diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:57:12 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 18:35:38 +0200 |
| commit | eaaacc6b3281090000d1b00387921aa13d61ef9e (patch) | |
| tree | a24fc22b32fd12ddd161fdcb37589091084c1e60 /service/firewall/blocker.go | |
| parent | firewall: since DNS is a blacklist, we have to exclude our own interface (diff) | |
| download | wireguard-windows-eaaacc6b3281090000d1b00387921aa13d61ef9e.tar.xz wireguard-windows-eaaacc6b3281090000d1b00387921aa13d61ef9e.zip | |
firewall: only use one list
Unless you use complicated rights veto rules, WFP's policy is that
between sublayers, block always outweighs allow. It's easier, therefore,
to simply weight a single sublayer correctly, with allow rules having
heavier weight than block rules.
This basically means that we have to be careful that DNS isn't a subset
of some allow rule. One place where this would be a problem are the
permitLan* rules, which we don't use anyway, and so this commit nukes
them.
Another place would be if somebody is using a localhost/loopback resolver
for whatever reason. This is probably a "low risk" sort of thing, but we
may want to fix this by ordering the dns block just in front of the
loopback permit.
The other place is in the wireguard.exe tunnel service itself, which
does DNS lookups. Since right now we mostly enforce one-tunnel-at-a-
time, this isn't really a problem. But later if we allow nested
tunneling, it means that the DNS lookup in a second tunnel can
potentially escape the DNS server of the first tunnel. We can address
this problem later, perhaps with fancier security descriptors that we
shuffle around depending on which state the tunnel is in. And on the
bright side, this change allows people to run WireGuard over port 53
itself, which is generally a desirable thing.
Diffstat (limited to '')
| -rw-r--r-- | service/firewall/blocker.go | 61 |
1 files changed, 8 insertions, 53 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go index 8ef26278..d709da4d 100644 --- a/service/firewall/blocker.go +++ b/service/firewall/blocker.go @@ -18,9 +18,8 @@ type wfpObjectInstaller func(uintptr) error // Fundamental WireGuard specific WFP objects. // type baseObjects struct { - provider windows.GUID - whitelist windows.GUID - blacklist windows.GUID + provider windows.GUID + filters windows.GUID } var wfpSession uintptr @@ -56,19 +55,12 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { Data4: [8]byte{0x8f, 0x92, 0x29, 0xd7, 0x8a, 0x8d, 0x29, 0xd3}, } // {FE3DB7F8-4658-4DE5-8DA9-CE5086A8266B} - whitelistGuid := windows.GUID{ + filtersGuid := windows.GUID{ Data1: 0xfe3db7f8, Data2: 0x4658, Data3: 0x4de5, Data4: [8]byte{0x8d, 0xa9, 0xce, 0x50, 0x86, 0xa8, 0x26, 0x6b}, } - // {CE1DD58F-A7BF-46BD-B048-9C5518346CE9} - blacklistGuid := windows.GUID{ - Data1: 0xce1dd58f, - Data2: 0xa7bf, - Data3: 0x46bd, - Data4: [8]byte{0xb0, 0x48, 0x9c, 0x55, 0x18, 0x34, 0x6c, 0xe9}, - } // // Register provider. @@ -90,38 +82,17 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { } // - // Register whitelist sublayer. + // Register filters sublayer. // { - displayData, err := createWtFwpmDisplayData0("WireGuard whitelist", "Permissive filters") + displayData, err := createWtFwpmDisplayData0("WireGuard filters", "Permissive and blocking filters") if err != nil { return nil, wrapErr(err) } sublayer := wtFwpmSublayer0{ - subLayerKey: whitelistGuid, + subLayerKey: filtersGuid, displayData: *displayData, providerKey: &providerGuid, - weight: ^uint16(0), - } - err = fwpmSubLayerAdd0(session, &sublayer, 0) - if err != nil { - return nil, wrapErr(err) - } - } - - // - // Register blacklist sublayer. - // - { - displayData, err := createWtFwpmDisplayData0("WireGuard blacklist", "Blocking filters") - if err != nil { - return nil, wrapErr(err) - } - sublayer := wtFwpmSublayer0{ - subLayerKey: blacklistGuid, - displayData: *displayData, - providerKey: &providerGuid, - weight: (^uint16(0)) - 1, } err = fwpmSubLayerAdd0(session, &sublayer, 0) if err != nil { @@ -131,8 +102,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) { return &baseObjects{ providerGuid, - whitelistGuid, - blacklistGuid, + filtersGuid, }, nil } @@ -167,21 +137,6 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error { return wrapErr(err) } - /* We actually don't want to allow lan explicitly. This is controlled by the restrictAll rule. - * TODO: consider removing those functions or just rethinking about how this all works. - - err = permitLanIpv4(session, baseObjects) - if err != nil { - return wrapErr(err) - } - - err = permitLanIpv6(session, baseObjects) - if err != nil { - return wrapErr(err) - } - - */ - err = permitDhcpIpv4(session, baseObjects) if err != nil { return wrapErr(err) @@ -198,7 +153,7 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error { } if restrictDNS { - err = blockDnsNonTun(session, baseObjects, luid) + err = blockDnsUnmatched(session, baseObjects) if err != nil { return wrapErr(err) } |