From fc1c72658f6f264e8983cb09ceee258309b78461 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 23 Nov 2020 20:25:34 +0100
Subject: firewall: add allow rule for tunnel service process even when no blocking is required
This is essential for allowing incoming connections.
Reported-by: /u/Julien_Madagascar on Reddit
Signed-off-by: Jason A. Donenfeld
---
 tunnel/addressconfig.go | 8 ++++--
 tunnel/firewall/blocker.go | 72 ++++++++++++++++++++++++----------------------
 2 files changed, 42 insertions(+), 38 deletions(-)
 (limited to 'tunnel')
diff --git a/tunnel/addressconfig.go b/tunnel/addressconfig.go
index 571da9d1..d2667e21 100644
--- a/tunnel/addressconfig.go
+++ b/tunnel/addressconfig.go
@@ -180,6 +180,7 @@ func configureInterface(family winipcfg.AddressFamily, conf *conf.Config, tun *t
 }
 func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
+ doNotRestrict := true
 if len(conf.Peers) == 1 {
 nextallowedip:
 for _, allowedip := range conf.Peers[0].AllowedIPs {
@@ -189,10 +190,11 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
 continue nextallowedip
 }
 }
- log.Println("Enabling firewall rules")
- return firewall.EnableFirewall(tun.LUID(), conf.Interface.DNS)
+ doNotRestrict = false
+ break
 }
 }
 }
- return nil
+ log.Println("Enabling firewall rules")
+ return firewall.EnableFirewall(tun.LUID(), doNotRestrict, conf.Interface.DNS)
 }
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index eb3c149d..b32a90e1 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -101,7 +101,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
 return bo, nil
 }
-func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
+func EnableFirewall(luid uint64, doNotRestrict bool, restrictToDNSServers []net.IP) error {
 if wfpSession != 0 {
 return errors.New("The firewall has already been enabled")
 }
@@ -122,49 +122,51 @@ func EnableFirewall(luid uint64, restrictToDNSServers []net.IP) error {
 return wrapErr(err)
 }
- if len(restrictToDNSServers) > 0 {
- err = blockDNS(restrictToDNSServers, session, baseObjects, 15, 14)
+ if !doNotRestrict {
+ if len(restrictToDNSServers) > 0 {
+ err = blockDNS(restrictToDNSServers, session, baseObjects, 15, 14)
+ if err != nil {
+ return wrapErr(err)
+ }
+ }
+
+ err = permitLoopback(session, baseObjects, 13)
 if err != nil {
 return wrapErr(err)
 }
- }
- err = permitLoopback(session, baseObjects, 13)
- if err != nil {
- return wrapErr(err)
- }
-
- err = permitTunInterface(session, baseObjects, 12, luid)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitTunInterface(session, baseObjects, 12, luid)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitDHCPIPv4(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv4(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitDHCPIPv6(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitDHCPIPv6(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- err = permitNdp(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
+ err = permitNdp(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
- /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
- * In other words, if somebody complains, try enabling it. For now, keep it off.
- err = permitHyperV(session, baseObjects, 12)
- if err != nil {
- return wrapErr(err)
- }
- */
+ /* TODO: actually evaluate if this does anything and if we need this. It's layer 2; our other rules are layer 3.
+ * In other words, if somebody complains, try enabling it. For now, keep it off.
+ err = permitHyperV(session, baseObjects, 12)
+ if err != nil {
+ return wrapErr(err)
+ }
+ */
- err = blockAll(session, baseObjects, 0)
- if err != nil {
- return wrapErr(err)
+ err = blockAll(session, baseObjects, 0)
+ if err != nil {
+ return wrapErr(err)
+ }
 }
 return nil
--
cgit v1.2.3-59-g8ed1b
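Review bot: `doNotRestrict := true` introduces a negated flag that every consumer has to invert (blocker.go tests it as `if !doNotRestrict`), and nothing at the declaration says what "restrict" means; the test that clears it lies between this hunk and the next and is not visible here, so a reader of this hunk alone cannot tell which configs get blocking rules. A positively named variable, `restrictTraffic := false` with the later assignment flipped, reads more safely, and the declaration deserves a comment along the lines of `// Blocking rules are installed only for a single-peer config whose AllowedIPs satisfy the test below (presumably a catch-all route — verify against the loop body); every other config gets just the permit rule for the service process.`. enableFirewall's body continues past the end of this hunk.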
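Review bot: The `log.Println("Enabling firewall rules")` line now fires on every call, but what it announces differs by mode: with `doNotRestrict` set the call installs no blocking at all, so an operator can no longer tell from the log whether traffic outside the tunnel is actually blocked, whereas before the change this line was printed only on the blocking path. Since that log line is the only visible signal of the kill-switch state, make the mode explicit, e.g. `log.Printf("Enabling firewall rules (restrict traffic to tunnel: %t)", !doNotRestrict)`.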
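Review bot: `EnableFirewall` is exported and gains a bare `bool` parameter, yet it still has no doc comment, so a caller reading the signature cannot tell which rules `doNotRestrict` switches off (per the following hunk: the DNS block, the loopback/tunnel/DHCP/NDP permits and the catch-all block). Add a doc comment above the declaration stating that the function installs a permit rule for the tunnel service process in every mode (the commit subject says so), that unless doNotRestrict is set it additionally blocks all traffic not headed for the tunnel interface, loopback, DHCP, NDP or the listed DNS servers, and that a second call fails, as the `wfpSession != 0` check shows. A positional bool is also easy to transpose at a call site; if this API is revisited, a named type or an options struct would be less error-prone.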
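Review bot: When `doNotRestrict` is true the entire block from `if len(restrictToDNSServers) > 0` through `blockAll` is skipped, so `restrictToDNSServers` is silently ignored: a config that lists DNS servers but does not qualify for restriction gets no DNS enforcement at all, and neither the code nor the caller is told. Say so on the new `if !doNotRestrict {` line, e.g. `// Non-restricted mode installs only the service permit: the DNS block, the loopback/tunnel/DHCP/NDP allowances and the catch-all block are all skipped, so restrictToDNSServers is not enforced here.`. As a matter of style, an early `if doNotRestrict { return nil }` placed after the service permit would give the same result without re-indenting forty lines, provided nothing after this block's closing brace still needs to run in that mode; the enclosing function continues beyond the hunk, so that has to be checked there.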