Driver: "Stop Traffic" is effective, when "Filter Enabled" is turned on.

This commit is contained in:
Nodir Temirkhodjaev 2021-03-09 17:25:35 +03:00
parent d792191549
commit dc5384e333
2 changed files with 55 additions and 52 deletions


@ -50,12 +50,13 @@ Filtered apps will be shown in the "Blocked" tab.
#### Filtering steps: #### Filtering steps:
1) If **address** is 127.* or 255.255.255.255 and "Filter Local Addresses" is turned off, then _**PERMIT**_ 1) If **address** is 127.* or 255.255.255.255 and "Filter Local Addresses" is turned off, then _**PERMIT**_
2) If "Stop Traffic" is turned on, then _**BLOCK**_ 2) If "Filter Enabled" is turned off, then _**PERMIT**_
3) If "Filter Enabled" is turned off or **address** is not from "Internet Addresses", then _**PERMIT**_ 3) If "Stop Traffic" is turned on, then _**BLOCK**_
4) If "Stop Internet Traffic" is turned on, then _**BLOCK**_ 4) If **address** is not from "Internet Addresses", then _**PERMIT**_
5) If **address** is not from "Allowed Internet Addresses", then _**BLOCK**_ 5) If "Stop Internet Traffic" is turned on, then _**BLOCK**_
6) If **app path** is allowed, then _**PERMIT**_ 6) If **address** is not from "Allowed Internet Addresses", then _**BLOCK**_
7) Log about blocked event and _**BLOCK**_ 7) If **app path** is allowed, then _**PERMIT**_
8) Log about blocked event and _**BLOCK**_
## Code Quality Monitor ## Code Quality Monitor


@ -109,44 +109,45 @@ static void fort_callout_classify_v4(const FWPS_INCOMING_VALUES0 *inFixedValues,
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags; const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
if (conf_flags.stop_traffic)
goto block;
UCHAR block_reason = FORT_BLOCK_REASON_UNKNOWN;
BOOL blocked = TRUE;
if (!conf_flags.filter_enabled) {
if (conf_flags.log_stat && conf_flags.log_stat_no_filter) {
blocked = FALSE;
} else
goto permit;
}
if (!fort_conf_ip_is_inet(&conf_ref->conf,
(fort_conf_zones_ip_included_func *) fort_conf_zones_ip_included, &g_device->conf,
remote_ip))
goto permit;
if (blocked && conf_flags.stop_inet_traffic)
goto block;
const UINT32 process_id = (UINT32) inMetaValues->processId; const UINT32 process_id = (UINT32) inMetaValues->processId;
const UINT32 path_len = const UINT32 path_len =
inMetaValues->processPath->size - sizeof(WCHAR); /* chop terminating zero */ inMetaValues->processPath->size - sizeof(WCHAR); /* chop terminating zero */
const PVOID path = inMetaValues->processPath->data; const PVOID path = inMetaValues->processPath->data;
if (blocked UCHAR block_reason = FORT_BLOCK_REASON_UNKNOWN;
&& !fort_conf_ip_inet_included(&conf_ref->conf, BOOL blocked = TRUE;
if (conf_flags.filter_enabled) {
if (conf_flags.stop_traffic)
goto end;
if (!fort_conf_ip_is_inet(&conf_ref->conf,
(fort_conf_zones_ip_included_func *) fort_conf_zones_ip_included, (fort_conf_zones_ip_included_func *) fort_conf_zones_ip_included,
&g_device->conf, remote_ip)) { &g_device->conf, remote_ip)) {
block_reason = FORT_BLOCK_REASON_IP_INET; blocked = FALSE; /* permit (LAN) */
goto block_log; goto end;
}
if (conf_flags.stop_inet_traffic)
goto end;
if (!fort_conf_ip_inet_included(&conf_ref->conf,
(fort_conf_zones_ip_included_func *) fort_conf_zones_ip_included,
&g_device->conf, remote_ip)) {
block_reason = FORT_BLOCK_REASON_IP_INET;
goto end;
}
} else {
blocked = FALSE; /* permit (Filter Disabled) */
if (!(conf_flags.log_stat && conf_flags.log_stat_no_filter))
goto end;
} }
FORT_APP_FLAGS app_flags = FORT_APP_FLAGS app_flags =
fort_conf_app_find(&conf_ref->conf, path, path_len, fort_conf_exe_find); fort_conf_app_find(&conf_ref->conf, path, path_len, fort_conf_exe_find);
if (!blocked || (app_flags.v == 0 && conf_flags.allow_all_new) if (!blocked /* collect traffic, when Filter Disabled */
|| (app_flags.v == 0 && conf_flags.allow_all_new) /* collect new Blocked Programs */
|| !fort_conf_app_blocked(&conf_ref->conf, app_flags, &block_reason)) { || !fort_conf_app_blocked(&conf_ref->conf, app_flags, &block_reason)) {
if (conf_flags.log_stat) { if (conf_flags.log_stat) {
const UINT64 flow_id = inMetaValues->flowHandle; const UINT64 flow_id = inMetaValues->flowHandle;
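Review bot: The `process_id`/`path_len`/`path` reads from `inMetaValues->processPath` now sit above the `filter_enabled` block, so every classify call dereferences `processPath` before the "Stop Traffic", LAN-permit and "Stop Internet Traffic" early exits jump to `end`, whereas the old side evaluated them only after those exits; none of those three paths use `path` (it is consumed only by `fort_conf_app_find` and by the `log_blocked_ip` write, which is skipped while `block_reason` is still `FORT_BLOCK_REASON_UNKNOWN`). Unless a `FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH)` check exists earlier in the function (fort_callout_classify_v4 begins before this hunk and its body continues past it), a flow that arrives without a process path would now fault in kernel mode on a path that previously never touched it, and `processPath->size - sizeof(WCHAR)` wraps to a huge `UINT32` when `size` is 0. I would move the three declarations back down to just before `FORT_APP_FLAGS app_flags = fort_conf_app_find(&conf_ref->conf, path, path_len, fort_conf_exe_find);`, where they were on the old side, or guard them with the presence check and treat absence as a block with a logged reason rather than a permit. Separately, the two bare `goto end;` lines under `stop_traffic` and `stop_inet_traffic` deserve a comment such as `/* global stop: block silently, block_reason stays UNKNOWN so no blocked-IP log entry */`, since the `end:` label's `block_reason != FORT_BLOCK_REASON_UNKNOWN` test is what makes these blocks invisible in the log.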
@ -167,7 +168,8 @@ static void fort_callout_classify_v4(const FWPS_INCOMING_VALUES0 *inFixedValues,
if (!NT_SUCCESS(status)) { if (!NT_SUCCESS(status)) {
if (status == FORT_STATUS_FLOW_BLOCK) { if (status == FORT_STATUS_FLOW_BLOCK) {
block_reason = FORT_BLOCK_REASON_REAUTH; block_reason = FORT_BLOCK_REASON_REAUTH;
goto block_log; blocked = TRUE;
goto end;
} }
DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL,
@ -178,7 +180,7 @@ static void fort_callout_classify_v4(const FWPS_INCOMING_VALUES0 *inFixedValues,
} }
} }
blocked = FALSE; blocked = FALSE; /* permit */
} }
if (app_flags.v == 0 && (conf_flags.allow_all_new || conf_flags.log_blocked) if (app_flags.v == 0 && (conf_flags.allow_all_new || conf_flags.log_blocked)
@ -193,28 +195,28 @@ static void fort_callout_classify_v4(const FWPS_INCOMING_VALUES0 *inFixedValues,
} }
} }
if (!blocked) end:
goto permit; if (blocked) {
/* Log the blocked connection */
if (block_reason != FORT_BLOCK_REASON_UNKNOWN && conf_flags.log_blocked_ip) {
const UINT32 local_ip = inFixedValues->incomingValue[localIpField].value.uint32;
const UINT16 local_port = inFixedValues->incomingValue[localPortField].value.uint16;
const UINT16 remote_port = inFixedValues->incomingValue[remotePortField].value.uint16;
const IPPROTO ip_proto =
(IPPROTO) inFixedValues->incomingValue[ipProtoField].value.uint8;
block_log: fort_buffer_blocked_ip_write(&g_device->buffer, inbound, block_reason, ip_proto,
if (conf_flags.log_blocked_ip) { local_port, remote_port, local_ip, remote_ip, process_id, path_len, path, &irp,
const UINT32 local_ip = inFixedValues->incomingValue[localIpField].value.uint32; &info);
const UINT16 local_port = inFixedValues->incomingValue[localPortField].value.uint16; }
const UINT16 remote_port = inFixedValues->incomingValue[remotePortField].value.uint16;
const IPPROTO ip_proto = (IPPROTO) inFixedValues->incomingValue[ipProtoField].value.uint8;
fort_buffer_blocked_ip_write(&g_device->buffer, inbound, block_reason, ip_proto, local_port, /* Block the connection */
remote_port, local_ip, remote_ip, process_id, path_len, path, &irp, &info); fort_callout_classify_block(classifyOut);
} else {
/* Allow the connection */
fort_callout_classify_permit(filter, classifyOut);
} }
block:
fort_callout_classify_block(classifyOut);
goto end;
permit:
fort_callout_classify_permit(filter, classifyOut);
end:
fort_conf_ref_put(&g_device->conf, conf_ref); fort_conf_ref_put(&g_device->conf, conf_ref);
if (irp != NULL) { if (irp != NULL) {