/* usrFwHomegwRules.c - Sample firewall rules for Home/SOHO Gateway *//* Copyright 2004-2005 Wind River Systems, Inc. */#include "copyright_wrs.h"/*modification history--------------------01l,28sep05,zhu Added rate limit with host tracking and HTTP content filter Removed rule for website blocking by keyword01k,17jun05,svk Fix compilation warnings01j,27may05,svk Replace fwStringSearch() with fastStrSearch()01i,26apr05,zhu Removed deprecated header files01i,05apr05,myz added fwExtIpOptsCheck01h,29mar05,svk Replace usage of Tornado with Workbench01g,06apr04,svk Send TCP RST for unsolicited SYN-ACK packets01f,01apr04,svk Add rules for basic DoS protection01e,19mar04,svk add MAC address filtering01d,18mar04,svk reorganize, add rules to allow inbound services01c,17mar04,svk add rules for spoofing protection01b,15mar04,svk add rule for website blocking by keyword01a,06mar04,svk created*//* DESCRIPTIONThis file supplies sample firewall rules for a Home/SOHO Gateway. The filtering policy is described below:- All hosts on private network are trusted; all hosts on public network are untrusted.- All services are available on hosts in the public network. - Only specifically configured services (FTP, HTTP, TELNET, SMTP, POP3) can be offered by hosts in the private network. Other than these services, hosts on the public network can not initiate new connections to the hosts on the private network.- No services are available on the Gateway. That means hosts on the public network can not initiate new connections to the Gateway.- Allow FTP clients in Normal (Active) mode on the private network to talk to FTP servers on the public network. - Block anonymous pings from the public network.- Allow only specified list of private host MAC Addresses to access the Gateway.- In addition, protect the Gateway and private network from some Denial of Service (DoS) attacks from the untrusted public network by: 1. 
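Rejecting packets with spoofed source IP addresses (protects against
   LAND attack, and others that use reserved/private source IP addresses).
2. Rejecting IP Directed Broadcast packets (protects against Smurf and
   Fraggle type flooding attacks).
3. Rejecting packets with illegal TCP flag combinations (protects against
   Xmas scan, NULL scan, and similar types of port scanning).
4. Rejecting or Reassembling fragmented packets (protects against
   fragmentation based attacks such as Ping of death, Jolt, sPing,
   Teardrop, Newtear, Bonk, Boink, etc.).

ASSUMPTION:
It is assumed that the Firewall has already been initialized and
configured to:
- Initialize the logging facility.
- Enable logging for IP Filter.
- Initialize the Stateful inspection.
- Install RX MAC Filter on the Gateway private interface.
- Enable logging for MAC Filter.

You can use the Workbench Kernel Editor to initialize and configure the
Firewall. Alternately, for a sample Firewall initialization and
configuration code, refer to:
target/src/wrn/firewall/sample/usrFwStartup.c
*/

/* includes */

#include <vxWorks.h>
#include <netconf.h>
#include <stdio.h>
#include <string.h>
#include <strSearchLib.h>
#include "wrn/firewall/fwLib.h"
#include "netinet/ip.h"
#include "netinet/tcp.h"
#include "netinet/ip_icmp.h"

/* defines */

#define MACADDR_LEN         6     /* number of bytes in MAC address */
#define MACADDRSTR_MAX      17    /* max length of MAC address string, */
                                  /* i.e. "xx:xx:xx:xx:xx:xx" */

/* Values of fragmentsAction: how fragments from the public network are handled */

#define FRAG_ACCEPT         0     /* allow fragments from public network */
#define FRAG_REJECT         1     /* reject fragments from public network */
#define FRAG_REASSEMBLE     2     /* reassemble fragments from public network */

#define TCP_FLAGS_ALL (TH_FIN | TH_SYN | TH_RST | TH_PUSH | \
                       TH_ACK | TH_URG)           /* all TCP flags */

#define FTPS_PORT           21    /* FTP service port */
#define HTTPS_PORT          80    /* HTTP service port */
#define TELNETS_PORT        23    /* TELNET service port */
#define SMTPS_PORT          25    /* SMTP service port */
#define POPS_PORT           110   /* POP3 service port */

#define OPT_LEN_MAX         40    /* maximum IP option length */
#define OPT_TYPE_INX        0     /* index to IP option type */
#define OPT_LEN_INX         1     /* index to IP option length */

#define INVALID_PACKET_ACTION (FW_REJECT)   /* action on invalid packets */

/* locals */

/****************** Configuration Section Start ***************************/

/*
 * This is the only part of this file you need to edit to configure the
 * firewall rules for your environment.
 */

/* Network interfaces */

LOCAL char * publicIfName  = "motfcc";   /* public interface name */
LOCAL int    publicIfUnit  = 1;          /* public interface unit number */

LOCAL char * privateIfName = "motscc";   /* private interface name */
LOCAL int    privateIfUnit = 0;          /* private interface unit number */

LOCAL char * loIfName      = "lo";       /* loopback interface name */
LOCAL int    loIfUnit      = 0;          /* loopback interface unit number */

/* Gateway IP address */

LOCAL char * publicGwAddr = "147.11.1.254";      /* gateway public IP address */

/* Public network Broadcast address */

LOCAL char * publicBcastAddr = "147.11.1.255";   /* public net broadcast addr */

/* IP address range of private network */

LOCAL char * privateStartAddr = "192.124.127.1";    /* private net start addr */
LOCAL char * privateEndAddr   = "192.124.127.254";  /* private net end addr */

/* Block Spoofed packets from public network */

LOCAL BOOL spoofingBlock = TRUE;         /* block packets with spoofed source */
                                         /* IP addresses from public network */

/* Block IP Directed Broadcast from public network */

LOCAL BOOL directedBcastBlock = TRUE;    /* block directed broadcast packets */
                                         /* from public network */

/*
 * How to handle fragmented packets from public network.
 * This is a three-way choice (FRAG_ACCEPT / FRAG_REJECT / FRAG_REASSEMBLE),
 * not a boolean, so it is declared as a plain int rather than BOOL.
 */

LOCAL int fragmentsAction = FRAG_REJECT;  /* reject/reassemble/accept */
                                          /* fragments from public network */

/* Block packets with illegal TCP flags from public network */

LOCAL BOOL badTcpFlagsBlock = TRUE;      /* block packets with illegal TCP */
                                         /* flag combinations */

/* Block source routed packets from public network */

LOCAL BOOL sourceRouteBlock = TRUE;      /* block source routed packets from */
                                         /* public network */

/* HTTP Content filter */

LOCAL BOOL httpContentFilter = FALSE;    /* set to TRUE to enable HTTP */
                                         /* content filtering */

LOCAL BOOL urlBlock = FALSE;             /* set to TRUE to block HTTP URLs */
                                         /* based on the two lists below */

/* List of specific URLs to be blocked */

LOCAL char * urlBlockList[] =
    {
    "www.badwebsite.com",
    "www.somewebsite.com/badpage",
    NULL                                 /* last entry _must_ be NULL */
    };

/* List of keywords in URLs to be blocked */

LOCAL char * keywordsInUrlBlockList[] =
    {
    "bad",
    "sleaz",
    NULL                                 /* last entry _must_ be NULL */
    };

/* Block access to Web Proxy Servers in public network */

LOCAL BOOL proxyBlock = FALSE;           /* block hosts in private network from */
                                         /* accessing proxy servers in public */
                                         /* network. Prevents users in private */
                                         /* network from circumventing the */
                                         /* Firewall's content filtering */

/* Block Java Applets */

LOCAL BOOL javaAppletBlock = FALSE;      /* block access to public web sites */
                                         /* containing Java Applets */

/* Block Active X Controls */

LOCAL BOOL activeXBlock = FALSE;         /* block access to public web sites */
                                         /* containing Active X controls */

/* Block Cookies */

LOCAL BOOL cookieBlock = FALSE;          /* block cookies from being sent to */
                                         /* public web servers */

/*
 * Services offered from private network for hosts in public network
 *
 * NOTE! For security reasons, typically this is used only with NAT so
 * that externally the services appear to be available from the Gateway.
 */

LOCAL BOOL inFtpsAllow    = FALSE;       /* allow FTP service inside private net */
LOCAL BOOL inHttpsAllow   = FALSE;       /* allow HTTP service inside private net */
LOCAL BOOL inTelnetsAllow = FALSE;       /* allow Telnet service inside private net */
LOCAL BOOL inSmtpsAllow   = FALSE;       /* allow SMTP service inside private net */
LOCAL BOOL inPopsAllow    = FALSE;       /* allow POP service inside private net */

/* Private host offering the above services */

LOCAL char * privateServerAddr = NULL;   /* private host offering services */

/*
 * MAC Address Filter
 */

LOCAL BOOL listedMacsAllow = FALSE;      /* allow only MAC Addresses listed */
                                         /* below to access Gateway private */
                                         /* interface */

/* List of private host MAC Addresses allowed to access the Gateway */

LOCAL char * macsAllow[] =
    {
    "00:01:02:03:04:05",
    "0a:0b:0c:d0:e0:f0",
    NULL                                 /* last entry _must_ be NULL */
    };

/* DoS Flood Protection */

LOCAL BOOL   synFloodProtect = TRUE;     /* enable TCP SYN flood protection */
LOCAL UINT32 synFloodRate    = 200;      /* packets/sec - drop SYN packets */
                                         /* arriving from public network */
                                         /* faster than this rate */

LOCAL BOOL   udpFloodProtect = TRUE;     /* enable UDP flood protection */
LOCAL UINT32 udpFloodRate    = 200;      /* packets/sec - drop UDP packets */
                                         /* arriving from public network */
                                         /* faster than this rate */

LOCAL BOOL   pingFloodProtect = TRUE;    /* enable PING flood protection */
LOCAL UINT32 pingFloodRate    = 200;     /* packets/sec - drop Ping packets */
                                         /* arriving from public network */
                                         /* faster than this rate */

/* Logging */

LOCAL UINT32 pktLogLen = 40;             /* number of bytes in packet to log */

/****************** Configuration Section End ****************************/

/* forward declarations */

LOCAL STATUS listedMacsAllowRulesSet (void);
LOCAL STATUS protectionRulesSet (void);
LOCAL STATUS spoofingRulesSet (void);
LOCAL STATUS directedBcastRulesSet (void);
LOCAL STATUS fragmentsRulesSet (void);
LOCAL STATUS badTcpFlagsRulesSet (void);
LOCAL STATUS forwardRulesSet (void);
LOCAL STATUS inGatewayRulesSet (void);
LOCAL STATUS outRulesSet (void);
LOCAL STATUS inFtpsAllowRulesSet (void);
LOCAL STATUS inHttpsAllowRulesSet (void);
LOCAL STATUS inTelnetsAllowRulesSet (void);
LOCAL STATUS inSmtpsAllowRulesSet (void);
LOCAL STATUS inPopsAllowRulesSet (void);
LOCAL STATUS sourceRouteBlockRulesSet (void);
LOCAL UINT32 sourceRouteBlocker (FW_LOC_TYPE, void *, struct mbuf *, void *);
LOCAL STATUS contentFilterRulesSet (void *);
LOCAL STATUS floodProtectRulesSet (void);

/*****************************************************************************
*
* usrFwHomegwRules - Set firewall rules for Home Gateway
*
* Installs, in order, the MAC address filter rules, the protection rules
* against bad/invalid packets from the public network, the forwarding rules,
* the rules for packets addressed to the gateway itself, and the rules for
* outgoing packets. Each group is driven by the settings in the
* Configuration Section above. The first group that fails stops the
* installation and ERROR is returned.
*
* NOTE(review): sourceRouteBlock, the content-filter and the flood-protection
* settings are not consulted here; presumably the rule-set helpers read them
* themselves - those helpers are not visible in this file excerpt, confirm.
*
* RETURNS: OK (success), or ERROR (failure)
*/

STATUS usrFwHomegwRules (void)
    {
    /* Sanity check: every rule set below needs both interface names */

    if ((privateIfName == NULL) || (publicIfName == NULL))
        {
        printf("Must specify private and public interface to continue!\n");
        return ERROR;
        }

    /*
     * Rules to allow only listed private host MAC Addresses to access
     * the Gateway
     */

    if (listedMacsAllow == TRUE)
        {
        if (listedMacsAllowRulesSet() == ERROR)
            return ERROR;
        }

    /*
     * Rules to protect both gateway and private network from
     * bad/invalid IP packets incoming from public network.
     * Skipped entirely when no protection option is enabled.
     */

    if ((spoofingBlock == TRUE) || (directedBcastBlock == TRUE) ||
        (fragmentsAction != FRAG_ACCEPT) || (badTcpFlagsBlock == TRUE))
        {
        if (protectionRulesSet() == ERROR)
            return ERROR;
        }

    /*
     * Rules for forwarded IP packets
     * i.e., Public network <---> Private network
     */

    if (forwardRulesSet() == ERROR)
        return ERROR;

    /*
     * Rules for incoming IP packets to gateway itself
     * i.e., Public/Private network ---> Gateway
     */

    if (inGatewayRulesSet() == ERROR)
        return ERROR;

    /*
     * Rules for all outgoing IP packets
     */

    if (outRulesSet() == ERROR)
        return ERROR;

    return OK;
    }

/*****************************************************************************
*
* listedMacsAllowRulesSet - Set firewall rules to allow only listed private
* host MAC Addresses access the Gateway
*
* Sets the MAC RX filter default action to reject-and-log, then parses each
* string in macsAllow[] (form "xx:xx:xx:xx:xx:xx") into a binary MAC address
* and adds it to the MAC filter cache as an allowed entry.
*
* RETURNS: OK (success), or ERROR (failure)
*/

LOCAL STATUS listedMacsAllowRulesSet (void)
    {
    char ** pMacsAllow;                  /* cursor over macsAllow[] */
    char    macBuf[MACADDRSTR_MAX + 1];  /* writable copy of the address */
                                         /* string, strtok() modifies it */
    char *  token;                       /* current "xx" octet string */
    UINT8   mac[MACADDR_LEN];            /* binary MAC address */
    int     i;                           /* number of octets converted */

    /*
     * Set the default action of the MAC RX Filter to reject.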
Only * listed MAC addresses are allowed. */ if (fwMacFilterDefaultSet(FW_MAC_FILTER_RX, FW_REJECT | FW_LOG, NULL, NULL) == ERROR) { printf("MAC: Failed to set default action\n"); return ERROR; } /* Add each listed MAC Address to the MAC Filter cache */ for (pMacsAllow = macsAllow; *pMacsAllow != NULL; pMacsAllow++) { /* Convert the MAC Address from string to binary format */ if (strlen(*pMacsAllow) > MACADDRSTR_MAX) { printf("MAC: Invalid MAC Address string %s\n", *pMacsAllow); return ERROR; } strcpy(macBuf, *pMacsAllow); for (token = strtok(macBuf, ":"), i = 0; (token != NULL) && (i < MACADDR_LEN); token = strtok(NULL, ":"), i++) { mac[i] = (UINT8) strtol(token, (char **)NULL, 16); } if (i != MACADDR_LEN) { printf("MAC: Invalid MAC Address string %s\n", macBuf); return ERROR; } /* Add the MAC Address to the cache */ if (fwMacCacheAdd(FW_MAC_FILTER_RX, mac, TRUE) == ERROR)