Handle possible errors in packet sending in proxy
itaispiegel committed Mar 1, 2024
1 parent 12ed036 commit 53ffa54
Showing 3 changed files with 23 additions and 7 deletions.
2 changes: 1 addition & 1 deletion examples/rules.txt
@@ -1,7 +1,7 @@
loopback any 127.0.0.1/8 127.0.0.1/8 any any any any accept
http any 10.1.1.1/32 10.1.2.2/32 TCP >1023 80 any accept
http any 10.1.1.1/32 10.1.2.2/32 TCP >1023 8000 any accept
åftp any 10.1.1.1/32 10.1.2.2/32 TCP >1023 21 any accept
ftp any 10.1.1.1/32 10.1.2.2/32 TCP >1023 21 any accept
GW_attack any any 10.0.2.15/32 any any any any drop
spoof1 in 10.1.1.1/24 any any any any any drop
spoof2 out 10.1.2.2/24 any any any any any drop
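--- a/user/pkg/proxy/ftp.go
+++ b/user/pkg/proxy/ftp.go
@@ -66,13 +66,22 @@ func allowFtpDataConnection(data []byte, dest net.Conn, logger zerolog.Logger) b
 ipToFtpRepresentation(proxyIpAddr),
 clientDataAddr.Port/256, clientDataAddr.Port%256,
 )
-dest.Write([]byte(payloadToServer))
+if _, err := dest.Write([]byte(payloadToServer)); err != nil {
+log.Error().Err(err).
+Str("clientAddr", clientDataAddr.String()).
+Str("serverAddr", serverDataAddr.String()).
+Msg("Error sending FTP data connection payload to server, blocking connection")
+return false
+}
 log.Info().
 Str("bindAddr", clientDataAddr.String()).
 Str("serverAddr", serverDataAddr.String()).
 Msg("Successfully allowed new FTP data connection")
 } else {
-dest.Write(data)
+if _, err := dest.Write(data); err != nil {
+logger.Error().Err(err).Msg("Error forwarding data")
+return false
+}
 }
 return true
 }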
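Review bot: The error branch added after the first `dest.Write` reports through the package-level `log`, while the error branch added in the `else` arm uses the `logger` parameter that allowFtpDataConnection receives; a failed data-connection setup and a failed forward should be logged through the same logger so both carry whatever connection-scoped fields `logger` was built with (presumably some, given it is passed per callback). Change the first added log line to `logger.Error().Err(err).`. The pre-existing `log.Info()` success entry a few lines below has the same inconsistency, though the commit does not touch it. allowFtpDataConnection and the `if` whose `else` arm is shown both begin before this hunk.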
15 changes: 11 additions & 4 deletions user/pkg/proxy/http.go
Expand Up @@ -15,7 +15,7 @@ var dangerousContentTypes = []string{
"application/zip",
}

func sendBlockedResponse(dest net.Conn) {
func sendBlockedResponse(dest net.Conn) error {
resp := http.Response{
Status: "403 Forbidden",
StatusCode: 403,
Expand All @@ -27,7 +27,7 @@ func sendBlockedResponse(dest net.Conn) {
Body: io.NopCloser(strings.NewReader("Blocked by Firewall\n")),
}

resp.Write(dest)
return resp.Write(dest)
}

func blockDangerousFilesCallback(data []byte, dest net.Conn, logger zerolog.Logger) bool {
Expand All @@ -36,15 +36,22 @@ func blockDangerousFilesCallback(data []byte, dest net.Conn, logger zerolog.Logg
contentType := string(matches[1])
for i := range dangerousContentTypes {
if contentType == dangerousContentTypes[i] {
sendBlockedResponse(dest)
if err := sendBlockedResponse(dest); err != nil {
logger.Error().Err(err).Msg("Error sending blocked response")
return false
}

logger.Warn().Str("srcAddr", dest.LocalAddr().String()).
Str("destAddr", dest.RemoteAddr().String()).
Msg("Blocked CSV file")
return false
}
}
}
dest.Write(data)
if _, err := dest.Write(data); err != nil {
logger.Error().Err(err).Msg("Error forwarding data")
return false
}
return true
}

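Review bot: In the last hunk, when `sendBlockedResponse` fails the new branch logs the write error and returns before the `logger.Warn()` call that records the block decision, so a blocked transfer whose 403 could not be delivered leaves no block entry in the log, only a generic send error. Since both paths return false anyway, emit the Warn entry first and let the error branch fall through to the existing `return false` rather than returning early. The Warn entry would also be more useful for triage with the matched type attached, e.g. `Str("contentType", contentType).`, because the pre-existing message `Blocked CSV file` is emitted for every entry of dangerousContentTypes, including `application/zip`. The opening lines of blockDangerousFilesCallback, including the code that produces `matches`, fall between the second and third hunks and are not shown.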
