{*******************************************************} { } { ThdFirewall } { } { Copyright (C) 2022 kku } { } {*******************************************************} unit ThdFirewall; interface uses Tocsg.Thread, System.SysUtils, System.Classes, Winapi.Windows, Tocsg.Firewall, NetFwTypeLib_TLB; type TVpnFwConfg = record bBlkExcept, bBlkDefPort: Boolean; nBlkExtPortType: Integer; sBlkPorts, sNetCtrlType, sNetCtrlList, sNetBlkExcept: String; end; TSleepFwConfg = record sSleepList, sSleepBlockType: String; end; TNetCtrlType = (nctFalse, nctAppBlack, nctAppWhite, nctIpBlack, nctIpWhite); TThdFirewall = class(TTgThread) protected procedure Execute; override; public Constructor Create; end; implementation uses Tocsg.Exception, Tocsg.Safe, Winapi.ActiveX, Tocsg.Strings, ManagerService, Tocsg.WTS, Tocsg.Path, ManagerModel, Tocsg.Convert, Tocsg.Process, GlobalDefine, Condition, Tocsg.Network, System.Generics.Collections, System.IniFiles, Tocsg.Url, Tocsg.Trace, System.DateUtils; const // DEF_INTERNAL_PORT = '8261,8262,8263'; TOCSG_GROUP = 'Tocsg Group'; FW_NAME_POLICY_DEFAULT_INDIR = 'TocsgInternalIn'; FW_NAME_POLICY_DEFAULT_OUTDIR = 'TocsgInternalOut'; FW_NAME_POLICY_DEFAULTBLOCK_PORT = 'eCrmHomeEditionDefault'; FW_NAME_POLICY_EXTRABLOCK_PORT = 'eCrmHomeEditionExtra'; FW_NAME_POLICY_IDLE = 'eCrmHomeEditionIdle'; FW_NAME_POLICY_IDLE_SITE = 'eCrmHomeEditionSiteIdle'; FW_NAME_POLICY_IDLE_SITE2 = 'eCrmHomeEditionSiteIdl2'; FW_NAME_POLICY_CTRL = 'eCrmHomeEdition'; // FW_NAME_POLICY_BROWSER_CHROME = 'eCrmHomeEditionBchrome'; // FW_NAME_POLICY_BROWSER_EDGE = 'eCrmHomeEditionBedge'; // FW_NAME_POLICY_BROWSER_FIREFOX = 'eCrmHomeEditionBFirefox'; // FW_NAME_POLICY_BROWSER_IEXPLORER1 = 'eCrmHomeEditionBExplorer1'; // FW_NAME_POLICY_BROWSER_IEXPLORER2 = 'eCrmHomeEditionBExplorer2'; // FW_NAME_POLICY_BROWSER_OPERA = 'eCrmHomeEditionBOpera'; FW_NAME_POLICY_BROWSER_VIVALDI = 'eCrmHomeEditionBVivaldi'; { TThreadFirewall } function Get_POLICY_OUTBLOCK(aProtocol: Integer = NET_FW_IP_PROTOCOL_TCP): TFwRule; begin ZeroMemory(@Result, SizeOf(Result)); with Result do begin sGroup := TOCSG_GROUP; sDesc := 'Open Product default protocols over '; case aProtocol of NET_FW_IP_PROTOCOL_TCP : sDesc := sDesc + 'TCP'; NET_FW_IP_PROTOCOL_UDP : sDesc := sDesc + 'UDP'; NET_FW_IP_PROTOCOL_ANY : sDesc := sDesc + 'TCP/UDP'; end; nProtocol := aProtocol; nProfiles := FW_PROFILE_ANY; nAction := NET_FW_ACTION_BLOCK; nDirection := NET_FW_RULE_DIR_OUT; bEnabled := true; end; end; //function Get_POLICY_DEFAULT_INDIR: TFwRule; //begin // Result := Get_POLICY_OUTBLOCK; // with Result do // begin // sName := FW_NAME_POLICY_DEFAULT_INDIR; // sGroup := TOCSG_GROUP; // nAction := NET_FW_ACTION_ALLOW; // nDirection := NET_FW_RULE_DIR_IN; // sLocalPorts := DEF_INTERNAL_PORT; // sRemotePorts := DEF_INTERNAL_PORT; // end; //end; // //function Get_POLICY_DEFAULT_OUTDIR: TFwRule; //begin // Result := Get_POLICY_OUTBLOCK; // with Result do // begin // sName := FW_NAME_POLICY_DEFAULT_OUTDIR; // sGroup := TOCSG_GROUP; // nAction := NET_FW_ACTION_ALLOW; // sLocalPorts := DEF_INTERNAL_PORT; // sRemotePorts := DEF_INTERNAL_PORT; // end; //end; function Get_POLICY_DEFAULTBLOCK_PORT: TFwRule; begin Result := Get_POLICY_OUTBLOCK; with Result do begin sName := FW_NAME_POLICY_DEFAULTBLOCK_PORT; sRemotePorts := '20,21,23,25,69,110,119,123,143,989,990,2501,5001,9100,9101,9102,9600'; end; TTgTrace.T('기본 포트 차단 등록. Port=%s', [Result.sRemotePorts], 2); if gMgSvc <> nil then gMgSvc.SendEventLogEx(LOG_REG_BASIC_PORT_BLOCK, Result.sRemotePorts, false); end; function StrListToList(aStrList: String; aList: TStringList): Integer; var StrList: TStringList; sVal: String; i: Integer; begin Result := 0; aList.Clear; if aStrList = '' then exit; Guard(StrList, TStringList.Create); sVal := StringReplace(aStrList, ';', '|', [rfReplaceAll]); sVal := StringReplace(sVal, ' ', '|', [rfReplaceAll]); Result := SplitString(sVal, '|', aList); end; function Get_POLICY_EXTRABLOCK_PORT(bAllPortBlk: Boolean = false): TFwRule; var sPort, sBlkPorts: String; i, c, nPos, nPortPos, nPortEnd: Integer; SvrList: TStringList; begin if not bAllPortBlk then begin sBlkPorts := ''; if gMgSvc.ModePolicy.ExtraPortEnableType = PREF_PORTEX_WHITE then begin var StrList: TStringList; Guard(StrList, TStringList.Create); SplitString(StrListToCommaStr(gMgSvc.ModePolicy.BlockPortList), ',', StrList); var PortList: TList; Guard(PortList, TList.Create); // 서버 접속 포트 예외 등록 22_0729 10:58:44 kku Guard(SvrList, TStringList.Create); GetDestServerList(SvrList); nPortPos := 0; for i := 0 to SvrList.Count - 1 do begin sPort := StringReplace(SvrList[i], 'https://', '', [rfReplaceAll]); sPort := StringReplace(sPort, 'http://', '', [rfReplaceAll]); nPos := Pos(':', sPort); if nPos = 0 then continue; Delete(sPort, 1, nPos); nPos := Pos('/', sPort); if nPos = 0 then continue; SetLength(sPort, nPos - 1); c := StrToIntDef(sPort, -1); if (c <> -1) and (PortList.IndexOf(c) = -1) then begin PortList.Add(c); Inc(nPortPos); end; end; // 서버 사용 포트가 없다면 80을 기본 추가해준다. 22_0803 08:17:44 kku if (nPortPos = 0) and (PortList.IndexOf(80) = -1) then PortList.Add(80); for i := 0 to StrList.Count - 1 do begin sPort := StrList[i]; nPos := Pos('-', sPort); if nPos > 0 then begin nPortPos := StrToIntDef(Copy(sPort, 1, nPos - 1), -1); Delete(sPort, 1, nPos); nPortEnd := StrToIntDef(sPort, -1); if (nPortPos > -1) and (nPortEnd > -1) and (nPortPos < nPortEnd) then begin while nPortPos <= nPortEnd do begin if PortList.IndexOf(nPortPos) = -1 then PortList.Add(nPortPos); Inc(nPortPos); end; end; end else begin nPortPos := StrToIntDef(StrList[i], -1); if (nPortPos <> -1) and (PortList.IndexOf(nPortPos) = -1) then PortList.Add(nPortPos); end; end; PortList.Sort; // 0-65535 nPos := 0; nPortPos := 0; for i := 0 to PortList.Count - 1 do begin if (i <> (PortList.Count - 1)) and (PortList[i + 1] = (PortList[i] + 1)) then begin if nPos = 0 then begin SumString(sBlkPorts, Format('%d-%d', [nPortPos, PortList[i] - 1]), ','); nPortPos := PortList[i]; end; Inc(nPos); continue; end; if nPos <> 0 then begin Inc(nPortPos, nPos + 1); nPos := 0; end else begin if (PortList[i] <> 0) and ((PortList[i] - nPortPos) <> 1) then begin SumString(sBlkPorts, Format('%d-%d', [nPortPos, PortList[i] - 1]), ','); end else SumString(sBlkPorts, IntToStr(nPortPos), ','); nPortPos := PortList[i] + 1; end; end; Inc(nPortPos, nPos); if nPortPos < 65535 then SumString(sBlkPorts, Format('%d-65535', [nPortPos]), ','); end else sBlkPorts := StrListToCommaStr(gMgSvc.ModePolicy.BlockPortList, ',', true); if sBlkPorts = '' then sBlkPorts := '21'; end else sBlkPorts := '*'; Result := Get_POLICY_OUTBLOCK; with Result do begin sName := FW_NAME_POLICY_EXTRABLOCK_PORT; sDesc := 'Prevent extra protocols over TCP'; sRemotePorts := sBlkPorts; end; TTgTrace.T('추가 포트 차단 등록. Port=%s', [Result.sRemotePorts], 2); if gMgSvc <> nil then gMgSvc.SendEventLogEx(LOG_REG_USER_PORT_BLOCK, Result.sRemotePorts, false); end; function Get_POLICY_POLICY_IDLE: TFwRule; begin Result := Get_POLICY_OUTBLOCK; with Result do begin sName := FW_NAME_POLICY_IDLE; sRemotePorts := '80,135,445,902,912,1025,1026,1027,1028,1041,1688,3838,5357,8443,23401'; end; end; function Get_POLICY_IDLE_SITE: TFwRule; begin Result := Get_POLICY_OUTBLOCK; with Result do begin sName := FW_NAME_POLICY_IDLE_SITE; sRemotePorts := '443,3478,3479,5938,8801,8802'; sRemoteAddresses := '193.1.1.1-255.255.255.255'; end; end; function Get_POLICY_IDLE_SITE2: TFwRule; begin Result := Get_POLICY_OUTBLOCK; with Result do begin sName := FW_NAME_POLICY_IDLE_SITE2; sRemotePorts := '443,3478,3479,5938,8801,8802'; sRemoteAddresses := '20.10.10.10-110.255.255.255'; end; end; function Get_POLICY_APP(sPath: String): TFwRule; begin Result := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY); with Result do begin sName := 'eCrmHE-B_' + ExtractFileName(CutFileExt(sPath)); sAppName := sPath; sDesc := 'Prevent Network Access'; // sRemotePorts := '443,80,8080,8443,135,445,902,912,1025,1026,1027,1028,1688,3838,5357,23401'; end; end; function Get_POLICY_BROWSER_VIVALDI: TFwRule; begin Result := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY); with Result do begin sName := FW_NAME_POLICY_BROWSER_VIVALDI; sAppName := Format('C:\Users\%s\AppData\Local\Programs\Opera\launcher.exe', [WTS_GetCurrentUserName]); sRemotePorts := '443,80,8080,8443,135,445,902,912,1025,1026,1027,1028,1688,3838,5357,23401'; end; end; function GetSvrDestIpCommaStr: String; var EntList: TStringList; i, nPos: Integer; sVal: String; begin Result := ''; Guard(EntList, TStringList.Create); GetDestServerList(EntList); for i := 0 to EntList.Count - 1 do begin sVal := StringReplace(EntList[i], 'http://', '', [rfReplaceAll]); sVal := StringReplace(sVal, 'https://', '', [rfReplaceAll]); nPos := Pos(':', sVal); if nPos > 0 then Delete(sVal, nPos, Length(sVal) - nPos + 1); if IsValidIP(sVal) then SumString(Result, sVal, ','); end; end; procedure ConvBlockIp(sIpCommaStr: String; aDestList: TStringList; bIgrSvrDest: Boolean = true); var sIp, sStart, sVal, sEnd: String; SrcList, EntList: TStringList; i, ii, nPos: Integer; dwIp, dwNextIp: DWORD; IpList: TList; DcIpEx: TDictionary; dwBeginIp, dwEnd: DWORD; function GetIpRangeEnd(aIp: DWORD): DWORD; var c: Integer; begin if (DcIpEx.Count > 0) and DcIpEx.ContainsKey(aIp) then begin Result := GetIpRangeEnd(DcIpEx[aIp]); DcIpEx.Remove(aIp); while i < IpList.Count do begin aIp := IpList[i]; if aIp > Result then break; Inc(i); end; exit; end; c := 0; while (i + c) < IpList.Count do begin dwNextIp := IpList[i + c]; if (aIp + c + 1) <> dwNextIp then break; if (DcIpEx.Count > 0) and DcIpEx.ContainsKey(aIp) then begin Result := GetIpRangeEnd(DcIpEx[aIp]); exit; end; Inc(c); end; if c > 0 then Inc(i, c) else Inc(i); Result := aIp + c; end; begin aDestList.Clear; if sIpCommaStr = '' then exit; Guard(SrcList, TStringList.Create); Guard(EntList, TStringList.Create); SrcList.CommaText := sIpCommaStr; if SrcList.Count = 0 then exit; // 서버 IP 정보도 예외 추가 22_0526 09:32:04 kku if bIgrSvrDest then begin GetDestServerList(EntList); for i := 0 to EntList.Count - 1 do begin sVal := StringReplace(EntList[i], 'http://', '', [rfReplaceAll]); sVal := StringReplace(sVal, 'https://', '', [rfReplaceAll]); nPos := Pos(':', sVal); if nPos > 0 then Delete(sVal, nPos, Length(sVal) - nPos + 1); if IsValidIP(sVal) and (SrcList.IndexOf(sVal) = -1) then SrcList.Add(sVal); end; end; Guard(IpList, TList.Create); Guard(DcIpEx, TDictionary.Create); for i := 0 to SrcList.Count - 1 do begin sIp := SrcList[i]; nPos := Pos('-', sIp); if nPos > 0 then begin sEnd := Copy(sIp, nPos + 1, Length(sIp) - nPos); Delete(sIp, nPos, Length(sIp) - nPos + 1); if IsValidIP(sIp, false) and IsValidIP(sEnd) and (IPToDWORD(sIp) < IPToDWORD(sEnd)) then begin dwIp := IPToDWORD(sIp); if (IpList.IndexOf(dwIp) = -1) and not DcIpEx.ContainsKey(dwIp) then begin DcIpEx.Add(dwIp, IPToDWORD(sEnd)); IpList.Add(dwIp); end; end; end else begin dwIp := IPToDWORD(SrcList[i]); if (dwIp <> 0) and (IpList.IndexOf(dwIp) = -1) then IpList.Add(dwIp); end; end; IpList.Sort; sVal := ''; dwBeginIp := 0; i := 0; while i < IpList.Count do begin dwIp := IpList[i]; if dwBeginIp = dwIp then begin dwBeginIp := GetIpRangeEnd(dwIp) + 1; continue; end; dwEnd := dwIp - 1; if dwEnd = 0 then sVal := DWORDToIP(dwBeginIp) else sVal := DWORDToIP(dwBeginIp) + '-' + DWORDToIP(dwEnd); if aDestList.IndexOf(sVal) = -1 then aDestList.Add(sVal); dwBeginIp := GetIpRangeEnd(dwIp) + 1; end; sVal := DWORDToIP(dwBeginIp) + '-255.255.255.255'; if aDestList.IndexOf(sVal) = -1 then aDestList.Add(sVal); end; { TThdFirewall } Constructor TThdFirewall.Create; begin Inherited Create; if IsFirewallLowCheck then Priority := tpLowest; end; procedure TThdFirewall.Execute; const SEC_URLIP_API = 5; SEC_URLIP_NSLOOKUP = 300; var fwPolicy2: INetFwPolicy2; fwRules: INetFwRules; FwRuleList: TFwRuleEntList; PrevVpnCfg, NewVpnCfg: TVpnFwConfg; PrevSlpCfg, NewSlpCfg: TSleepFwConfg; ExcpAppIpList, FwRegAppList: TStringList; ProcList: TProcessEntList; CtrlType: TNetCtrlType; bWhiteIp: Boolean; // APP 차단, APP만 허용에서 예외 IP 처리 시 화이트 리스트로 처리하도록 체크 22_0721 14:24:09 kku // 도메인차단 dwUrlIpApiTick, dwUrlIpNslookupTick: DWORD; bUrlIpAdded: Boolean; DcUrlIps: TDictionary; procedure ExtractUrlIps; var enum: TEnumerator; IpList, ChkList: TStringList; i: Integer; dwTick: DWORD; bDoNslookup: Boolean; begin try if DcUrlIps.Count = 0 then exit; dwTick := GetTickCount; if dwUrlIpApiTick = 0 then begin dwUrlIpApiTick := dwTick; dwUrlIpNslookupTick := dwTick; exit; end; bDoNslookup := ((dwTick - dwUrlIpNslookupTick) div 1000) >= SEC_URLIP_NSLOOKUP; if bDoNslookup then begin dwUrlIpApiTick := dwTick; dwUrlIpNslookupTick := dwTick; end else begin if ((dwTick - dwUrlIpApiTick) div 1000) < SEC_URLIP_API then exit; dwUrlIpApiTick := dwTick; end; Guard(IpList, TStringList.Create); Guard(ChkList, TStringList.Create); Guard(enum, DcUrlIps.Keys.GetEnumerator); while enum.MoveNext do begin SplitString(DcUrlIps[enum.Current], ',', IpList); if bDoNslookup then SplitString(ExtractIPsFromUrl(enum.Current), ',', ChkList) else SplitString(GetHostIPsFromDomain(enum.Current), ',', ChkList); for i := 0 to ChkList.Count - 1 do if IpList.IndexOf(ChkList[i]) = -1 then begin DcUrlIps[enum.Current] := DcUrlIps[enum.Current] + ',' + ChkList[i]; _Trace('CatchIP .. URL=%s, IP=%s', [enum.Current, ChkList[i]], 2); bUrlIpAdded := true; end; end; except on E: Exception do ETgException.TraceException(Self, E, 'Fail .. ExtractUrlIps()'); end; end; function IsSameVpnCfg: Boolean; begin Result := false; with PrevVpnCfg do begin if bBlkExcept <> NewVpnCfg.bBlkExcept then exit; if bBlkDefPort <> NewVpnCfg.bBlkDefPort then exit; if nBlkExtPortType <> NewVpnCfg.nBlkExtPortType then exit; if sBlkPorts <> NewVpnCfg.sBlkPorts then exit; if sNetCtrlType <> NewVpnCfg.sNetCtrlType then exit; if sNetCtrlList <> NewVpnCfg.sNetCtrlList then exit; if sNetBlkExcept <> NewVpnCfg.sNetBlkExcept then exit; end; Result := true; end; function IsSameSlpCfg: Boolean; begin Result := false; with PrevSlpCfg do begin if sSleepList <> NewSlpCfg.sSleepList then exit; if sSleepBlockType <> NewSlpCfg.sSleepBlockType then exit; end; Result := true; end; function CheckRuleState(aEnt: PFwRuleEnt; bIsOrgBlock: Boolean): Boolean; begin // 규칙이 있지만 꺼져있거나 연결 허용, 차단이 제대로 되어 있는 체크 22_0516 16:29:02 kku Result := false; if not aEnt.bEnabled then exit; if (aEnt.nAction = NET_FW_ACTION_ALLOW) and bIsOrgBlock then exit; if (aEnt.nAction = NET_FW_ACTION_BLOCK) and not bIsOrgBlock then exit; Result := true; end; function CheckRuleState2(aEnt: PFwRuleEnt; sIp: String): Boolean; begin // IP 차단 체크 전용 Result := false; if not aEnt.bEnabled then exit; if aEnt.nAction <> NET_FW_ACTION_BLOCK then exit; if aEnt.sRemoteAddr <> sIp then exit; Result := true; end; procedure CheckAndRegApp; var i, c, n: Integer; sPath, sPName, sName, sNameHead: String; pEnt: PFwRuleEnt; FwRule: TFwRule; // DestList: TStringList; begin try if FwRegAppList.Count = 0 then exit; // Guard(DestList, TStringList.Create); sNameHead := 'eCrmHE-B_'; ProcList.UpdateProcessList; case CtrlType of nctAppBlack : begin for i := FwRegAppList.Count - 1 downto 0 do begin if Terminated or GetWorkStop then exit; sPName := FwRegAppList[i]; if CompareText(EXE_HE, sPName) = 0 then continue; pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName)); if pEnt = nil then begin sPath := ProcList.GetProcPathByName(sPName); if (sPath <> '') and FileExists(sPath) then begin FwRule := Get_POLICY_APP(sPath); if ExcpAppIpList.Count > 0 then FwRule.sRemoteAddresses := ExcpAppIpList.CommaText; if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); // 중복 실행된 프로세스가 있기 때문에 이렇게 추가 성공할 룰은 체크를 위해 바로 넣어줌 // FwRegAppList.Delete(i); // 계속 체크되도록 놔둠 22_0516 16:24:58 kku Finalize(FwRule); end; end else begin // FwRegAppList.Delete(i); // 계속 체크되도록 놔둠 22_0516 16:24:58 kku // 설정이 훼손되었다면 지운다. 그러면 반복되며 다시 설정 됨 22_0516 16:37:10 kku if not CheckRuleState(pEnt, true) then RemoveFwRule(fwRules, pEnt.sName); end; end; end; nctAppWhite : begin for c := 0 to ProcList.Count - 1 do begin if Terminated or GetWorkStop then exit; sPName := ProcList[c].sModuleBaseName; if FwRegAppList.IndexOf(sPName) = -1 then begin pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName)); if pEnt = nil then begin sPath := ProcList[c].sModuleFileName; if (sPath <> '') and FileExists(sPath) then begin FwRule := Get_POLICY_APP(sPath); if bWhiteIp then begin if ExcpAppIpList.Count > 0 then FwRule.sRemoteAddresses := ExcpAppIpList.CommaText; end; if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); // 중복 실행된 프로세스가 있기 때문에 이렇게 추가 성공할 룰은 체크를 위해 바로 넣어줌 Finalize(FwRule); end; end else begin // 설정이 훼손되었다면 지운다. 그러면 반복되며 다시 설정 됨 22_0516 16:37:10 kku if not CheckRuleState(pEnt, true) then RemoveFwRule(fwRules, pEnt.sName); end; end else if not bWhiteIp and (ExcpAppIpList.Count > 0) and (CompareText(EXE_HE, sPName) <> 0) then begin // 예외 IP가 있다면 차단 등록한다 22_0602 17:46:05 kku for n := 0 to ExcpAppIpList.Count - 1 do begin sName := StringReplace(ExcpAppIpList[n], '.', '', [rfReplaceAll]); sName := StringReplace(sName, '-', '', [rfReplaceAll]); sName := sNameHead + CutFileExt(sPName) + sName; pEnt := FwRuleList.GetFwRuleByName(sName); if pEnt = nil then begin sPath := ProcList[c].sModuleFileName; if (sPath <> '') and FileExists(sPath) then begin FwRule := Get_POLICY_APP(sPath); FwRule.sName := sName; FwRule.sRemoteAddresses := ExcpAppIpList[n]; if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); Finalize(FwRule); end; end; end; end; end; end; nctIpBlack : begin for c := 0 to ProcList.Count - 1 do begin if Terminated or GetWorkStop then exit; sPName := ProcList[c].sModuleBaseName; if FwRegAppList.IndexOf(sPName) = -1 then begin for n := 0 to ExcpAppIpList.Count - 1 do begin sName := StringReplace(ExcpAppIpList[n], '.', '', [rfReplaceAll]); sName := StringReplace(sName, '-', '', [rfReplaceAll]); sName := sNameHead + CutFileExt(sPName) + sName; pEnt := FwRuleList.GetFwRuleByName(sName); if pEnt = nil then begin sPath := ProcList[c].sModuleFileName; if (sPath <> '') and FileExists(sPath) then begin FwRule := Get_POLICY_APP(sPath); FwRule.sName := sName; FwRule.sRemoteAddresses := ExcpAppIpList[n]; if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); Finalize(FwRule); end; end; end; end; end; end; nctIpWhite : begin for i := FwRegAppList.Count - 1 downto 0 do begin if Terminated or GetWorkStop then exit; sPName := FwRegAppList[i]; if CompareText(EXE_HE, sPName) = 0 then continue; pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName)); if pEnt = nil then begin sPath := ProcList.GetProcPathByName(sPName); if (sPath <> '') and FileExists(sPath) then begin FwRule := Get_POLICY_APP(sPath); if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); Finalize(FwRule); end; end else begin if not CheckRuleState(pEnt, true) then RemoveFwRule(fwRules, pEnt.sName); end; end; end; end; except on E: Exception do begin ExcpAppIpList.Clear; FwRegAppList.Clear; ETgException.TraceException(E, 'Fail .. CheckAndRegApp()'); end; end; end; procedure AddIpRangeToStrings(sRangeIp: String; aList: TStrings); var nPos, nRange: Integer; i, nBegin: Integer; IpClass: TStringList; sIp: String; begin nPos := Pos('/', sRangeIp); if nPos = 0 then exit; nRange := StrToIntDef(Copy(sRangeIp, nPos + 1, Length(sRangeIp) - nPos), 0); Delete(sRangeIp, nPos, Length(sRangeIp) - nPos + 1); if not IsValidIP(sRangeIp) then exit; if nRange = 0 then begin if aList.IndexOf(sRangeIp) = -1 then aList.Add(sRangeIp); exit; end; if nRange > 255 then nRange := 255; Guard(IpClass, TStringList.Create); if SplitString(sRangeIp, '.', IpClass) > 3 then begin nBegin := StrToIntDef(IpClass[3], 999); if nBegin >= nRange then begin // 범위 체크 if aList.IndexOf(sRangeIp) = -1 then aList.Add(sRangeIp); exit; end; for i := 0 to (nRange - nBegin) do begin sIp := Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin + i]); if aList.IndexOf(sIp) = -1 then aList.Add(sIp); if (nBegin + i) = 255 then break; end; end; end; function ConvIpRangeToFwIps(sRangeIp: String; bIgrSvrIp: Boolean = false): String; var nPos, nRange: Integer; i, nBegin: Integer; IpClass: TStringList; sIp, sSvrIp: String; begin Result := ''; nPos := Pos('/', sRangeIp); if nPos = 0 then exit; nRange := StrToIntDef(Copy(sRangeIp, nPos + 1, Length(sRangeIp) - nPos), 0); Delete(sRangeIp, nPos, Length(sRangeIp) - nPos + 1); if not IsValidIP(sRangeIp) then exit; if nRange = 0 then begin Result := sRangeIp; exit; end; if nRange > 255 then nRange := 255; Guard(IpClass, TStringList.Create); if SplitString(sRangeIp, '.', IpClass) > 3 then begin if StrToIntDef(IpClass[3], 999) < nRange then begin Result := sRangeIp + '-' + Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nRange]) end else Result := sRangeIp; if bIgrSvrIp then begin // 현재 접속중인 서버 IP만 빼주자 22_0607 13:17:18 kku sSvrIp := StringReplace(gMgSvc.DestServerUrl, 'http://', '', [rfReplaceAll]); sSvrIp := StringReplace(sSvrIp, 'https://', '', [rfReplaceAll]); nPos := Pos(':', sSvrIp); if nPos > 0 then Delete(sSvrIp, nPos, Length(sSvrIp) - nPos + 1); if IsValidIP(sSvrIp) then begin nBegin := StrToIntDef(IpClass[3], 999); if nBegin >= nRange then begin Result := sRangeIp; exit; end; for i := 0 to (nRange - nBegin) do begin sIp := Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin + i]); if sIp = sSvrIp then begin if i = 0 then begin Result := Format('%s.%s.%s.%d-%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin + 1, IpClass[0], IpClass[1], IpClass[2], nRange]); end else if i = (nRange - nBegin) then begin Result := Format('%s.%s.%s.%d-%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin, IpClass[0], IpClass[1], IpClass[2], nRange - 1]); end else begin Result := Format('%s.%s.%s.%d-%s.%s.%s.%d,', [IpClass[0], IpClass[1], IpClass[2], nBegin, IpClass[0], IpClass[1], IpClass[2], nBegin + i - 1]); Result := Result + Format('%s.%s.%s.%d-%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin +i + 1, IpClass[0], IpClass[1], IpClass[2], nRange]); end; break; end; if (nBegin + i) = 255 then begin Result := sRangeIp + '-' + Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nRange]); break; end; end; end; end; end; end; procedure ProcessNetCtrl(aCtrlList, aExcpList: String); var FwRule: TFwRule; sIp, sEnt, sEnd, sName, sFwName: String; pEnt: PFwRuleEnt; TempList, DestList, ExcpList: TStringList; i, c, n: Integer; begin Guard(TempList, TStringList.Create); Guard(ExcpList, TStringList.Create); bWhiteIp := aExcpList.StartsWith('@WHITEIP:'); ExcpList.CommaText := StrListToCommaStr(aExcpList); case CtrlType of nctFalse : ; nctAppBlack, nctAppWhite : begin if FwRegAppList.Count > 0 then exit; FwRegAppList.CommaText := StrListToCommaStr(aCtrlList); if CtrlType = nctAppWhite then begin FwRegAppList.Add(EXE_HE); // 나 추가 FwRegAppList.Add(EXE_MG); // 나 추가 FwRegAppList.Add('svchost.exe'); // 이거까지 차단하면 DNS 서비스 동작이 멈춘다 22_0524 13:10:30 kku FwRegAppList.Add('MsMpEng.exe'); // 디펜더 관련 for i := 0 to ExcpList.Count - 1 do begin sEnt := ExcpList[i]; if (UpperCase(GetFileExt(sEnt)) = 'EXE') and (FwRegAppList.IndexOf(sEnt) = -1) then begin FwRegAppList.Add(sEnt) end else if sEnt.Contains('/') then begin // IP 범위 체크, 추가 AddIpRangeToStrings(sEnt, ExcpAppIpList); end else if IsValidIpRange(sEnt) then begin // IP 범위 체크, 추가 22_0825 15:57:05 kku if ExcpAppIpList.IndexOf(sEnt) = -1 then ExcpAppIpList.Add(sEnt); end else begin if IsValidIP(sEnt) then begin if ExcpAppIpList.IndexOf(sEnt) = -1 then ExcpAppIpList.Add(sEnt); end else begin // URL에서 IP 추출 22_0915 08:54:12 kku if not DcUrlIps.ContainsKey(sEnt) then begin sIp := ExtractIPsFromUrl(sEnt); DcUrlIps.Add(sEnt, sIp); end else sIp := DcUrlIps[sEnt]; if sIp <> '' then begin SplitString(sIp, ',', TempList); for c := 0 to TempList.Count - 1 do if ExcpAppIpList.IndexOf(TempList[c]) = -1 then ExcpAppIpList.Add(TempList[c]); end; end; end; end; // 후처리 22_0804 14:48:41 kku if bWhiteIp and (ExcpAppIpList.Count > 0) then ConvBlockIp(ExcpAppIpList.CommaText, ExcpAppIpList, false); end else if CtrlType = nctAppBlack then begin for i := 0 to ExcpList.Count - 1 do begin sEnt := ExcpList[i]; if UpperCase(GetFileExt(sEnt)) = 'EXE' then begin c := FwRegAppList.IndexOf(sEnt); if c <> -1 then FwRegAppList.Delete(c); end else if sEnt.Contains('/') then begin // IP 범위 체크, 추가 AddIpRangeToStrings(sEnt, ExcpAppIpList); end else if IsValidIpRange(sEnt) then begin // IP 범위 체크, 추가 22_0825 15:57:05 kku if ExcpAppIpList.IndexOf(sEnt) = -1 then ExcpAppIpList.Add(sEnt); end else begin if IsValidIP(sEnt) then begin if ExcpAppIpList.IndexOf(sEnt) = -1 then ExcpAppIpList.Add(sEnt); end else begin // URL에서 IP 추출 22_0915 08:54:12 kku if not DcUrlIps.ContainsKey(sEnt) then begin sIp := ExtractIPsFromUrl(sEnt); DcUrlIps.Add(sEnt, sIp); end else sIp := DcUrlIps[sEnt]; if sIp <> '' then begin SplitString(sIp, ',', TempList); for c := 0 to TempList.Count - 1 do if ExcpAppIpList.IndexOf(TempList[c]) = -1 then ExcpAppIpList.Add(TempList[c]); end; end; end; end; c := FwRegAppList.IndexOf(EXE_HE); if c <> -1 then FwRegAppList.Delete(c); // 후처리 22_0804 14:48:41 kku if ExcpAppIpList.Count > 0 then ConvBlockIp(ExcpAppIpList.CommaText, ExcpAppIpList, false); end; CheckAndRegApp; end; nctIpBlack : begin Guard(DestList, TStringList.Create); DestList.CommaText := StrListToCommaStr(aCtrlList); if (aExcpList <> '') and aExcpList.ToUpper.Contains('.EXE') then begin // APP 예외 정책이 있으면 if FwRegAppList.Count = 0 then begin ExcpAppIpList.Clear; for i := 0 to DestList.Count - 1 do begin sEnt := DestList[i]; if sEnt.Contains('/') then begin sIp := ConvIpRangeToFwIps(sEnt); if sIp <> '' then ExcpAppIpList.Add(sIp); end else if IsValidIpRange(sEnt) then begin sIp := sEnt; n := Pos('-', sIp); if n > 0 then begin sEnd := Copy(sIp, n + 1, Length(sIp) - n); Delete(sIp, n, Length(sIp) - n + 1); if IsValidIP(sIp, false) and IsValidIP(sEnd) and (IPToDWORD(sIp) < IPToDWORD(sEnd)) then ExcpAppIpList.Add(sEnt); end; end else begin if IsValidIP(sEnt) then begin if ExcpAppIpList.IndexOf(sEnt) = -1 then ExcpAppIpList.Add(sEnt); end else begin // URL에서 IP 추출 22_0915 08:54:12 kku if not DcUrlIps.ContainsKey(sEnt) then begin sIp := ExtractIPsFromUrl(sEnt); DcUrlIps.Add(sEnt, sIp); end else sIp := DcUrlIps[sEnt]; if sIp <> '' then begin SplitString(sIp, ',', TempList); for c := 0 to TempList.Count - 1 do if ExcpAppIpList.IndexOf(TempList[c]) = -1 then ExcpAppIpList.Add(TempList[c]); end; end; end; end; FwRegAppList.Add(EXE_HE); FwRegAppList.Add(EXE_MG); DestList.CommaText := StrListToCommaStr(aExcpList); for i := 0 to DestList.Count - 1 do begin if DestList[i].ToUpper.Contains('.EXE') and (FwRegAppList.IndexOf(DestList[i]) = -1) then FwRegAppList.Add(DestList[i]); end; CheckAndRegApp; end; exit; end; sName := FW_NAME_POLICY_CTRL + 'B_Ips'; // pEnt := FwRuleList.GetFwRuleByName(sName); for i := 0 to ExcpList.Count - 1 do begin c := DestList.IndexOf(ExcpList[i]); if c <> -1 then DestList.Delete(c); end; for i := 0 to DestList.Count - 1 do begin sIp := DestList[i]; if sIp.Contains('/') then begin sIp := ConvIpRangeToFwIps(sIp, true); if sIp = '' then continue; end else if IsValidIpRange(sIp) then begin // IsValidIpRange() 여기서 체크하는걸로 수정 22_1011 14:05:04 kku // 아래에서 할거 없음 // n := Pos('-', sIp); // if n > 0 then // begin // sEnd := Copy(sIp, n + 1, Length(sIp) - n); // Delete(sIp, n, Length(sIp) - n + 1); // if not IsValidIP(sIp, false) or not IsValidIP(sEnd) or // (IPToDWORD(sIp) >= IPToDWORD(sEnd)) then // continue; // // sIp := DestList[i]; // end; end else begin if not IsValidIP(sIp) then begin sEnt := sIp; if not DcUrlIps.ContainsKey(sEnt) then begin sIp := ExtractIPsFromUrl(sEnt); DcUrlIps.Add(sEnt, sIp); end else sIp := DcUrlIps[sEnt]; if sIp = '' then continue; end; end; sFwName := sName + IntToStr(i + 1); pEnt := FwRuleList.GetFwRuleByName(sFwName); if (pEnt = nil) or not CheckRuleState(pEnt, true) then begin if pEnt <> nil then begin RemoveFwRule(fwRules, sFwName); FwRuleList.RemoveAddedRule(sFwName); end; FwRule := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY); FwRule.sName := sFwName; FwRule.sRemoteAddresses := sIp; // StrListToCommaStr(aCtrlList); if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); Finalize(FwRule); end; end; end; nctIpWhite : begin var DestTempList, ExcpTempList: TStringList; Guard(DestTempList, TStringList.Create); Guard(ExcpTempList, TStringList.Create); Guard(DestList, TStringList.Create); DestList.CommaText := StrListToCommaStr(aCtrlList); for i := 0 to DestList.Count - 1 do begin // 범위 지정 처리등 sIp := DestList[i]; if sIp.Contains('/') then begin AddIpRangeToStrings(sIp, DestTempList); end else if IsValidIpRange(sIp) then begin // IP 범위 체크, 추가 22_0825 15:57:05 kku if DestTempList.IndexOf(sIp) = -1 then DestTempList.Add(sIp); end else begin if IsValidIP(sIp) then begin if DestTempList.IndexOf(sIp) = -1 then DestTempList.Add(sIp); end else begin // URL에서 IP 추출 22_0915 08:54:12 kku sEnt := sIp; if not DcUrlIps.ContainsKey(sEnt) then begin sIp := ExtractIPsFromUrl(sEnt); DcUrlIps.Add(sEnt, sIp); end else sIp := DcUrlIps[sEnt]; if sIp <> '' then begin SplitString(sIp, ',', TempList); for c := 0 to TempList.Count - 1 do if DestTempList.IndexOf(TempList[c]) = -1 then DestTempList.Add(TempList[c]); end; end; end; end; for i := 0 to ExcpList.Count - 1 do begin // 예외처리 sIp := ExcpList[i]; if sIp.Contains('/') then begin AddIpRangeToStrings(sIp, ExcpTempList); for c := 0 to ExcpTempList.Count - 1 do begin n := DestTempList.IndexOf(ExcpTempList[c]); if n <> -1 then DestTempList.Delete(n); end; end else if IsValidIpRange(sIp) then begin if ExcpTempList.IndexOf(sIp) = -1 then ExcpTempList.Add(sIp); end else begin n := DestTempList.IndexOf(sIp); if n <> -1 then DestTempList.Delete(n); end; end; ConvBlockIp(DestTempList.CommaText, DestList); if DestList.Count = 0 then exit; // FwRule.sRemoteAddresses := DestList.CommaText; 이렇게 한꺼번에 지정해도 된다. // 일단 원안대로 이렇게 따로 등록함. 22_0517 08:33:23 kku for i := 0 to DestList.Count - 1 do begin sIp := DestList[i]; sName := StringReplace(sIp, '-', '', [rfReplaceAll]); sName := StringReplace(sName, '.', '', [rfReplaceAll]); sName := 'eCrmHE-' + sName; pEnt := FwRuleList.GetFwRuleByName(sName); if (pEnt = nil) or not CheckRuleState2(pEnt, sIp) then begin if pEnt <> nil then begin RemoveFwRule(fwRules, pEnt.sName); FwRuleList.RemoveAddedRule(pEnt.sName); end; FwRule := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY); FwRule.sName := sName; FwRule.nAction := NET_FW_ACTION_BLOCK; FwRule.sRemoteAddresses := sIp; if AddFwRule(fwRules, FwRule) <> nil then FwRuleList.AddAddedRule(FwRule); Finalize(FwRule); end; end; if (aExcpList <> '') and aExcpList.ToUpper.Contains('.EXE') then begin // APP 예외 정책이 있으면 if FwRegAppList.Count = 0 then begin ExcpAppIpList.Clear; DestList.CommaText := StrListToCommaStr(aExcpList); for i := 0 to DestList.Count - 1 do begin if DestList[i].ToUpper.Contains('.EXE') and (FwRegAppList.IndexOf(DestList[i]) = -1) and (CompareText(EXE_HE, DestList[i]) <> 0) and (CompareText(EXE_MG, DestList[i]) <> 0) then FwRegAppList.Add(DestList[i]); end; CheckAndRegApp; end; end; end; end; end; var pCheckEnt: PFwRuleEnt; i: Integer; bPrevUnsafeMode: Boolean; dwTick, dwFwCheckTick, dwSleepMSec, dwSleepLowMSec: DWORD; PO: TPrefModel; procedure LoadForceSetting; var ini: TIniFile; sPath: String; begin try sPath := GetProgramFilesDir + DIR_TG + INI_FORCEHE; if FileExists(sPath) then begin Guard(ini, TIniFile.Create(sPath)); dwSleepMSec := ini.ReadInteger('Force', 'FwInterval', 2) * 1000; dwSleepLowMSec := ini.ReadInteger('Force', 'FwLowDelay', 180) * 1000; end; except dwSleepMSec := 2000; dwSleepLowMSec := 180000; end; end; begin ZeroMemory(@PrevVpnCfg, SizeOf(PrevVpnCfg)); ZeroMemory(@NewVpnCfg, SizeOf(NewVpnCfg)); Guard(ExcpAppIpList, TStringList.Create); ExcpAppIpList.CaseSensitive := false; Guard(FwRegAppList, TStringList.Create); FwRegAppList.CaseSensitive := false; Guard(ProcList, TProcessEntList.Create); ProcList.DetailInfo := false; Guard(DcUrlIps, TDictionary.Create); dwUrlIpApiTick := 0; dwUrlIpNslookupTick := 0; if IsFirewallLowCheck then dwSleepMSec := 5000 else dwSleepMSec := 2000; dwSleepLowMSec := 180000; LoadForceSetting; CoInitialize(nil); try fwPolicy2 := CoNetFwPolicy2.Create; if fwPolicy2 = nil then begin {$IFDEF DEBUG} ASSERT(false); {$ELSE} nLastError_ := 1; _Trace('Fail .. Windows Defender - No Firewall Setting Info 11'); {$ENDIF} exit; end; fwRules := fwPolicy2.Rules; if fwRules = nil then begin {$IFDEF DEBUG} ASSERT(false); {$ELSE} nLastError_ := 2; _Trace('Fail .. Windows Defender - No Firewall Setting Info 22'); {$ENDIF} exit; end; ClearCrmFwPolicy(fwRules); Guard(FwRuleList, TFwRuleEntList.Create); dwFwCheckTick := 0; bPrevUnsafeMode := false; while not Terminated and not GetWorkStop do begin try PO := gMgSvc.ModePolicy; NewVpnCfg.sNetBlkExcept := PO.NetworkExceptList; NewVpnCfg.bBlkExcept := (PO.NetworkExceptType <> '') and (PO.NetworkExceptType <> 'false') and (NewVpnCfg.sNetBlkExcept <> ''); NewVpnCfg.bBlkDefPort := PO.IsDefPortBlock; NewVpnCfg.nBlkExtPortType := PO.ExtraPortEnableType; NewVpnCfg.sBlkPorts := PO.BlockPortList; NewVpnCfg.sNetCtrlType := PO.NetworkBlockType; NewVpnCfg.sNetCtrlList := PO.NetworkBlockList; if PO.IsNetBlockDay then begin var sChk: String := NewVpnCfg.sNetCtrlType.ToUpper; if (sChk <> PREF_NETAPP_WHITELIST) and (sChk <> PREF_NETAPP_BLACKLIST) then begin if not ((CompareDateTime(PO.NetBlockDayB, Now) = -1 ) and (CompareDateTime(PO.NetBlockDayE, Now) = 1)) then NewVpnCfg.sNetCtrlType := ''; end; end; ExtractUrlIps; if not IsSameVpnCfg or gMgSvc.NicService.IsChangeNetCfg or bUrlIpAdded then begin _Trace('방화벽 규칙 초기화', 2); // 방화벽 규칙 초기화, 셋팅 PrevVpnCfg := NewVpnCfg; ExcpAppIpList.Clear; FwRegAppList.Clear; // 도메인에서 새로운 IP 추출로 초기화 하는 경우 초기화 하지 않는다 22_1011 14:21:23 kku // 아에 프로그램 재시작전까지 초기화 안하는 방법도..? // 그럼 ExtractUrlIps() 이게 계속 실행되겠지.. if not bUrlIpAdded then DcUrlIps.Clear; bUrlIpAdded := false; dwUrlIpApiTick := 0; dwUrlIpNslookupTick := 0; ClearCrmFwPolicy(fwRules); gMgSvc.NicService.IsChangeNetCfg := false; dwFwCheckTick := 0; end; if not PrevVpnCfg.bBlkDefPort and (PrevVpnCfg.nBlkExtPortType = PREF_PORTEX_FALSE) and ( (PrevVpnCfg.sNetCtrlType = '') or (PrevVpnCfg.sNetCtrlType = 'false') or (PrevVpnCfg.sNetCtrlList = '') ) then begin Sleep(dwSleepMSec); continue; end; GetFwRulesToList(fwRules, FwRuleList); // 이거 점유율 체크 밑으로 내리면 새로운 프로세스 방화벽 등록이 느려짐 22_0721 15:05:00 kku // APP 방화벽 체크 CheckAndRegApp; // 저사양 PC에서 CPU 점유율을 낮추기 위해 느슨하게 체크 22_0719 16:49:20 kku if IsFirewallLowCheck then begin dwTick := GetTickCount; if ((dwFwCheckTick > 0) and ((dwTick - dwFwCheckTick) < dwSleepLowMSec)) then // 3분에 한번 begin Sleep(dwSleepMSec); continue; end; dwFwCheckTick := dwTick; end; // 기본 MG <--> HE 통신 포트 등록/체크 // MG.exe 사용하지 않음 22_1124 13:52:29 kku // pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULT_INDIR); // if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, false) then // begin // if pCheckEnt <> nil then // RemoveFwRule(fwRules, pCheckEnt.sName); // AddFwRule(fwRules, Get_POLICY_DEFAULT_INDIR); // end; // // pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULT_OUTDIR); // if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, false) then // begin // if pCheckEnt <> nil then // RemoveFwRule(fwRules, pCheckEnt.sName); // AddFwRule(fwRules, Get_POLICY_DEFAULT_OUTDIR); // end; try // 방화벽 on/off 체크 후 on으로 복구 if not fwPolicy2.FirewallEnabled[FW_PROFILE_PERSONAL] then begin fwPolicy2.FirewallEnabled[FW_PROFILE_PERSONAL] := true; _Trace('방화벽 설정 복구. (개인 네트워크)', 2); if gMgSvc <> nil then gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Private Network', false); end; if not fwPolicy2.FirewallEnabled[FW_PROFILE_PUBLIC] then begin fwPolicy2.FirewallEnabled[FW_PROFILE_PUBLIC] := true; _Trace('방화벽 설정 복구. (공용 네트워크)', 2); if gMgSvc <> nil then gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Public Network', false); end; if not fwPolicy2.FirewallEnabled[FW_PROFILE_DOMAIN] then begin fwPolicy2.FirewallEnabled[FW_PROFILE_DOMAIN] := true; _Trace('방화벽 설정 복구. (도메인 네트워크)', 2); if gMgSvc <> nil then gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Domain Network', false); end; except // .. end; if PrevVpnCfg.bBlkDefPort then begin pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULTBLOCK_PORT); if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, true) then begin if pCheckEnt <> nil then RemoveFwRule(fwRules, pCheckEnt.sName); AddFwRule(fwRules, Get_POLICY_DEFAULTBLOCK_PORT); end; end; if PrevVpnCfg.nBlkExtPortType <> PREF_PORTEX_FALSE then begin pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_EXTRABLOCK_PORT); if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, true) then begin if pCheckEnt <> nil then RemoveFwRule(fwRules, pCheckEnt.sName); AddFwRule(fwRules, Get_POLICY_EXTRABLOCK_PORT); end; end; if (PrevVpnCfg.sNetCtrlType <> '') and (PrevVpnCfg.sNetCtrlType <> 'false') and (PrevVpnCfg.sNetCtrlList <> '') then begin CtrlType := nctFalse; if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETAPP_WHITELIST then CtrlType := nctAppWhite else if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETAPP_BLACKLIST then CtrlType := nctAppBlack else if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETIP_WHITELIST then CtrlType := nctIpWhite else if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETIP_BLACKLIST then CtrlType := nctIpBlack; if PrevVpnCfg.bBlkExcept then ProcessNetCtrl(NewVpnCfg.sNetCtrlList, NewVpnCfg.sNetBlkExcept) else ProcessNetCtrl(NewVpnCfg.sNetCtrlList, ''); end; except on E: Exception do ETgException.TraceException(Self, E, 'Fail .. Execute()'); end; Sleep(dwSleepMSec); end; finally fwRules := nil; fwPolicy2 := nil; CoUninitialize; end; end; end.