In which layer to use FWPM_CONDITION_ALE_APP_ID

  • Question

  • Hi!

    I wrote an IP filter app that uses the conditions FWPM_CONDITION_IP_... (PROTOCOL, LOCAL_ADDRESS ... REMOTE_PORT) in the layer FWPM_LAYER_OUT/INBOUND_TRANSPORT_V4. It works fine!

    Now I want to supplement my app with FWPM_CONDITION_ALE_APP_ID to exempt an app from my IP filter. I know that I must use this condition in an ALE layer, but in which layer can I combine all those conditions?

     Thanks in advance

    Frank

    Friday, June 27, 2014 10:52 AM

Answers

  • The ALE layers that you would use are FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} and FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, June 30, 2014 5:36 PM
    Moderator

All replies

  • Hi Dusty, thanks for your answer!
    I tried FWPM_CONDITION_ALE_APP_ID in FWPM_LAYER_ALE_AUTH_CONNECT_V4. It works for blocking an app.
    But when I make two filters, one default block (IP protocols from 1 to 57 are blocked) and a second that permits an app, everything is blocked. The exception for the app doesn't work. Here is the filter code:

    // Permit for the app: match on the app ID blob of the image path
    result = FwpmGetAppIdFromFileName0(appPath, &appBlob);
    BAIL_ON_ERROR(FwpmGetAppIdFromFileName0);

    conds[0].fieldKey = FWPM_CONDITION_ALE_APP_ID;
    conds[0].matchType = FWP_MATCH_EQUAL;
    conds[0].conditionValue.type = FWP_BYTE_BLOB_TYPE;
    conds[0].conditionValue.byteBlob = appBlob;

    memset(&filter, 0, sizeof(filter));
    UuidCreate(&(filter.filterKey));
    filter.displayData.name = (PWSTR)L"PermitApp";
    filter.providerKey = (GUID*)&PROVIDER_KEY;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    filter.subLayerKey = SUBLAYER_KEY;
    filter.numFilterConditions = 1;
    filter.filterCondition = conds;
    filter.action.type = FWP_ACTION_PERMIT;
    UINT64 w = 0x5000;               // intended: higher weight than the block filter
    filter.weight.uint64 = &w;

    result = FwpmFilterAdd0(engine, &filter, NULL, filterId);
    BAIL_ON_ERROR(FwpmFilterAdd0);

    // Default block: IP protocol numbers 1..57 (FWPM_CONDITION_IP_PROTOCOL is a UINT8)
    FWP_RANGE0 protocolRange;
    protocolRange.valueLow.type = FWP_UINT8;
    protocolRange.valueLow.uint8 = 1;
    protocolRange.valueHigh.type = FWP_UINT8;
    protocolRange.valueHigh.uint8 = 57;
    conds[0].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
    conds[0].matchType = FWP_MATCH_RANGE;
    conds[0].conditionValue.type = FWP_RANGE_TYPE;
    conds[0].conditionValue.rangeValue = &protocolRange;

    memset(&filter, 0, sizeof(filter));
    UuidCreate(&(filter.filterKey));
    filter.displayData.name = (PWSTR)L"DefBlock";
    filter.providerKey = (GUID*)&PROVIDER_KEY;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    filter.subLayerKey = SUBLAYER_KEY;   // same sublayer, so weights decide between the two
    filter.numFilterConditions = 1;
    filter.filterCondition = conds;
    filter.action.type = FWP_ACTION_BLOCK;
    w = 0x0500;                      // intended: lower weight than the permit filter
    filter.weight.uint64 = &w;

    result = FwpmFilterAdd0(engine, &filter, NULL, filterId);
    BAIL_ON_ERROR(FwpmFilterAdd0);

    I can't find an error and have tested a lot, but the block filter with the lower weight always wins.
    Can you help me? Thanks
    Frank 

    Wednesday, July 2, 2014 7:09 AM
  • Hi,
    I think I found the answer by myself. I missed the line

    filter.weight.type = FWP_UINT64;

    Now the filters seem to be sorted by weight and the code works.

    Thanks anyway

    Frank

    • Proposed as answer by Umar Yaqoob Wednesday, July 2, 2014 4:32 PM
    Wednesday, July 2, 2014 3:39 PM
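The check below is an added example for this thread, not code from the original posts. It answers the question a practitioner has when a lower-weight block beats a higher-weight permit: what weight did BFE actually give each filter? When FWPM_FILTER0.weight.type is left at FWP_EMPTY (as in the code above before the fix), BFE ignores the uint64 pointer and auto-assigns the weight from the filter's conditions; the value it chose is visible as effectiveWeight in a `netsh wfp show filters` export. The script parses such an export for one layer and flags auto-weighted filters. The XML element names (wfpdiag/filters/item, weight, effectiveWeight, layerKey, subLayerKey) are assumptions taken from a typical export, and the sample export embedded here is constructed with placeholder weights; compare against your own file.

```powershell
# Added example (not from the original thread). Summarise the WFP filters of one
# layer from a "netsh wfp show filters" XML export and flag filters whose weight
# type is FWP_EMPTY, i.e. whose weight BFE auto-assigned. Element names are
# assumptions based on a typical export; verify against your own file.

function Get-WfpFilterWeightSummary {
    param(
        [Parameter(Mandatory)] [xml] $Export,
        [string] $LayerKey = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4'
    )

    foreach ($item in $Export.wfpdiag.filters.item) {
        if ($item.layerKey -ne $LayerKey) { continue }

        $weightType = $item.weight.type
        $declared = switch ($weightType) {
            'FWP_UINT64' { [uint64] $item.weight.uint64 }   # exact weight, as the code above intended
            'FWP_UINT8'  { [int]    $item.weight.uint8  }   # 0..15: a weight range, BFE picks the exact value
            default      { $null }                           # FWP_EMPTY: weight.uint64 was ignored
        }

        [pscustomobject]@{
            Name            = $item.displayData.name
            SubLayer        = $item.subLayerKey
            Action          = $item.action.type
            Conditions      = @($item.filterCondition.item | ForEach-Object { $_.fieldKey }) -join ','
            WeightType      = $weightType
            DeclaredWeight  = $declared
            EffectiveWeight = [uint64] $item.effectiveWeight.uint64
            AutoAssigned    = ($weightType -eq 'FWP_EMPTY')
        }
    }
}

# Constructed sample export (placeholder GUIDs and weights, not real BFE output):
# the two filters of the thread, as they looked before weight.type was set on
# PermitApp. The auto-assigned effectiveWeight of PermitApp is below DefBlock's.
$sampleExport = [xml] @'
<wfpdiag>
  <filters numItems="2">
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
      <displayData><name>PermitApp</name><description/></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <subLayerKey>{00000000-0000-0000-0000-0000000000aa}</subLayerKey>
      <weight><type>FWP_EMPTY</type></weight>
      <filterCondition numItems="1">
        <item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType></item>
      </filterCondition>
      <action><type>FWP_ACTION_PERMIT</type></action>
      <effectiveWeight><type>FWP_UINT64</type><uint64>17</uint64></effectiveWeight>
    </item>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000002}</filterKey>
      <displayData><name>DefBlock</name><description/></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <subLayerKey>{00000000-0000-0000-0000-0000000000aa}</subLayerKey>
      <weight><type>FWP_UINT64</type><uint64>1280</uint64></weight>
      <filterCondition numItems="1">
        <item><fieldKey>FWPM_CONDITION_IP_PROTOCOL</fieldKey><matchType>FWP_MATCH_RANGE</matchType></item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <effectiveWeight><type>FWP_UINT64</type><uint64>1280</uint64></effectiveWeight>
    </item>
  </filters>
</wfpdiag>
'@

# Offline run against the constructed sample: PermitApp shows AutoAssigned=True
# and a lower EffectiveWeight than DefBlock, which is why the block won.
Get-WfpFilterWeightSummary -Export $sampleExport |
    Sort-Object SubLayer, EffectiveWeight -Descending |
    Format-Table Name, Action, WeightType, DeclaredWeight, EffectiveWeight, AutoAssigned, Conditions -AutoSize

# Live run (elevated prompt): export the current filter set, then inspect it.
# Uncomment on a Windows host; the export path is an assumption.
# $exportPath = Join-Path $env:TEMP 'wfp-filters.xml'
# netsh wfp show filters file="$exportPath" | Out-Null
# Get-WfpFilterWeightSummary -Export ([xml](Get-Content -Raw $exportPath)) |
#     Sort-Object SubLayer, EffectiveWeight -Descending | Format-Table -AutoSize
```

Read the output per sublayer: within one sublayer the matching filter with the highest effectiveWeight decides, so a permit and a block that are meant to be ordered against each other must live in the same sublayer, as both filters in the thread do, and both must carry an explicit weight type. Any row with AutoAssigned=True in a sublayer you intended to order by hand is the bug this thread is about.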