Improve config wording
This commit is contained in:
Daniel
@@ -69,10 +69,6 @@ var (
|
||||
cfgOptionDisableAutoPermit config.IntOption // security level option
|
||||
cfgOptionDisableAutoPermitOrder = 80
|
||||
|
||||
CfgOptionEnforceSPNKey = "filter/enforceSPN"
|
||||
cfgOptionEnforceSPN config.IntOption // security level option
|
||||
cfgOptionEnforceSPNOrder = 96
|
||||
|
||||
CfgOptionRemoveOutOfScopeDNSKey = "filter/removeOutOfScopeDNS"
|
||||
cfgOptionRemoveOutOfScopeDNS config.IntOption // security level option
|
||||
cfgOptionRemoveOutOfScopeDNSOrder = 112
|
||||
@@ -86,6 +82,10 @@ var (
|
||||
cfgOptionDomainHeuristicsOrder = 114
|
||||
|
||||
// Permanent Verdicts Order = 128
|
||||
|
||||
CfgOptionUseSPNKey = "spn/useSPN"
|
||||
cfgOptionUseSPN config.BoolOption
|
||||
cfgOptionUseSPNOrder = 128
|
||||
)
|
||||
|
||||
func registerConfiguration() error {
|
||||
@@ -94,11 +94,11 @@ func registerConfiguration() error {
|
||||
// ask - ask mode: if not verdict is found, the user is consulted
|
||||
// block - allowlist mode: everything is blocked unless permitted
|
||||
err := config.Register(&config.Option{
|
||||
Name: "Default Filter Action",
|
||||
Key: CfgOptionDefaultActionKey,
|
||||
Description: `The default filter action when nothing else permits or blocks a connection.`,
|
||||
Name: "Default Action",
|
||||
Key: CfgOptionDefaultActionKey,
|
||||
// TODO: Discuss "when nothing else"
|
||||
Description: `The default action when nothing else permits or blocks an outgoing connection. Inbound connections are always blocked by default.`,
|
||||
OptType: config.OptTypeString,
|
||||
ReleaseLevel: config.ReleaseLevelExperimental,
|
||||
DefaultValue: "permit",
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayHintAnnotation: config.DisplayHintOneOf,
|
||||
@@ -131,10 +131,12 @@ func registerConfiguration() error {
|
||||
|
||||
// Disable Auto Permit
|
||||
err = config.Register(&config.Option{
|
||||
// TODO: Discuss
|
||||
Name: "Disable Auto Permit",
|
||||
Key: CfgOptionDisableAutoPermitKey,
|
||||
Description: "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.",
|
||||
Description: `Auto Permit searches for a relation between an app and the destination of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where "higher settings" provide more protection.`,
|
||||
OptType: config.OptTypeInt,
|
||||
ReleaseLevel: config.ReleaseLevelBeta,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionDisableAutoPermitOrder,
|
||||
@@ -200,7 +202,7 @@ Examples:
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Incoming Rules",
|
||||
Key: CfgOptionServiceEndpointsKey,
|
||||
Description: "Rules that apply to incoming network connections. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.",
|
||||
Description: "Rules that apply to incoming network connections. Network Scope restrictions and the incoming permission still apply. Also note that the default action for incoming connections is to always block.",
|
||||
Help: filterListHelp,
|
||||
OptType: config.OptTypeStringArray,
|
||||
DefaultValue: []string{"+ Localhost"},
|
||||
@@ -236,9 +238,9 @@ Examples:
|
||||
|
||||
// Filter list IDs
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Filter List",
|
||||
Name: "Filter Lists",
|
||||
Key: CfgOptionFilterListsKey,
|
||||
Description: "Filter connections by matching the endpoint against configured filterlists",
|
||||
Description: "Block connections that match enabled filter lists.",
|
||||
OptType: config.OptTypeStringArray,
|
||||
DefaultValue: []string{"TRAC", "MAL"},
|
||||
Annotations: config.Annotations{
|
||||
@@ -256,9 +258,9 @@ Examples:
|
||||
|
||||
// Include CNAMEs
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Filter CNAMEs",
|
||||
Name: "Check Domain Aliases",
|
||||
Key: CfgOptionFilterCNAMEKey,
|
||||
Description: "Also filter requests where a CNAME would be blocked",
|
||||
Description: "In addition to checking a domain against rules and filter lists, also check it's resolved CNAMEs.",
|
||||
OptType: config.OptTypeInt,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
@@ -277,9 +279,9 @@ Examples:
|
||||
|
||||
// Include subdomains
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Filter Subdomains",
|
||||
Name: "Check Subdomains",
|
||||
Key: CfgOptionFilterSubDomainsKey,
|
||||
Description: "Also filter a domain if any parent domain is blocked by a filter list",
|
||||
Description: "Also block a domain if any parent domain is blocked by a filter list",
|
||||
OptType: config.OptTypeInt,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
@@ -297,9 +299,9 @@ Examples:
|
||||
|
||||
// Block Scope Local
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Scope Local",
|
||||
Name: "Block Device-Local Connections",
|
||||
Key: CfgOptionBlockScopeLocalKey,
|
||||
Description: "Block internal connections on your own device, ie. localhost.",
|
||||
Description: "Block all internal connections on your own device, ie. localhost.",
|
||||
OptType: config.OptTypeInt,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
DefaultValue: status.SecurityLevelOff,
|
||||
@@ -318,9 +320,9 @@ Examples:
|
||||
|
||||
// Block Scope LAN
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Scope LAN",
|
||||
Name: "Block LAN",
|
||||
Key: CfgOptionBlockScopeLANKey,
|
||||
Description: "Block connections to the Local Area Network.",
|
||||
Description: "Block all connections from and to the Local Area Network.",
|
||||
OptType: config.OptTypeInt,
|
||||
DefaultValue: status.SecurityLevelsHighAndExtreme,
|
||||
PossibleValues: status.AllSecurityLevelValues,
|
||||
@@ -338,9 +340,9 @@ Examples:
|
||||
|
||||
// Block Scope Internet
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Scope Internet",
|
||||
Name: "Block Internet",
|
||||
Key: CfgOptionBlockScopeInternetKey,
|
||||
Description: "Block connections to the Internet.",
|
||||
Description: "Block connections from and to the Internet.",
|
||||
OptType: config.OptTypeInt,
|
||||
DefaultValue: status.SecurityLevelOff,
|
||||
PossibleValues: status.AllSecurityLevelValues,
|
||||
@@ -358,9 +360,9 @@ Examples:
|
||||
|
||||
// Block Peer to Peer Connections
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Peer to Peer Connections",
|
||||
Name: "Block P2P/Direct Connections",
|
||||
Key: CfgOptionBlockP2PKey,
|
||||
Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.",
|
||||
Description: "These are connections that are established directly to an IP address or peer on the Internet without resolving a domain name via DNS first.",
|
||||
OptType: config.OptTypeInt,
|
||||
DefaultValue: status.SecurityLevelExtreme,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
@@ -378,7 +380,7 @@ Examples:
|
||||
|
||||
// Block Inbound Connections
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Block Inbound Connections",
|
||||
Name: "Block Incoming Connections",
|
||||
Key: CfgOptionBlockInboundKey,
|
||||
Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.",
|
||||
OptType: config.OptTypeInt,
|
||||
@@ -396,35 +398,13 @@ Examples:
|
||||
cfgOptionBlockInbound = config.Concurrent.GetAsInt(CfgOptionBlockInboundKey, int64(status.SecurityLevelsHighAndExtreme))
|
||||
cfgIntOptions[CfgOptionBlockInboundKey] = cfgOptionBlockInbound
|
||||
|
||||
// Enforce SPN
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Enforce SPN",
|
||||
Key: CfgOptionEnforceSPNKey,
|
||||
Description: "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.",
|
||||
OptType: config.OptTypeInt,
|
||||
ReleaseLevel: config.ReleaseLevelExperimental,
|
||||
DefaultValue: status.SecurityLevelOff,
|
||||
PossibleValues: status.AllSecurityLevelValues,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
|
||||
config.DisplayOrderAnnotation: cfgOptionEnforceSPNOrder,
|
||||
config.CategoryAnnotation: "Advanced",
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfgOptionEnforceSPN = config.Concurrent.GetAsInt(CfgOptionEnforceSPNKey, int64(status.SecurityLevelOff))
|
||||
cfgIntOptions[CfgOptionEnforceSPNKey] = cfgOptionEnforceSPN
|
||||
|
||||
// Filter Out-of-Scope DNS Records
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Filter Out-of-Scope DNS Records",
|
||||
Name: "Enforce global/private split-view",
|
||||
Key: CfgOptionRemoveOutOfScopeDNSKey,
|
||||
Description: "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
|
||||
Description: "Remove private IP addresses from public DNS responses.",
|
||||
OptType: config.OptTypeInt,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelBeta,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
Annotations: config.Annotations{
|
||||
@@ -441,12 +421,11 @@ Examples:
|
||||
|
||||
// Filter DNS Records that would be blocked
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Filter DNS Records that would be blocked",
|
||||
Name: "Remove blocked records",
|
||||
Key: CfgOptionRemoveBlockedDNSKey,
|
||||
Description: "Pre-filter DNS answers that an application would not be allowed to connect to.",
|
||||
Description: "Remove blocked IP addresses from DNS responses.",
|
||||
OptType: config.OptTypeInt,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
ReleaseLevel: config.ReleaseLevelBeta,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
PossibleValues: status.SecurityLevelValues,
|
||||
Annotations: config.Annotations{
|
||||
@@ -463,9 +442,9 @@ Examples:
|
||||
|
||||
// Domain heuristics
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Enable Domain Heuristics",
|
||||
Name: "Domain Heuristics",
|
||||
Key: CfgOptionDomainHeuristicsKey,
|
||||
Description: "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.",
|
||||
Description: "Domain Heuristics checks for suspicious domain names and blocks them. This option currently targets domain names generated by malware and DNS data exfiltration channels.",
|
||||
OptType: config.OptTypeInt,
|
||||
ExpertiseLevel: config.ExpertiseLevelExpert,
|
||||
DefaultValue: status.SecurityLevelsAll,
|
||||
@@ -483,9 +462,10 @@ Examples:
|
||||
|
||||
// Bypass prevention
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Prevent Bypassing",
|
||||
Key: CfgOptionPreventBypassingKey,
|
||||
Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs",
|
||||
Name: "Prevent Bypassing",
|
||||
Key: CfgOptionPreventBypassingKey,
|
||||
Description: `Prevent apps from bypassing the privacy filter:
|
||||
- Disable Firefox' internal DNS-over-HTTPs resolver`,
|
||||
OptType: config.OptTypeInt,
|
||||
ExpertiseLevel: config.ExpertiseLevelUser,
|
||||
ReleaseLevel: config.ReleaseLevelBeta,
|
||||
@@ -503,5 +483,24 @@ Examples:
|
||||
cfgOptionPreventBypassing = config.Concurrent.GetAsInt((CfgOptionPreventBypassingKey), int64(status.SecurityLevelsAll))
|
||||
cfgIntOptions[CfgOptionPreventBypassingKey] = cfgOptionPreventBypassing
|
||||
|
||||
// Use SPN
|
||||
err = config.Register(&config.Option{
|
||||
Name: "Use SPN",
|
||||
Key: CfgOptionUseSPNKey,
|
||||
Description: "Route connection through the Safing Privacy Network. If it is unavailable for any reason, connections will be blocked.",
|
||||
OptType: config.OptTypeBool,
|
||||
ReleaseLevel: config.ReleaseLevelExperimental,
|
||||
DefaultValue: true,
|
||||
Annotations: config.Annotations{
|
||||
config.DisplayOrderAnnotation: cfgOptionUseSPNOrder,
|
||||
config.CategoryAnnotation: "General",
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfgOptionUseSPN = config.Concurrent.GetAsBool(CfgOptionUseSPNKey, true)
|
||||
cfgBoolOptions[CfgOptionUseSPNKey] = cfgOptionUseSPN
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user