/* Group to reject Directed Broadcast */

    groupId = fwRuleGroupCreate(FW_PREIN_LOC,
                                "Directed Broadcast packets from Public Network",
                                pktLogLen);
    if (groupId == NULL) {
        printf("PRE:BCAST: Can't create rule group\n");
        return ERROR;
    }

    /* Rule to block packets to limited broadcast address (255.255.255.255) */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:BCAST1: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) NULL, (UINT32) NULL,
                       (UINT32) "255.255.255.255", (UINT32) "255.255.255.255") == ERROR) {
        printf("PRE:BCAST1: Failed to set IP addr\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:BCAST1: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets to public network broadcast address */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:BCAST2: Can't create rule\n");
        return ERROR;
    }

    /* publicBcastAddr is module-level state; its origin is not visible here */
    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) NULL, (UINT32) NULL,
                       (UINT32) publicBcastAddr, (UINT32) publicBcastAddr) == ERROR) {
        printf("PRE:BCAST2: Failed to set IP addr\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:BCAST2: Failed to set action\n");
        return ERROR;
    }

    return OK;
}

/*******************************************************************************
*
* fragmentsRulesSet - Set firewall rules for rejecting or reassembling
* fragmented packets
*
* Creates one rule group at FW_PREIN_LOC that matches fragmented packets
* (FW_FIELD_FRAG set to TRUE). The group action is chosen by the module-level
* fragmentsAction setting: FRAG_REASSEMBLE selects FW_FRAG_REASSEMBLE, any
* other value selects FW_REJECT | FW_LOG (reject and log).
*
* On any failure a diagnostic is printed and ERROR is returned. No cleanup of
* the partially built group is attempted here.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS fragmentsRulesSet()
{
    void * groupId;

    /* Group to reject or reassemble fragments */

    groupId = fwRuleGroupCreate(FW_PREIN_LOC, "Fragments from Public Network", pktLogLen);
    if (groupId == NULL) {
        printf("PRE:FRAG: Can't create rule group\n");
        return ERROR;
    }

    if (fwRuleFieldSet(groupId, FW_FIELD_FRAG, TRUE) == ERROR) {
        printf("PRE:FRAG: Failed set frag field\n");
        return ERROR;
    }

    /*
     * '|' binds tighter than '?:', so the else branch is the combined
     * FW_REJECT | FW_LOG action. Only the reject path is logged; the
     * reassemble path is not.
     */
    if (fwRuleFieldSet(groupId, FW_FIELD_ACTION,
                       (fragmentsAction == FRAG_REASSEMBLE) ? FW_FRAG_REASSEMBLE
                                                            : FW_REJECT | FW_LOG) == ERROR) {
        printf("PRE:FRAG: Failed set action\n");
        return ERROR;
    }

    return OK;
}

/*******************************************************************************
*
* badTcpFlagsRulesSet - Set firewall rules to reject TCP packets with
* illegal TCP flag combinations
*
* Creates one rule group at FW_PREIN_LOC scoped to TCP and adds one rule per
* flag combination: all flags set (XMAS scan), no flags set (NULL scan),
* SYN+FIN, SYN+RST, FIN+RST, and FIN, PUSH or URG without ACK. Each of these
* rules uses FW_REJECT. A final rule answers unsolicited SYN-ACK packets
* (FW_CONN_RESPONDER, FW_CONN_STATE_NEW) with FW_REJECT | FW_TCP_RESET; the
* rationale is in the comment above that rule.
*
* The last three FW_FIELD_TCP arguments look like (value, mask, FW_AND_OP),
* i.e. a rule matches when (flags & mask) == value -- this is inferred from
* the rule comments, confirm against fwRuleFieldSet(). The meaning of the four
* leading zero arguments is not visible in this file.
*
* On any failure a diagnostic is printed and ERROR is returned; the group and
* rules created so far are left in place.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS badTcpFlagsRulesSet()
{
    void * groupId;
    void * ruleId;

    /* Group to reject packets with illegal TCP flag combinations */

    groupId = fwRuleGroupCreate(FW_PREIN_LOC,
                                "Illegal TCP flag combinations from Public Network",
                                pktLogLen);
    if (groupId == NULL) {
        printf("PRE:FLAG: Can't create rule group\n");
        return ERROR;
    }

    /* All-zero TCP field on the group: presumably restricts the group to TCP */
    if (fwRuleFieldSet(groupId, FW_FIELD_TCP, 0,0,0,0,0,0,0) == ERROR) {
        printf("PRE:FLAG: Can't set TCP field\n");
        return ERROR;
    }

    /* Rule to block packets with all flags set - XMAS Scan */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG1: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TCP_FLAGS_ALL, TCP_FLAGS_ALL, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG1: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG1: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with no flags set - NULL Scan */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG2: Can't create rule\n");
        return ERROR;
    }

    /* value 0 under a full mask: every flag bit must be clear */
    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       0, TCP_FLAGS_ALL, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG2: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG2: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with SYN and FIN set */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG3: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_SYN | TH_FIN, TH_SYN | TH_FIN, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG3: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG3: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with SYN and RST set */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG4: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_SYN | TH_RST, TH_SYN | TH_RST, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG4: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG4: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with FIN and RST set */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG5: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_RST | TH_FIN, TH_RST | TH_FIN, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG5: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG5: Failed to set action\n");
        return ERROR;
    }

    /*
     * Rule to block packets with FIN set, but ACK not set.
     * Mask covers FIN and ACK, value has only FIN: matches FIN=1, ACK=0.
     * The two rules that follow use the same shape for PUSH and URG.
     */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG6: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_FIN, TH_FIN | TH_ACK, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG6: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG6: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with PUSH set, but ACK not set */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG7: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_PUSH, TH_PUSH | TH_ACK, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG7: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG7: Failed to set action\n");
        return ERROR;
    }

    /* Rule to block packets with URG set, but ACK not set */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG8: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_URG, TH_URG | TH_ACK, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG8: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
        printf("PRE:FLAG8: Failed to set action\n");
        return ERROR;
    }

    /* Rule to send TCP Reset to unsolicited SYN-ACK packets */

    /*
     * NOTE: In a TCP SYN Flood attack, the attacker sends the server
     * a SYN packet from a spoofed IP address. The server replies with
     * a SYN-ACK and waits for the final SYN-ACK-ACK. If the spoofed IP
     * address is our gateway public address or our private network
     * address, stateful inspection rules would silently drop the
     * unsolicited SYN-ACK packet from the server. Therefore, the server
     * will never get the SYN-ACK-ACK and it will typically wait and
     * retransmit, thereby consuming resources. If the attacker floods
     * the server with spoofed SYN packets, it can crash/hang the server.
     *
     * To avoid this, do the right thing and send a RST back.
     *
     * The state field restricts this to SYN-ACKs that do not belong to a
     * connection we initiated (responder side, new state), so legitimate
     * handshake replies are not reset.
     */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL) {
        printf("PRE:FLAG9: Can't create rule\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                       TH_SYN | TH_ACK, TH_SYN | TH_ACK, FW_AND_OP) == ERROR) {
        printf("PRE:FLAG9: Can't set TCP field\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_STATE, FW_CONN_RESPONDER, FW_CONN_STATE_NEW) == ERROR) {
        printf("PRE:FLAG9: Can't set state\n");
        return ERROR;
    }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT | FW_TCP_RESET) == ERROR) {
        printf("PRE:FLAG9: Can't set action\n");
        return ERROR;
    }

    return OK;
}

/*******************************************************************************
*
* floodProtectRulesSet - Set firewall rules for flood protection
*
* Creates one rule group at FW_PREIN_LOC. When synFloodProtect is TRUE a
* rule matching pure SYN packets (TH_SYN under a TCP_FLAGS_ALL mask) is
* added with a per-source rate limit (FW_GT_OP against synFloodRate,
* FW_SRC_TRK_ON, 57 tracked hosts) and FW_REJECT. When udpFloodProtect is
* TRUE a UDP rule with a rate limit against udpFloodRate is added; the
* remainder of that rule and of this function lies beyond this listing.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS floodProtectRulesSet()
{
    void * groupId;
    void * ruleId;

    /* Group for flood protection*/

    groupId = fwRuleGroupCreate(FW_PREIN_LOC, "Flood Protection from Public Network", pktLogLen);
    if (groupId == NULL) {
        printf("PRE:FLOOD: Can't create rule group\n");
        return ERROR;
    }

    if (synFloodProtect == TRUE) {
        /* Rule to block TCP SYN flood */

        ruleId = fwRuleCreate(groupId);
        if (ruleId == NULL) {
            printf("PRE:FLOOD1: Can't create rule\n");
            return ERROR;
        }

        /* SYN alone (SYN-ACK and other combinations do not match) */
        if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, 0, 0,
                           TH_SYN, TCP_FLAGS_ALL, FW_AND_OP) == ERROR) {
            printf("PRE:FLOOD1: Can't set TCP field\n");
            return ERROR;
        }

        /*
         * Rate limit per host up to 57 hosts.
         * 57 is a hard-coded tracked-host limit; a named constant would
         * document where it comes from.
         */
        if (fwRuleFieldSet(ruleId, FW_FIELD_RATELIMIT, FW_GT_OP, synFloodRate, 1,
                           FW_SRC_TRK_ON, 57) == ERROR) {
            printf("PRE:FLOOD1: Failed to set rate limit rule\n");
            return ERROR;
        }

        if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR) {
            printf("PRE:FLOOD1: Failed to set action\n");
            return ERROR;
        }
    }

    if (udpFloodProtect == TRUE) {
        /* Rule to block UDP flood */

        ruleId = fwRuleCreate(groupId);
        if (ruleId == NULL) {
            printf("PRE:FLOOD2: Can't create rule\n");
            return ERROR;
        }

        if (fwRuleFieldSet(ruleId, FW_FIELD_UDP, 0, 0, 0, 0) == ERROR) {
            printf("PRE:FLOOD2: Can't set UDP field\n");
            return ERROR;
        }

        /* Rate limit per host up to 57 hosts */
        if (fwRuleFieldSet(ruleId, FW_FIELD_RATELIMIT, FW_GT_OP, udpFloodRate,