Pro-actively add firewall entries for blacklist and whitelist

DigitalRuby · Aug 16, 2020 · 223448f · 223448f
1 parent 6aa549f
commit 223448f
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 10 deletions.
diff --git a/IPBanCore/Core/IPBan/IPBanConfig.cs b/IPBanCore/Core/IPBan/IPBanConfig.cs
@@ -316,7 +316,12 @@ private bool IsMatch(string entry, System.Net.IPAddress entryIPAddress, HashSet<
             return false;
         }
 
-        private void PopulateList(HashSet<System.Net.IPAddress> set, HashSet<IPAddressRange> ranges, HashSet<string> others, ref Regex regex, string setValue, string regexValue)
+        private void PopulateList(HashSet<System.Net.IPAddress> set,
+            HashSet<IPAddressRange> ranges,
+            HashSet<string> others,
+            ref Regex regex,
+            string setValue,
+            string regexValue)
         {
             setValue = (setValue ?? string.Empty).Trim();
             regexValue = (regexValue ?? string.Empty).Replace("*", @"[0-9A-Fa-f:]+?").Trim();
@@ -841,19 +846,25 @@ public static string ChangeConfigAppSetting(string config, string key, string ne
         public bool ClearFailedLoginsOnSuccessfulLogin { get { return clearFailedLoginsOnSuccessfulLogin; } }
 
         /// <summary>
-        /// Black list of ips as a comma separated string
+        /// Get all ip address ranges in the blacklist
         /// </summary>
-        public string BlackList { get { return string.Join(",", blackList); } }
+        public IReadOnlyCollection<IPAddressRange> BlackList
+        {
+            get { return blackList.Select(b => new IPAddressRange(b)).Union(blackListRanges).ToArray(); }
+        }
 
         /// <summary>
         /// Black list regex
         /// </summary>
         public string BlackListRegex { get { return (blackListRegex is null ? string.Empty : blackListRegex.ToString()); } }
 
         /// <summary>
-        /// White list of ips as a comma separated string
+        /// Get all ip address ranges in the whitelist
         /// </summary>
-        public string Whitelist { get { return string.Join(",", whitelist); } }
+        public IReadOnlyCollection<IPAddressRange> Whitelist
+        {
+            get { return whitelist.Select(b => new IPAddressRange(b)).Union(whitelistRanges).ToArray(); }
+        }
 
         /// <summary>
         /// White list regex

diff --git a/IPBanCore/Core/IPBan/IPBanService_Private.cs b/IPBanCore/Core/IPBan/IPBanService_Private.cs
@@ -536,7 +536,11 @@ private void LoadFirewall(IPBanConfig oldConfig)
                 }
             }
 
-            // add/update new rules
+            // add/update global rules
+            Firewall.AllowIPAddresses("GlobalWhitelist", Config.Whitelist);
+            Firewall.BlockIPAddresses("GlobalBlacklist", Config.BlackList);
+
+            // add/update user specified rules
             foreach (IPBanFirewallRule rule in Config.ExtraRules)
             {
                 if (rule.Block)

diff --git a/IPBanCore/Core/Utility/IPAddressRange.cs b/IPBanCore/Core/Utility/IPAddressRange.cs
@@ -495,6 +495,15 @@ public static implicit operator IPAddressRange(string s)
             return (string.IsNullOrWhiteSpace(s) ? null : IPAddressRange.Parse(s));
         }
 
+        /// <summary>
+        /// Convert ip address range to string implicit
+        /// </summary>
+        /// <param name="ip">Ip address</param>
+        public static implicit operator IPAddressRange(IPAddress ip)
+        {
+            return (ip is null ? null : new IPAddressRange(ip));
+        }
+
         /// <summary>
         /// Takes a subnetmask (eg, "255.255.254.0") and returns the CIDR bit length of that
         /// address. Throws an exception if the passed address is not valid as a subnet mask.

diff --git a/IPBanCore/DigitalRuby.IPBan.dll.config b/IPBanCore/DigitalRuby.IPBan.dll.config
@@ -726,9 +726,7 @@
     <!-- The minimum time between successful login attempts for an ip address to increment the success counter -->
     <add key="MinimumTimeBetweenSuccessfulLoginAttempts" value="00:00:00:05"/>
 
-    <!--
-    Rule prefix name for firewall rules, must contain only A-Z, 0-9 and _
-    -->
+    <!-- Rule prefix name for firewall rules, must contain only A-Z, 0-9 and _ -->
     <add key="FirewallRulePrefix" value="IPBan_"/>
 
     <!-- Comma separated list of ip addresses, cidr masks or dns names that are never banned. Whitelist takes precedence over blacklist. -->

diff --git a/IPBanTests/IPBanConfigTests.cs b/IPBanTests/IPBanConfigTests.cs
@@ -235,7 +235,7 @@ public void TestListComments()
                 "<appSettings><add key='Whitelist' value='99.99.99.99?TestIP?2020-05-25," +
                 "88.88.88.88?TestIP2?2020-05-24' /></appSettings></configuration>",
                 DefaultDnsLookup.Instance);
-            Assert.AreEqual(config.Whitelist, "99.99.99.99,88.88.88.88");
+            Assert.AreEqual(string.Join(",", config.Whitelist.OrderBy(i => i)), "88.88.88.88,99.99.99.99");
             Assert.IsTrue(config.IsWhitelisted("99.99.99.99"));
             Assert.IsTrue(config.IsWhitelisted("88.88.88.88"));
             Assert.IsFalse(config.IsWhitelisted("77.77.77.77"));