Merge pull request #189 from safing/feature/improve-firewall-blocking

Improve firewall blocking

firewall/interception.go

@@ -2,6 +2,7 @@ package firewall
 
 import (
 	"context"
+	"net"
 	"os"
 	"sync/atomic"
 	"time"
@@ -29,6 +30,9 @@ var (
 	packetsBlocked  = new(uint64)
 	packetsDropped  = new(uint64)
 	packetsFailed   = new(uint64)
+
+	blockedIPv4 = net.IPv4(0, 0, 0, 17)
+	blockedIPv6 = net.ParseIP("::17")
 )
 
 func init() {
@@ -84,6 +88,11 @@ func handlePacket(ctx context.Context, pkt packet.Packet) {
 func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 	meta := pkt.Info()
 
+	// Check for blocked IP
+	if meta.Dst.Equal(blockedIPv4) || meta.Dst.Equal(blockedIPv6) {
+		_ = pkt.PermanentBlock()
+	}
+
 	switch meta.Protocol {
 	case packet.ICMP:
 		// Always permit ICMP.

firewall/master.go

@@ -44,9 +44,9 @@ var deciders = []deciderFn{
 	checkPortmasterConnection,
 	checkSelfCommunication,
 	checkConnectionType,
-	checkConnectivityDomain,
 	checkConnectionScope,
 	checkEndpointLists,
+	checkConnectivityDomain,
 	checkBypassPrevention,
 	checkFilterLists,
 	dropInbound,

nameserver/nsutil/nsutil.go

@@ -58,9 +58,9 @@ func ZeroIP(msgs ...string) ResponderFunc {
 
 			switch question.Qtype {
 			case dns.TypeA:
-				rr, err = dns.NewRR(question.Name + " 0 IN A 0.0.0.0")
+				rr, err = dns.NewRR(question.Name + " 1 IN A 0.0.0.17")
 			case dns.TypeAAAA:
-				rr, err = dns.NewRR(question.Name + " 0 IN AAAA ::")
+				rr, err = dns.NewRR(question.Name + " 1 IN AAAA ::17")
 			}
 
 			switch {
@@ -100,9 +100,9 @@ func Localhost(msgs ...string) ResponderFunc {
 
 			switch question.Qtype {
 			case dns.TypeA:
-				rr, err = dns.NewRR("localhost. 0 IN A 127.0.0.1")
+				rr, err = dns.NewRR("localhost. 1 IN A 127.0.0.1")
 			case dns.TypeAAAA:
-				rr, err = dns.NewRR("localhost. 0 IN AAAA ::1")
+				rr, err = dns.NewRR("localhost. 1 IN AAAA ::1")
 			}
 
 			switch {