From d4f316e65a4637a9c224c92bd2cc495e88c48304 Mon Sep 17 00:00:00 2001
From: Patrick Pacher
Date: Tue, 20 Sep 2022 09:16:23 +0200
Subject: [PATCH] incoming: force block by default, apply default action and allow LAN per rules

---
 firewall/master.go | 10 ----------
 profile/config.go | 6 +++---
 2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/firewall/master.go b/firewall/master.go
index 33e96305..fdcddd9f 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -54,7 +54,6 @@ var defaultDeciders = []deciderFn{
 	checkBypassPrevention,
 	checkFilterLists,
 	checkCustomFilterList,
-	dropInbound,
 	checkDomainHeuristics,
 	checkAutoPermitRelated,
 }
@@ -539,15 +538,6 @@ func checkDomainHeuristics(ctx context.Context, conn *network.Connection, p *pro
 	return false
 }
 
-func dropInbound(_ context.Context, conn *network.Connection, _ *profile.LayeredProfile, _ packet.Packet) bool {
-	// implicit default=block for inbound
-	if conn.Inbound {
-		conn.Drop("incoming connection blocked by default", profile.CfgOptionServiceEndpointsKey)
-		return true
-	}
-	return false
-}
-
 func checkAutoPermitRelated(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	// Auto permit is disabled for default action permit.
 	if p.DefaultAction() == profile.DefaultActionPermit {
diff --git a/profile/config.go b/profile/config.go
index a9d705e6..7f04b940 100644
--- a/profile/config.go
+++ b/profile/config.go
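Review bot: With `dropInbound` taken out of `defaultDeciders` here (and its definition deleted in the next hunk), nothing left in this decider chain fails closed for inbound connections: an inbound connection that no earlier decider stops now falls through to the profile's default action, so a profile whose default action is permit will accept unsolicited inbound traffic unless the Block Inbound option (`CfgOptionBlockInboundKey`, switched on by default in the companion profile/config.go change) is enforced somewhere ahead of this point. Where that option is evaluated is not visible in this diff, so the dependency deserves a comment above the slice, e.g. `// Inbound connections are no longer blocked implicitly by a decider; they are governed by the Block Inbound option and otherwise by the profile's default action.` The removed decider also reported its verdict with the reason key `profile.CfgOptionServiceEndpointsKey`; it is worth confirming that whichever code now blocks inbound traffic still attaches a reason key so the verdict stays explainable in the UI.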
@@ -292,11 +292,11 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 	cfgStringArrayOptions[CfgOptionEndpointsKey] = cfgOptionEndpoints
 
 	// Service Endpoint Filter List
-	defaultIncomingRulesValue := []string{"+ Localhost"}
+	defaultIncomingRulesValue := []string{"+ LAN"}
 	err = config.Register(&config.Option{
 		Name: "Incoming Rules",
 		Key: CfgOptionServiceEndpointsKey,
-		Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above). Also note that the default action for incoming connections is to always block.",
+		Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above).",
 		Help: rulesHelp,
 		Sensitive: true,
 		OptType: config.OptTypeStringArray,
@@ -494,7 +494,7 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 		Key: CfgOptionBlockInboundKey,
 		Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software. Is stronger than Rules (see below).",
 		OptType: config.OptTypeInt,
-		DefaultValue: status.SecurityLevelOff,
+		DefaultValue: status.SecurityLevelsAll,
 		PossibleValues: status.AllSecurityLevelValues,
 		Annotations: config.Annotations{
 			config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
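Review bot: The default incoming rules replace `+ Localhost` with `+ LAN` rather than adding to it; unless the LAN scope also matches loopback (not visible here), inbound connections from localhost are no longer allowed by the default rules and fall to the default action, while every peer on the LAN is now permitted by rule as soon as Block Inbound is lowered. If loopback is not part of the LAN scope, keeping both entries, `defaultIncomingRulesValue := []string{"+ Localhost", "+ LAN"}`, preserves the previous behaviour for local services. The shortened Description now says nothing about what happens to an inbound connection that matches no rule; since the commit title says the profile's default action applies, consider stating that, e.g. appending `Incoming connections that match no rule are subject to the Default Action.` to the description string.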
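Review bot: Raising the Block Inbound default to `status.SecurityLevelsAll` means the option is active at every security level out of the box, and because its own Description states it "Is stronger than Rules", the new `+ LAN` default rule from the previous hunk has no effect until a user lowers this option; neither description says so, and a user reading the Incoming Rules help will expect LAN access to work by default. A sentence on this option such as `While enabled, incoming rules below are not consulted; lower this option to let the Incoming Rules decide.` would make the precedence explicit. The description also limits the option to connections "from the LAN or Internet", which suggests loopback traffic is outside its scope and is decided by the rules and default action alone; worth confirming that reading is intended, since it is now the only path by which local services stay reachable.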