
From: ValdikSS <iam <at> valdikss.org.ru>
Subject: [PATCH] Update --block-outside-dns to work on Windows Vista
Newsgroups: gmane.network.openvpn.devel
Date: Friday 15th January 2016 23:35:38 UTC (over 2 years ago)
Windows Vista doesn't support non-equal matching on the application name; that
match type is available only since Windows 7.
This commit splits 2 filtering conditions with non-equal matching to 2
filters each with 1 filtering
condition: permit IPv4 (first filter) and IPv6 (second filter) port 53
traffic from openvpn.exe
instead of blocking all non-openvpn.exe traffic on port 53 for both
protocols.
---
 src/openvpn/win32.c | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index a01121b..e21870c 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -1222,13 +1222,14 @@ win_wfp_block_dns (const NET_IFINDEX index)
     /* Prepare filter. */
     Filter.subLayerKey = SubLayer.subLayerKey;
     Filter.displayData.name = FIREWALL_NAME;
-    Filter.weight.type = FWP_EMPTY;
+    Filter.weight.type = FWP_UINT8;
+    Filter.weight.uint8 = 0xF;
     Filter.filterCondition = Condition;
     Filter.numFilterConditions = 2;
 
-    /* First filter. Block IPv4 DNS queries except from OpenVPN itself. */
+    /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */
     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
-    Filter.action.type = FWP_ACTION_BLOCK;
+    Filter.action.type = FWP_ACTION_PERMIT;
 
     Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
     Condition[0].matchType = FWP_MATCH_EQUAL;
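Review bot: The explicit weight `Filter.weight.uint8 = 0xF;` on the new line after `FWP_UINT8` is a bare magic number, and the hunk does not say what it is meant to outrank. This weight is what decides whether the two "permit openvpn.exe DNS" filters win over the block filters added later in the same function, so the ordering contract should be readable at the point the value is chosen; a named constant with a comment such as `/* Highest FWP_UINT8 weight: the openvpn.exe permit filters must outrank the unconditional DNS block filters below. */` would make it auditable. Note that the same `Filter` is reused for the second (IPv6) permit filter without touching `weight`, so the comment should say the weight applies to both. win_wfp_block_dns begins before this hunk.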
@@ -1236,26 +1237,44 @@ win_wfp_block_dns (const NET_IFINDEX index)
     Condition[0].conditionValue.uint16 = 53;
 
     Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID;
-    Condition[1].matchType = FWP_MATCH_NOT_EQUAL;
+    Condition[1].matchType = FWP_MATCH_EQUAL;
     Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE;
     Condition[1].conditionValue.byteBlob = openvpnblob;
 
     /* Add filter condition to our interface. */
     if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
         goto err;
-    dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);
+    dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d",
filterid);
 
-    /* Second filter. Block IPv6 DNS queries except from OpenVPN itself.
*/
+    /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */
     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
 
     /* Add filter condition to our interface. */
     if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
         goto err;
+    dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d",
filterid);
+
+    /* Third filter. Block all IPv4 DNS queries. */
+    Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+    Filter.action.type = FWP_ACTION_BLOCK;
+    Filter.weight.type = FWP_EMPTY;
+    Filter.numFilterConditions = 1;
+
+    if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
+        goto err;
+    dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);
+
+    /* Forth filter. Block all IPv6 DNS queries. */
+    Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+
+    if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))
+        goto err;
     dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid);
 
-    /* Third filter. Permit IPv4 DNS queries from TAP. */
+    /* Fifth filter. Permit IPv4 DNS queries from TAP. */
     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
     Filter.action.type = FWP_ACTION_PERMIT;
+    Filter.numFilterConditions = 2;
 
     Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
     Condition[1].matchType = FWP_MATCH_EQUAL;
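Review bot: The third filter resets `Filter.weight.type = FWP_EMPTY;` and nothing after it sets the weight again, so the fifth and sixth "Permit ... DNS queries from TAP" filters are added with an automatically assigned weight, exactly like the two unconditional block filters; whether TAP-sourced DNS is permitted or blocked therefore depends on BFE's automatic weighting inside this sublayer rather than on anything stated in the code. If that ordering is intended, a comment at the fifth filter saying so is needed; if not, give the TAP permit filters an explicit weight too, e.g. `Filter.weight.type = FWP_UINT8;` and `Filter.weight.uint8 = 0xF;` next to `Filter.action.type = FWP_ACTION_PERMIT;`. Toggling `numFilterConditions` between 2 and 1 across the function also deserves a one-line comment at the third filter, since `Condition[1]` remains populated but is silently ignored for the block filters. The new comment `/* Forth filter. Block all IPv6 DNS queries. */` should read `Fourth`. The fifth filter's body continues into the next hunk.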
@@ -1267,7 +1286,7 @@ win_wfp_block_dns (const NET_IFINDEX index)
         goto err;
     dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with
ID=%I64d", filterid);
 
-    /* Forth filter. Permit IPv6 DNS queries from TAP. */
+    /* Sixth filter. Permit IPv6 DNS queries from TAP. */
     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
 
     /* Add filter condition to our interface. */
-- 
2.7.0

