Merge pull request #189 from safing/feature/improve-firewall-blocking

Improve firewall blocking

firewall/interception.go

@@ -2,6 +2,7 @@ package firewall
 
 import (
 	"context"
+	"net"
 	"os"
 	"sync/atomic"
 	"time"
@@ -29,6 +30,9 @@ var (
 	packetsBlocked  = new(uint64)
 	packetsDropped  = new(uint64)
 	packetsFailed   = new(uint64)
+
+	blockedIPv4 = net.IPv4(0, 0, 0, 17)
+	blockedIPv6 = net.ParseIP("::17")
 )
 
 func init() {
@@ -84,6 +88,11 @@ func handlePacket(ctx context.Context, pkt packet.Packet) {
 func fastTrackedPermit(pkt packet.Packet) (handled bool) {
 	meta := pkt.Info()
 
+	// Check for blocked IP
+	if meta.Dst.Equal(blockedIPv4) || meta.Dst.Equal(blockedIPv6) {
+		_ = pkt.PermanentBlock()
+	}
+
 	switch meta.Protocol {
 	case packet.ICMP:
 		// Always permit ICMP.

firewall/master.go

@@ -44,9 +44,9 @@ var deciders = []deciderFn{
 	checkPortmasterConnection,
 	checkSelfCommunication,
 	checkConnectionType,
-	checkConnectivityDomain,
 	checkConnectionScope,
 	checkEndpointLists,
+	checkConnectivityDomain,
 	checkBypassPrevention,
 	checkFilterLists,
 	dropInbound,