firewall: only allow specified dns servers

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-13 12:01:08 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2019-05-13 14:32:54 +0200
commit: 515b5b6481b03165095cc4868ca8a86987cab8fa (patch)
tree: 3c5351afadf0b7bdcad3c85422f4e49b351f19ab /service/firewall/rules.go
parent: ui: always do WM_SIZING hack in confview (diff)
download: wireguard-windows-515b5b6481b03165095cc4868ca8a86987cab8fa.tar.xz
wireguard-windows-515b5b6481b03165095cc4868ca8a86987cab8fa.zip
1 files changed, 162 insertions, 27 deletions
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index 2a9eb11a..bab3ed2b 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -6,8 +6,12 @@
 package firewall
 
 import (
+	"encoding/binary"
+	"errors"
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/windows/version"
+	"net"
+	"runtime"
 	"unsafe"
 )
 
@@ -984,42 +988,46 @@ func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
 	return nil
 }
 
-// Block all DNS except what is matched by a permissive rule.
-func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
-	var conditions [3]wtFwpmFilterCondition0
+// Block all DNS traffic except towards specified DNS servers.
+func blockDns(except []net.IP, session uintptr, baseObjects *baseObjects, weightAllow uint8, weightDeny uint8) error {
+	if weightDeny <= weightAllow {
+		return errors.New("The allow weight must be greater than the deny weight")
+	}
 
-	conditions[0] = wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT16,
-			value: uintptr(53),
+	denyConditions := []wtFwpmFilterCondition0{
+		{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT16,
+				value: uintptr(53),
+			},
 		},
-	}
-	conditions[1] = wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT8,
-			value: uintptr(cIPPROTO_UDP),
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_UDP),
+			},
 		},
-	}
-	// Repeat the condition type for logical OR.
-	conditions[2] = wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT8,
-			value: uintptr(cIPPROTO_TCP),
+		// Repeat the condition type for logical OR.
+		{
+			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT8,
+				value: uintptr(cIPPROTO_TCP),
+			},
 		},
 	}
 
 	filter := wtFwpmFilter0{
 		providerKey:         &baseObjects.provider,
 		subLayerKey:         baseObjects.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
+		weight:              filterWeight(weightDeny),
+		numFilterConditions: uint32(len(denyConditions)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&denyConditions[0])),
 		action: wtFwpmAction0{
 			_type: cFWP_ACTION_BLOCK,
 		},
@@ -1099,5 +1107,132 @@ func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
 		}
 	}
 
+	allowConditionsV4 := make([]wtFwpmFilterCondition0, 0, len(denyConditions)+len(except))
+	allowConditionsV4 = append(allowConditionsV4, denyConditions...)
+	for _, ip := range except {
+		ip4 := ip.To4()
+		if ip4 == nil {
+			continue
+		}
+		allowConditionsV4 = append(allowConditionsV4, wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_UINT32,
+				value: uintptr(binary.BigEndian.Uint32(ip4)),
+			},
+		})
+	}
+
+	storedPointers := make([]*wtFwpByteArray16, 0, len(except))
+	allowConditionsV6 := make([]wtFwpmFilterCondition0, 0, len(denyConditions)+len(except))
+	allowConditionsV6 = append(allowConditionsV6, denyConditions...)
+	for _, ip := range except {
+		if ip.To4() != nil {
+			continue
+		}
+		var address wtFwpByteArray16
+		copy(address.byteArray16[:], ip)
+		allowConditionsV6 = append(allowConditionsV6, wtFwpmFilterCondition0{
+			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
+			matchType: cFWP_MATCH_EQUAL,
+			conditionValue: wtFwpConditionValue0{
+				_type: cFWP_BYTE_ARRAY16_TYPE,
+				value: uintptr(unsafe.Pointer(&address)),
+			},
+		})
+		storedPointers = append(storedPointers, &address)
+	}
+
+	filter = wtFwpmFilter0{
+		providerKey:         &baseObjects.provider,
+		subLayerKey:         baseObjects.filters,
+		weight:              filterWeight(weightAllow),
+		numFilterConditions: uint32(len(allowConditionsV4)),
+		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&allowConditionsV4[0])),
+		action: wtFwpmAction0{
+			_type: cFWP_ACTION_PERMIT,
+		},
+	}
+
+	filterId = uint64(0)
+
+	//
+	// #5 Allow IPv4 outbound DNS.
+	//
+	{
+		displayData, err := createWtFwpmDisplayData0("Allow DNS outbound (IPv4)", "")
+		if err != nil {
+			return wrapErr(err)
+		}
+
+		filter.displayData = *displayData
+		filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
+
+		err = fwpmFilterAdd0(session, &filter, 0, &filterId)
+		if err != nil {
+			return wrapErr(err)
+		}
+	}
+
+	//
+	// #6 Allow IPv4 inbound DNS.
+	//
+	{
+		displayData, err := createWtFwpmDisplayData0("Allow DNS inbound (IPv4)", "")
+		if err != nil {
+			return wrapErr(err)
+		}
+
+		filter.displayData = *displayData
+		filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
+
+		err = fwpmFilterAdd0(session, &filter, 0, &filterId)
+		if err != nil {
+			return wrapErr(err)
+		}
+	}
+
+	filter.filterCondition = (*wtFwpmFilterCondition0)(unsafe.Pointer(&allowConditionsV6[0]))
+	filter.numFilterConditions = uint32(len(allowConditionsV6))
+
+	//
+	// #7 Allow IPv6 outbound DNS.
+	//
+	{
+		displayData, err := createWtFwpmDisplayData0("Allow DNS outbound (IPv6)", "")
+		if err != nil {
+			return wrapErr(err)
+		}
+
+		filter.displayData = *displayData
+		filter.layerKey = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
+
+		err = fwpmFilterAdd0(session, &filter, 0, &filterId)
+		if err != nil {
+			return wrapErr(err)
+		}
+	}
+
+	//
+	// #8 Allow IPv6 inbound DNS.
+	//
+	{
+		displayData, err := createWtFwpmDisplayData0("Allow DNS inbound (IPv6)", "")
+		if err != nil {
+			return wrapErr(err)
+		}
+
+		filter.displayData = *displayData
+		filter.layerKey = cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
+
+		err = fwpmFilterAdd0(session, &filter, 0, &filterId)
+		if err != nil {
+			return wrapErr(err)
+		}
+	}
+
+	runtime.KeepAlive(storedPointers)
+
 	return nil
 }
author	Jason A. Donenfeld <Jason@zx2c4.com>	2019-05-13 12:01:08 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2019-05-13 14:32:54 +0200
commit	515b5b6481b03165095cc4868ca8a86987cab8fa (patch)
tree	3c5351afadf0b7bdcad3c85422f4e49b351f19ab /service/firewall/rules.go
parent	ui: always do WM_SIZING hack in confview (diff)
download	wireguard-windows-515b5b6481b03165095cc4868ca8a86987cab8fa.tar.xz wireguard-windows-515b5b6481b03165095cc4868ca8a86987cab8fa.zip