vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 18:49:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #470 from safing/feature/use-p2p-filter-lists

Browse source 
Use P2P filter lists when blocking P2P connections
This commit is contained in:
Daniel 2021-12-13 14:00:13 +01:00 committed by GitHub
commit 2677a2ae31
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
firewall/master.go
View file

@ -243,31 +243,45 @@ func checkEndpointListsForSystemResolverDNSRequests(ctx context.Context, conn *n
return false return false
} }
var p2pFilterLists = []string{"17-P2P"}
func checkConnectionType(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool { func checkConnectionType(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
switch { switch {
case conn.Type != network.IPConnection: // Block incoming connection, if not from localhost.
case p.BlockInbound() && conn.Inbound &&
// Decider only applies to IP connections. !conn.Entity.IPScope.IsLocalhost():
return false
case conn.Inbound &&
!conn.Entity.IPScope.IsLocalhost() &&
p.BlockInbound():
// BlockInbound does not apply to the Localhost scope.
conn.Drop("inbound connections blocked", profile.CfgOptionBlockInboundKey) conn.Drop("inbound connections blocked", profile.CfgOptionBlockInboundKey)
return true return true
case conn.Entity.IPScope.IsGlobal() && // Check for P2P and related connections.
conn.Entity.Domain == "" && case p.BlockP2P() && !conn.Inbound:
p.BlockP2P(): switch {
// Block anything that is in the P2P filter list.
case conn.Entity.MatchLists(p2pFilterLists):
conn.Block("P2P assistive infrastructure blocked based on filter list", profile.CfgOptionBlockP2PKey)
return true
// BlockP2P only applies to the Global scope. // Remaining P2P deciders only apply to IP connections.
case conn.Type != network.IPConnection:
return false
// Block well known ports of P2P assistive infrastructure.
case conn.Entity.DstPort() == 3478 || // STUN/TURN
conn.Entity.DstPort() == 5349: // STUN/TURN over TLS/DTLS
conn.Block("P2P assistive infrastructure blocked based on port", profile.CfgOptionBlockP2PKey)
return true
// Block direct connections with not previous DNS request.
case conn.Entity.IPScope.IsGlobal() &&
conn.Entity.Domain == "":
conn.Block("direct connections (P2P) blocked", profile.CfgOptionBlockP2PKey) conn.Block("direct connections (P2P) blocked", profile.CfgOptionBlockP2PKey)
return true return true
default: default:
return false
}
default:
return false return false
} }
} }