
📄 usrfwhomegwrules.c

📁 firewall PNE 3.3 source code, running at more than vxworks6.x version.
💻 C
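        printf("OUT-PUB: Failed to set netif\n");
        return ERROR;
        }

    /*
     * The lines above and the rest of this function down to its closing
     * brace are the tail of a function whose start is not part of this
     * listing; they are reproduced unchanged.
     */

    if (fwRuleFieldSet(groupId, FW_FIELD_STATE, FW_CONN_INITIATOR,
                       FW_CONN_STATE_ALL) == ERROR)
        {
        printf("OUT-PUB: Failed to set state\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("OUT-PUB: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* contentFilterRulesSet - Set rule to block HTTP traffic based on content
*
* Creates one rule in <groupId> that matches TCP traffic on HTTPS_PORT and
* hands matching packets to a user action (FW_USER_ACTION).  The user action
* is fwExtSvcProcess, driven by a service container in which the URL, proxy,
* Java applet, ActiveX and cookie filters are registered according to the
* urlBlock, proxyBlock, javaAppletBlock, activeXBlock and cookieBlock flags.
*
* NOTE(review): HTTPS_PORT is defined outside this listing.  The other *S_PORT
* names used in this file (FTPS_PORT, TELNETS_PORT, SMTPS_PORT, POPS_PORT) are
* documented as plain FTP/TELNET/SMTP/POP3, so HTTPS_PORT presumably means the
* HTTP server port, not the TLS port - confirm.  If it were the TLS port, URL
* and keyword matching on the payload would presumably see only ciphertext.
*
* NOTE(review): on any ERROR return the rule already created by fwRuleCreate()
* is left in the group as far as this function is concerned; no cleanup call
* is made here.  How a partially configured rule is evaluated is not visible
* in this listing - the caller should confirm it tears the group down.
*
* NOTE(review): svcHdl and pUrlDesc are static and are overwritten on every
* call without releasing the previous handles in this function.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS contentFilterRulesSet
    (
    void * groupId    /* rule group that receives the content-filter rule */
    )
    {
    void * ruleId;
    static void * svcHdl;
    static void * pUrlDesc;

    char ** pUrls = (char **) urlBlockList;
    char ** pKeywords = (char **) keywordsInUrlBlockList;

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("WEB: Can't create rule\n");
        return ERROR;
        }

    /* Create a firewall rule to intercept the outbound HTTP traffic. */

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, HTTPS_PORT, HTTPS_PORT,
                       0, 0, 0) == ERROR)
        {
        printf("WEB: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_USER_ACTION) == ERROR)
        {
        printf("WEB: Failed to set action\n");
        return ERROR;
        }

    /* create a service container */

    svcHdl = fwExtSvcCreate();

    /*
     * Without a container no filter can be registered, and installing the
     * handler with a NULL container would leave the rule without working
     * content inspection.  Fail here instead of continuing.
     */

    if (svcHdl == NULL)
        {
        printf("WEB: Can't create extension service container\n");
        return ERROR;
        }

    /* create an empty URL database */

    pUrlDesc = fwUrlListCreate();

    /* The URL database is only needed when URL blocking is enabled. */

    if ((urlBlock == TRUE) && (pUrlDesc == NULL))
        {
        printf("WEB: Can't create URL list\n");
        return ERROR;
        }

    /*
     * add URL paths and keywords
     *
     * NOTE(review): the return values of fwUrlAdd() and fwExtSvcReg() are
     * not checked.  If these calls can fail, the filter would be installed
     * with an incomplete block list or a missing filter and still report
     * OK - confirm how the API reports failure.
     */

    if ((urlBlock == TRUE) && (pUrls != NULL))
        {
        for (; *pUrls != NULL; pUrls++)
            {
            fwUrlAdd(pUrlDesc, *pUrls, FW_URL_SPECIFIC_PATH);
            }
        }

    if ((urlBlock == TRUE) && (pKeywords != NULL))
        {
        for (; *pKeywords != NULL; pKeywords++)
            {
            fwUrlAdd(pUrlDesc, *pKeywords, FW_URL_KEYWORD);
            }
        }

    /*
     * Register the URL filter, proxy filter, Java Applet filter,
     * activeX control filter and the cookie filter
     */

    if (urlBlock == TRUE)
        fwExtSvcReg(svcHdl, "URL filter", fwUrlFilter, (void *)pUrlDesc,
                    FW_REJECT);

    if (proxyBlock == TRUE)
        fwExtSvcReg(svcHdl, "Filter Proxy", fwProxyFilter, NULL, FW_REJECT);

    if (javaAppletBlock == TRUE)
        fwExtSvcReg(svcHdl, "Block Java Applet", fwJavaAppletFilter, NULL,
                    FW_REJECT);

    if (activeXBlock == TRUE)
        fwExtSvcReg(svcHdl, "Block ActiveX", fwActiveXFilter, NULL,
                    FW_REJECT);

    /*
     * The cookie filter is registered with 0 where the other filters pass
     * FW_REJECT; the meaning of 0 is not visible in this listing.
     */

    if (cookieBlock == TRUE)
        fwExtSvcReg(svcHdl, "Cookie Block", fwCookieFilter, NULL, 0);

    /* Install the service process function to the given firewall rule */

    if (fwExtHandlerInstall(ruleId, NULL, fwExtSvcProcess, svcHdl, NULL)
        == ERROR)
        {
        printf("Content: Failed to install extension handler\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* inFtpsAllowRulesSet - Set firewall rule(s) to allow FTP service offered
* by a private host.
*
* Adds one rule to <groupId> that matches the address string in
* privateServerAddr and TCP port FTPS_PORT, with action FW_ACCEPT | FW_LOG.
* The address and port are passed in the second pair of range arguments,
* presumably the destination side - confirm against the fwRuleFieldSet()
* documentation.
*
* NOTE(review): privateServerAddr is a pointer cast to UINT32.  That is only
* lossless where pointers are 32 bits wide; on a wider target the address
* string pointer would be truncated.
*
* NOTE(review): on any ERROR return after fwRuleCreate() succeeded, the rule
* is left in the group without cleanup in this function.  How a rule with
* only some fields set is evaluated is not visible here; for an accept rule
* the caller should confirm the group is removed on failure.
*
* NOTE(review): FTP authenticates in cleartext; this rule accepts it from
* any source address, since only the second address range is set.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inFtpsAllowRulesSet
    (
    void * groupId    /* rule group that receives the allow rule */
    )
    {
    void * ruleId;

    /* Sanity check */

    if (privateServerAddr == NULL)
        {
        /* Message terminator fixed: the original printed a literal "n". */
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow FTP traffic to the private host offering service */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("FTPS: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR,
                   (UINT32) NULL, (UINT32) NULL,
                   (UINT32) privateServerAddr, (UINT32) privateServerAddr)
        == ERROR)
        {
        printf("FTPS: Failed to set IP addr\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, FTPS_PORT, FTPS_PORT,
                       0, 0, 0) == ERROR)
        {
        printf("FTPS: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("FTPS: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* inHttpsAllowRulesSet - Set firewall rule(s) to allow HTTP service offered
* by a private host.
*
* Adds one rule to <groupId> that matches the address string in
* privateServerAddr and TCP port HTTPS_PORT, with action FW_ACCEPT | FW_LOG.
* The pointer-to-UINT32 casts and the uncleaned rule on the failure paths
* carry the same caveats as in inFtpsAllowRulesSet().
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inHttpsAllowRulesSet
    (
    void * groupId    /* rule group that receives the allow rule */
    )
    {
    void * ruleId;

    /* Sanity check */

    if (privateServerAddr == NULL)
        {
        /* Message terminator fixed: the original printed a literal "n". */
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow HTTP traffic to the private host offering service */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("HTTPS: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR,
                   (UINT32) NULL, (UINT32) NULL,
                   (UINT32) privateServerAddr, (UINT32) privateServerAddr)
        == ERROR)
        {
        printf("HTTPS: Failed to set IP addr\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, HTTPS_PORT, HTTPS_PORT,
                       0, 0, 0) == ERROR)
        {
        printf("HTTPS: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("HTTPS: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* inTelnetsAllowRulesSet - Set firewall rule(s) to allow TELNET service
* offered by a private host.
*
* Adds one rule to <groupId> that matches the address string in
* privateServerAddr and TCP port TELNETS_PORT, with action
* FW_ACCEPT | FW_LOG.  The pointer-to-UINT32 casts and the uncleaned rule on
* the failure paths carry the same caveats as in inFtpsAllowRulesSet().
*
* NOTE(review): TELNET carries credentials and session data in cleartext;
* this rule accepts it from any source address, since only the second
* address range is set.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inTelnetsAllowRulesSet
    (
    void * groupId    /* rule group that receives the allow rule */
    )
    {
    void * ruleId;

    /* Sanity check */

    if (privateServerAddr == NULL)
        {
        /* Message terminator fixed: the original printed a literal "n". */
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow TELNET traffic to the private host offering service */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("TELS: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR,
                   (UINT32) NULL, (UINT32) NULL,
                   (UINT32) privateServerAddr, (UINT32) privateServerAddr)
        == ERROR)
        {
        printf("TELS: Failed to set IP addr\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0,
                TELNETS_PORT, TELNETS_PORT, 0, 0, 0) == ERROR)
        {
        printf("TELS: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("TELS: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* inSmtpsAllowRulesSet - Set firewall rule(s) to allow SMTP service offered
* by a private host.
*
* Adds one rule to <groupId> that matches the address string in
* privateServerAddr and TCP port SMTPS_PORT, with action FW_ACCEPT | FW_LOG.
* The pointer-to-UINT32 casts and the uncleaned rule on the failure paths
* carry the same caveats as in inFtpsAllowRulesSet().
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inSmtpsAllowRulesSet
    (
    void * groupId    /* rule group that receives the allow rule */
    )
    {
    void * ruleId;

    /* Sanity check */

    if (privateServerAddr == NULL)
        {
        /* Message terminator fixed: the original printed a literal "n". */
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow SMTP traffic to the private host offering service */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("SMTPS: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR,
                   (UINT32) NULL, (UINT32) NULL,
                   (UINT32) privateServerAddr, (UINT32) privateServerAddr)
        == ERROR)
        {
        printf("SMTPS: Failed to set IP addr\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, SMTPS_PORT, SMTPS_PORT,
                0, 0, 0) == ERROR)
        {
        printf("SMTPS: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("SMTPS: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* inPopsAllowRulesSet - Set firewall rule(s) to allow POP3 service offered
* by a private host.
*
* Adds one rule to <groupId> that matches the address string in
* privateServerAddr and TCP port POPS_PORT, with action FW_ACCEPT | FW_LOG.
* The pointer-to-UINT32 casts and the uncleaned rule on the failure paths
* carry the same caveats as in inFtpsAllowRulesSet().
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS inPopsAllowRulesSet
    (
    void * groupId    /* rule group that receives the allow rule */
    )
    {
    void * ruleId;

    /* Sanity check */

    if (privateServerAddr == NULL)
        {
        /* Message terminator fixed: the original printed a literal "n". */
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow POP3 traffic to the private host offering service */

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("POPS: Can't create rule\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR,
                   (UINT32) NULL, (UINT32) NULL,
                   (UINT32) privateServerAddr, (UINT32) privateServerAddr)
        == ERROR)
        {
        printf("POPS: Failed to set IP addr\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, POPS_PORT, POPS_PORT,
                       0, 0, 0) == ERROR)
        {
        printf("POPS: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("POPS: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*******************************************************************************
*
* sourceRouteBlockRulesSet - Set firewall rule to block packets with the
* IP source routing option.
*
* IP source routing can be used to specify a direct route to a destination
* and a return path back to the sender. The route could involve the use of
* other routers or hosts that normally would not be used to forward packets
* to the destination. This option can be used to trick Firewalls into
* allowing connections from hosts that otherwise would not be allowed. It
* can lead to break-ins and intruder activity.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS sourceRouteBlockRulesSet()
    {
    void * groupId;

    /* Group to reject IP source routed packets */

    groupId = fwRuleGroupCreate(FW_PREIN_LOC,
                                "Source Routed packets from Public Network",
                                pktLogLen);
    if (groupId == NULL)
        {
        printf("PRE:SRCRT: Can't create rule group\n");
        return ERROR;
        }

    /* Applies only if IP options are present - i.e., IP header len > 20 */

    if (fwRuleFieldSet(groupId, FW_FIELD_HDRLEN, 20, FW_GT_OP) == ERROR)
        {
        printf("PRE:SRCRT Failed to set IP header length field\n");
        re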
