matth
/
fw-daemon
mirror of https://github.com/subgraph/fw-daemon
1
1
Fork 0
Code Releases Activity

Changed SOCKS/Tor credential randomization so it only occurs if username and password are empty.

Browse Source
shw_dev
shw 9 years ago
parent de4f6ac206
commit acf62b63d1
2 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File

13
sgfw/policy.go
Unescape View File

@ -395,6 +395,11 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
} }
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) { func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
if basicAllowPacket(pkt) {
pkt.Accept()
return
}
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if isudp { if isudp {
srcport, _ := getPacketUDPPorts(pkt) srcport, _ := getPacketUDPPorts(pkt)
@ -422,7 +427,6 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
return return
} */ } */
ppath := "*" ppath := "*"
strictness := procsnitch.MATCH_STRICT strictness := procsnitch.MATCH_STRICT
@ -451,11 +455,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
} }
} }
log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip, pinfo.Pid), nil)) log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip, pinfo.Pid), nil))
if basicAllowPacket(pkt) { /* if basicAllowPacket(pkt) {
pkt.Accept() pkt.Accept()
//log.Notice("XXX: passed basicallowpacket")
return return
} }
*/
policy := fw.PolicyForPath(ppath) policy := fw.PolicyForPath(ppath)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy) //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo, optstring) policy.processPacket(pkt, pinfo, optstring)
@ -662,7 +666,8 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
dstip.IsLinkLocalMulticast() || dstip.IsLinkLocalMulticast() ||
(pkt.Packet.Layer(layers.LayerTypeTCP) == nil && (pkt.Packet.Layer(layers.LayerTypeTCP) == nil &&
pkt.Packet.Layer(layers.LayerTypeUDP) == nil && pkt.Packet.Layer(layers.LayerTypeUDP) == nil &&
pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil) pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil &&
pkt.Packet.Layer(layers.LayerTypeICMPv6) == nil)
} }
func getPacketIPAddrs(pkt *nfqueue.NFQPacket) (net.IP, net.IP) { func getPacketIPAddrs(pkt *nfqueue.NFQPacket) (net.IP, net.IP) {

10
sgfw/socks_server_chain.go
Unescape View File

@ -158,10 +158,12 @@ func (c *socksChainSession) sessionWorker() {
return return
} }
// Randomize username and password to force a new TOR circuit with each connection if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid())) // Randomize username and password to force a new TOR circuit with each connection
c.req.Auth.Uname = rndbytes rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
c.req.Auth.Passwd = rndbytes c.req.Auth.Uname = rndbytes
c.req.Auth.Passwd = rndbytes
}
switch c.req.Cmd { switch c.req.Cmd {
case CommandTorResolve, CommandTorResolvePTR: case CommandTorResolve, CommandTorResolvePTR:

Write Preview
Loading…
Cancel
Save