //EdgeTraversal = (int)(Entry.EdgeTraversal ? NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_ALLOW : NET_FW_EDGE_TRAVERSAL_TYPE_.NET_FW_EDGE_TRAVERSAL_TYPE_DENY);
                rule.EdgeTraversal = entry.EdgeTraversalOptions;

#if win10
                // NOTE(review): this block is empty — the V3 authorization lists and SecureFlags
                // listed below are not loaded into the model (see the remarks above).
                if (entry3 != null)
                {
                    //rule.AppID = entry3.LocalAppPackageId;

                    /*string s1 = entry3.LocalAppPackageId;
                     * string s2 = entry3.RemoteMachineAuthorizedList;
                     * string s3 = entry3.LocalUserAuthorizedList;
                     * string s4 = entry3.LocalUserOwner;
                     * int i1 = entry3.SecureFlags;*/
                }
#endif
            }
            catch (Exception err)
            {
                // Catch-all: a single unreadable rule is logged (with the full exception text)
                // and reported through the return value instead of propagating.
                AppLog.Line("Reading Firewall Rule failed {0}", err.ToString());
                return(false);
            }
            return(true);
        }
 /// <summary>
 /// Constructs a <c>StandardRuleWin8</c> over a V3 native rule. Besides the base-class
 /// initialisation, the typed <see cref="INetFwRule3"/> reference is retained in
 /// <c>UnderlyingObjectV3</c>.
 /// </summary>
 /// <param name="rule">Native rule object; passed to the base class and stored as <c>UnderlyingObjectV3</c>.</param>
 internal StandardRuleWin8(INetFwRule3 rule)
     : base(rule)
 {
     this.UnderlyingObjectV3 = rule;
 }