kjkim
/
BSOne.SFC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
BSOne.SFC/eCrmHE/EXE_eCrmHomeEdition/Thread/ThdFirewall.pas

1736 lines
53 KiB
Plaintext
Raw Blame History

{*******************************************************}
{ }
{ ThdFirewall }
{ }
{ Copyright (C) 2022 kku }
{ }
{*******************************************************}
unit ThdFirewall;
interface
uses
Tocsg.Thread, System.SysUtils, System.Classes, Winapi.Windows,
Tocsg.Firewall, NetFwTypeLib_TLB;
type
TVpnFwConfg = record
bBlkExcept,
bBlkDefPort,
bBlkSmbPort: Boolean;
nBlkExtPortType: Integer;
sBlkPorts,
sSmbExpIps,
sNetCtrlType,
sNetCtrlList,
sNetBlkExcept: String;
end;
TSleepFwConfg = record
sSleepList,
sSleepBlockType: String;
end;
TNetCtrlType = (nctFalse, nctAppBlack, nctAppWhite, nctIpBlack, nctIpWhite);
TThdFirewall = class(TTgThread)
protected
procedure Execute; override;
public
Constructor Create;
end;
implementation
uses
Tocsg.Exception, Tocsg.Safe, Winapi.ActiveX, Tocsg.Strings,
ManagerService, Tocsg.WTS, Tocsg.Path, ManagerModel, Tocsg.Convert,
Tocsg.Process, GlobalDefine, Condition, Tocsg.Network,
System.Generics.Collections, System.IniFiles, Tocsg.Url, Tocsg.Trace,
System.DateUtils;
const
// DEF_INTERNAL_PORT = '8261,8262,8263';
TOCSG_GROUP = 'Tocsg Group';
FW_NAME_POLICY_DEFAULT_INDIR = 'TocsgInternalIn';
FW_NAME_POLICY_DEFAULT_OUTDIR = 'TocsgInternalOut';
FW_NAME_POLICY_DEFAULTBLOCK_PORT = 'eCrmHomeEditionDefault';
FW_NAME_POLICY_SMB_PORT = 'eCrmHomeEditionSmb';
FW_NAME_POLICY_EXTRABLOCK_PORT = 'eCrmHomeEditionExtra';
FW_NAME_POLICY_IDLE = 'eCrmHomeEditionIdle';
FW_NAME_POLICY_IDLE_SITE = 'eCrmHomeEditionSiteIdle';
FW_NAME_POLICY_IDLE_SITE2 = 'eCrmHomeEditionSiteIdl2';
FW_NAME_POLICY_CTRL = 'eCrmHomeEdition';
// FW_NAME_POLICY_BROWSER_CHROME = 'eCrmHomeEditionBchrome';
// FW_NAME_POLICY_BROWSER_EDGE = 'eCrmHomeEditionBedge';
// FW_NAME_POLICY_BROWSER_FIREFOX = 'eCrmHomeEditionBFirefox';
// FW_NAME_POLICY_BROWSER_IEXPLORER1 = 'eCrmHomeEditionBExplorer1';
// FW_NAME_POLICY_BROWSER_IEXPLORER2 = 'eCrmHomeEditionBExplorer2';
// FW_NAME_POLICY_BROWSER_OPERA = 'eCrmHomeEditionBOpera';
FW_NAME_POLICY_BROWSER_VIVALDI = 'eCrmHomeEditionBVivaldi';
{ TThreadFirewall }
function ConvIpRangeToFwIps(sRangeIp: String; bIgrSvrIp: Boolean = false): String;
var
nPos, nRange: Integer;
i, nBegin: Integer;
IpClass: TStringList;
sIp, sSvrIp: String;
begin
Result := '';
nPos := Pos('/', sRangeIp);
if nPos = 0 then
exit;
nRange := StrToIntDef(Copy(sRangeIp, nPos + 1, Length(sRangeIp) - nPos), 0);
Delete(sRangeIp, nPos, Length(sRangeIp) - nPos + 1);
if not IsValidIP(sRangeIp) then
exit;
if nRange = 0 then
begin
Result := sRangeIp;
exit;
end;
if nRange > 255 then
nRange := 255;
Guard(IpClass, TStringList.Create);
if SplitString(sRangeIp, '.', IpClass) > 3 then
begin
if StrToIntDef(IpClass[3], 999) < nRange then
begin
Result := sRangeIp + '-' + Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nRange])
end else
Result := sRangeIp;
if bIgrSvrIp then
begin
// 현재 접속중인 서버 IP만 빼주자 22_0607 13:17:18 kku
sSvrIp := StringReplace(gMgSvc.DestServerUrl, 'http://', '', [rfReplaceAll]);
sSvrIp := StringReplace(sSvrIp, 'https://', '', [rfReplaceAll]);
nPos := Pos(':', sSvrIp);
if nPos > 0 then
Delete(sSvrIp, nPos, Length(sSvrIp) - nPos + 1);
if IsValidIP(sSvrIp) then
begin
nBegin := StrToIntDef(IpClass[3], 999);
if nBegin >= nRange then
begin
Result := sRangeIp;
exit;
end;
for i := 0 to (nRange - nBegin) do
begin
sIp := Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin + i]);
if sIp = sSvrIp then
begin
if i = 0 then
begin
Result := Format('%s.%s.%s.%d-%s.%s.%s.%d',
[IpClass[0], IpClass[1], IpClass[2], nBegin + 1,
IpClass[0], IpClass[1], IpClass[2], nRange]);
end else
if i = (nRange - nBegin) then
begin
Result := Format('%s.%s.%s.%d-%s.%s.%s.%d',
[IpClass[0], IpClass[1], IpClass[2], nBegin,
IpClass[0], IpClass[1], IpClass[2], nRange - 1]);
end else
begin
Result := Format('%s.%s.%s.%d-%s.%s.%s.%d,',
[IpClass[0], IpClass[1], IpClass[2], nBegin,
IpClass[0], IpClass[1], IpClass[2], nBegin + i - 1]);
Result := Result + Format('%s.%s.%s.%d-%s.%s.%s.%d',
[IpClass[0], IpClass[1], IpClass[2], nBegin +i + 1,
IpClass[0], IpClass[1], IpClass[2], nRange]);
end;
break;
end;
if (nBegin + i) = 255 then
begin
Result := sRangeIp + '-' + Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nRange]);
break;
end;
end;
end;
end;
end;
end;
procedure ConvBlockIp(sIpCommaStr: String; aDestList: TStringList; bIgrSvrDest: Boolean = true);
var
sIp, sStart, sVal, sEnd: String;
SrcList,
EntList: TStringList;
i, ii, nPos: Integer;
dwIp,
dwNextIp: DWORD;
IpList: TList<DWORD>;
DcIpEx: TDictionary<DWORD,DWORD>;
dwBeginIp,
dwEnd: DWORD;
function GetIpRangeEnd(aIp: DWORD): DWORD;
var
c: Integer;
begin
if (DcIpEx.Count > 0) and DcIpEx.ContainsKey(aIp) then
begin
Result := GetIpRangeEnd(DcIpEx[aIp]);
DcIpEx.Remove(aIp);
while i < IpList.Count do
begin
aIp := IpList[i];
if aIp > Result then
break;
Inc(i);
end;
exit;
end;
c := 0;
while (i + c) < IpList.Count do
begin
dwNextIp := IpList[i + c];
if (aIp + c + 1) <> dwNextIp then
break;
if (DcIpEx.Count > 0) and DcIpEx.ContainsKey(aIp) then
begin
Result := GetIpRangeEnd(DcIpEx[aIp]);
exit;
end;
Inc(c);
end;
if c > 0 then
Inc(i, c)
else
Inc(i);
Result := aIp + c;
end;
begin
aDestList.Clear;
if sIpCommaStr = '' then
exit;
Guard(SrcList, TStringList.Create);
Guard(EntList, TStringList.Create);
SrcList.CommaText := sIpCommaStr;
if SrcList.Count = 0 then
exit;
// 서버 IP 정보도 예외 추가 22_0526 09:32:04 kku
if bIgrSvrDest then
begin
GetDestServerList(EntList);
for i := 0 to EntList.Count - 1 do
begin
sVal := StringReplace(EntList[i], 'http://', '', [rfReplaceAll]);
sVal := StringReplace(sVal, 'https://', '', [rfReplaceAll]);
nPos := Pos(':', sVal);
if nPos > 0 then
Delete(sVal, nPos, Length(sVal) - nPos + 1);
if IsValidIP(sVal) and (SrcList.IndexOf(sVal) = -1) then
SrcList.Add(sVal);
end;
end;
Guard(IpList, TList<DWORD>.Create);
Guard(DcIpEx, TDictionary<DWORD,DWORD>.Create);
for i := 0 to SrcList.Count - 1 do
begin
sIp := SrcList[i];
nPos := Pos('-', sIp);
if nPos > 0 then
begin
sEnd := Copy(sIp, nPos + 1, Length(sIp) - nPos);
Delete(sIp, nPos, Length(sIp) - nPos + 1);
if IsValidIP(sIp, false) and IsValidIP(sEnd) and
(IPToDWORD(sIp) < IPToDWORD(sEnd)) then
begin
dwIp := IPToDWORD(sIp);
if (IpList.IndexOf(dwIp) = -1) and not DcIpEx.ContainsKey(dwIp) then
begin
DcIpEx.Add(dwIp, IPToDWORD(sEnd));
IpList.Add(dwIp);
end;
end;
end else begin
dwIp := IPToDWORD(SrcList[i]);
if (dwIp <> 0) and (IpList.IndexOf(dwIp) = -1) then
IpList.Add(dwIp);
end;
end;
IpList.Sort;
sVal := '';
dwBeginIp := 0;
i := 0;
while i < IpList.Count do
begin
dwIp := IpList[i];
if dwBeginIp = dwIp then
begin
dwBeginIp := GetIpRangeEnd(dwIp) + 1;
continue;
end;
dwEnd := dwIp - 1;
if dwEnd = 0 then
sVal := DWORDToIP(dwBeginIp)
else
sVal := DWORDToIP(dwBeginIp) + '-' + DWORDToIP(dwEnd);
if aDestList.IndexOf(sVal) = -1 then
aDestList.Add(sVal);
dwBeginIp := GetIpRangeEnd(dwIp) + 1;
end;
sVal := DWORDToIP(dwBeginIp) + '-255.255.255.255';
if aDestList.IndexOf(sVal) = -1 then
aDestList.Add(sVal);
end;
function Get_POLICY_OUTBLOCK(aProtocol: Integer = NET_FW_IP_PROTOCOL_TCP): TFwRule;
begin
ZeroMemory(@Result, SizeOf(Result));
with Result do
begin
sGroup := TOCSG_GROUP;
sDesc := 'Open Product default protocols over ';
case aProtocol of
NET_FW_IP_PROTOCOL_TCP : sDesc := sDesc + 'TCP';
NET_FW_IP_PROTOCOL_UDP : sDesc := sDesc + 'UDP';
NET_FW_IP_PROTOCOL_ANY : sDesc := sDesc + 'TCP/UDP';
end;
nProtocol := aProtocol;
nProfiles := FW_PROFILE_ANY;
nAction := NET_FW_ACTION_BLOCK;
nDirection := NET_FW_RULE_DIR_OUT;
bEnabled := true;
end;
end;
//function Get_POLICY_DEFAULT_INDIR: TFwRule;
//begin
// Result := Get_POLICY_OUTBLOCK;
// with Result do
// begin
// sName := FW_NAME_POLICY_DEFAULT_INDIR;
// sGroup := TOCSG_GROUP;
// nAction := NET_FW_ACTION_ALLOW;
// nDirection := NET_FW_RULE_DIR_IN;
// sLocalPorts := DEF_INTERNAL_PORT;
// sRemotePorts := DEF_INTERNAL_PORT;
// end;
//end;
//
//function Get_POLICY_DEFAULT_OUTDIR: TFwRule;
//begin
// Result := Get_POLICY_OUTBLOCK;
// with Result do
// begin
// sName := FW_NAME_POLICY_DEFAULT_OUTDIR;
// sGroup := TOCSG_GROUP;
// nAction := NET_FW_ACTION_ALLOW;
// sLocalPorts := DEF_INTERNAL_PORT;
// sRemotePorts := DEF_INTERNAL_PORT;
// end;
//end;
function Get_POLICY_DEFAULTBLOCK_PORT: TFwRule;
begin
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_DEFAULTBLOCK_PORT;
sRemotePorts := '20,21,23,25,69,110,119,123,143,989,990,2501,5001,9100,9101,9102,9600';
end;
TTgTrace.T('기본 포트 차단 등록. Port=%s', [Result.sRemotePorts], 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_REG_BASIC_PORT_BLOCK, Result.sRemotePorts, false);
end;
function Get_POLICY_SMB_PORT(sExpIps: String): TFwRule;
var
DestList, ExcpAppIpList: TStringList;
i, n: Integer;
sEnt, sIp, sEnd: String;
begin
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_SMB_PORT;
sRemotePorts := '137,138,139,445';
if gMgSvc.PrefModel.SmbPortEx <> '' then
SumString(sRemotePorts, gMgSvc.PrefModel.SmbPortEx, ',');
if sExpIps <> '' then
begin
Guard(DestList, TStringList.Create);
Guard(ExcpAppIpList, TStringList.Create);
DestList.CommaText := StrListToCommaStr(sExpIps);
for i := 0 to DestList.Count - 1 do
begin
sEnt := DestList[i];
if sEnt.Contains('/') then
begin
sIp := ConvIpRangeToFwIps(sEnt);
if sIp <> '' then
ExcpAppIpList.Add(sIp);
end else
if IsValidIpRange(sEnt) then
begin
sIp := sEnt;
n := Pos('-', sIp);
if n > 0 then
begin
sEnd := Copy(sIp, n + 1, Length(sIp) - n);
Delete(sIp, n, Length(sIp) - n + 1);
if IsValidIP(sIp, false) and IsValidIP(sEnd) and
(IPToDWORD(sIp) < IPToDWORD(sEnd)) then
ExcpAppIpList.Add(sEnt);
end;
end else begin
if IsValidIP(sEnt) then
begin
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end;
end;
end;
if ExcpAppIpList.Count > 0 then
begin
ConvBlockIp(ExcpAppIpList.CommaText, DestList, false);
if DestList.Count > 0 then
sRemoteAddresses := DestList.CommaText;
end;
end;
end;
TTgTrace.T('SMB 포트 차단 등록. Port=%s', [Result.sRemotePorts], 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_REG_BASIC_PORT_BLOCK, Result.sRemotePorts, false);
end;
function StrListToList(aStrList: String; aList: TStringList): Integer;
var
StrList: TStringList;
sVal: String;
i: Integer;
begin
Result := 0;
aList.Clear;
if aStrList = '' then
exit;
Guard(StrList, TStringList.Create);
sVal := StringReplace(aStrList, ';', '|', [rfReplaceAll]);
sVal := StringReplace(sVal, ' ', '|', [rfReplaceAll]);
Result := SplitString(sVal, '|', aList);
end;
function Get_POLICY_EXTRABLOCK_PORT(bAllPortBlk: Boolean = false): TFwRule;
var
sPort,
sBlkPorts: String;
i, c, nPos, nPortPos, nPortEnd: Integer;
SvrList: TStringList;
begin
if not bAllPortBlk then
begin
sBlkPorts := '';
if gMgSvc.ModePolicy.ExtraPortEnableType = PREF_PORTEX_WHITE then
begin
var StrList: TStringList;
Guard(StrList, TStringList.Create);
SplitString(StrListToCommaStr(gMgSvc.ModePolicy.BlockPortList), ',', StrList);
var PortList: TList<Integer>;
Guard(PortList, TList<Integer>.Create);
// 서버 접속 포트 예외 등록 22_0729 10:58:44 kku
Guard(SvrList, TStringList.Create);
GetDestServerList(SvrList);
nPortPos := 0;
for i := 0 to SvrList.Count - 1 do
begin
sPort := StringReplace(SvrList[i], 'https://', '', [rfReplaceAll]);
sPort := StringReplace(sPort, 'http://', '', [rfReplaceAll]);
nPos := Pos(':', sPort);
if nPos = 0 then
continue;
Delete(sPort, 1, nPos);
nPos := Pos('/', sPort);
if nPos = 0 then
continue;
SetLength(sPort, nPos - 1);
c := StrToIntDef(sPort, -1);
if (c <> -1) and (PortList.IndexOf(c) = -1) then
begin
PortList.Add(c);
Inc(nPortPos);
end;
end;
// 서버 사용 포트가 없다면 80을 기본 추가해준다. 22_0803 08:17:44 kku
if (nPortPos = 0) and (PortList.IndexOf(80) = -1) then
PortList.Add(80);
for i := 0 to StrList.Count - 1 do
begin
sPort := StrList[i];
nPos := Pos('-', sPort);
if nPos > 0 then
begin
nPortPos := StrToIntDef(Copy(sPort, 1, nPos - 1), -1);
Delete(sPort, 1, nPos);
nPortEnd := StrToIntDef(sPort, -1);
if (nPortPos > -1) and (nPortEnd > -1) and
(nPortPos < nPortEnd) then
begin
while nPortPos <= nPortEnd do
begin
if PortList.IndexOf(nPortPos) = -1 then
PortList.Add(nPortPos);
Inc(nPortPos);
end;
end;
end else begin
nPortPos := StrToIntDef(StrList[i], -1);
if (nPortPos <> -1) and (PortList.IndexOf(nPortPos) = -1) then
PortList.Add(nPortPos);
end;
end;
PortList.Sort;
// 0-65535
nPos := 0;
nPortPos := 0;
for i := 0 to PortList.Count - 1 do
begin
if (i <> (PortList.Count - 1)) and
(PortList[i + 1] = (PortList[i] + 1)) then
begin
if nPos = 0 then
begin
SumString(sBlkPorts, Format('%d-%d', [nPortPos, PortList[i] - 1]), ',');
nPortPos := PortList[i];
end;
Inc(nPos);
continue;
end;
if nPos <> 0 then
begin
Inc(nPortPos, nPos + 1);
nPos := 0;
end else
begin
if (PortList[i] <> 0) and ((PortList[i] - nPortPos) <> 1) then
begin
SumString(sBlkPorts, Format('%d-%d', [nPortPos, PortList[i] - 1]), ',');
end else
SumString(sBlkPorts, IntToStr(nPortPos), ',');
nPortPos := PortList[i] + 1;
end;
end;
Inc(nPortPos, nPos);
if nPortPos < 65535 then
SumString(sBlkPorts, Format('%d-65535', [nPortPos]), ',');
end else
sBlkPorts := StrListToCommaStr(gMgSvc.ModePolicy.BlockPortList, ',', true);
if sBlkPorts = '' then
sBlkPorts := '21';
end else
sBlkPorts := '*';
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_EXTRABLOCK_PORT;
sDesc := 'Prevent extra protocols over TCP';
sRemotePorts := sBlkPorts;
end;
TTgTrace.T('추가 포트 차단 등록. Port=%s', [Result.sRemotePorts], 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_REG_USER_PORT_BLOCK, Result.sRemotePorts, false);
end;
function Get_POLICY_POLICY_IDLE: TFwRule;
begin
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_IDLE;
sRemotePorts := '80,135,445,902,912,1025,1026,1027,1028,1041,1688,3838,5357,8443,23401';
end;
end;
function Get_POLICY_IDLE_SITE: TFwRule;
begin
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_IDLE_SITE;
sRemotePorts := '443,3478,3479,5938,8801,8802';
sRemoteAddresses := '193.1.1.1-255.255.255.255';
end;
end;
function Get_POLICY_IDLE_SITE2: TFwRule;
begin
Result := Get_POLICY_OUTBLOCK;
with Result do
begin
sName := FW_NAME_POLICY_IDLE_SITE2;
sRemotePorts := '443,3478,3479,5938,8801,8802';
sRemoteAddresses := '20.10.10.10-110.255.255.255';
end;
end;
function Get_POLICY_APP(sPath: String): TFwRule;
begin
Result := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY);
with Result do
begin
sName := 'eCrmHE-B_' + ExtractFileName(CutFileExt(sPath));
sAppName := sPath;
sDesc := 'Prevent Network Access';
// sRemotePorts := '443,80,8080,8443,135,445,902,912,1025,1026,1027,1028,1688,3838,5357,23401';
end;
end;
function Get_POLICY_BROWSER_VIVALDI: TFwRule;
begin
Result := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY);
with Result do
begin
sName := FW_NAME_POLICY_BROWSER_VIVALDI;
sAppName := Format('C:\Users\%s\AppData\Local\Programs\Opera\launcher.exe', [WTS_GetCurrentUserName]);
sRemotePorts := '443,80,8080,8443,135,445,902,912,1025,1026,1027,1028,1688,3838,5357,23401';
end;
end;
function GetSvrDestIpCommaStr: String;
var
EntList: TStringList;
i, nPos: Integer;
sVal: String;
begin
Result := '';
Guard(EntList, TStringList.Create);
GetDestServerList(EntList);
for i := 0 to EntList.Count - 1 do
begin
sVal := StringReplace(EntList[i], 'http://', '', [rfReplaceAll]);
sVal := StringReplace(sVal, 'https://', '', [rfReplaceAll]);
nPos := Pos(':', sVal);
if nPos > 0 then
Delete(sVal, nPos, Length(sVal) - nPos + 1);
if IsValidIP(sVal) then
SumString(Result, sVal, ',');
end;
end;
{ TThdFirewall }
Constructor TThdFirewall.Create;
begin
Inherited Create;
if IsFirewallLowCheck then
Priority := tpLowest;
end;
procedure TThdFirewall.Execute;
const
SEC_URLIP_API = 5;
SEC_URLIP_NSLOOKUP = 300;
var
fwPolicy2: INetFwPolicy2;
fwRules: INetFwRules;
FwRuleList: TFwRuleEntList;
PrevVpnCfg, NewVpnCfg: TVpnFwConfg;
PrevSlpCfg, NewSlpCfg: TSleepFwConfg;
ExcpAppIpList,
FwRegAppList: TStringList;
ProcList: TProcessEntList;
CtrlType: TNetCtrlType;
bWhiteIp: Boolean; // APP 차단, APP만 허용에서 예외 IP 처리 시 화이트 리스트로 처리하도록 체크 22_0721 14:24:09 kku
// 도메인차단
dwUrlIpApiTick,
dwUrlIpNslookupTick: DWORD;
bUrlIpAdded: Boolean;
DcUrlIps: TDictionary<String,String>;
procedure ExtractUrlIps;
var
enum: TEnumerator<String>;
IpList,
ChkList: TStringList;
i: Integer;
dwTick: DWORD;
bDoNslookup: Boolean;
begin
try
if DcUrlIps.Count = 0 then
exit;
dwTick := GetTickCount;
if dwUrlIpApiTick = 0 then
begin
dwUrlIpApiTick := dwTick;
dwUrlIpNslookupTick := dwTick;
exit;
end;
bDoNslookup := ((dwTick - dwUrlIpNslookupTick) div 1000) >= SEC_URLIP_NSLOOKUP;
if bDoNslookup then
begin
dwUrlIpApiTick := dwTick;
dwUrlIpNslookupTick := dwTick;
end else begin
if ((dwTick - dwUrlIpApiTick) div 1000) < SEC_URLIP_API then
exit;
dwUrlIpApiTick := dwTick;
end;
Guard(IpList, TStringList.Create);
Guard(ChkList, TStringList.Create);
Guard(enum, DcUrlIps.Keys.GetEnumerator);
while enum.MoveNext do
begin
SplitString(DcUrlIps[enum.Current], ',', IpList);
if bDoNslookup then
SplitString(ExtractIPsFromUrl(enum.Current), ',', ChkList)
else
SplitString(GetHostIPsFromDomain(enum.Current), ',', ChkList);
for i := 0 to ChkList.Count - 1 do
if IpList.IndexOf(ChkList[i]) = -1 then
begin
DcUrlIps[enum.Current] := DcUrlIps[enum.Current] + ',' + ChkList[i];
_Trace('CatchIP .. URL=%s, IP=%s', [enum.Current, ChkList[i]], 2);
bUrlIpAdded := true;
end;
end;
except
on E: Exception do
ETgException.TraceException(Self, E, 'Fail .. ExtractUrlIps()');
end;
end;
function IsSameVpnCfg: Boolean;
begin
Result := false;
with PrevVpnCfg do
begin
if bBlkExcept <> NewVpnCfg.bBlkExcept then exit;
if bBlkDefPort <> NewVpnCfg.bBlkDefPort then exit;
if nBlkExtPortType <> NewVpnCfg.nBlkExtPortType then exit;
if sBlkPorts <> NewVpnCfg.sBlkPorts then exit;
if sNetCtrlType <> NewVpnCfg.sNetCtrlType then exit;
if sNetCtrlList <> NewVpnCfg.sNetCtrlList then exit;
if sNetBlkExcept <> NewVpnCfg.sNetBlkExcept then exit;
if bBlkSmbPort <> NewVpnCfg.bBlkSmbPort then exit;
if sSmbExpIps <> NewVpnCfg.sSmbExpIps then exit;
end;
Result := true;
end;
function IsSameSlpCfg: Boolean;
begin
Result := false;
with PrevSlpCfg do
begin
if sSleepList <> NewSlpCfg.sSleepList then exit;
if sSleepBlockType <> NewSlpCfg.sSleepBlockType then exit;
end;
Result := true;
end;
function CheckRuleState(aEnt: PFwRuleEnt; bIsOrgBlock: Boolean): Boolean;
begin
// 규칙이 있지만 꺼져있거나 연결 허용, 차단이 제대로 되어 있는 체크 22_0516 16:29:02 kku
Result := false;
if not aEnt.bEnabled then
exit;
if (aEnt.nAction = NET_FW_ACTION_ALLOW) and bIsOrgBlock then
exit;
if (aEnt.nAction = NET_FW_ACTION_BLOCK) and not bIsOrgBlock then
exit;
Result := true;
end;
function CheckRuleState2(aEnt: PFwRuleEnt; sIp: String): Boolean;
begin
// IP 차단 체크 전용
Result := false;
if not aEnt.bEnabled then
exit;
if aEnt.nAction <> NET_FW_ACTION_BLOCK then
exit;
if aEnt.sRemoteAddr <> sIp then
exit;
Result := true;
end;
procedure CheckAndRegApp;
var
i, c, n: Integer;
sPath,
sPName, sName,
sNameHead: String;
pEnt: PFwRuleEnt;
FwRule: TFwRule;
// DestList: TStringList;
begin
try
if FwRegAppList.Count = 0 then
exit;
// Guard(DestList, TStringList.Create);
sNameHead := 'eCrmHE-B_';
ProcList.UpdateProcessList;
case CtrlType of
nctAppBlack :
begin
for i := FwRegAppList.Count - 1 downto 0 do
begin
if Terminated or GetWorkStop then
exit;
sPName := FwRegAppList[i];
if CompareText(EXE_HE, sPName) = 0 then
continue;
pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName));
if pEnt = nil then
begin
sPath := ProcList.GetProcPathByName(sPName);
if (sPath <> '') and FileExists(sPath) then
begin
FwRule := Get_POLICY_APP(sPath);
if ExcpAppIpList.Count > 0 then
FwRule.sRemoteAddresses := ExcpAppIpList.CommaText;
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule); // 중복 실행된 프로세스가 있기 때문에 이렇게 추가 성공할 룰은 체크를 위해 바로 넣어줌
// FwRegAppList.Delete(i); // 계속 체크되도록 놔둠 22_0516 16:24:58 kku
Finalize(FwRule);
end;
end else begin
// FwRegAppList.Delete(i); // 계속 체크되도록 놔둠 22_0516 16:24:58 kku
// 설정이 훼손되었다면 지운다. 그러면 반복되며 다시 설정 됨 22_0516 16:37:10 kku
if not CheckRuleState(pEnt, true) then
RemoveFwRule(fwRules, pEnt.sName);
end;
end;
end;
nctAppWhite :
begin
for c := 0 to ProcList.Count - 1 do
begin
if Terminated or GetWorkStop then
exit;
sPName := ProcList[c].sModuleBaseName;
if FwRegAppList.IndexOf(sPName) = -1 then
begin
pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName));
if pEnt = nil then
begin
sPath := ProcList[c].sModuleFileName;
if (sPath <> '') and FileExists(sPath) then
begin
FwRule := Get_POLICY_APP(sPath);
if bWhiteIp then
begin
if ExcpAppIpList.Count > 0 then
FwRule.sRemoteAddresses := ExcpAppIpList.CommaText;
end;
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule); // 중복 실행된 프로세스가 있기 때문에 이렇게 추가 성공할 룰은 체크를 위해 바로 넣어줌
Finalize(FwRule);
end;
end else begin
// 설정이 훼손되었다면 지운다. 그러면 반복되며 다시 설정 됨 22_0516 16:37:10 kku
if not CheckRuleState(pEnt, true) then
RemoveFwRule(fwRules, pEnt.sName);
end;
end else
if not bWhiteIp and
(ExcpAppIpList.Count > 0) and
(CompareText(EXE_HE, sPName) <> 0) then
begin
// 예외 IP가 있다면 차단 등록한다 22_0602 17:46:05 kku
for n := 0 to ExcpAppIpList.Count - 1 do
begin
sName := StringReplace(ExcpAppIpList[n], '.', '', [rfReplaceAll]);
sName := StringReplace(sName, '-', '', [rfReplaceAll]);
sName := sNameHead + CutFileExt(sPName) + sName;
pEnt := FwRuleList.GetFwRuleByName(sName);
if pEnt = nil then
begin
sPath := ProcList[c].sModuleFileName;
if (sPath <> '') and FileExists(sPath) then
begin
FwRule := Get_POLICY_APP(sPath);
FwRule.sName := sName;
FwRule.sRemoteAddresses := ExcpAppIpList[n];
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule);
Finalize(FwRule);
end;
end;
end;
end;
end;
end;
nctIpBlack :
begin
for c := 0 to ProcList.Count - 1 do
begin
if Terminated or GetWorkStop then
exit;
sPName := ProcList[c].sModuleBaseName;
if FwRegAppList.IndexOf(sPName) = -1 then
begin
for n := 0 to ExcpAppIpList.Count - 1 do
begin
sName := StringReplace(ExcpAppIpList[n], '.', '', [rfReplaceAll]);
sName := StringReplace(sName, '-', '', [rfReplaceAll]);
sName := sNameHead + CutFileExt(sPName) + sName;
pEnt := FwRuleList.GetFwRuleByName(sName);
if pEnt = nil then
begin
sPath := ProcList[c].sModuleFileName;
if (sPath <> '') and FileExists(sPath) then
begin
FwRule := Get_POLICY_APP(sPath);
FwRule.sName := sName;
FwRule.sRemoteAddresses := ExcpAppIpList[n];
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule);
Finalize(FwRule);
end;
end;
end;
end;
end;
end;
nctIpWhite :
begin
for i := FwRegAppList.Count - 1 downto 0 do
begin
if Terminated or GetWorkStop then
exit;
sPName := FwRegAppList[i];
if CompareText(EXE_HE, sPName) = 0 then
continue;
pEnt := FwRuleList.GetFwRuleByName(sNameHead + CutFileExt(sPName));
if pEnt = nil then
begin
sPath := ProcList.GetProcPathByName(sPName);
if (sPath <> '') and FileExists(sPath) then
begin
FwRule := Get_POLICY_APP(sPath);
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule);
Finalize(FwRule);
end;
end else begin
if not CheckRuleState(pEnt, true) then
RemoveFwRule(fwRules, pEnt.sName);
end;
end;
end;
end;
except
on E: Exception do
begin
ExcpAppIpList.Clear;
FwRegAppList.Clear;
ETgException.TraceException(E, 'Fail .. CheckAndRegApp()');
end;
end;
end;
procedure AddIpRangeToStrings(sRangeIp: String; aList: TStrings);
var
nPos, nRange: Integer;
i, nBegin: Integer;
IpClass: TStringList;
sIp: String;
begin
nPos := Pos('/', sRangeIp);
if nPos = 0 then
exit;
nRange := StrToIntDef(Copy(sRangeIp, nPos + 1, Length(sRangeIp) - nPos), 0);
Delete(sRangeIp, nPos, Length(sRangeIp) - nPos + 1);
if not IsValidIP(sRangeIp) then
exit;
if nRange = 0 then
begin
if aList.IndexOf(sRangeIp) = -1 then
aList.Add(sRangeIp);
exit;
end;
if nRange > 255 then
nRange := 255;
Guard(IpClass, TStringList.Create);
if SplitString(sRangeIp, '.', IpClass) > 3 then
begin
nBegin := StrToIntDef(IpClass[3], 999);
if nBegin >= nRange then
begin
// 범위 체크
if aList.IndexOf(sRangeIp) = -1 then
aList.Add(sRangeIp);
exit;
end;
for i := 0 to (nRange - nBegin) do
begin
sIp := Format('%s.%s.%s.%d', [IpClass[0], IpClass[1], IpClass[2], nBegin + i]);
if aList.IndexOf(sIp) = -1 then
aList.Add(sIp);
if (nBegin + i) = 255 then
break;
end;
end;
end;
procedure ProcessNetCtrl(aCtrlList, aExcpList: String);
var
FwRule: TFwRule;
sIp,
sEnt,
sEnd,
sName,
sFwName: String;
pEnt: PFwRuleEnt;
TempList,
DestList,
ExcpList: TStringList;
i, c, n: Integer;
begin
Guard(TempList, TStringList.Create);
Guard(ExcpList, TStringList.Create);
bWhiteIp := aExcpList.StartsWith('@WHITEIP:');
ExcpList.CommaText := StrListToCommaStr(aExcpList);
case CtrlType of
nctFalse : ;
nctAppBlack,
nctAppWhite :
begin
if FwRegAppList.Count > 0 then
exit;
FwRegAppList.CommaText := StrListToCommaStr(aCtrlList);
if CtrlType = nctAppWhite then
begin
FwRegAppList.Add(EXE_HE); // 나 추가
FwRegAppList.Add(EXE_MG); // 나 추가
FwRegAppList.Add('svchost.exe'); // 이거까지 차단하면 DNS 서비스 동작이 멈춘다 22_0524 13:10:30 kku
FwRegAppList.Add('MsMpEng.exe'); // 디펜더 관련
for i := 0 to ExcpList.Count - 1 do
begin
sEnt := ExcpList[i];
if (UpperCase(GetFileExt(sEnt)) = 'EXE') and
(FwRegAppList.IndexOf(sEnt) = -1) then
begin
FwRegAppList.Add(sEnt)
end else
if sEnt.Contains('/') then
begin
// IP 범위 체크, 추가
AddIpRangeToStrings(sEnt, ExcpAppIpList);
end else
if IsValidIpRange(sEnt) then
begin
// IP 범위 체크, 추가 22_0825 15:57:05 kku
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end else begin
if IsValidIP(sEnt) then
begin
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end else begin
// URL에서 IP 추출 22_0915 08:54:12 kku
if not DcUrlIps.ContainsKey(sEnt) then
begin
sIp := ExtractIPsFromUrl(sEnt);
DcUrlIps.Add(sEnt, sIp);
end else
sIp := DcUrlIps[sEnt];
if sIp <> '' then
begin
SplitString(sIp, ',', TempList);
for c := 0 to TempList.Count - 1 do
if ExcpAppIpList.IndexOf(TempList[c]) = -1 then
ExcpAppIpList.Add(TempList[c]);
end;
end;
end;
end;
// 후처리 22_0804 14:48:41 kku
if bWhiteIp and (ExcpAppIpList.Count > 0) then
ConvBlockIp(ExcpAppIpList.CommaText, ExcpAppIpList, false);
end else
if CtrlType = nctAppBlack then
begin
for i := 0 to ExcpList.Count - 1 do
begin
sEnt := ExcpList[i];
if UpperCase(GetFileExt(sEnt)) = 'EXE' then
begin
c := FwRegAppList.IndexOf(sEnt);
if c <> -1 then
FwRegAppList.Delete(c);
end else
if sEnt.Contains('/') then
begin
// IP 범위 체크, 추가
AddIpRangeToStrings(sEnt, ExcpAppIpList);
end else
if IsValidIpRange(sEnt) then
begin
// IP 범위 체크, 추가 22_0825 15:57:05 kku
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end else
begin
if IsValidIP(sEnt) then
begin
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end else begin
// URL에서 IP 추출 22_0915 08:54:12 kku
if not DcUrlIps.ContainsKey(sEnt) then
begin
sIp := ExtractIPsFromUrl(sEnt);
DcUrlIps.Add(sEnt, sIp);
end else
sIp := DcUrlIps[sEnt];
if sIp <> '' then
begin
SplitString(sIp, ',', TempList);
for c := 0 to TempList.Count - 1 do
if ExcpAppIpList.IndexOf(TempList[c]) = -1 then
ExcpAppIpList.Add(TempList[c]);
end;
end;
end;
end;
c := FwRegAppList.IndexOf(EXE_HE);
if c <> -1 then
FwRegAppList.Delete(c);
// 후처리 22_0804 14:48:41 kku
if ExcpAppIpList.Count > 0 then
ConvBlockIp(ExcpAppIpList.CommaText, ExcpAppIpList, false);
end;
CheckAndRegApp;
end;
nctIpBlack :
begin
Guard(DestList, TStringList.Create);
DestList.CommaText := StrListToCommaStr(aCtrlList);
if (aExcpList <> '') and aExcpList.ToUpper.Contains('.EXE') then
begin
// APP 예외 정책이 있으면
if FwRegAppList.Count = 0 then
begin
ExcpAppIpList.Clear;
for i := 0 to DestList.Count - 1 do
begin
sEnt := DestList[i];
if sEnt.Contains('/') then
begin
sIp := ConvIpRangeToFwIps(sEnt);
if sIp <> '' then
ExcpAppIpList.Add(sIp);
end else
if IsValidIpRange(sEnt) then
begin
sIp := sEnt;
n := Pos('-', sIp);
if n > 0 then
begin
sEnd := Copy(sIp, n + 1, Length(sIp) - n);
Delete(sIp, n, Length(sIp) - n + 1);
if IsValidIP(sIp, false) and IsValidIP(sEnd) and
(IPToDWORD(sIp) < IPToDWORD(sEnd)) then
ExcpAppIpList.Add(sEnt);
end;
end else begin
if IsValidIP(sEnt) then
begin
if ExcpAppIpList.IndexOf(sEnt) = -1 then
ExcpAppIpList.Add(sEnt);
end else begin
// URL에서 IP 추출 22_0915 08:54:12 kku
if not DcUrlIps.ContainsKey(sEnt) then
begin
sIp := ExtractIPsFromUrl(sEnt);
DcUrlIps.Add(sEnt, sIp);
end else
sIp := DcUrlIps[sEnt];
if sIp <> '' then
begin
SplitString(sIp, ',', TempList);
for c := 0 to TempList.Count - 1 do
if ExcpAppIpList.IndexOf(TempList[c]) = -1 then
ExcpAppIpList.Add(TempList[c]);
end;
end;
end;
end;
FwRegAppList.Add(EXE_HE);
FwRegAppList.Add(EXE_MG);
DestList.CommaText := StrListToCommaStr(aExcpList);
for i := 0 to DestList.Count - 1 do
begin
if DestList[i].ToUpper.Contains('.EXE') and
(FwRegAppList.IndexOf(DestList[i]) = -1) then
FwRegAppList.Add(DestList[i]);
end;
CheckAndRegApp;
end;
exit;
end;
sName := FW_NAME_POLICY_CTRL + 'B_Ips';
// pEnt := FwRuleList.GetFwRuleByName(sName);
for i := 0 to ExcpList.Count - 1 do
begin
c := DestList.IndexOf(ExcpList[i]);
if c <> -1 then
DestList.Delete(c);
end;
for i := 0 to DestList.Count - 1 do
begin
sIp := DestList[i];
if sIp.Contains('/') then
begin
sIp := ConvIpRangeToFwIps(sIp, true);
if sIp = '' then
continue;
end else
if IsValidIpRange(sIp) then
begin
// IsValidIpRange() 여기서 체크하는걸로 수정 22_1011 14:05:04 kku
// 아래에서 할거 없음
// n := Pos('-', sIp);
// if n > 0 then
// begin
// sEnd := Copy(sIp, n + 1, Length(sIp) - n);
// Delete(sIp, n, Length(sIp) - n + 1);
// if not IsValidIP(sIp, false) or not IsValidIP(sEnd) or
// (IPToDWORD(sIp) >= IPToDWORD(sEnd)) then
// continue;
//
// sIp := DestList[i];
// end;
end else begin
if not IsValidIP(sIp) then
begin
sEnt := sIp;
if not DcUrlIps.ContainsKey(sEnt) then
begin
sIp := ExtractIPsFromUrl(sEnt);
DcUrlIps.Add(sEnt, sIp);
end else
sIp := DcUrlIps[sEnt];
if sIp = '' then
continue;
end;
end;
sFwName := sName + IntToStr(i + 1);
pEnt := FwRuleList.GetFwRuleByName(sFwName);
if (pEnt = nil) or not CheckRuleState(pEnt, true) then
begin
if pEnt <> nil then
begin
RemoveFwRule(fwRules, sFwName);
FwRuleList.RemoveAddedRule(sFwName);
end;
FwRule := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY);
FwRule.sName := sFwName;
FwRule.sRemoteAddresses := sIp; // StrListToCommaStr(aCtrlList);
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule);
Finalize(FwRule);
end;
end;
end;
nctIpWhite :
begin
var DestTempList, ExcpTempList: TStringList;
Guard(DestTempList, TStringList.Create);
Guard(ExcpTempList, TStringList.Create);
Guard(DestList, TStringList.Create);
DestList.CommaText := StrListToCommaStr(aCtrlList);
for i := 0 to DestList.Count - 1 do
begin
// 범위 지정 처리등
sIp := DestList[i];
if sIp.Contains('/') then
begin
AddIpRangeToStrings(sIp, DestTempList);
end else
if IsValidIpRange(sIp) then
begin
// IP 범위 체크, 추가 22_0825 15:57:05 kku
if DestTempList.IndexOf(sIp) = -1 then
DestTempList.Add(sIp);
end else begin
if IsValidIP(sIp) then
begin
if DestTempList.IndexOf(sIp) = -1 then
DestTempList.Add(sIp);
end else begin
// URL에서 IP 추출 22_0915 08:54:12 kku
sEnt := sIp;
if not DcUrlIps.ContainsKey(sEnt) then
begin
sIp := ExtractIPsFromUrl(sEnt);
DcUrlIps.Add(sEnt, sIp);
end else
sIp := DcUrlIps[sEnt];
if sIp <> '' then
begin
SplitString(sIp, ',', TempList);
for c := 0 to TempList.Count - 1 do
if DestTempList.IndexOf(TempList[c]) = -1 then
DestTempList.Add(TempList[c]);
end;
end;
end;
end;
for i := 0 to ExcpList.Count - 1 do
begin
// 예외처리
sIp := ExcpList[i];
if sIp.Contains('/') then
begin
AddIpRangeToStrings(sIp, ExcpTempList);
for c := 0 to ExcpTempList.Count - 1 do
begin
n := DestTempList.IndexOf(ExcpTempList[c]);
if n <> -1 then
DestTempList.Delete(n);
end;
end else
if IsValidIpRange(sIp) then
begin
if ExcpTempList.IndexOf(sIp) = -1 then
ExcpTempList.Add(sIp);
end else
begin
n := DestTempList.IndexOf(sIp);
if n <> -1 then
DestTempList.Delete(n);
end;
end;
ConvBlockIp(DestTempList.CommaText, DestList);
if DestList.Count = 0 then
exit;
// FwRule.sRemoteAddresses := DestList.CommaText; 이렇게 한꺼번에 지정해도 된다.
// 일단 원안대로 이렇게 따로 등록함. 22_0517 08:33:23 kku
for i := 0 to DestList.Count - 1 do
begin
sIp := DestList[i];
sName := StringReplace(sIp, '-', '', [rfReplaceAll]);
sName := StringReplace(sName, '.', '', [rfReplaceAll]);
sName := 'eCrmHE-' + sName;
pEnt := FwRuleList.GetFwRuleByName(sName);
if (pEnt = nil) or not CheckRuleState2(pEnt, sIp) then
begin
if pEnt <> nil then
begin
RemoveFwRule(fwRules, pEnt.sName);
FwRuleList.RemoveAddedRule(pEnt.sName);
end;
FwRule := Get_POLICY_OUTBLOCK(NET_FW_IP_PROTOCOL_ANY);
FwRule.sName := sName;
FwRule.nAction := NET_FW_ACTION_BLOCK;
FwRule.sRemoteAddresses := sIp;
if AddFwRule(fwRules, FwRule) <> nil then
FwRuleList.AddAddedRule(FwRule);
Finalize(FwRule);
end;
end;
if (aExcpList <> '') and aExcpList.ToUpper.Contains('.EXE') then
begin
// APP 예외 정책이 있으면
if FwRegAppList.Count = 0 then
begin
ExcpAppIpList.Clear;
DestList.CommaText := StrListToCommaStr(aExcpList);
for i := 0 to DestList.Count - 1 do
begin
if DestList[i].ToUpper.Contains('.EXE') and
(FwRegAppList.IndexOf(DestList[i]) = -1) and
(CompareText(EXE_HE, DestList[i]) <> 0) and
(CompareText(EXE_MG, DestList[i]) <> 0) then
FwRegAppList.Add(DestList[i]);
end;
CheckAndRegApp;
end;
end;
end;
end;
end;
var
pCheckEnt: PFwRuleEnt;
i: Integer;
bPrevUnsafeMode: Boolean;
dwTick,
dwFwCheckTick,
dwSleepMSec,
dwSleepLowMSec: DWORD;
PO: TPrefModel;
procedure LoadForceSetting;
var
ini: TIniFile;
sPath: String;
begin
try
sPath := GetProgramFilesDir + DIR_TG + INI_FORCEHE;
if FileExists(sPath) then
begin
Guard(ini, TIniFile.Create(sPath));
dwSleepMSec := ini.ReadInteger('Force', 'FwInterval', 2) * 1000;
dwSleepLowMSec := ini.ReadInteger('Force', 'FwLowDelay', 180) * 1000;
end;
except
dwSleepMSec := 2000;
dwSleepLowMSec := 180000;
end;
end;
begin
ZeroMemory(@PrevVpnCfg, SizeOf(PrevVpnCfg));
ZeroMemory(@NewVpnCfg, SizeOf(NewVpnCfg));
Guard(ExcpAppIpList, TStringList.Create);
ExcpAppIpList.CaseSensitive := false;
Guard(FwRegAppList, TStringList.Create);
FwRegAppList.CaseSensitive := false;
Guard(ProcList, TProcessEntList.Create);
ProcList.DetailInfo := false;
Guard(DcUrlIps, TDictionary<String,String>.Create);
dwUrlIpApiTick := 0;
dwUrlIpNslookupTick := 0;
if IsFirewallLowCheck then
dwSleepMSec := 5000
else
dwSleepMSec := 2000;
dwSleepLowMSec := 180000;
LoadForceSetting;
CoInitialize(nil);
try
fwPolicy2 := CoNetFwPolicy2.Create;
if fwPolicy2 = nil then
begin
{$IFDEF DEBUG}
ASSERT(false);
{$ELSE}
nLastError_ := 1;
_Trace('Fail .. Windows Defender - No Firewall Setting Info 11');
{$ENDIF}
exit;
end;
fwRules := fwPolicy2.Rules;
if fwRules = nil then
begin
{$IFDEF DEBUG}
ASSERT(false);
{$ELSE}
nLastError_ := 2;
_Trace('Fail .. Windows Defender - No Firewall Setting Info 22');
{$ENDIF}
exit;
end;
ClearCrmFwPolicy(fwRules);
Guard(FwRuleList, TFwRuleEntList.Create);
dwFwCheckTick := 0;
bPrevUnsafeMode := false;
while not Terminated and not GetWorkStop do
begin
try
PO := gMgSvc.ModePolicy;
NewVpnCfg.sNetBlkExcept := PO.NetworkExceptList;
NewVpnCfg.bBlkSmbPort := PO.IsSmbPortBlock;
NewVpnCfg.sSmbExpIps := PO.SMBPortExceptList;
NewVpnCfg.bBlkExcept := (PO.NetworkExceptType <> '') and
(PO.NetworkExceptType <> 'false') and
(NewVpnCfg.sNetBlkExcept <> '');
NewVpnCfg.bBlkDefPort := PO.IsDefPortBlock;
NewVpnCfg.nBlkExtPortType := PO.ExtraPortEnableType;
NewVpnCfg.sBlkPorts := PO.BlockPortList;
NewVpnCfg.sNetCtrlType := PO.NetworkBlockType;
NewVpnCfg.sNetCtrlList := PO.NetworkBlockList;
if PO.IsNetBlockDay then
begin
var sChk: String := NewVpnCfg.sNetCtrlType.ToUpper;
if (sChk <> PREF_NETAPP_WHITELIST) and (sChk <> PREF_NETAPP_BLACKLIST) then
begin
if not ((CompareDateTime(PO.NetBlockDayB, Now) = -1 ) and
(CompareDateTime(PO.NetBlockDayE, Now) = 1)) then
NewVpnCfg.sNetCtrlType := '';
end;
end;
ExtractUrlIps;
if not IsSameVpnCfg or gMgSvc.NicService.IsChangeNetCfg or bUrlIpAdded then
begin
_Trace('방화벽 규칙 초기화', 2);
// 방화벽 규칙 초기화, 셋팅
PrevVpnCfg := NewVpnCfg;
ExcpAppIpList.Clear;
FwRegAppList.Clear;
// 도메인에서 새로운 IP 추출로 초기화 하는 경우 초기화 하지 않는다 22_1011 14:21:23 kku
// 아에 프로그램 재시작전까지 초기화 안하는 방법도..?
// 그럼 ExtractUrlIps() 이게 계속 실행되겠지..
if not bUrlIpAdded then
DcUrlIps.Clear;
bUrlIpAdded := false;
dwUrlIpApiTick := 0;
dwUrlIpNslookupTick := 0;
ClearCrmFwPolicy(fwRules);
gMgSvc.NicService.IsChangeNetCfg := false;
dwFwCheckTick := 0;
end;
if not PrevVpnCfg.bBlkDefPort and
not PrevVpnCfg.bBlkSmbPort and
(PrevVpnCfg.nBlkExtPortType = PREF_PORTEX_FALSE) and
( (PrevVpnCfg.sNetCtrlType = '') or
(PrevVpnCfg.sNetCtrlType = 'false') or
(PrevVpnCfg.sNetCtrlList = '') ) then
begin
Sleep(dwSleepMSec);
continue;
end;
GetFwRulesToList(fwRules, FwRuleList);
// 이거 점유율 체크 밑으로 내리면 새로운 프로세스 방화벽 등록이 느려짐 22_0721 15:05:00 kku
// APP 방화벽 체크
CheckAndRegApp;
// 저사양 PC에서 CPU 점유율을 낮추기 위해 느슨하게 체크 22_0719 16:49:20 kku
if IsFirewallLowCheck then
begin
dwTick := GetTickCount;
if ((dwFwCheckTick > 0) and ((dwTick - dwFwCheckTick) < dwSleepLowMSec)) then // 3분에 한번
begin
Sleep(dwSleepMSec);
continue;
end;
dwFwCheckTick := dwTick;
end;
// 기본 MG <--> HE 통신 포트 등록/체크
// MG.exe 사용하지 않음 22_1124 13:52:29 kku
// pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULT_INDIR);
// if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, false) then
// begin
// if pCheckEnt <> nil then
// RemoveFwRule(fwRules, pCheckEnt.sName);
// AddFwRule(fwRules, Get_POLICY_DEFAULT_INDIR);
// end;
//
// pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULT_OUTDIR);
// if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, false) then
// begin
// if pCheckEnt <> nil then
// RemoveFwRule(fwRules, pCheckEnt.sName);
// AddFwRule(fwRules, Get_POLICY_DEFAULT_OUTDIR);
// end;
try
// 방화벽 on/off 체크 후 on으로 복구
if not fwPolicy2.FirewallEnabled[FW_PROFILE_PERSONAL] then
begin
fwPolicy2.FirewallEnabled[FW_PROFILE_PERSONAL] := true;
_Trace('방화벽 설정 복구. (개인 네트워크)', 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Private Network', false);
end;
if not fwPolicy2.FirewallEnabled[FW_PROFILE_PUBLIC] then
begin
fwPolicy2.FirewallEnabled[FW_PROFILE_PUBLIC] := true;
_Trace('방화벽 설정 복구. (공용 네트워크)', 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Public Network', false);
end;
if not fwPolicy2.FirewallEnabled[FW_PROFILE_DOMAIN] then
begin
fwPolicy2.FirewallEnabled[FW_PROFILE_DOMAIN] := true;
_Trace('방화벽 설정 복구. (도메인 네트워크)', 2);
if gMgSvc <> nil then
gMgSvc.SendEventLogEx(LOG_RESTORE_FIREWALL_SET, 'Domain Network', false);
end;
except
// ..
end;
if PrevVpnCfg.bBlkDefPort then
begin
pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_DEFAULTBLOCK_PORT);
if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, true) then
begin
if pCheckEnt <> nil then
RemoveFwRule(fwRules, pCheckEnt.sName);
AddFwRule(fwRules, Get_POLICY_DEFAULTBLOCK_PORT);
end;
end;
if PrevVpnCfg.bBlkSmbPort then
begin
pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_SMB_PORT);
if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, true) then
begin
if pCheckEnt <> nil then
RemoveFwRule(fwRules, pCheckEnt.sName);
AddFwRule(fwRules, Get_POLICY_SMB_PORT(PrevVpnCfg.sSmbExpIps));
end;
end;
if PrevVpnCfg.nBlkExtPortType <> PREF_PORTEX_FALSE then
begin
pCheckEnt := FwRuleList.GetFwRuleByName(FW_NAME_POLICY_EXTRABLOCK_PORT);
if (pCheckEnt = nil) or not CheckRuleState(pCheckEnt, true) then
begin
if pCheckEnt <> nil then
RemoveFwRule(fwRules, pCheckEnt.sName);
AddFwRule(fwRules, Get_POLICY_EXTRABLOCK_PORT);
end;
end;
if (PrevVpnCfg.sNetCtrlType <> '') and
(PrevVpnCfg.sNetCtrlType <> 'false') and
(PrevVpnCfg.sNetCtrlList <> '') then
begin
CtrlType := nctFalse;
if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETAPP_WHITELIST then
CtrlType := nctAppWhite
else if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETAPP_BLACKLIST then
CtrlType := nctAppBlack
else
if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETIP_WHITELIST then
CtrlType := nctIpWhite
else
if NewVpnCfg.sNetCtrlType.ToUpper = PREF_NETIP_BLACKLIST then
CtrlType := nctIpBlack;
if PrevVpnCfg.bBlkExcept then
ProcessNetCtrl(NewVpnCfg.sNetCtrlList, NewVpnCfg.sNetBlkExcept)
else
ProcessNetCtrl(NewVpnCfg.sNetCtrlList, '');
end;
except
on E: Exception do
ETgException.TraceException(Self, E, 'Fail .. Execute()');
end;
Sleep(dwSleepMSec);
end;
finally
fwRules := nil;
fwPolicy2 := nil;
CoUninitialize;
end;
end;
end.
Reference in New Issue View Git Blame Copy Permalink