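printf("OUT-PUB: Failed to set netif\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId, FW_FIELD_STATE, FW_CONN_INITIATOR, FW_CONN_STATE_ALL) == ERROR)
        {
        printf("OUT-PUB: Failed to set state\n");
        return ERROR;
        }

    if (fwRuleFieldSet(groupId, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("OUT-PUB: Failed to set action\n");
        return ERROR;
        }

    return OK;
    }

/*****************************************************************************
*
* contentFilterRulesSet - Set rule to block HTTP traffic based on content
*
* Adds one rule to <groupId> that matches TCP traffic to HTTPS_PORT and
* hands it to a user action (FW_USER_ACTION). An extension service
* container is filled with the filters enabled by the urlBlock, proxyBlock,
* javaAppletBlock, activeXBlock and cookieBlock flags, and that container is
* installed as the rule's extension handler.
*
* Only traffic to HTTPS_PORT is inspected; HTTP served on any other port is
* not seen by these filters.
*
* The service container and URL database live in static storage because the
* firewall is handed pointers to them and uses them after this function
* returns.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS contentFilterRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    void *          ruleId;
    static void *   svcHdl;                                     /* extension service container */
    static void *   pUrlDesc;                                   /* URL database for fwUrlFilter */
    char **         pUrls     = (char **) urlBlockList;
    char **         pKeywords = (char **) keywordsInUrlBlockList;

    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("WEB: Can't create rule\n");
        return ERROR;
        }

    /*
     * Create a firewall rule to intercept the outbound HTTP traffic.
     * NOTE(review): on the error paths below the rule already created in
     * <groupId> is not removed; presumably the caller tears down the whole
     * group on ERROR - confirm.
     */
    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, HTTPS_PORT, HTTPS_PORT, 0, 0, 0) == ERROR)
        {
        printf("WEB: Failed to set TCP fields\n");
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_USER_ACTION) == ERROR)
        {
        printf("WEB: Failed to set action\n");
        return ERROR;
        }

    /*
     * Create a service container. The container is required by the handler
     * install below, so a NULL result (assumed to mean failure, as for
     * fwRuleCreate) is an error.
     */
    svcHdl = fwExtSvcCreate();
    if (svcHdl == NULL)
        {
        printf("WEB: Can't create extension service container\n");
        return ERROR;
        }

    /*
     * Create an empty URL database. It is only dereferenced when the URL
     * filter is enabled, so a NULL result is only fatal in that case.
     */
    pUrlDesc = fwUrlListCreate();
    if ((urlBlock == TRUE) && (pUrlDesc == NULL))
        {
        printf("WEB: Can't create URL list\n");
        return ERROR;
        }

    /* Add URL paths and keywords (both lists are NULL-terminated) */
    if ((urlBlock == TRUE) && (pUrls != NULL))
        {
        for (; *pUrls != NULL; pUrls++)
            {
            fwUrlAdd(pUrlDesc, *pUrls, FW_URL_SPECIFIC_PATH);
            }
        }

    if ((urlBlock == TRUE) && (pKeywords != NULL))
        {
        for (; *pKeywords != NULL; pKeywords++)
            {
            fwUrlAdd(pUrlDesc, *pKeywords, FW_URL_KEYWORD);
            }
        }

    /*
     * Register the URL filter, proxy filter, Java Applet filter,
     * activeX control filter and the cookie filter.
     *
     * NOTE(review): fwExtSvcReg results are not checked, so a filter that
     * fails to register is silently skipped - confirm its return contract.
     * The cookie filter is registered with 0 where the others pass
     * FW_REJECT; presumably it modifies rather than rejects - confirm.
     */
    if (urlBlock == TRUE)
        fwExtSvcReg(svcHdl, "URL filter", fwUrlFilter, (void *) pUrlDesc, FW_REJECT);

    if (proxyBlock == TRUE)
        fwExtSvcReg(svcHdl, "Filter Proxy", fwProxyFilter, NULL, FW_REJECT);

    if (javaAppletBlock == TRUE)
        fwExtSvcReg(svcHdl, "Block Java Applet", fwJavaAppletFilter, NULL, FW_REJECT);

    if (activeXBlock == TRUE)
        fwExtSvcReg(svcHdl, "Block ActiveX", fwActiveXFilter, NULL, FW_REJECT);

    if (cookieBlock == TRUE)
        fwExtSvcReg(svcHdl, "Cookie Block", fwCookieFilter, NULL, 0);

    /* Install the service process function to the given firewall rule */
    if (fwExtHandlerInstall(ruleId, NULL, fwExtSvcProcess, svcHdl, NULL) == ERROR)
        {
        printf("Content: Failed to install extension handler\n");
        return ERROR;
        }

    return OK;
    }

/*****************************************************************************
*
* inServiceAllowRuleSet - Set firewall rule allowing one TCP service offered
* by the private host
*
* Shared body of the in<Svc>AllowRulesSet functions below, which differed
* only in the port constant and the message prefix. Adds to <groupId> a rule
* that accepts and logs TCP traffic to <port> addressed to privateServerAddr.
* <tag> is the prefix used in the diagnostic messages (e.g. "FTPS").
*
* The four FW_FIELD_IPADDRSTR values are presumably (srcLo, srcHi, dstLo,
* dstHi) and the FW_FIELD_TCP values a source port range followed by a
* destination port range - confirm against fwRuleFieldSet before relying on
* the direction of the match.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inServiceAllowRuleSet
    (
    void *       groupId,   /* rule group to add the rule to */
    int          port,      /* TCP port of the service on the private host */
    const char * tag        /* message prefix */
    )
    {
    void * ruleId;

    /* Sanity check */
    if (privateServerAddr == NULL)
        {
        printf("Address of private host offering service not specified!\n");
        return ERROR;
        }

    /* Rule to allow traffic to the private host offering service */
    ruleId = fwRuleCreate(groupId);
    if (ruleId == NULL)
        {
        printf("%s: Can't create rule\n", tag);
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_IPADDRSTR, (UINT32) NULL, (UINT32) NULL,
                       (UINT32) privateServerAddr, (UINT32) privateServerAddr) == ERROR)
        {
        printf("%s: Failed to set IP addr\n", tag);
        return ERROR;
        }

    if (fwRuleFieldSet(ruleId, FW_FIELD_TCP, 0, 0, port, port, 0, 0, 0) == ERROR)
        {
        printf("%s: Failed to set TCP fields\n", tag);
        return ERROR;
        }

    /* Accepted connections are also logged */
    if (fwRuleFieldSet(ruleId, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("%s: Failed to set action\n", tag);
        return ERROR;
        }

    return OK;
    }

/*****************************************************************************
*
* inFtpsAllowRulesSet - Set firewall rule(s) allow FTP service offered
* by a private host.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inFtpsAllowRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    return inServiceAllowRuleSet(groupId, FTPS_PORT, "FTPS");
    }

/*****************************************************************************
*
* inHttpsAllowRulesSet - Set firewall rule(s) allow HTTP service offered
* by a private host.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inHttpsAllowRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    return inServiceAllowRuleSet(groupId, HTTPS_PORT, "HTTPS");
    }

/*****************************************************************************
*
* inTelnetsAllowRulesSet - Set firewall rule(s) allow TELNET service offered
* by a private host.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inTelnetsAllowRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    return inServiceAllowRuleSet(groupId, TELNETS_PORT, "TELS");
    }

/*****************************************************************************
*
* inSmtpsAllowRulesSet - Set firewall rule(s) allow SMTP service offered
* by a private host.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inSmtpsAllowRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    return inServiceAllowRuleSet(groupId, SMTPS_PORT, "SMTPS");
    }

/*****************************************************************************
*
* inPopsAllowRulesSet - Set firewall rule(s) allow POP3 service offered
* by a private host.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS inPopsAllowRulesSet
    (
    void * groupId          /* rule group to add the rule to */
    )
    {
    return inServiceAllowRuleSet(groupId, POPS_PORT, "POPS");
    }

/*****************************************************************************
*
* sourceRouteBlockRulesSet - Set firewall rule to block packets with the
* IP source routing option.
*
* IP source routing can be used to specify a direct route to a destination
* and a return path back to the sender. The route could involve the use of
* other routers or hosts that normally would not be used to forward packets
* to the destination. This option can be used to trick Firewalls into
* allowing connections from hosts that otherwise would not be allowed. It
* can lead to breakins and intruder activity.
*
* RETURNS: OK (success), or ERROR (failure)
*/
LOCAL STATUS sourceRouteBlockRulesSet()
    {
    void * groupId;

    /* Group to reject IP source routed packets */
    groupId = fwRuleGroupCreate(FW_PREIN_LOC, "Source Routed packets from Public Network", pktLogLen);
    if (groupId == NULL)
        {
        printf("PRE:SRCRT: Can't create rule group\n");
        return ERROR;
        }

    /* Applies only if IP options are present - i.e., IP header len > 20 */
    if (fwRuleFieldSet(groupId, FW_FIELD_HDRLEN, 20, FW_GT_OP) == ERROR)
        {
        printf("PRE:SRCRT Failed to set IP header length field\n");
        re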