Reevaluate and update firewall core logic

firewall/config.go

@@ -2,10 +2,13 @@ package firewall
 
 import (
 	"github.com/Safing/portbase/config"
+	"github.com/Safing/portmaster/status"
 )
 
 var (
-	permanentVerdicts config.BoolOption
+	permanentVerdicts  config.BoolOption
+	filterDNSByScope   status.SecurityLevelOption
+	filterDNSByProfile status.SecurityLevelOption
 )
 
 func registerConfig() error {
@@ -22,5 +25,35 @@ func registerConfig() error {
 	}
 	permanentVerdicts = config.Concurrent.GetAsBool("firewall/permanentVerdicts", true)
 
+	err = config.Register(&config.Option{
+		Name:            "Filter DNS Responses by Server Scope",
+		Key:             "firewall/filterDNSByScope",
+		Description:     "This option will filter out DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
+		ExpertiseLevel:  config.ExpertiseLevelExpert,
+		OptType:         config.OptTypeInt,
+		ExternalOptType: "security level",
+		DefaultValue:    7,
+		ValidationRegex: "^(7|6|4)$",
+	})
+	if err != nil {
+		return err
+	}
+	filterDNSByScope = status.ConfigIsActiveConcurrent("firewall/filterDNSByScope")
+
+	err = config.Register(&config.Option{
+		Name:            "Filter DNS Responses by Application Profile",
+		Key:             "firewall/filterDNSByProfile",
+		Description:     "This option will filter out DNS answers that an application would not be allowed to connect, based on its profile.",
+		ExpertiseLevel:  config.ExpertiseLevelExpert,
+		OptType:         config.OptTypeInt,
+		ExternalOptType: "security level",
+		DefaultValue:    7,
+		ValidationRegex: "^(7|6|4)$",
+	})
+	if err != nil {
+		return err
+	}
+	filterDNSByProfile = status.ConfigIsActiveConcurrent("firewall/filterDNSByProfile")
+
 	return nil
 }