Blocking UDP packets at FWPM_LAYER_INBOUND_TRANSPORT when local endpoint is not opened

  • Question

  • Hi, all! I am trying to filter inbound UDP packets at the transport layer, but it seems that if there is no process listening on the destination port, WFP does not honor the blocking action set by my callout:

    /* inside classifyFn at FWPM_LAYER_INBOUND_TRANSPORT_V4 / _V6 */
    pClassify->actionType = FWP_ACTION_BLOCK;        /* verdict: block this packet */
    pClassify->rights &= ~FWPS_RIGHT_ACTION_WRITE;   /* clear the write right so later filters cannot override the verdict */

    In essence there is always a leaked ICMP "dest unreachable" packet sent out. Is there a way to really block-block UDP, so no ICMP error will be generated?

    Thanks!

    Wednesday, May 11, 2011 1:19 AM

Answers

  • The ICMP packet is generated by the TCP/IP stack. You can stop the ICMP error from exiting the box by sitting @ OUTBOUND_ICMP_ERROR. Similar to this you can BLOCK the dropped packet again @ INBOUND_TRANSPORT_DISCARD. This will prevent the stack from generating the DESTINATION_UNREACHABLE.

    Alternatively, you could sit at INBOUND_IPPACKET, parse the transport header and block. This will circumvent the stack from doing a port lookup and seeing no port listening, which triggers the ICMP DESTINATION_UNREACHABLE. This method is less advised and I'd suggest going the simpler route of the first 2 options.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, May 11, 2011 2:38 PM
    Moderator

All replies

  • In essence there is always a leaked ICMP "dest unreachable" packet sent out. Is there a way to really block-block UDP, so no ICMP error will be generated?

    Analyze the value of FWPS_FIELD_INBOUND_TRANSPORT_Vx_IP_PROTOCOL; UDP is 17 (0x11).
    You may control UDP at the FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Vx level. classifyFn will be called for each UDP packet.
    • Edited by EreTIk Wednesday, May 11, 2011 7:31 AM updated
    Wednesday, May 11, 2011 7:26 AM
  • Please read the OP carefully before answering!!! In this particular case the packet will never make it to the ALE layer, because there is no opened endpoint.
    Wednesday, May 11, 2011 4:29 PM
  • So essentially WFP does not honor the block action - the inbound packet gets fully processed by the stack. And yes, I had already figured out that I can block the outbound ICMP error packet, but this is a very awkward way of performing filtering - at the INBOUND_TRANSPORT I have to store connection context and then at the outbound ICMP_ERROR parse the ICMP payload to get the connection 5-tuple in order to figure out whether it has to be blocked or not. I was just hoping there is a better way to do this. And yes, I do not want to blindly block all the ICMP "dest unreachable" messages.
    Wednesday, May 11, 2011 4:45 PM
  • WFP is essentially a set of inspection points during the processing of the packet. By the time the packet has made it to the TRANSPORT LAYER, the stack has already done a port lookup and decided to drop it. This is all by design. This has nothing to do with WFP not honoring the block. The initial packet is blocked / discarded. It just so happens that the stack triggered the block action before WFP could. The side effect of this is the ICMP ERROR packet being sent out. The 5-tuple is classifiable @ the ICMP_ERROR layers, so no parsing needs to be done. And the other method would be to block the dropped packet again at the TRANSPORT_DISCARD. This would prevent the stack from generating the dest_unreach.

    Hope this helps,
    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, May 11, 2011 8:36 PM
    Moderator
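The ICMP-error matching discussed in the last two replies, as an added example that is not code from this thread or from the WFP SDK: portable user-mode C that recovers the embedded UDP 5-tuple from an ICMPv4 Destination Unreachable message and decides whether that error refers to a flow that was dropped on a given local port, so unrelated unreachable messages still pass. In a real callout at OUTBOUND_ICMP_ERROR the embedded tuple is already exposed as classifiable fields, as the reply above says; this shows the on-the-wire structure those fields come from. The sample message, addresses and port are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* 5-tuple of the UDP datagram an ICMP error refers to (host byte order). */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t protocol; } tuple5_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse an ICMPv4 message (header plus payload, i.e. what follows the outer
 * IP header). A Destination Unreachable (type 3) carries the original IPv4
 * header and the first 8 bytes of its transport header; for UDP those 8 bytes
 * are src port, dst port, length, checksum, so the full 5-tuple is recoverable.
 * Returns 1 and fills *out when the embedded datagram is UDP, otherwise 0. */
int icmp_error_embedded_udp(const uint8_t *icmp, size_t len, tuple5_t *out) {
    if (len < 8 + 20 + 8 || icmp[0] != 3) return 0;   /* too short / not type 3 */
    const uint8_t *ip = icmp + 8;                      /* embedded IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 8 + ihl + 8 > len) return 0;
    if (ip[9] != 17) return 0;                         /* 17 (0x11) = UDP */
    const uint8_t *udp = ip + ihl;
    out->protocol = 17;
    out->src_ip   = rd32(ip + 12);
    out->dst_ip   = rd32(ip + 16);
    out->src_port = rd16(udp);
    out->dst_port = rd16(udp + 2);
    return 1;
}

/* Decide whether an outbound ICMP error refers to a datagram that was dropped
 * (here: matched on the local UDP port that was blocked) and should itself be
 * blocked, while unrelated unreachable messages are permitted. 1 = block. */
int should_block_icmp_error(const uint8_t *icmp, size_t len, uint16_t blocked_local_port) {
    tuple5_t t;
    if (!icmp_error_embedded_udp(icmp, len, &t)) return 0;
    return t.dst_port == blocked_local_port;
}

/* Constructed sample (not captured): ICMP type 3 code 3 (port unreachable)
 * reporting the UDP datagram 10.0.0.5:40000 -> 10.0.0.9:5000. */
const uint8_t SAMPLE_ICMP[] = {
    0x03,0x03,0x00,0x00, 0x00,0x00,0x00,0x00,               /* ICMP header */
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x09,               /* embedded IPv4 */
    0x9c,0x40, 0x13,0x88, 0x00,0x08, 0x00,0x00              /* embedded UDP */
};
```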