{ printf("MAC: Failed to add Mac Addr to cache\n"); return ERROR; } } return OK; }

/*******************************************************************************
*
* protectionRulesSet - Set firewall rules to protect both gateway and
* private network from bad/invalid IP packets incoming from public network
*
* Installs the pre-input filter with a default action of FW_ACCEPT, then a
* group that accepts everything arriving on the private interface, and then,
* one per configuration flag, the reject rule sets for spoofed sources,
* directed broadcast, illegal TCP flag combinations, floods, fragments and
* IP source routing.
*
* Reads file-scope configuration declared outside this excerpt:
* privateIfName, privateIfUnit, pktLogLen, spoofingBlock, directedBcastBlock,
* badTcpFlagsBlock, synFloodProtect, udpFloodProtect, pingFloodProtect,
* fragmentsAction and sourceRouteBlock.
*
* Error handling is print-and-return: on the first failure ERROR is returned
* and the filter/group already installed are NOT removed here, so the caller
* decides what a half-installed protection rule set means.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS protectionRulesSet()
{
    void * groupId;

    /*
     * The pre-input filter location sees ALL packets (local/forwarded)
     * incoming to any network interface. Therefore, this filter
     * location is ideal for setting rules to protect both the
     * gateway and private network from bad/illegal packets incoming
     * from public network.
     *
     * Set the default action for pre-input filter location to accept.
     * The input and forward filter location will be responsible for
     * dropping all unwanted incoming packets.
     */
    if (fwRuleFilterInstall(FW_PREIN_LOC, FW_ACCEPT, NULL, NULL, NULL, 0) == ERROR)
    {
        printf("PRE-IN: Failed to install Rule Filter!\n");
        return ERROR;
    }

    /* Group to accept ALL packets from private network (it is trusted) */
    groupId = fwRuleGroupCreate(FW_PREIN_LOC,
                                "Trusted Packets from Private Network",
                                pktLogLen);
    if (groupId == NULL)
    {
        printf("PRE:PRI: Can't create rule group\n");
        return ERROR;
    }

    /*
     * Trust is keyed on the ingress interface only (FW_FIELD_NETIF), not on
     * the source address; egress anti-spoofing for the private side is not
     * handled in this function.
     *
     * The interface name pointer travels through a UINT32 argument slot, so
     * this only round-trips where sizeof(void *) == sizeof(UINT32)
     * (presumably the 32-bit target this was written for - confirm before
     * porting).
     */
    if (fwRuleFieldSet(groupId, FW_FIELD_NETIF, (UINT32) privateIfName,
                       privateIfUnit, 0, 0) == ERROR)
    {
        printf("PRE:PRI: Failed to set netif\n");
        return ERROR;
    }
    if (fwRuleFieldSet(groupId, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
    {
        printf("PRE:PRI: Failed to set action\n");
        return ERROR;
    }

    /*
     * Since all the packets incoming from private network have been
     * accepted, all the rules below apply to packets incoming from
     * public network.
     *
     * NOTE(review): this relies on groups being evaluated in creation
     * order (accept group first, reject groups after) - confirm against
     * the fwRuleGroupCreate() contract.
     */
    if (spoofingBlock == TRUE)
    {
        /* Reject packets with spoofed source IP addresses */
        if (spoofingRulesSet() == ERROR)
            return ERROR;
    }

    if (directedBcastBlock == TRUE)
    {
        /* Reject IP Directed Broadcast */
        if (directedBcastRulesSet() == ERROR)
            return ERROR;
    }

    if (badTcpFlagsBlock == TRUE)
    {
        /* Reject packets with illegal TCP flag combinations */
        if (badTcpFlagsRulesSet() == ERROR)
            return ERROR;
    }

    if (synFloodProtect == TRUE || udpFloodProtect == TRUE || pingFloodProtect == TRUE)
    {
        /* Reject TCP SYN or UDP or Ping flood packets */
        if (floodProtectRulesSet() == ERROR)
            return ERROR;
    }

    if (fragmentsAction != FRAG_ACCEPT)
    {
        /* Reject or Reassemble fragments */
        if (fragmentsRulesSet() == ERROR)
            return ERROR;
    }

    if (sourceRouteBlock == TRUE)
    {
        /* Reject packets with IP source routing option */
        if (sourceRouteBlockRulesSet() == ERROR)
            return ERROR;
    }

    return OK;
}

/*******************************************************************************
*
* spoofingRulesSet - Set firewall rules to reject packets with spoofed
* source IP addresses.
*
* Creates one FW_PREIN_LOC group holding twelve FW_REJECT rules, each keyed
* on an inclusive address range given as a pair of dotted-quad strings: the
* bogon/reserved blocks (0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24,
* 192.168/16, 224/4 and 240/4, the last split in two rules), plus the
* gateway's own private range (privateStartAddr..privateEndAddr) and its
* public address (publicGwAddr). protectionRulesSet() calls this only when
* spoofingBlock == TRUE, after the private-interface accept group, so these
* rules are meant to see public-side traffic only.
*
* The two NULL fields after each address pair presumably leave the
* destination unconstrained - confirm against fwRuleFieldSet(). The string
* literals are passed as UINT32, which only round-trips a pointer on a
* target where sizeof(void *) == sizeof(UINT32).
*
* NOTE(review): blocks that are likewise never valid as a public source but
* post-date this list - 100.64.0.0/10 (RFC 6598), 192.0.0.0/24 (RFC 6890),
* 198.18.0.0/15 (RFC 2544), 198.51.100.0/24 and 203.0.113.0/24 (RFC 5737) -
* are not rejected here. A hard-coded bogon list goes stale silently, so the
* list should be reviewed with the rest of the policy.
*
* Failure handling is print-and-return with no rollback of the group or of
* the rules already created.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS spoofingRulesSet()
{
    void * groupId;
    void * ruleId;

    /* Group to reject packets with spoofed source IP addresses */
    groupId = fwRuleGroupCreate(FW_PREIN_LOC,
                                "Spoofed packets from Public Network",
                                pktLogLen);
    if (groupId == NULL)
    {
        printf("PRE:SPOOF: Can't create rule group\n");
        return ERROR;
    }

    /* Rule to block packets from Historical Broadcast addresses (0/8) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF1: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "0.0.0.0",
                       (UINT32) "0.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF1: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF1: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from RFC 1918 Class A private addresses (10/8) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF2: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "10.0.0.0",
                       (UINT32) "10.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF2: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF2: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from loopback addresses (127/8) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF3: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "127.0.0.0",
                       (UINT32) "127.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF3: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF3: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from Link Local addresses (169.254/16) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF4: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "169.254.0.0",
                       (UINT32) "169.254.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF4: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF4: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from RFC 1918 Class B private addresses (172.16/12) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF5: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "172.16.0.0",
                       (UINT32) "172.31.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF5: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF5: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from TEST-NET addresses (192.0.2/24) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF6: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "192.0.2.0",
                       (UINT32) "192.0.2.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF6: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF6: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from RFC 1918 Class C private addresses (192.168/16) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF7: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "192.168.0.0",
                       (UINT32) "192.168.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF7: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF7: Failed to set action\n");
        return ERROR;
    }

    /*
     * Rule to block packets from Class D Multicast addresses (224/4).
     * A multicast address is never a legitimate source address.
     */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF8: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "224.0.0.0",
                       (UINT32) "239.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF8: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF8: Failed to set action\n");
        return ERROR;
    }

    /*
     * Rule to block packets from Class E Reserved addresses (240/5).
     * Together with the next rule (248/5) this covers all of 240/4, so the
     * limited-broadcast address 255.255.255.255 is rejected as a source too.
     */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF9: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "240.0.0.0",
                       (UINT32) "247.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF9: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF9: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets from Unallocated and Broadcast addresses (248/5) */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF10: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) "248.0.0.0",
                       (UINT32) "255.255.255.255", (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF10: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF10: Failed to set action\n");
        return ERROR;
    }

    /*
     * Rule to block packets claiming to be from our own private network.
     * This is the classic ingress anti-spoofing rule: a packet arriving on
     * the public side with a source inside privateStartAddr..privateEndAddr
     * cannot be genuine. The bounds come from file-scope configuration
     * declared outside this excerpt.
     */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF11: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) privateStartAddr,
                       (UINT32) privateEndAddr, (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF11: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF11: Failed to set action\n");
        return ERROR;
    }

    /*
     * Rule to block packets claiming to be from gateway's public address
     * (a single-address range: publicGwAddr..publicGwAddr).
     */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
    {
        printf("PRE:SPOOF12: Can't create rule\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) publicGwAddr,
                       (UINT32) publicGwAddr, (UINT32) NULL, (UINT32) NULL) == ERROR)
    {
        printf("PRE:SPOOF12: Failed to set IP addr\n");
        return ERROR;
    }
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
    {
        printf("PRE:SPOOF12: Failed to set action\n");
        return ERROR;
    }

    return OK;
}

/*******************************************************************************
*
* directedBcastRulesSet - Set firewall rules to reject IP Directed
* Broadcast.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS directedBcastRulesSet()
{
    void * groupId;
    void * ruleId;

    /*
     * Reject IP Directed Broadcast. This ensures your network can not
     * be used as a Broadcast Amplification site to flood other networks
     * with DoS attacks such as the Smurf/Fraggle.
     */