matth
/
fw-daemon
mirror of https://github.com/subgraph/fw-daemon
1
1
Fork 0
Code Releases Activity

Changed SOCKS/Tor credential randomization so it only occurs if username and password are empty.

Browse Source
shw_dev
shw 7 years ago
parent de4f6ac206
commit acf62b63d1
2 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File

13
sgfw/policy.go
Unescape View File

@ -395,6 +395,11 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
}
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
if basicAllowPacket(pkt) {
pkt.Accept()
return
}
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if isudp {
srcport, _ := getPacketUDPPorts(pkt)
@ -422,7 +427,6 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
return
} */
ppath := "*"
strictness := procsnitch.MATCH_STRICT
@ -451,11 +455,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
}
}
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip, pinfo.Pid), nil))
if basicAllowPacket(pkt) {
/* if basicAllowPacket(pkt) {
pkt.Accept()
//log.Notice("XXX: passed basicallowpacket")
return
}
*/
policy := fw.PolicyForPath(ppath)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo, optstring)
@ -662,7 +666,8 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
dstip.IsLinkLocalMulticast() ||
(pkt.Packet.Layer(layers.LayerTypeTCP) == nil &&
pkt.Packet.Layer(layers.LayerTypeUDP) == nil &&
pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil)
pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil &&
pkt.Packet.Layer(layers.LayerTypeICMPv6) == nil)
}
func getPacketIPAddrs(pkt *nfqueue.NFQPacket) (net.IP, net.IP) {

10
sgfw/socks_server_chain.go
Unescape View File

@ -158,10 +158,12 @@ func (c *socksChainSession) sessionWorker() {
return
}
// Randomize username and password to force a new TOR circuit with each connection
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
c.req.Auth.Uname = rndbytes
c.req.Auth.Passwd = rndbytes
if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
// Randomize username and password to force a new TOR circuit with each connection
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
c.req.Auth.Uname = rndbytes
c.req.Auth.Passwd = rndbytes
}
switch c.req.Cmd {
case CommandTorResolve, CommandTorResolvePTR:

Write Preview
Loading…
Cancel
Save