Changed SOCKS/Tor credential randomization so it only occurs if username and password are empty.

sgfw/policy.go

@@ -395,6 +395,11 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
 }
 
 func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
+	if basicAllowPacket(pkt) {
+		pkt.Accept()
+		return
+	}
+
 	isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
 	if isudp {
 		srcport, _ := getPacketUDPPorts(pkt)
@@ -422,7 +427,6 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 		return
 	} */
 
-
 	ppath := "*"
 	strictness := procsnitch.MATCH_STRICT
 
@@ -451,11 +455,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 		}
 	}
 	log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip, pinfo.Pid), nil))
-	if basicAllowPacket(pkt) {
+/*	if basicAllowPacket(pkt) {
 		pkt.Accept()
-//log.Notice("XXX: passed basicallowpacket")
 		return
 	}
+*/
 	policy := fw.PolicyForPath(ppath)
 //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
 	policy.processPacket(pkt, pinfo, optstring)
@@ -662,7 +666,8 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
 		dstip.IsLinkLocalMulticast() ||
 		(pkt.Packet.Layer(layers.LayerTypeTCP) == nil &&
 		 pkt.Packet.Layer(layers.LayerTypeUDP) == nil &&
-		 pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil)
+		 pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil &&
+		 pkt.Packet.Layer(layers.LayerTypeICMPv6) == nil)
 }
 
 func getPacketIPAddrs(pkt *nfqueue.NFQPacket) (net.IP, net.IP) {

sgfw/socks_server_chain.go

@@ -158,10 +158,12 @@ func (c *socksChainSession) sessionWorker() {
 		return
 	}
 
+	if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
 		// Randomize username and password to force a new TOR circuit with each connection
 		rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
 		c.req.Auth.Uname = rndbytes
 		c.req.Auth.Passwd = rndbytes
+	}
 
 	switch c.req.Cmd {
 	case CommandTorResolve, CommandTorResolvePTR: