vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 02:29:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

incoming: force block by default, apply default action and allow LAN per rules

Browse source
This commit is contained in:
Patrick Pacher 2022-09-20 09:16:23 +02:00
parent 2388c1b036
commit d4f316e65a
No known key found for this signature in database
GPG key ID: E8CD2DA160925A6D
2 changed files with 3 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
firewall/master.go
View file

@ -54,7 +54,6 @@ var defaultDeciders = []deciderFn{
checkBypassPrevention, checkBypassPrevention,
checkFilterLists, checkFilterLists,
checkCustomFilterList, checkCustomFilterList,
dropInbound,
checkDomainHeuristics, checkDomainHeuristics,
checkAutoPermitRelated, checkAutoPermitRelated,
} }
@ -539,15 +538,6 @@ func checkDomainHeuristics(ctx context.Context, conn *network.Connection, p *pro
return false return false
} }
func dropInbound(_ context.Context, conn *network.Connection, _ *profile.LayeredProfile, _ packet.Packet) bool {
// implicit default=block for inbound
if conn.Inbound {
conn.Drop("incoming connection blocked by default", profile.CfgOptionServiceEndpointsKey)
return true
}
return false
}
func checkAutoPermitRelated(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool { func checkAutoPermitRelated(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
// Auto permit is disabled for default action permit. // Auto permit is disabled for default action permit.
if p.DefaultAction() == profile.DefaultActionPermit { if p.DefaultAction() == profile.DefaultActionPermit {

6
profile/config.go
View file

@ -292,11 +292,11 @@ Important: DNS Requests are only matched against domain and filter list rules, a
cfgStringArrayOptions[CfgOptionEndpointsKey] = cfgOptionEndpoints cfgStringArrayOptions[CfgOptionEndpointsKey] = cfgOptionEndpoints
// Service Endpoint Filter List // Service Endpoint Filter List
defaultIncomingRulesValue := []string{"+ Localhost"} defaultIncomingRulesValue := []string{"+ LAN"}
err = config.Register(&config.Option{ err = config.Register(&config.Option{
Name: "Incoming Rules", Name: "Incoming Rules",
Key: CfgOptionServiceEndpointsKey, Key: CfgOptionServiceEndpointsKey,
Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above). Also note that the default action for incoming connections is to always block.", Description: "Rules that apply to incoming network connections. Cannot overrule Network Scopes and Connection Types (see above).",
Help: rulesHelp, Help: rulesHelp,
Sensitive: true, Sensitive: true,
OptType: config.OptTypeStringArray, OptType: config.OptTypeStringArray,
@ -494,7 +494,7 @@ Important: DNS Requests are only matched against domain and filter list rules, a
Key: CfgOptionBlockInboundKey, Key: CfgOptionBlockInboundKey,
Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software. Is stronger than Rules (see below).", Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software. Is stronger than Rules (see below).",
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
DefaultValue: status.SecurityLevelOff, DefaultValue: status.SecurityLevelsAll,
PossibleValues: status.AllSecurityLevelValues, PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{ Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,