author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 22:31:28 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 22:31:28 +0200 |
commit | bccc3143be26cdf886b30552bccaaf04c6436257 (patch) | |
tree | 908077471349f7a568df529ea2c0e236f7e249b7 /service/firewall/blocker.go | |
parent | ui: fix thundering herd problem in importing/deleting (diff) | |
firewall: block dns before allowing localhost
This prevents DNS leaks for users whose localhost resolver is doing
something funky.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'service/firewall/blocker.go')
-rw-r--r-- | service/firewall/blocker.go | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index d709da4d..507c8946 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -122,45 +122,45 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
 		return wrapErr(err)
 	}
 
-	err = permitTunInterface(session, baseObjects, luid)
+	err = permitTunInterface(session, baseObjects, 15, luid)
 	if err != nil {
 		return wrapErr(err)
 	}
 
-	err = permitWireGuardService(session, baseObjects)
+	err = permitWireGuardService(session, baseObjects, 15)
 	if err != nil {
 		return wrapErr(err)
 	}
 
-	err = permitLoopback(session, baseObjects)
+	err = permitDhcpIpv4(session, baseObjects, 15)
 	if err != nil {
 		return wrapErr(err)
 	}
 
-	err = permitDhcpIpv4(session, baseObjects)
+	err = permitDhcpIpv6(session, baseObjects, 15)
 	if err != nil {
 		return wrapErr(err)
 	}
 
-	err = permitDhcpIpv6(session, baseObjects)
-	if err != nil {
-		return wrapErr(err)
-	}
-
-	err = permitNdp(session, baseObjects)
+	err = permitNdp(session, baseObjects, 15)
 	if err != nil {
 		return wrapErr(err)
 	}
 
 	if restrictDNS {
-		err = blockDnsUnmatched(session, baseObjects)
+		err = blockDns(session, baseObjects, 14)
 		if err != nil {
 			return wrapErr(err)
 		}
 	}
 
+	err = permitLoopback(session, baseObjects, 13)
+	if err != nil {
+		return wrapErr(err)
+	}
+
 	if restrictAll {
-		err = blockAllUnmatched(session, baseObjects)
+		err = blockAll(session, baseObjects, 0)
 		if err != nil {
 			return wrapErr(err)
 		}
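Review bot: The DNS-leak fix rests entirely on the relative values of the bare literals 15, 14, 13 and 0 passed as the new third argument — the blockDns call at 14 has to outrank the permitLoopback call at 13 that now follows it — and nothing in the hunk records that ordering constraint. A later edit that moves permitLoopback back up, or bumps its value, would silently reintroduce the leak the commit message describes, and the reviewer cannot tell from the literals alone which ones are meant to agree. Suggest replacing the literals with one named-constant block so the precedence reads as a single table, and adding a one-line comment above permitLoopback such as `// Loopback is permitted below the DNS block so a localhost resolver cannot bypass it.` EnableFirewall's body begins and ends outside the hunk, and the precedence semantics of the weight argument (presumably higher wins) are not visible here, so confirm against the helper signatures before renaming.
```go
// Filter weights; as the call order suggests, a higher weight is matched
// first, so the DNS block outranks the loopback permit that follows it.
const (
	weightPermit   = 15
	weightBlockDNS = 14
	weightLoopback = 13
	weightBlockAll = 0
)

	// … unchanged: permit* calls above, each passing weightPermit instead of 15 …
	if restrictDNS {
		err = blockDns(session, baseObjects, weightBlockDNS)
		// … unchanged: error check …
	}

	// Loopback is permitted below the DNS block so a localhost resolver cannot bypass it.
	err = permitLoopback(session, baseObjects, weightLoopback)
	// … unchanged: error check …

	if restrictAll {
		err = blockAll(session, baseObjects, weightBlockAll)
		// … unchanged: error check …
```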