Reevaluate and update firewall core logic

2019-02-22 16:18:58 +01:00
parent d28ed664aa
commit f7a07cbb2f
39 changed files with 1469 additions and 915 deletions
--- a/firewall/config.go
+++ b/firewall/config.go
@@ -2,10 +2,13 @@ package firewall

 import (
 	"github.com/Safing/portbase/config"
+	"github.com/Safing/portmaster/status"
 )

 var (
-	permanentVerdicts config.BoolOption
+	permanentVerdicts  config.BoolOption
+	filterDNSByScope   status.SecurityLevelOption
+	filterDNSByProfile status.SecurityLevelOption
 )

 func registerConfig() error {
@@ -22,5 +25,35 @@ func registerConfig() error {
 	}
 	permanentVerdicts = config.Concurrent.GetAsBool("firewall/permanentVerdicts", true)

+	err = config.Register(&config.Option{
+		Name:            "Filter DNS Responses by Server Scope",
+		Key:             "firewall/filterDNSByScope",
+		Description:     "This option will filter out DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
+		ExpertiseLevel:  config.ExpertiseLevelExpert,
+		OptType:         config.OptTypeInt,
+		ExternalOptType: "security level",
+		DefaultValue:    7,
+		ValidationRegex: "^(7|6|4)$",
+	})
+	if err != nil {
+		return err
+	}
+	filterDNSByScope = status.ConfigIsActiveConcurrent("firewall/filterDNSByScope")
+
+	err = config.Register(&config.Option{
+		Name:            "Filter DNS Responses by Application Profile",
+		Key:             "firewall/filterDNSByProfile",
+		Description:     "This option will filter out DNS answers that an application would not be allowed to connect, based on its profile.",
+		ExpertiseLevel:  config.ExpertiseLevelExpert,
+		OptType:         config.OptTypeInt,
+		ExternalOptType: "security level",
+		DefaultValue:    7,
+		ValidationRegex: "^(7|6|4)$",
+	})
+	if err != nil {
+		return err
+	}
+	filterDNSByProfile = status.ConfigIsActiveConcurrent("firewall/filterDNSByProfile")
+
 	return nil
 }
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -13,6 +13,10 @@ import (
 	"github.com/Safing/portmaster/firewall/interception"
 	"github.com/Safing/portmaster/network"
 	"github.com/Safing/portmaster/network/packet"
+
+	// module dependencies
+	_ "github.com/Safing/portmaster/core"
+	_ "github.com/Safing/portmaster/profile"
 )

 var (
@@ -37,7 +41,7 @@ var (
 )

 func init() {
-	modules.Register("firewall", prep, start, stop, "global", "network", "nameserver", "profile")
+	modules.Register("firewall", prep, start, stop, "core", "network", "nameserver", "profile")
 }

 func prep() (err error) {
@@ -111,7 +115,7 @@ func handlePacket(pkt packet.Packet) {
 		return
 	}

-	// log.Debugf("firewall: pkt %s has ID %s", pkt, pkt.GetConnectionID())
+	// log.Debugf("firewall: pkt %s has ID %s", pkt, pkt.GetLinkID())

 	// use this to time how long it takes process packet
 	// timed := time.Now()
@@ -146,43 +150,51 @@ func handlePacket(pkt packet.Packet) {

 func initialHandler(pkt packet.Packet, link *network.Link) {

-	// get Connection
-	connection, err := network.GetConnectionByFirstPacket(pkt)
+	// get Communication
+	comm, err := network.GetCommunicationByFirstPacket(pkt)
 	if err != nil {
-		// get "unknown" connection
+		// get "unknown" comm
 		link.Deny(fmt.Sprintf("could not get process: %s", err))
-		connection, err = network.GetUnknownConnection(pkt)
+		comm, err = network.GetUnknownCommunication(pkt)

 		if err != nil {
 			// all failed
-			log.Errorf("firewall: could not get unknown connection (dropping %s): %s", pkt.String(), err)
-			link.UpdateVerdict(network.DROP)
-			verdict(pkt, network.DROP)
+			log.Errorf("firewall: could not get unknown comm (dropping %s): %s", pkt.String(), err)
+			link.UpdateVerdict(network.VerdictDrop)
+			verdict(pkt, network.VerdictDrop)
 			link.StopFirewallHandler()
 			return
 		}

 	}

-	// add new Link to Connection (and save both)
-	connection.AddLink(link)
+	// add new Link to Communication (and save both)
+	comm.AddLink(link)

 	// reroute dns requests to nameserver
-	if connection.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.GetTCPUDPHeader() != nil && !pkt.GetIPHeader().Dst.Equal(localhost) && pkt.GetTCPUDPHeader().DstPort == 53 {
+	if comm.Process().Pid != os.Getpid() && pkt.IsOutbound() && pkt.GetTCPUDPHeader() != nil && !pkt.GetIPHeader().Dst.Equal(localhost) && pkt.GetTCPUDPHeader().DstPort == 53 {
 		link.RerouteToNameserver()
 		verdict(pkt, link.GetVerdict())
 		link.StopFirewallHandler()
 		return
 	}

-	// make a decision if not made already
-	if connection.GetVerdict() == network.UNDECIDED {
-		DecideOnConnection(connection, pkt)
+	// check if communication needs reevaluation
+	if comm.NeedsReevaluation() {
+		comm.ResetVerdict()
 	}
-	if connection.GetVerdict() == network.ACCEPT {
-		DecideOnLink(connection, link, pkt)
-	} else {
-		link.UpdateVerdict(connection.GetVerdict())
+
+	// make a decision if not made already
+	switch comm.GetVerdict() {
+	case network.VerdictUndecided, network.VerdictUndeterminable:
+		DecideOnCommunication(comm, pkt)
+	}
+
+	switch comm.GetVerdict() {
+	case network.VerdictUndecided, network.VerdictUndeterminable, network.VerdictAccept:
+		DecideOnLink(comm, link, pkt)
+	default:
+		link.UpdateVerdict(comm.GetVerdict())
 	}

 	// log decision
@@ -201,7 +213,7 @@ func initialHandler(pkt packet.Packet, link *network.Link) {
 	// 	// tunnel link, don't inspect
 	// 	link.Tunneled = true
 	// 	link.StopFirewallHandler()
-	// 	permanentVerdict(pkt, network.ACCEPT)
+	// 	permanentVerdict(pkt, network.VerdictAccept)
 	case link.Inspect:
 		link.SetFirewallHandler(inspectThenVerdict)
 		inspectThenVerdict(pkt, link)
@@ -241,22 +253,22 @@ func inspectThenVerdict(pkt packet.Packet, link *network.Link) {

 func permanentVerdict(pkt packet.Packet, action network.Verdict) {
 	switch action {
-	case network.ACCEPT:
+	case network.VerdictAccept:
 		atomic.AddUint64(packetsAccepted, 1)
 		pkt.PermanentAccept()
 		return
-	case network.BLOCK:
+	case network.VerdictBlock:
 		atomic.AddUint64(packetsBlocked, 1)
 		pkt.PermanentBlock()
 		return
-	case network.DROP:
+	case network.VerdictDrop:
 		atomic.AddUint64(packetsDropped, 1)
 		pkt.PermanentDrop()
 		return
-	case network.RerouteToNameserver:
+	case network.VerdictRerouteToNameserver:
 		pkt.RerouteToNameserver()
 		return
-	case network.RerouteToTunnel:
+	case network.VerdictRerouteToTunnel:
 		pkt.RerouteToTunnel()
 		return
 	}
@@ -265,22 +277,22 @@ func permanentVerdict(pkt packet.Packet, action network.Verdict) {

 func verdict(pkt packet.Packet, action network.Verdict) {
 	switch action {
-	case network.ACCEPT:
+	case network.VerdictAccept:
 		atomic.AddUint64(packetsAccepted, 1)
 		pkt.Accept()
 		return
-	case network.BLOCK:
+	case network.VerdictBlock:
 		atomic.AddUint64(packetsBlocked, 1)
 		pkt.Block()
 		return
-	case network.DROP:
+	case network.VerdictDrop:
 		atomic.AddUint64(packetsDropped, 1)
 		pkt.Drop()
 		return
-	case network.RerouteToNameserver:
+	case network.VerdictRerouteToNameserver:
 		pkt.RerouteToNameserver()
 		return
-	case network.RerouteToTunnel:
+	case network.VerdictRerouteToTunnel:
 		pkt.RerouteToTunnel()
 		return
 	}
@@ -302,26 +314,26 @@ func verdict(pkt packet.Packet, action network.Verdict) {

 func logInitialVerdict(link *network.Link) {
 	// switch link.GetVerdict() {
-	// case network.ACCEPT:
+	// case network.VerdictAccept:
 	// 	log.Infof("firewall: accepting new link: %s", link.String())
-	// case network.BLOCK:
+	// case network.VerdictBlock:
 	// 	log.Infof("firewall: blocking new link: %s", link.String())
-	// case network.DROP:
+	// case network.VerdictDrop:
 	// 	log.Infof("firewall: dropping new link: %s", link.String())
-	// case network.RerouteToNameserver:
+	// case network.VerdictRerouteToNameserver:
 	// 	log.Infof("firewall: rerouting new link to nameserver: %s", link.String())
-	// case network.RerouteToTunnel:
+	// case network.VerdictRerouteToTunnel:
 	// 	log.Infof("firewall: rerouting new link to tunnel: %s", link.String())
 	// }
 }

 func logChangedVerdict(link *network.Link) {
 	// switch link.GetVerdict() {
-	// case network.ACCEPT:
+	// case network.VerdictAccept:
 	// 	log.Infof("firewall: change! - now accepting link: %s", link.String())
-	// case network.BLOCK:
+	// case network.VerdictBlock:
 	// 	log.Infof("firewall: change! - now blocking link: %s", link.String())
-	// case network.DROP:
+	// case network.VerdictDrop:
 	// 	log.Infof("firewall: change! - now dropping link: %s", link.String())
 	// }
 }
--- a/firewall/inspection/inspection.go
+++ b/firewall/inspection/inspection.go
@@ -54,7 +54,7 @@ func RunInspectors(pkt packet.Packet, link *network.Link) (network.Verdict, bool
 	}

 	continueInspection := false
-	verdict := network.UNDECIDED
+	verdict := network.VerdictUndecided

 	for key, skip := range activeInspectors {

@@ -69,28 +69,28 @@ func RunInspectors(pkt packet.Packet, link *network.Link) (network.Verdict, bool
 		action := inspectors[key](pkt, link)
 		switch action {
 		case DO_NOTHING:
-			if verdict < network.ACCEPT {
-				verdict = network.ACCEPT
+			if verdict < network.VerdictAccept {
+				verdict = network.VerdictAccept
 			}
 			continueInspection = true
 		case BLOCK_PACKET:
-			if verdict < network.BLOCK {
-				verdict = network.BLOCK
+			if verdict < network.VerdictBlock {
+				verdict = network.VerdictBlock
 			}
 			continueInspection = true
 		case DROP_PACKET:
-			verdict = network.DROP
+			verdict = network.VerdictDrop
 			continueInspection = true
 		case BLOCK_LINK:
-			link.UpdateVerdict(network.BLOCK)
+			link.UpdateVerdict(network.VerdictBlock)
 			activeInspectors[key] = true
-			if verdict < network.BLOCK {
-				verdict = network.BLOCK
+			if verdict < network.VerdictBlock {
+				verdict = network.VerdictBlock
 			}
 		case DROP_LINK:
-			link.UpdateVerdict(network.DROP)
+			link.UpdateVerdict(network.VerdictDrop)
 			activeInspectors[key] = true
-			verdict = network.DROP
+			verdict = network.VerdictDrop
 		case STOP_INSPECTING:
 			activeInspectors[key] = true
 		}
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -2,85 +2,89 @@ package firewall

 import (
 	"fmt"
+	"net"
 	"os"
 	"strings"

 	"github.com/Safing/portbase/log"
 	"github.com/Safing/portmaster/intel"
 	"github.com/Safing/portmaster/network"
+	"github.com/Safing/portmaster/network/netutils"
 	"github.com/Safing/portmaster/network/packet"
 	"github.com/Safing/portmaster/profile"
 	"github.com/Safing/portmaster/status"
+	"github.com/miekg/dns"

 	"github.com/agext/levenshtein"
 )

 // Call order:
 //
-// 1. DecideOnConnectionBeforeIntel (if connecting to domain)
+// 1. DecideOnCommunicationBeforeIntel (if connecting to domain)
 //    is called when a DNS query is made, before the query is resolved
-// 2. DecideOnConnectionAfterIntel (if connecting to domain)
+// 2. DecideOnCommunicationAfterIntel (if connecting to domain)
 //    is called when a DNS query is made, after the query is resolved
-// 3. DecideOnConnection
-//    is called when the first packet of the first link of the connection arrives
+// 3. DecideOnCommunication
+//    is called when the first packet of the first link of the communication arrives
 // 4. DecideOnLink
-//		is called when when the first packet of a link arrives only if connection has verdict UNDECIDED or CANTSAY
+//		is called when when the first packet of a link arrives only if communication has verdict UNDECIDED or CANTSAY

-// DecideOnConnectionBeforeIntel makes a decision about a connection before the dns query is resolved and intel is gathered.
-func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string) {
-	// check:
-	// Profile.DomainWhitelist
-	// Profile.Flags
-	// - process specific: System, Admin, User
-	// - network specific: Internet, LocalNet
+// DecideOnCommunicationBeforeIntel makes a decision about a communication before the dns query is resolved and intel is gathered.
+func DecideOnCommunicationBeforeIntel(comm *network.Communication, fqdn string) {

 	// grant self
-	if connection.Process().Pid == os.Getpid() {
-		log.Infof("firewall: granting own connection %s", connection)
-		connection.Accept("")
+	if comm.Process().Pid == os.Getpid() {
+		log.Infof("firewall: granting own communication %s", comm)
+		comm.Accept("")
 		return
 	}

-	// check if there is a profile
-	profileSet := connection.Process().ProfileSet()
+	// get and check profile set
+	profileSet := comm.Process().ProfileSet()
 	if profileSet == nil {
-		log.Errorf("firewall: denying connection %s, no Profile Set", connection)
-		connection.Deny("no Profile Set")
+		log.Errorf("firewall: denying communication %s, no Profile Set", comm)
+		comm.Deny("no Profile Set")
 		return
 	}
 	profileSet.Update(status.ActiveSecurityLevel())

 	// check for any network access
 	if !profileSet.CheckFlag(profile.Internet) && !profileSet.CheckFlag(profile.LAN) {
-		log.Infof("firewall: denying connection %s, accessing Internet or LAN not allowed", connection)
-		connection.Deny("accessing Internet or LAN not allowed")
+		log.Infof("firewall: denying communication %s, accessing Internet or LAN not permitted", comm)
+		comm.Deny("accessing Internet or LAN not permitted")
 		return
 	}

-	// check domain list
-	permitted, reason, ok := profileSet.CheckEndpoint(fqdn, 0, 0, false)
-	if ok {
-		if permitted {
-			log.Infof("firewall: accepting connection %s, endpoint is whitelisted: %s", connection, reason)
-			connection.Accept(fmt.Sprintf("endpoint is whitelisted: %s", reason))
-		} else {
-			log.Infof("firewall: denying connection %s, endpoint is blacklisted: %s", connection, reason)
-			connection.Deny(fmt.Sprintf("endpoint is blacklisted: %s", reason))
-		}
+	// check endpoint list
+	result, reason := profileSet.CheckEndpointDomain(fqdn)
+	switch result {
+	case profile.NoMatch:
+		comm.UpdateVerdict(network.VerdictUndecided)
+	case profile.Undeterminable:
+		comm.UpdateVerdict(network.VerdictUndeterminable)
+		return
+	case profile.Denied:
+		log.Infof("firewall: denying communication %s, endpoint is blacklisted: %s", comm, reason)
+		comm.Deny(fmt.Sprintf("endpoint is blacklisted: %s", reason))
+		return
+	case profile.Permitted:
+		log.Infof("firewall: permitting communication %s, endpoint is whitelisted: %s", comm, reason)
+		comm.Accept(fmt.Sprintf("endpoint is whitelisted: %s", reason))
 		return
 	}

 	switch profileSet.GetProfileMode() {
 	case profile.Whitelist:
-		log.Infof("firewall: denying connection %s, domain is not whitelisted", connection)
-		connection.Deny("domain is not whitelisted")
+		log.Infof("firewall: denying communication %s, domain is not whitelisted", comm)
+		comm.Deny("domain is not whitelisted")
+		return
 	case profile.Prompt:

 		// check Related flag
 		// TODO: improve this!
 		if profileSet.CheckFlag(profile.Related) {
 			matched := false
-			pathElements := strings.Split(connection.Process().Path, "/") // FIXME: path seperator
+			pathElements := strings.Split(comm.Process().Path, "/") // FIXME: path seperator
 			// only look at the last two path segments
 			if len(pathElements) > 2 {
 				pathElements = pathElements[len(pathElements)-2:]
@@ -104,167 +108,285 @@ func DecideOnConnectionBeforeIntel(connection *network.Connection, fqdn string)
 					processElement = profileSet.UserProfile().Name
 					break matchLoop
 				}
-				if levenshtein.Match(domainElement, connection.Process().Name, nil) > 0.5 {
+				if levenshtein.Match(domainElement, comm.Process().Name, nil) > 0.5 {
 					matched = true
-					processElement = connection.Process().Name
+					processElement = comm.Process().Name
 					break matchLoop
 				}
-				if levenshtein.Match(domainElement, connection.Process().ExecName, nil) > 0.5 {
+				if levenshtein.Match(domainElement, comm.Process().ExecName, nil) > 0.5 {
 					matched = true
-					processElement = connection.Process().ExecName
+					processElement = comm.Process().ExecName
 					break matchLoop
 				}
 			}

 			if matched {
-				log.Infof("firewall: accepting connection %s, match to domain was found: %s ~== %s", connection, domainElement, processElement)
-				connection.Accept("domain is related to process")
+				log.Infof("firewall: permitting communication %s, match to domain was found: %s ~== %s", comm, domainElement, processElement)
+				comm.Accept("domain is related to process")
 			}
 		}

-		if connection.GetVerdict() != network.ACCEPT {
+		if comm.GetVerdict() != network.VerdictAccept {
 			// TODO
-			log.Infof("firewall: accepting connection %s, domain permitted (prompting is not yet implemented)", connection)
-			connection.Accept("domain permitted (prompting is not yet implemented)")
+			log.Infof("firewall: permitting communication %s, domain permitted (prompting is not yet implemented)", comm)
+			comm.Accept("domain permitted (prompting is not yet implemented)")
 		}
-
+		return
 	case profile.Blacklist:
-		log.Infof("firewall: accepting connection %s, domain is not blacklisted", connection)
-		connection.Accept("domain is not blacklisted")
+		log.Infof("firewall: permitting communication %s, domain is not blacklisted", comm)
+		comm.Accept("domain is not blacklisted")
+		return
 	}

+	log.Infof("firewall: denying communication %s, no profile mode set", comm)
+	comm.Deny("no profile mode set")
 }

-// DecideOnConnectionAfterIntel makes a decision about a connection after the dns query is resolved and intel is gathered.
-func DecideOnConnectionAfterIntel(connection *network.Connection, fqdn string, rrCache *intel.RRCache) *intel.RRCache {
+// DecideOnCommunicationAfterIntel makes a decision about a communication after the dns query is resolved and intel is gathered.
+func DecideOnCommunicationAfterIntel(comm *network.Communication, fqdn string, rrCache *intel.RRCache) {

-	// grant self
-	if connection.Process().Pid == os.Getpid() {
-		log.Infof("firewall: granting own connection %s", connection)
-		connection.Accept("")
+	// SUSPENDED until Stamp integration is finished
+
+	// grant self - should not get here
+	// if comm.Process().Pid == os.Getpid() {
+	// 	log.Infof("firewall: granting own communication %s", comm)
+	// 	comm.Accept("")
+	// 	return
+	// }
+
+	// check if there is a profile
+	// profileSet := comm.Process().ProfileSet()
+	// if profileSet == nil {
+	// 	log.Errorf("firewall: denying communication %s, no Profile Set", comm)
+	// 	comm.Deny("no Profile Set")
+	// 	return
+	// }
+	// profileSet.Update(status.ActiveSecurityLevel())
+
+	// TODO: Stamp integration
+
+	return
+}
+
+// FilterDNSResponse filters a dns response according to the application profile and settings.
+func FilterDNSResponse(comm *network.Communication, fqdn string, rrCache *intel.RRCache) *intel.RRCache {
+	// do not modify own queries - this should not happen anyway
+	if comm.Process().Pid == os.Getpid() {
 		return rrCache
 	}

 	// check if there is a profile
-	profileSet := connection.Process().ProfileSet()
+	profileSet := comm.Process().ProfileSet()
 	if profileSet == nil {
-		log.Errorf("firewall: denying connection %s, no Profile Set", connection)
-		connection.Deny("no Profile Set")
-		return rrCache
+		log.Infof("firewall: blocking dns query of communication %s, no Profile Set", comm)
+		return nil
 	}
 	profileSet.Update(status.ActiveSecurityLevel())

-	// TODO: Stamp integration
+	// save config for consistency during function call
+	secLevel := profileSet.SecurityLevel()
+	filterByScope := filterDNSByScope(secLevel)
+	filterByProfile := filterDNSByProfile(secLevel)
+
+	// check if DNS response filtering is completely turned off
+	if !filterByScope && !filterByProfile {
+		return rrCache
+	}
+
+	// duplicate entry
+	rrCache = rrCache.ShallowCopy()
+	rrCache.FilteredEntries = make([]string, 0)
+
+	// change information
+	var addressesRemoved int
+	var addressesOk int
+
+	// loop vars
+	var classification int8
+	var ip net.IP
+	var result profile.EPResult
+
+	// filter function
+	filterEntries := func(entries []dns.RR) (goodEntries []dns.RR) {
+		goodEntries = make([]dns.RR, 0, len(entries))
+
+		for _, rr := range entries {
+
+			// get IP and classification
+			switch v := rr.(type) {
+			case *dns.A:
+				ip = v.A
+			case *dns.AAAA:
+				ip = v.AAAA
+			default:
+				// add non A/AAAA entries
+				goodEntries = append(goodEntries, rr)
+				continue
+			}
+			classification = netutils.ClassifyIP(ip)
+
+			if filterByScope {
+				switch {
+				case classification == netutils.HostLocal:
+					// No DNS should return localhost addresses
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				case rrCache.ServerScope == netutils.Global && (classification == netutils.SiteLocal || classification == netutils.LinkLocal):
+					// No global DNS should return LAN addresses
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				}
+			}
+
+			if filterByProfile {
+				// filter by flags
+				switch {
+				case !profileSet.CheckFlag(profile.Internet) && classification == netutils.Global:
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				case !profileSet.CheckFlag(profile.LAN) && (classification == netutils.SiteLocal || classification == netutils.LinkLocal):
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				case !profileSet.CheckFlag(profile.Localhost) && classification == netutils.HostLocal:
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				}
+
+				// filter by endpoints
+				result, _ = profileSet.CheckEndpointIP("", ip, 0, 0, false)
+				if result == profile.Denied {
+					addressesRemoved++
+					rrCache.FilteredEntries = append(rrCache.FilteredEntries, rr.String())
+					continue
+				}
+			}
+
+			// if survived, add to good entries
+			addressesOk++
+			goodEntries = append(goodEntries, rr)
+		}
+		return
+	}
+
+	rrCache.Answer = filterEntries(rrCache.Answer)
+	rrCache.Extra = filterEntries(rrCache.Extra)
+
+	if addressesRemoved > 0 {
+		rrCache.Filtered = true
+		if addressesOk == 0 {
+			comm.Deny("no addresses returned for this domain are permitted")
+			log.Infof("firewall: fully dns responses for communication %s", comm)
+			return nil
+		}
+	}
+
+	if rrCache.Filtered {
+		log.Infof("firewall: filtered DNS replies for %s: %s", comm, strings.Join(rrCache.FilteredEntries, ", "))
+	}

 	// TODO: Gate17 integration
 	// tunnelInfo, err := AssignTunnelIP(fqdn)

-	rrCache.Duplicate().FilterEntries(profileSet.CheckFlag(profile.Internet), profileSet.CheckFlag(profile.LAN), false)
-	if len(rrCache.Answer) == 0 {
-		if profileSet.CheckFlag(profile.Internet) {
-			connection.Deny("server is located in the LAN, but LAN access is not permitted")
-		} else {
-			connection.Deny("server is located in the Internet, but Internet access is not permitted")
-		}
-	}
-
 	return rrCache
 }

-// DeciceOnConnection makes a decision about a connection with its first packet.
-func DecideOnConnection(connection *network.Connection, pkt packet.Packet) {
+// DecideOnCommunication makes a decision about a communication with its first packet.
+func DecideOnCommunication(comm *network.Communication, pkt packet.Packet) {

 	// grant self
-	if connection.Process().Pid == os.Getpid() {
-		log.Infof("firewall: granting own connection %s", connection)
-		connection.Accept("")
+	if comm.Process().Pid == os.Getpid() {
+		log.Infof("firewall: granting own communication %s", comm)
+		comm.Accept("")
 		return
 	}

 	// check if there is a profile
-	profileSet := connection.Process().ProfileSet()
+	profileSet := comm.Process().ProfileSet()
 	if profileSet == nil {
-		log.Errorf("firewall: denying connection %s, no Profile Set", connection)
-		connection.Deny("no Profile Set")
+		log.Errorf("firewall: denying communication %s, no Profile Set", comm)
+		comm.Deny("no Profile Set")
 		return
 	}
 	profileSet.Update(status.ActiveSecurityLevel())

-	// check connection type
-	switch connection.Domain {
+	// check comm type
+	switch comm.Domain {
 	case network.IncomingHost, network.IncomingLAN, network.IncomingInternet, network.IncomingInvalid:
 		if !profileSet.CheckFlag(profile.Service) {
-			log.Infof("firewall: denying connection %s, not a service", connection)
-			if connection.Domain == network.IncomingHost {
-				connection.Block("not a service")
+			log.Infof("firewall: denying communication %s, not a service", comm)
+			if comm.Domain == network.IncomingHost {
+				comm.Block("not a service")
 			} else {
-				connection.Drop("not a service")
+				comm.Drop("not a service")
 			}
 			return
 		}
 	case network.PeerLAN, network.PeerInternet, network.PeerInvalid: // Important: PeerHost is and should be missing!
 		if !profileSet.CheckFlag(profile.PeerToPeer) {
-			log.Infof("firewall: denying connection %s, peer to peer connections (to an IP) not allowed", connection)
-			connection.Deny("peer to peer connections (to an IP) not allowed")
+			log.Infof("firewall: denying communication %s, peer to peer comms (to an IP) not allowed", comm)
+			comm.Deny("peer to peer comms (to an IP) not allowed")
 			return
 		}
-	default:
 	}

 	// check network scope
-	switch connection.Domain {
+	switch comm.Domain {
 	case network.IncomingHost:
 		if !profileSet.CheckFlag(profile.Localhost) {
-			log.Infof("firewall: denying connection %s, serving localhost not allowed", connection)
-			connection.Block("serving localhost not allowed")
+			log.Infof("firewall: denying communication %s, serving localhost not allowed", comm)
+			comm.Block("serving localhost not allowed")
 			return
 		}
 	case network.IncomingLAN:
 		if !profileSet.CheckFlag(profile.LAN) {
-			log.Infof("firewall: denying connection %s, serving LAN not allowed", connection)
-			connection.Deny("serving LAN not allowed")
+			log.Infof("firewall: denying communication %s, serving LAN not allowed", comm)
+			comm.Deny("serving LAN not allowed")
 			return
 		}
 	case network.IncomingInternet:
 		if !profileSet.CheckFlag(profile.Internet) {
-			log.Infof("firewall: denying connection %s, serving Internet not allowed", connection)
-			connection.Deny("serving Internet not allowed")
+			log.Infof("firewall: denying communication %s, serving Internet not allowed", comm)
+			comm.Deny("serving Internet not allowed")
 			return
 		}
 	case network.IncomingInvalid:
-		log.Infof("firewall: denying connection %s, invalid IP address", connection)
-		connection.Drop("invalid IP address")
+		log.Infof("firewall: denying communication %s, invalid IP address", comm)
+		comm.Drop("invalid IP address")
 		return
 	case network.PeerHost:
 		if !profileSet.CheckFlag(profile.Localhost) {
-			log.Infof("firewall: denying connection %s, accessing localhost not allowed", connection)
-			connection.Block("accessing localhost not allowed")
+			log.Infof("firewall: denying communication %s, accessing localhost not allowed", comm)
+			comm.Block("accessing localhost not allowed")
 			return
 		}
 	case network.PeerLAN:
 		if !profileSet.CheckFlag(profile.LAN) {
-			log.Infof("firewall: denying connection %s, accessing the LAN not allowed", connection)
-			connection.Deny("accessing the LAN not allowed")
+			log.Infof("firewall: denying communication %s, accessing the LAN not allowed", comm)
+			comm.Deny("accessing the LAN not allowed")
 			return
 		}
 	case network.PeerInternet:
 		if !profileSet.CheckFlag(profile.Internet) {
-			log.Infof("firewall: denying connection %s, accessing the Internet not allowed", connection)
-			connection.Deny("accessing the Internet not allowed")
+			log.Infof("firewall: denying communication %s, accessing the Internet not allowed", comm)
+			comm.Deny("accessing the Internet not allowed")
 			return
 		}
 	case network.PeerInvalid:
-		log.Infof("firewall: denying connection %s, invalid IP address", connection)
-		connection.Deny("invalid IP address")
+		log.Infof("firewall: denying communication %s, invalid IP address", comm)
+		comm.Deny("invalid IP address")
 		return
 	}

-	log.Infof("firewall: accepting connection %s", connection)
-	connection.Accept("")
+	log.Infof("firewall: undeterminable verdict for communication %s", comm)
 }

 // DecideOnLink makes a decision about a link with the first packet.
-func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet.Packet) {
+func DecideOnLink(comm *network.Communication, link *network.Link, pkt packet.Packet) {
 	// check:
 	// Profile.Flags
 	// - network specific: Internet, LocalNet
@@ -272,34 +394,37 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet
 	// Profile.ListenPorts

 	// grant self
-	if connection.Process().Pid == os.Getpid() {
-		log.Infof("firewall: granting own link %s", connection)
-		connection.Accept("")
+	if comm.Process().Pid == os.Getpid() {
+		log.Infof("firewall: granting own link %s", comm)
+		link.Accept("")
 		return
 	}

 	// check if there is a profile
-	profileSet := connection.Process().ProfileSet()
+	profileSet := comm.Process().ProfileSet()
 	if profileSet == nil {
 		log.Infof("firewall: no Profile Set, denying %s", link)
-		link.Block("no Profile Set")
+		link.Deny("no Profile Set")
 		return
 	}
 	profileSet.Update(status.ActiveSecurityLevel())

-	// get host
-	var domainOrIP string
-	switch {
-	case strings.HasSuffix(connection.Domain, "."):
-		domainOrIP = connection.Domain
-	case connection.Direction:
-		domainOrIP = pkt.GetIPHeader().Src.String()
-	default:
-		domainOrIP = pkt.GetIPHeader().Dst.String()
+	// get domain
+	var domain string
+	if strings.HasSuffix(comm.Domain, ".") {
+		domain = comm.Domain
 	}

-	// get protocol / destination port
-	protocol := pkt.GetIPHeader().Protocol
+	// remoteIP
+	var remoteIP net.IP
+	if comm.Direction {
+		remoteIP = pkt.GetIPHeader().Src
+	} else {
+		remoteIP = pkt.GetIPHeader().Dst
+	}
+
+	// protocol and destination port
+	protocol := uint8(pkt.GetIPHeader().Protocol)
 	var dstPort uint16
 	tcpUDPHeader := pkt.GetTCPUDPHeader()
 	if tcpUDPHeader != nil {
@@ -307,15 +432,17 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet
 	}

 	// check endpoints list
-	permitted, reason, ok := profileSet.CheckEndpoint(domainOrIP, uint8(protocol), dstPort, connection.Direction)
-	if ok {
-		if permitted {
-			log.Infof("firewall: accepting link %s, endpoint is whitelisted: %s", link, reason)
-			link.Accept(fmt.Sprintf("port whitelisted: %s", reason))
-		} else {
-			log.Infof("firewall: denying link %s: endpoint is blacklisted: %s", link, reason)
-			link.Deny("port blacklisted")
-		}
+	result, reason := profileSet.CheckEndpointIP(domain, remoteIP, protocol, dstPort, comm.Direction)
+	switch result {
+	// case profile.NoMatch, profile.Undeterminable:
+	// 	continue
+	case profile.Denied:
+		log.Infof("firewall: denying link %s, endpoint is blacklisted: %s", link, reason)
+		link.Deny(fmt.Sprintf("endpoint is blacklisted: %s", reason))
+		return
+	case profile.Permitted:
+		log.Infof("firewall: permitting link %s, endpoint is whitelisted: %s", link, reason)
+		link.Accept(fmt.Sprintf("endpoint is whitelisted: %s", reason))
 		return
 	}

@@ -325,15 +452,15 @@ func DecideOnLink(connection *network.Connection, link *network.Link, pkt packet
 		link.Deny("endpoint is not whitelisted")
 		return
 	case profile.Prompt:
-		log.Infof("firewall: accepting link %s: endpoint is not blacklisted (prompting is not yet implemented)", link)
+		log.Infof("firewall: permitting link %s: endpoint is not blacklisted (prompting is not yet implemented)", link)
 		link.Accept("endpoint is not blacklisted (prompting is not yet implemented)")
 		return
 	case profile.Blacklist:
-		log.Infof("firewall: accepting link %s: endpoint is not blacklisted", link)
+		log.Infof("firewall: permitting link %s: endpoint is not blacklisted", link)
 		link.Accept("endpoint is not blacklisted")
 		return
 	}

-	log.Infof("firewall: accepting link %s", link)
-	link.Accept("")
+	log.Infof("firewall: denying link %s, no profile mode set", link)
+	link.Deny("no profile mode set")
 }