authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 22:31:28 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 22:31:28 +0200
commit2565c14c07fbb97129834edb7c6be4741d29c508 (patch)
tree908077471349f7a568df529ea2c0e236f7e249b7 /service
parentui: fix thundering herd problem in importing/deleting (diff)
downloadwireguard-windows-2565c14c07fbb97129834edb7c6be4741d29c508.tar.xz
wireguard-windows-2565c14c07fbb97129834edb7c6be4741d29c508.zip
firewall: block dns before allowing localhost
This prevents DNS leaks for users whose localhost resolver does something funky.
Diffstat (limited to 'service')
-rw-r--r--service/firewall/blocker.go24
-rw-r--r--service/firewall/helpers.go11
-rw-r--r--service/firewall/rules.go34
3 files changed, 31 insertions, 38 deletions
diff --git a/service/firewall/blocker.go b/service/firewall/blocker.go
index d709da4d..507c8946 100644
--- a/service/firewall/blocker.go
+++ b/service/firewall/blocker.go
@@ -122,45 +122,45 @@ func EnableFirewall(luid uint64, restrictDNS bool, restrictAll bool) error {
return wrapErr(err)
}
- err = permitTunInterface(session, baseObjects, luid)
+ err = permitTunInterface(session, baseObjects, 15, luid)
if err != nil {
return wrapErr(err)
}
- err = permitWireGuardService(session, baseObjects)
+ err = permitWireGuardService(session, baseObjects, 15)
if err != nil {
return wrapErr(err)
}
- err = permitLoopback(session, baseObjects)
+ err = permitDhcpIpv4(session, baseObjects, 15)
if err != nil {
return wrapErr(err)
}
- err = permitDhcpIpv4(session, baseObjects)
+ err = permitDhcpIpv6(session, baseObjects, 15)
if err != nil {
return wrapErr(err)
}
- err = permitDhcpIpv6(session, baseObjects)
- if err != nil {
- return wrapErr(err)
- }
-
- err = permitNdp(session, baseObjects)
+ err = permitNdp(session, baseObjects, 15)
if err != nil {
return wrapErr(err)
}
if restrictDNS {
- err = blockDnsUnmatched(session, baseObjects)
+ err = blockDns(session, baseObjects, 14)
if err != nil {
return wrapErr(err)
}
}
+ err = permitLoopback(session, baseObjects, 13)
+ if err != nil {
+ return wrapErr(err)
+ }
+
if restrictAll {
- err = blockAllUnmatched(session, baseObjects)
+ err = blockAll(session, baseObjects, 0)
if err != nil {
return wrapErr(err)
}
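Review bot: The relative ordering of the new weight literals (15 for the permit rules, 14 for blockDns, 13 for permitLoopback, 0 for blockAll) is the entire security property of this change — the DNS block must outrank the loopback permit so a local resolver cannot be reached around it — yet the call sites carry no comment saying so, and the same numbers are repeated at seven sites where one typo would silently reorder the filters. As I read WFP's arbitration, filters within a sublayer are resolved highest weight first, so the ranking deserves one named home rather than bare literals. I would hoist them into a single const block (below) and pass the constants here, which also makes the "permit at 15 / block DNS at 14 / loopback at 13 / block all at 0" intent readable without consulting the commit message. EnableFirewall starts before and ends after this hunk.
```go
// Filter weights for this provider's sublayer, highest wins; the ranking is
// deliberate: the DNS block must outrank the loopback permit so that a
// localhost resolver cannot bypass it.
const (
	weightPermit         uint8 = 15 // tun interface, service, DHCP, NDP
	weightBlockDns       uint8 = 14
	weightPermitLoopback uint8 = 13
	weightBlockAll       uint8 = 0
)
// … unchanged: EnableFirewall body, with each literal replaced by its constant, e.g. …
err = blockDns(session, baseObjects, weightBlockDns)
err = permitLoopback(session, baseObjects, weightPermitLoopback)
```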
diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
index 5945d69a..f5cab009 100644
--- a/service/firewall/helpers.go
+++ b/service/firewall/helpers.go
@@ -177,17 +177,10 @@ func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, er
}, nil
}
-func filterWeightMax() wtFwpValue0 {
+func filterWeight(weight uint8) wtFwpValue0 {
return wtFwpValue0{
_type: cFWP_UINT8,
- value: 15,
- }
-}
-
-func filterWeightMin() wtFwpValue0 {
- return wtFwpValue0{
- _type: cFWP_UINT8,
- value: 0,
+ value: uintptr(weight),
}
}
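Review bot: filterWeight now accepts any uint8, but for a weight of type FWP_UINT8 the filter engine only takes values 0 through 15 and maps them onto its own weight range — as far as I recall a larger value makes the filter add call fail rather than being clamped, and the old filterWeightMax/filterWeightMin names kept that range implicit. Every caller in this commit passes a literal, so a doc comment is the cheapest guard: `// filterWeight returns a FWP_UINT8 filter weight. WFP accepts only 0..15 for this type; larger values are rejected when the filter is added.` A range check returning an error would change the signature for no caller that needs it today, so I would leave it at the comment unless callers start computing weights.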
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index 12b70742..ab356e70 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -11,7 +11,7 @@ import (
"unsafe"
)
-func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64) error {
+func permitTunInterface(session uintptr, baseObjects *baseObjects, weight uint8, ifLuid uint64) error {
ifaceCondition := wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_IP_LOCAL_INTERFACE,
matchType: cFWP_MATCH_EQUAL,
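Review bot: The new weight parameter is undocumented on every signature this commit touches — permitTunInterface here, and permitWireGuardService, permitLoopback, permitDhcpIpv4, permitDhcpIpv6, permitNdp, blockAll and blockDns in the later hunks — and none of these functions has a doc comment at all, so a reader cannot tell that weight is the WFP precedence among this provider's filters or that only 0..15 is valid for the FWP_UINT8 type used by filterWeight. One line per function is enough, for example `// permitTunInterface adds a permit filter for traffic on interface ifLuid; weight (0..15) sets its precedence among this provider's filters, higher wins.`, with the same shape on the others. Placing weight ahead of ifLuid is fine, but the comment should make clear that callers, not the function, decide precedence. permitTunInterface continues outside this hunk.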
@@ -24,7 +24,7 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: 1,
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&ifaceCondition)),
action: wtFwpmAction0{
@@ -142,7 +142,7 @@ func getCurrentProcessAppId() (*wtFwpByteBlob, error) {
return appId, nil
}
-func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
+func permitWireGuardService(session uintptr, baseObjects *baseObjects, weight uint8) error {
var conditions [2]wtFwpmFilterCondition0
//
@@ -188,7 +188,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: uint32(len(conditions)),
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
action: wtFwpmAction0{
@@ -273,7 +273,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
return nil
}
-func permitLoopback(session uintptr, baseObjects *baseObjects) error {
+func permitLoopback(session uintptr, baseObjects *baseObjects, weight uint8) error {
condition := wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_INTERFACE_TYPE,
matchType: cFWP_MATCH_EQUAL,
@@ -286,7 +286,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error {
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: 1,
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
action: wtFwpmAction0{
@@ -371,7 +371,7 @@ func permitLoopback(session uintptr, baseObjects *baseObjects) error {
return nil
}
-func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error {
+func permitDhcpIpv4(session uintptr, baseObjects *baseObjects, weight uint8) error {
//
// #1 Outbound DHCP request on IPv4.
//
@@ -408,7 +408,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error {
providerKey: &baseObjects.provider,
layerKey: cFWPM_LAYER_ALE_AUTH_CONNECT_V4,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: uint32(len(conditions)),
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
action: wtFwpmAction0{
@@ -455,7 +455,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error {
providerKey: &baseObjects.provider,
layerKey: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: uint32(len(conditions)),
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
action: wtFwpmAction0{
@@ -474,7 +474,7 @@ func permitDhcpIpv4(session uintptr, baseObjects *baseObjects) error {
return nil
}
-func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error {
+func permitDhcpIpv6(session uintptr, baseObjects *baseObjects, weight uint8) error {
privateNetwork := wtFwpV6AddrAndMask{[16]uint8{0xfe, 0x80}, 10}
//
@@ -527,7 +527,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error {
providerKey: &baseObjects.provider,
layerKey: cFWPM_LAYER_ALE_AUTH_CONNECT_V6,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: uint32(len(conditions)),
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
action: wtFwpmAction0{
@@ -584,7 +584,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error {
providerKey: &baseObjects.provider,
layerKey: cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
subLayerKey: baseObjects.filters,
- weight: filterWeightMax(),
+ weight: filterWeight(weight),
numFilterConditions: uint32(len(conditions)),
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions)),
action: wtFwpmAction0{
@@ -603,7 +603,7 @@ func permitDhcpIpv6(session uintptr, baseObjects *baseObjects) error {
return nil
}
-func permitNdp(session uintptr, baseObjects *baseObjects) error {
+func permitNdp(session uintptr, baseObjects *baseObjects, weight uint8) error {
/* TODO: Objective is:
* icmpv6 133: must be outgoing, dst must be FF02::2/128, hop limit must be 255
@@ -634,11 +634,11 @@ func permitNdp(session uintptr, baseObjects *baseObjects) error {
}
// Block all traffic except what is explicitly permitted by other rules.
-func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error {
+func blockAll(session uintptr, baseObjects *baseObjects, weight uint8) error {
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.filters,
- weight: filterWeightMin(),
+ weight: filterWeight(weight),
action: wtFwpmAction0{
_type: cFWP_ACTION_BLOCK,
},
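Review bot: The comment above blockAll still says "except what is explicitly permitted by other rules", but with the weight now chosen by the caller a permit rule only overrides this block if the caller gave it a higher weight, and the same applies to the blockDns comment in the next hunk, where a loopback permit at a lower weight no longer exempts DNS. I would reword both so the contract follows the parameter: `// Block all traffic not matched by a permit filter of higher weight in this sublayer.` and `// Block traffic matching the DNS remote-port condition unless a higher-weight permit filter matches first.` That way the comments stay true whatever ordering EnableFirewall picks. blockAll continues outside this hunk.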
@@ -722,7 +722,7 @@ func blockAllUnmatched(session uintptr, baseObjects *baseObjects) error {
}
// Block all DNS except what is matched by a permissive rule.
-func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
+func blockDns(session uintptr, baseObjects *baseObjects, weight uint8) error {
condition := wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_IP_REMOTE_PORT,
matchType: cFWP_MATCH_EQUAL,
@@ -735,7 +735,7 @@ func blockDnsUnmatched(session uintptr, baseObjects *baseObjects) error {
filter := wtFwpmFilter0{
providerKey: &baseObjects.provider,
subLayerKey: baseObjects.filters,
- weight: filterWeightMin(),
+ weight: filterWeight(weight),
numFilterConditions: 1,
filterCondition: (*wtFwpmFilterCondition0)(unsafe.Pointer(&condition)),
action: wtFwpmAction0{