
📄 usrfwhomegwrules.c

📁 firewall PNE 3.3 source code, running on VxWorks 6.x and later.
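                           1, FW_SRC_TRK_ON, 57) == ERROR)
            {
            printf("PRE:FLOOD2: Failed to set rate limit rule\n");
            return ERROR;
            }
        if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
            {
            printf("PRE:FLOOD2: Failed to set action\n");
            return ERROR;
            }
        }

    if (pingFloodProtect == TRUE)
        {
        /* Rule to block ping flood */
        ruleId = fwRuleCreate(groupId);
        if (ruleId == NULL)
            {
            printf("PRE:FLOOD3: Can't create rule\n");
            return ERROR;
            }

        if (fwRuleFieldSet(ruleId, FW_FIELD_ICMP, ICMP_ECHO, 0) == ERROR)
            {
            printf("PRE:FLOOD3: Can't set ICMP field\n");
            return ERROR;
            }

        /* Rate limit per host up to 57 hosts */
        if (fwRuleFieldSet(ruleId, FW_FIELD_RATELIMIT, FW_GT_OP, pingFloodRate,
                           1, FW_SRC_TRK_ON, 57) == ERROR)
            {
            printf("PRE:FLOOD3: Failed to set rate limit rule\n");
            return ERROR;
            }
        if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_REJECT) == ERROR)
            {
            printf("PRE:FLOOD3: Failed to set action\n");
            return ERROR;
            }
        }

    return OK;
    }

/*****************************************************************************
* forwardRulesSet - Set firewall rules for forwarded packets
*
* Installs a default-reject filter at the forward location and then adds
* three rule groups:
*
*   1. Public --> Private: accept (and log) packets belonging to established
*      connections, plus the inbound services that are individually enabled
*      (FTP, HTTP, Telnet, SMTP, POP).
*   2. Private --> Public: optional HTTP content filter, then an accept-all
*      rule carrying the FTP extension handlers needed for active-mode
*      clients and (if inbound FTP is allowed) passive-mode servers.
*   3. Public --> Public: accept packets the pre-input filter sends back in
*      response to rejected packets (TCP Reset / ICMP).
*
* On any failure the function returns ERROR immediately; the filter, groups
* and rules already installed are left in place (no rollback is attempted,
* matching the other *RulesSet routines in this file).
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS forwardRulesSet()
    {
    void * groupId1;                    /* Public  --> Private */
    void * groupId2;                    /* Private --> Public  */
    void * groupId3;                    /* Public  --> Public (responses) */
    void * ruleId;
    /*
     * Zero-initialise the descriptor so that any FW_SERVICE_DESC member
     * beyond the three assigned below (proto, srcPort, dstPort) is not
     * handed to fwExtHandlerInstall() with an indeterminate value.
     */
    FW_SERVICE_DESC extServiceDesc = {0};

    /*
     * Set the default action for ALL forwarded packets (from any
     * network interface) to reject
     */
    if (fwRuleFilterInstall(FW_FORW_LOC, FW_REJECT, NULL, NULL, NULL, 0)
        == ERROR)
        {
        printf("FWD: Failed to install Rule Filter!\n");
        return ERROR;
        }

    /*
     * Packets forwarded from Public network to Private network
     */

    /* Group for Public --> Private packets */
    groupId1 = fwRuleGroupCreate(FW_FORW_LOC,
                                 "Packets Forwarded from Public to Private",
                                 pktLogLen);
    if (groupId1 == NULL)
        {
        printf("FWD-PUB: Can't create rule group\n");
        return ERROR;
        }

    /* Incoming on the public interface, outgoing on the private interface */
    if (fwRuleFieldSet(groupId1, FW_FIELD_NETIF,
                       (UINT32) publicIfName, publicIfUnit,
                       (UINT32) privateIfName, privateIfUnit) == ERROR)
        {
        printf("FWD-PUB: Failed to set netif\n");
        return ERROR;
        }

    /*
     * Rule to allow packets that are part of established connections.
     * Only the responder side of an already-established connection is
     * accepted here, i.e. replies to connections opened from the private
     * side; new connections from the public side fall through to the
     * service-specific rules below or the default reject.
     */
    ruleId = fwRuleCreate(groupId1);
    if (ruleId == NULL)
        {
        printf("FWD-PUB: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_STATE, FW_CONN_RESPONDER,
                       FW_CONN_STATE_ESTABLISHED) == ERROR)
        {
        printf("FWD-PUB: Failed to set state\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG)
        == ERROR)
        {
        printf("FWD-PUB: Failed to set action\n");
        return ERROR;
        }

    /*
     * Rule(s) to allow individually enabled services on the private network.
     * Each helper reports its own failure before returning ERROR.
     */

    /* Rule(s) to allow FTP Service on the private network */
    if (inFtpsAllow == TRUE)
        {
        if (inFtpsAllowRulesSet(groupId1) == ERROR)
            return ERROR;
        }

    /* Rule(s) to allow HTTP Service on the private network */
    if (inHttpsAllow == TRUE)
        {
        if (inHttpsAllowRulesSet(groupId1) == ERROR)
            return ERROR;
        }

    /* Rule(s) to allow Telnet Service on the private network */
    if (inTelnetsAllow == TRUE)
        {
        if (inTelnetsAllowRulesSet(groupId1) == ERROR)
            return ERROR;
        }

    /* Rule(s) to allow SMTP Service on the private network */
    if (inSmtpsAllow == TRUE)
        {
        if (inSmtpsAllowRulesSet(groupId1) == ERROR)
            return ERROR;
        }

    /* Rule(s) to allow POP Service on the private network */
    if (inPopsAllow == TRUE)
        {
        if (inPopsAllowRulesSet(groupId1) == ERROR)
            return ERROR;
        }

    /*
     * Packets forwarded from Private network to Public network
     */

    /* Group for Private --> Public packets */
    groupId2 = fwRuleGroupCreate(FW_FORW_LOC,
                                 "Packets Forwarded from Private to Public",
                                 pktLogLen);
    if (groupId2 == NULL)
        {
        printf("FWD-PRI: Can't create rule group\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId2, FW_FIELD_NETIF,
                       (UINT32) privateIfName, privateIfUnit,
                       (UINT32) publicIfName, publicIfUnit) == ERROR)
        {
        printf("FWD-PRI: Failed to set netif\n");
        return ERROR;
        }

    /*
     * Rule to block HTTP traffic based on content. It must precede the
     * accept-all rule below so that filtered content is rejected first.
     */
    if (httpContentFilter == TRUE)
        {
        if (contentFilterRulesSet(groupId2) == ERROR)
            return ERROR;
        }

    /* Rule to accept all other packets */
    ruleId = fwRuleCreate(groupId2);
    if (ruleId == NULL)
        {
        printf("FWD-PRI: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("FWD-PRI: Failed to set action\n");
        return ERROR;
        }

    /*
     * For FTP Client on Private Network to talk to FTP Server on Public
     * Network in NORMAL (Active) mode, attach an extension handler
     * to the above rule to:
     *
     * a) inspect payload of FTP control channel to look for PORT command
     * b) get the client port of the FTP data channel
     * c) create rules to allow the incoming FTP data channel connection
     *
     * NOTE(review): extServiceDesc is a stack object that is rewritten for
     * the second fwExtHandlerInstall() call below. This assumes the
     * handler copies the descriptor rather than keeping a pointer to it -
     * confirm against fwExtHandlerInstall().
     */
    extServiceDesc.proto   = IPPROTO_TCP;
    extServiceDesc.srcPort = 0;
    extServiceDesc.dstPort = FTPS_PORT;
    if (fwExtHandlerInstall(ruleId, &extServiceDesc, fwExtFtpHandler,
                            NULL, NULL) == ERROR)
        {
        printf("FWD-PRI: Failed to install FTP ext handler for Client\n");
        return ERROR;
        }

    if (inFtpsAllow == TRUE)
        {
        /*
         * For FTP Server on Private Network to talk to FTP Client on Public
         * Network in Passive mode, attach an extension handler to the
         * above rule to:
         *
         * a) inspect payload of FTP control channel to look for PASV command
         * b) get the server port of the FTP data channel
         * c) create rules to allow the incoming FTP data channel connection
         */
        extServiceDesc.proto   = IPPROTO_TCP;
        extServiceDesc.srcPort = FTPS_PORT;
        extServiceDesc.dstPort = 0;
        if (fwExtHandlerInstall(ruleId, &extServiceDesc, fwExtFtpHandler,
                                NULL, NULL) == ERROR)
            {
            printf("FWD-PRI: Failed to install FTP ext handler for Server\n");
            return ERROR;
            }
        }

    /*
     * Packets sent in response to rejected packets at Public interface.
     *
     * At pre-input filter location, in addition to rejecting packets you
     * can also choose to send a TCP Reset or an ICMP packet in response
     * to the rejected packet. These packets will go through the
     * Forward filter location, and need to be allowed.
     *
     * NOTE(review): this group matches on NETIF only (public in, public
     * out) and accepts; it is not narrowed to TCP Reset / ICMP packets, so
     * every Public --> Public forwarded packet is accepted by it. Confirm
     * that is the intended scope.
     */

    /* Group to allow response to rejected packets from public interface */
    groupId3 = fwRuleGroupCreate(FW_FORW_LOC,
                                 "Response to Rejected packets from Public Interface",
                                 pktLogLen);
    if (groupId3 == NULL)
        {
        printf("FWD-RESP: Can't create rule group\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId3, FW_FIELD_NETIF,
                       (UINT32) publicIfName, publicIfUnit,
                       (UINT32) publicIfName, publicIfUnit) == ERROR)
        {
        printf("FWD-RESP: Failed to set netif\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId3, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("FWD-RESP: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*****************************************************************************
* inGatewayRulesSet - Set firewall rules for packets incoming to
* gateway itself
*
* Installs a default-reject filter at the input location and then adds one
* accept group per interface:
*
*   - Public interface: accepted (and logged) only when the packet belongs
*     to the responder side of an established connection.
*   - Private interface: all packets accepted.
*   - Loopback interface: all packets accepted.
*
* Every group is restricted to its incoming interface via FW_FIELD_NETIF
* with the outgoing interface left unspecified (0, 0). On failure the
* function returns ERROR immediately without removing what was already
* installed.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inGatewayRulesSet()
    {
    void * groupId1;                    /* Public   --> Gateway */
    void * groupId2;                    /* Private  --> Gateway */
    void * groupId3;                    /* Loopback --> Gateway */

    /*
     * Set the default action for ALL incoming packets to Gateway
     * (from any network interface) to reject
     */
    if (fwRuleFilterInstall(FW_IN_LOC, FW_REJECT, NULL, NULL, NULL, 0)
        == ERROR)
        {
        printf("IN: Failed to install Rule Filter!\n");
        return ERROR;
        }

    /* Group to allow packets ONLY if they are part of established connection */
    groupId1 = fwRuleGroupCreate(FW_IN_LOC,
                                 "Packets from Public to Gateway",
                                 pktLogLen);
    if (groupId1 == NULL)
        {
        printf("IN-PUB: Can't create rule group\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId1, FW_FIELD_NETIF,
                       (UINT32) publicIfName, publicIfUnit, 0, 0) == ERROR)
        {
        printf("IN-PUB: Failed to set netif\n");
        return ERROR;
        }

    /* The state check is set on the group itself; no per-rule object here */
    if (fwRuleFieldSet(groupId1, FW_FIELD_STATE, FW_CONN_RESPONDER,
                       FW_CONN_STATE_ESTABLISHED) == ERROR)
        {
        printf("IN-PUB: Failed to set state\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId1, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG)
        == ERROR)
        {
        printf("IN-PUB: Failed to set action\n");
        return ERROR;
        }

    /* Group to allow ALL packets from private network */
    groupId2 = fwRuleGroupCreate(FW_IN_LOC,
                                 "Packets from Private to Gateway",
                                 pktLogLen);
    if (groupId2 == NULL)
        {
        printf("IN-PRI: Can't create rule group\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId2, FW_FIELD_NETIF,
                       (UINT32) privateIfName, privateIfUnit, 0, 0) == ERROR)
        {
        printf("IN-PRI: Failed to set netif\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId2, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("IN-PRI: Failed to set action\n");
        return ERROR;
        }

    /* Group to allow ALL packets from Loopback interface */
    groupId3 = fwRuleGroupCreate(FW_IN_LOC,
                                 "Packets from Loopback Interface",
                                 pktLogLen);
    if (groupId3 == NULL)
        {
        printf("IN-LO: Can't create rule group\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId3, FW_FIELD_NETIF,
                       (UINT32) loIfName, loIfUnit, 0, 0) == ERROR)
        {
        printf("IN-LO: Failed to set netif\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId3, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("IN-LO: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*****************************************************************************
* outRulesSet - Set firewall rules for 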
all outgoing packets ** RETURNS: OK (success), or ERROR (failure)*/LOCAL STATUS outRulesSet()    {    void * groupId;        /*     * Set the default action for ALL outgoing packets (to any     * network interface) to accept for performance      */        if (fwRuleFilterInstall(FW_OUT_LOC, FW_ACCEPT, NULL, NULL, NULL, 0)        == ERROR)        {        printf("OUT: Failed to install Rule Filter!\n");        return ERROR;        }    /*     * Group to allow ALL packets outgoing to the public network      * and keep state     */    groupId = fwRuleGroupCreate(FW_OUT_LOC,                                 "Outgoing Packets to Public Network",                                pktLogLen);    if (groupId == NULL)        {        printf("OUT-PUB: Can't create rule group\n");        return ERROR;        }    if (fwRuleFieldSet(groupId, FW_FIELD_NETIF, 0, 0,                        (UINT32) publicIfName, publicIfUnit) == ERROR)        {
